Skip to content

Latest commit

 

History

History
59 lines (42 loc) · 2.25 KB

File metadata and controls

59 lines (42 loc) · 2.25 KB

A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.
GitHub release (latest by date) YouTube Channel Subscribers

Features

  • Supports HTTP and HTTPS (even with self-signed certificates with --insecure).
  • Single command execution with --command option.
  • Interactive console with --interactive option.

Usage

$ ./CVE-2022-36446.py -h
CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v1.1 - by @podalirius_

usage: CVE-2022-36446.py [-h] -t TARGET [-k] -u USERNAME -p PASSWORD (-I | -C COMMAND) [-v]

CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to the webmin instance
  -k, --insecure
  -u USERNAME, --username USERNAME
                        Username to connect to the webmin.
  -p PASSWORD, --password PASSWORD
                        Password to connect to the webmin.
  -I, --interactive     Interactive console mode.
  -C COMMAND, --command COMMAND
                        Only execute the specified command.
  -v, --verbose         Verbose mode. (default: False)

Mitigation

Update to Webmin >= 1.997.

Demonstration

demo.mp4

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

References