Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-36446 PoC — Webmin 安全漏洞

Source
https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE
Associated Vulnerability
Title:Webmin 安全漏洞 (CVE-2022-36446)
Description:software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
Description
A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.
Readme
![](./.github/banner.png)

<p align="center">
  A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.
  <br>
  <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE">
  <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
  <a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
  <br>
</p>


## Features

 - [x] Supports HTTP and HTTPS (even with self-signed certificates with `--insecure`).
 - [x] Single command execution with `--command` option.
 - [x] Interactive console with `--interactive` option.

## Usage

```
$ ./CVE-2022-36446.py -h
CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated) v1.1 - by @podalirius_

usage: CVE-2022-36446.py [-h] -t TARGET [-k] -u USERNAME -p PASSWORD (-I | -C COMMAND) [-v]

CVE-2022-36446 - Webmin < 1.997 - Software Package Updates RCE (Authenticated)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL to the webmin instance
  -k, --insecure
  -u USERNAME, --username USERNAME
                        Username to connect to the webmin.
  -p PASSWORD, --password PASSWORD
                        Password to connect to the webmin.
  -I, --interactive     Interactive console mode.
  -C COMMAND, --command COMMAND
                        Only execute the specified command.
  -v, --verbose         Verbose mode. (default: False)
```

## Mitigation

Update to Webmin >= 1.997.

## Demonstration

https://user-images.githubusercontent.com/79218792/184222596-3878e169-92ec-4507-99b5-3fe2c1d39360.mp4

## Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

## References
 - Vulnerable version: https://github.com/webmin/webmin/releases/download/1.996/webmin_1.996_all.deb
 - https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde
File Snapshot

 [4.0K]  /data/pocs/07ef1fd3795129066e9bc9c9673e5f9a573b9492
├── [5.2K]  CVE-2022-36446.py
├── [2.2K]  README.md
└── [4.0K]  test_env
    ├── [ 787]  Dockerfile
    └── [ 467]  Makefile

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →