Exploit for Improper Encoding or Escaping of Output in Webmin CVE-2022-36446

Name: Exploit for Improper Encoding or Escaping of Output in Webmin CVE-2022-36446
Rating: 5 (371 reviews)
2022-08-11 | CVSS 7.5
## https://sploitus.com/exploit?id=49548C54-8CD8-566E-830C-0A2EEAC7A6AC
![](./.github/banner.png)

<p align="center">
  A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.
  <br>
  <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE">
  <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
  <a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
  <br>
</p>


## Features

 - [x] Supports HTTP and HTTPS (even with self-signed certificates with `--insecure`).
 - [x] Single command execution with `--command` option.
 - [x] Interactive console with `--interactive` option.

## Usage

```
$ ./CVE-2022-36446.py -h
CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v1.1 - by @podalirius_

usage: CVE-2022-36446.py [-h] -t TARGET [-k] -u USERNAME -p PASSWORD (-I | -C COMMAND) [-v]

CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to the webmin instance
  -k, --insecure
  -u USERNAME, --username USERNAME
                        Username to connect to the webmin.
  -p PASSWORD, --password PASSWORD
                        Password to connect to the webmin.
  -I, --interactive     Interactive console mode.
  -C COMMAND, --command COMMAND
                        Only execute the specified command.
  -v, --verbose         Verbose mode. (default: False)
```

## Mitigation

Update to Webmin >= 1.997.

## Demonstration

https://user-images.githubusercontent.com/79218792/184222596-3878e169-92ec-4507-99b5-3fe2c1d39360.mp4

## Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

## References
 - Vulnerable version: https://github.com/webmin/webmin/releases/download/1.996/webmin_1.996_all.deb
 - https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde