projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

MantisBT Template Not Working on Valid Vulnerable Instance #9890

Closed YashVardhanTrip closed 3 months ago

YashVardhanTrip commented 4 months ago

Team, recently I discovered that the MantisBT default login template is not working and is yielding that no issues were found although the URL on which it was run is accessible via Default Credentials.

I tried to write my own custom template:

```yaml
http:
  # Step 1: submit the username and pull the PHPSESSID cookie out of the response headers
  - raw:
      - |
        POST /mantis/login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Content-Type: application/x-www-form-urlencoded
        Connection: close
        Upgrade-Insecure-Requests: 1

        return=index.php&username={{username}}

    redirects: true

    extractors:
      - type: regex
        name: session
        group: 1
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"

  # Step 2: submit the password with the captured session and expect the post-login redirect
  - raw:
      - |
        POST /mantis/login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Connection: close
        Upgrade-Insecure-Requests: 1

        return=index.php&username={{username}}&password={{password}}&secure_session=on

    payloads:
      username:
        - administrator
      password:
        - root
    attack: pitchfork

    matchers:
      - type: status
        status:
          - 302
      - type: regex
        part: header
        regex:
          - "Location: .*?/login_cookie_test.php\\?return=account_page.php"
```

My template is not yielding any results either. Requesting you to please fix this; feel free to use my custom template as a reference if needed.

pussycat0x commented 3 months ago

Hi @YashVardhanTrip, could you please share the debug data for validation?

YashVardhanTrip commented 3 months ago

Greetings,

Here's the debug information:

-> PDiscovery's MantisBT template not yielding any results. [screenshots]

ProjectDiscovery's template is not following the appropriate logic to get default credentials on the vulnerable instance.

-> Custom template also does not yield any results; the code has been attached above in the issue ticket. [screenshot]

-> MantisBT vulnerable page accessible via default credentials. [screenshot]

Please see to this.

YashVardhanTrip commented 3 months ago

Respected PDiscovery Team,

I am writing this to humbly inform you that I made some changes to my custom template and my custom build template worked in finding default credentials access on the vulnerable instance. I am mentioning the code below, please let me know if I should create a new ticket for it or the current one would suffice for the contribution.

Awaiting your response. Here's the code:

```yaml
id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: YashVardhanTripathi
  severity: high
  description: A MantisBT default admin access discovery automation.

http:
```

[screenshot]

YashVardhanTrip commented 3 months ago

Any updates on this, team? Let me know if I should create a new ticket for the contribution or this one would suffice.

YashVardhanTrip commented 3 months ago

Team, it's been 10 days. Kindly expedite this, or let me know whether to create a new "contribution" ticket for the same.

pussycat0x commented 3 months ago

Hello @YashVardhanTrip, sometimes it takes a while to respond. Apologies for the delay. I have updated the matchers and application paths; please review them and let me know your thoughts.

```yaml
id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: For3stCo1d,YashVardhanTripathi
  severity: high
  description: A MantisBT default admin login was discovered.
  reference:
    - https://mantisbt.org/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 4  # four raw requests are sent per username/password pair
    shodan-query: title:"MantisBT"
  tags: mantisbt,default-login

http:
  - raw:
      # 1. Fetch the login page so the server issues a PHPSESSID cookie
      - |
        GET /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
      # 2. Submit the username, reusing the extracted session
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{username}}
      # 3. Submit the password; a successful login redirects to login_cookie_test.php
      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}

        return=index.php&username={{username}}&password={{password}}&secure_session=on
      # 4. Load an authenticated-only page to confirm the session is logged in
      - |
        GET /my_view_page.php HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
    payloads:
      username:
        - administrator
      password:
        - root

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - "View Issues"
          - "Change Log"
        condition: and

      - type: regex
        part: header_3
        regex:
          - "Location: .*?/login_cookie_test.php\\?return=account_page.php"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: session
        internal: true
        group: 1
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"
```

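
Both templates in this thread rely on the same two regexes: the `PHPSESSID` extractor and the `Location` matcher for `login_cookie_test.php`. The script below is an added example, not part of the nuclei-templates project, that re-implements the final template's extractor and `matchers-condition: and` logic in Python and runs it over constructed responses, so the matching behaviour can be reasoned about offline before pointing nuclei at a host. The response bodies, headers and the `mantis.example` hostname are constructed; treating the un-indexed `status` matcher as applying to the fourth response is an assumption made here for clarity, not a statement about nuclei's own evaluation order. It also exercises two header shapes the extractor regex would miss: a cookie with no trailing `;` attributes, and a session id containing `-`, which PHP emits when `session.sid_bits_per_character` is 6.

```python
"""Offline evaluation of the MantisBT default-login template's matcher and extractor logic."""
import re
from dataclasses import dataclass

# Regexes and words taken verbatim from the template posted in this thread.
SESSION_RE = re.compile(r"PHPSESSID=([a-zA-Z0-9]+);")
LOCATION_RE = re.compile(r"Location: .*?/login_cookie_test.php\?return=account_page.php")
LANDING_WORDS = ("View Issues", "Change Log")  # part: body_4, condition: and


@dataclass
class Response:
    """Minimal stand-in for one HTTP response of the four-step raw sequence."""
    status: int
    headers: str  # raw header block, what nuclei exposes as part: header
    body: str = ""


def extract_session(resp: Response):
    """Extractor: name=session, part=header, group=1. Returns None when the regex misses."""
    m = SESSION_RE.search(resp.headers)
    return m.group(1) if m else None


def evaluate(responses):
    """Apply the template's three matchers with matchers-condition: and.

    responses[0..3] map to the raw requests in order: GET login page,
    POST username, POST password, GET my_view_page. Sub-results are
    returned individually so a failing step can be spotted when debugging.
    """
    if len(responses) != 4:
        raise ValueError("expected exactly four responses")
    r1, _r2, r3, r4 = responses
    session = extract_session(r1)  # requests 2 and 3 depend on this value
    redirect_ok = LOCATION_RE.search(r3.headers) is not None  # part: header_3
    landing_ok = all(w in r4.body for w in LANDING_WORDS)  # part: body_4
    status_ok = r4.status == 200  # assumption: status matcher checked on the last response
    return {
        "session": session,
        "redirect_ok": redirect_ok,
        "landing_ok": landing_ok,
        "status_ok": status_ok,
        "matched": redirect_ok and landing_ok and status_ok,
    }


def make_success_case():
    """Constructed responses for a login that succeeds with the default pair."""
    return [
        Response(200, "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123def456; path=/; HttpOnly\r\n"),
        Response(200, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
        Response(302, "HTTP/1.1 302 Found\r\n"
                      "Location: http://mantis.example/login_cookie_test.php?return=account_page.php\r\n"),
        Response(200, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
                 body="<a href='view_all_bug_page.php'>View Issues</a> "
                      "<a href='changelog_page.php'>Change Log</a>"),
    ]


def make_failure_case():
    """Same sequence, but the password step bounces back to the login page (constructed)."""
    seq = make_success_case()
    seq[2] = Response(302, "HTTP/1.1 302 Found\r\n"
                           "Location: http://mantis.example/login_page.php?return=index.php\r\n")
    seq[3] = Response(200, "HTTP/1.1 200 OK\r\n", body="<h1>Login</h1>")
    return seq


if __name__ == "__main__":
    print("success case:", evaluate(make_success_case()))
    print("failure case:", evaluate(make_failure_case()))
    # Header shapes the extractor regex does not handle
    print(extract_session(Response(200, "Set-Cookie: PHPSESSID=abc123\r\n")))     # no trailing ';'
    print(extract_session(Response(200, "Set-Cookie: PHPSESSID=ab-cd12; path=/\r\n")))  # '-' in id
```

The last two calls return `None`: the extractor requires a `;` right after the alphanumeric run, so a `Set-Cookie` without attributes or a session id containing `-` leaves `{{session}}` unset and the later requests cannot reuse the session. If an instance behaves that way, widening the character class or dropping the trailing `;` from the regex is the first thing to check.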
pussycat0x commented 3 months ago

Hello @YashVardhanTrip , thank you so much for sharing this template with the community and contributing to this project :beers: You can grab some cool PD stickers over here http://nux.gg/stickers :smile: