Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

Dart

Java

C#

Emacs Lisp

Julia

Shell

Crystal

Lua

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

PHP

Java

Scala

R

Zig

Objective-C

TypeScript

Python

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇹🇱 Timor-Leste

🇬🇩 Grenada

🇩🇯 Djibouti

🇨🇱 Chile

🇨🇾 Cyprus

🇬🇬 Guernsey

🇱🇧 Lebanon

🇹🇴 Tonga

All Countries Compare Countries

p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE

Stars
109
Rank 319,077 (Top 7 %)
Language
Python
Created over 2 years ago
Updated about 2 years ago

p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE

p0dalirius

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.

A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.

Features

Supports HTTP and HTTPS (even with self-signed certificates with --insecure).
Single command execution with --command option.
Interactive console with --interactive option.

Usage

$ ./CVE-2022-36446.py -h
CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v1.1 - by @podalirius_

usage: CVE-2022-36446.py [-h] -t TARGET [-k] -u USERNAME -p PASSWORD (-I | -C COMMAND) [-v]

CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to the webmin instance
  -k, --insecure
  -u USERNAME, --username USERNAME
                        Username to connect to the webmin.
  -p PASSWORD, --password PASSWORD
                        Password to connect to the webmin.
  -I, --interactive     Interactive console mode.
  -C COMMAND, --command COMMAND
                        Only execute the specified command.
  -v, --verbose         Verbose mode. (default: False)

Mitigation

Update to Webmin >= 1.997.

Demonstration

demo.mp4

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

References

Awesome-RCE-techniques

Awesome list of step by step techniques to achieve Remote Code Execution on various apps!

Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

LDAPmonitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

ApacheTomcatScanner

A python script to scan for Apache Tomcat server vulnerabilities.

smbclient-ng

smbclient-ng, a fast and user friendly way to interact with SMB shares.

webapp-wordlists

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

windows-coerced-authentication-methods

A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.

FindUncommonShares

FindUncommonShares is a Python script allowing to quickly find uncommon shares in vast Windows Domains, and filter by READ or WRITE accesses.

ipsourcebypass

This Python script can be used to bypass IP source restrictions using HTTP headers.

LDAPWordlistHarvester

A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.

ExtractBitlockerKeys

A system administration or post-exploitation script to automatically extract the bitlocker recovery keys from a domain.

DumpSMBShare

A script to dump files and folders remotely from a Windows SMB share.

GeoWordlists

GeoWordlists is a tool to generate wordlists of passwords containing cities at a defined distance around the client city.

MSSQL-Analysis-Coerce

A technique to coerce a Windows SQL Server to authenticate on an arbitrary machine.

ctfd-parser

A python script to dump all the challenges locally of a CTFd-based Capture the Flag.

ldap2json

The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file.

pdbdownload

A Python script to download PDB files associated with a Portable Executable (PE)

Tomcat-webshell-application

A webshell application and interactive shell for pentesting Apache Tomcat servers.

CVE-2022-21907-http.sys

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

objectwalker

A python module to explore the object tree to extract paths to interesting objects in memory.

RDWAtool

A python script to extract information from a Microsoft Remote Desktop Web Access (RDWA) application

CVE-2021-43008-AdminerRead

Exploit tool for CVE-2021-43008 Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability

pyLAPS

Python setter/getter for property ms-Mcs-AdmPwd used by LAPS.

LFIDump

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.

Wordpress-webshell-plugin

A webshell plugin and interactive shell for pentesting a WordPress website.

owabrute

Hydra wrapper for bruteforcing Microsoft Outlook Web Application.

ldapconsole

The ldapconsole script allows you to perform custom LDAP requests to a Windows domain.

pydsinternals

A Python native library containing necessary classes, functions and structures to interact with Windows Active Directory.

CVE-2022-45771-Pwndoc-LFI-to-RCE

Pwndoc local file inclusion to remote code execution of Node.js code on the server

volatility2-profiles

Memory mapping profiles for forensic analysis using volatility 2

microsoft-rpc-fuzzing-tools

This repository contains a list of python scripts to work with Microsoft RPC for research purposes.

RemoteMouse-3.008-Exploit

This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

Joomla-webshell-plugin

A webshell plugin and interactive shell for pentesting a Joomla website.

robotstester

This Python script can enumerate all URLs present in robots.txt files, and test whether they can be accessed or not.

DomainUsersToXLSX

Extract all users from an Active Directory domain to an Excel worksheet.

sectools

A Python native library containing lots of useful functions to write efficient scripts to hack stuff.

Argon2Cracker

A multithreaded bruteforcer of argon2 hashes.

p0dalirius

Front page README of my GitHub profile

Moodle-webshell-plugin

A webshell plugin and interactive shell for pentesting a Moodle instance.

WifiListProbeRequests

Monitor 802.11 probe requests from a capture file or network sniffing!

GetFortinetSerialNumber

A Python script to extract the serial number of a remote Fortinet device.

TargetAllDomainObjects

A python wrapper to run a command on against all users/computers/DCs of a Windows Domain

crEAP

crEAP will identify WPA Enterprise mode EAP types and harvest usernames and/or handshakes if insecure protocols are in use.

RobotsValidator

A python script to check if URLs are allowed or disallowed by a robots.txt file.

AccountShadowTakeover

A python script to automatically add a KeyCredentialLink to newly created users, by quickly connecting to them with default credentials.

msFlagsDecoder

Decode the values of common Windows properties such as userAccountControl and sAMAccountType.

volatility3-symbols

Memory mapping profiles for forensic analysis using volatility 3

crawlersuseragents

Python script to check if there is any differences in responses of an application when the request comes from a search engine's crawler.

Hashes-Harvester

Automatically extracts NT and LM hashes from Windows memory dumps based on volatility.

MSRPRN-Coerce

A python script to force authentication using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).

binaryexploitation

A massive documentation about binary protections, exploitation techniques, and computer architecture concepts.

TimeBasedLoginUserEnum

A script to enumerate valid usernames based on the requests response times.

CVE-2022-30780-lighttpd-denial-of-service

CVE-2022-30780 - lighttpd remote denial of service

GithubBackupAllRepos

A Python script to backup all repos (public or private) of a user.

Sprayer

Multithreaded spraying of a password on all accounts of a domain.

CVE-2020-14144-GiTea-git-hooks-rce

A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks

LootApacheServerStatus

A script to automatically dump all URLs present in /server-status to a file locally.

CVE-2016-10956-mail-masta

MailMasta wordpress plugin Local File Inclusion vulnerability (CVE-2016-10956)

DescribeNTSecurityDescriptor

A python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.

volatility2docker

A volatility 2 docker for forensic investigations

http-fuzzing-scripts

A collection of http fuzzing python scripts to fuzz HTTP servers for bugs.

hivetools

A collection of python scripts to work with Windows Hives.

gitea-extract-users

A Python script to extract the list of users of a GiTea instance, unauthenticated or authenticated.

GhostSPN

List accounts with Service Principal Names (SPN) not linked to active dns records in an Active Directory Domain.

windows-cryptography-explained

Detailed explanation of Windows cryptographic algorithms, with examples and schemes.

LimeSurvey-webshell-plugin

A webshell plugin and interactive shell for pentesting a LimeSurvey application.

ParseFortinetSerialNumber

A Python script to parse Fortinet products serial numbers, and detect the associated model and revision.

wav2mmv

WAV to MMV converter. You can then use the MMV file in input of MSSTV to decode Slow Scan Television (SSTV) sound signals.

JoGet-webshell-plugin

A webshell plugin and interactive shell for pentesting JoGet application.

CVE-2022-26159-Ametys-Autocompletion-XML

A python exploit to automatically dump all the data stored by the auto-completion plugin of Ametys CMS to a local sqlite database file.

CodeIgniter-session-unsign

Command line tool to fetch, decode and brute-force CodeIgniter session cookies by guessing and bruteforcing secret keys.

goLAPS

Go setter/getter for property ms-Mcs-AdmPwd used by LAPS.

CVE-2018-16763-FuelCMS-1.4.1-RCE

Exploit to trigger RCE for CVE-2018-16763 on FuelCMS <= 1.4.1 and interactive shell.

ListValidGSuiteEmails

A Python script to list valid emails of GSuite accounts.

Joomla-1.6-1.7-2.5-Privilege-Escalation-Vulnerability

A Python script to create an administrator account on Joomla! 1.6/1.7/2.5 using a privilege escalation vulnerability

factorizator

A script to factorize integers with sagemath and factordb.

hexcat

A tool to show only printable characters of a file

DescribeSDDL

A python tool to parse and describe the SDDL string.

mercurial-scm-extract

A tool to extract and dump files of mercurial SCM exposed on a web server.

FindAzureDomainTenant

A Python script to find tenant id an region from a list of domain names.

SortWindowsISOs

Extract the windows major and minor build numbers from an ISO file, and automatically sort the iso files.

pwndocapi

A python library to interact with Pwndoc instances for pentest reports generation

WindowsBuilds

This repository contains the list of windows builds as parsable JSON files.

python_packages_paths

This repository contains paths to python modules from inside python modules.

UsersWithPwdLastSetOlderThan

Extract all users from an Active Directory domain with password last set older than X days to an Excel worksheet.

linux-kernels

List of linux kernel versions and download links in JSON

CVE-2021-31800-Impacket-SMB-Server-Arbitrary-file-read-write

A path traversal in smbserver.py allows an attacker to read/write arbitrary files on the server.

streamableDownloader

A simple python script to download videos hosted on streamable from their link

Windows-Hardening

win32errorcodes

A small C/C++ library to lookup Windows error codes.

SweetRice-webshell-plugin

A webshell plugin and interactive shell for pentesting a SweetRice website.

CrackedNTDStoXLSX

A python tool to generate an Excel file linking the list of cracked accounts and their LDAP attributes.

SymfonyDumpSource

A python script to automatically dump files and source code of a Symfony server in debug mode.

what-if

lib-parseargs

A simple library to parse command line arguments in C++.

CVE-2020-8813-Cacti-RCE-in-graph_realtime

CVE-2020-8813 - RCE through graph_realtime.php in Cacti 1.2.8

pdsimage-downloader

A python script to filter by filename and download PDS images.

stackdumper

A python tool to autmatically dump the stack content with a format string vulnerability in CTF.

SortPEbyVersions

A Python script to sort Portable Executable (PE) files by their version and download debug symbols if existing.

CpuCoresTemperatureGraph

A python tool to print CPU core temperatures for each cores.