Closed YashVardhanTrip closed 3 months ago
Hi @YashVardhanTrip Could you please share the debug data for validation?
Greetings,
Here's the debug information:
-> PDiscovery's MantisBT Template Not Yielding any Results.
ProjectDiscovery's Template is not following the appropriate logic to get default credentials on the vulnerable instance.
-> Custom Template also does not yield any results, code has been attached above in the issues ticket.
-> MantisBT Vulnerable Page Accessible Via Default Credentials.
Please see to this.
Respected PDiscovery Team,
I am writing this to humbly inform you that I made some changes to my custom template and my custom build template worked in finding default credentials access on the vulnerable instance. I am mentioning the code below, please let me know if I should create a new ticket for it or the current one would suffice for the contribution.
Awaiting your response. Here's the code:

```yaml
id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: YashVardhanTripathi
  severity: high
  description: A MantisBT default admin access discovery automation.

http:
  - method: GET
    path:
    redirects: true
    extractors:

  - raw:
      - |
        POST /mantis/login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{somesome}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Connection: close
        Upgrade-Insecure-Requests: 1

        return=index.php&username={{pewpew}}&password={{password}}&secure_session=on
    payloads:
      pewpew:
    matchers:
```
Any updates on this, team? Let me know if I should recreate a new ticket for contribution or this would suffice.
Team, it's been 10 days. Kindly expedite this, or let me know to create a new "contribution" ticket for the same.
Hello @YashVardhanTrip Sometimes it takes a while to respond. Apologies for the delay, I have updated the matchers and application paths. Please review them and let me know your thoughts.
```yaml
id: mantisbt-default-credential

info:
  name: MantisBT Default Admin Login
  author: For3stCo1d,YashVardhanTripathi
  severity: high
  description: A MantisBT default admin login was discovered.
  reference:
    - https://mantisbt.org/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 1
    shodan-query: title:"MantisBT"
  tags: mantisbt,default-login

http:
  - raw:
      - |
        GET /login_password_page.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{username}}

      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}

        return=index.php&username={{username}}&password={{password}}&secure_session=on

      - |
        GET /my_view_page.php HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
    payloads:
      username:
        - administrator
      password:
        - root

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - "View Issues"
          - "Change Log"
        condition: and

      - type: regex
        part: header_3
        regex:
          - "Location: .*?/login_cookie_test.php\\?return=account_page.php"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: session
        internal: true
        group: 1
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"
```
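The difference between the template that returned nothing and the revised one above comes down to two things a template author can check before running anything: every `{{name}}` used in a raw request must be supplied by a payload or a named extractor, and a POST body must be separated from its headers by a blank line. The following lint is an added example, not code from this thread or from the nuclei-templates project. It embeds trimmed, constructed copies of both templates as input, walks the YAML by indentation so it needs no third-party library, and `BUILTIN_VARS` is an assumed subset of nuclei's built-in request variables rather than the full list.

```python
import re

# Assumed subset of nuclei's built-in request variables; any other {{name}}
# must be defined by a payload key or a named extractor.
BUILTIN_VARS = {"BaseURL", "RootURL", "Hostname", "Host", "Port", "Path", "Scheme"}

# Constructed, trimmed copy of the reporter's first template from the thread.
TEMPLATE_REPORTER = """\
id: mantisbt-default-credential
http:
  - method: GET
    path:
    extractors:
  - raw:
      - |
        POST /mantis/login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{somesome}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{pewpew}}&password={{password}}&secure_session=on
    payloads:
      pewpew:
    matchers:
"""

# Constructed, trimmed copy of the maintainers' revised template.
TEMPLATE_REVISED = """\
id: mantisbt-default-credential
http:
  - raw:
      - |
        GET /login_password_page.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login_password_page.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: MANTIS_secure_session=1; PHPSESSID={{session}}
        Content-Type: application/x-www-form-urlencoded

        return=index.php&username={{username}}&password={{password}}&secure_session=on
    attack: pitchfork
    payloads:
      username:
        - administrator
      password:
        - root
    extractors:
      - type: regex
        name: session
        internal: true
        part: header
        regex:
          - "PHPSESSID=([a-zA-Z0-9]+);"
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def nested(template, key):
    """Lines nested under every line equal to `key`, as (indent, stripped text)."""
    lines, out = template.splitlines(), []
    for i, line in enumerate(lines):
        if line.strip() != key:
            continue
        base = _indent(line)
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if _indent(nxt) <= base:
                break
            out.append((_indent(nxt), nxt.strip()))
    return out


def payloads(template):
    """Map each payload name to its listed values ([] when the key has none)."""
    found, current = {}, None
    items = nested(template, "payloads:")
    key_indent = items[0][0] if items else None
    for indent, text in items:
        if indent == key_indent and text.endswith(":"):
            current = text[:-1]
            found[current] = []
        elif current and text.startswith("- "):
            found[current].append(text[2:])
    return found


def extractor_names(template):
    names = set()
    for _, text in nested(template, "extractors:"):
        m = re.fullmatch(r"name:\s*([A-Za-z_]\w*)", text)
        if m:
            names.add(m.group(1))
    return names


def referenced_vars(template):
    return set(re.findall(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}", template))


def raw_requests(template):
    """Each `- |` literal block as stripped lines, trailing blank lines dropped."""
    lines, reqs = template.splitlines(), []
    for i, line in enumerate(lines):
        if line.strip() != "- |":
            continue
        base, body = _indent(line), []
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) <= base:
                break
            body.append(nxt.strip())
        while body and not body[-1]:
            body.pop()
        reqs.append(body)
    return reqs


def body_separated(req):
    """False when the request ends in a body line with no blank line before it."""
    last = req[-1]
    if re.match(r"^[A-Za-z-]+:\s", last) or re.match(r"^[A-Z]+ \S+ HTTP/", last):
        return True  # header-only request, nothing to separate
    return "" in req


def lint(template):
    findings = []
    pl = payloads(template)
    for name, values in pl.items():
        if not values:
            findings.append(f"payload {name} has no values")
    defined = BUILTIN_VARS | set(pl) | extractor_names(template)
    for var in sorted(referenced_vars(template) - defined):
        findings.append(f"undefined variable {{{{{var}}}}}")
    for n, req in enumerate(raw_requests(template), 1):
        if not body_separated(req):
            findings.append(f"raw request {n}: no blank line between headers and body")
    return findings


if __name__ == "__main__":
    for label, tpl in (("reporter", TEMPLATE_REPORTER), ("revised", TEMPLATE_REVISED)):
        print(label, lint(tpl) or ["ok"])
```

Run against the reporter's template it reports the empty `pewpew` payload and the undefined `{{password}}` and `{{somesome}}` variables, which is exactly why that template could never produce a match; the revised template passes clean. The checks are deliberately structural, so they can be run in CI on a template directory without ever sending a request.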
Hello @YashVardhanTrip , thank you so much for sharing this template with the community and contributing to this project :beers: You can grab some cool PD stickers over here http://nux.gg/stickers :smile:
Team, recently I discovered that the MantisBT default login template is not working and is yielding that no issues were found although the URL on which it was run is accessible via Default Credentials.
I tried to write my own custom template:
My template is not yielding any results either. Requesting you to please fix this; feel free to use my custom template as reference if needed.