来源

关联漏洞

描述

Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass Exploit/PoC

介绍

# CVE-2019-17240 Exploit/PoC - Bludit Brute-force Mitigation Bypass

> Exploit Code for [CVE-2019-17240](https://nvd.nist.gov/vuln/detail/CVE-2019-17240) aka Bludit <= 3.9.2 Bruteforce Mitigation Bypass

Exploit Links: [[ExploitDB-48942](https://www.exploit-db.com/exploits/48942)] [[PacketStorm](https://packetstormsecurity.com/files/159664/Bludit-3.9.2-Bruteforce-Mitigation-Bypass.html)]

Expected outcome: Discover login credentials, bypassing Brute-force Mechanism on host running Bludit <=3.9.2

Intended only for educational and testing in corporate environments.

This Exploit was tested on Python 3.8.6

### Usage

```shell
cfx:  ~/bludit 
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERLIST] [-p PASSLIST]

Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass

optional arguments:
  -h, --help            show this help message and exit
  -l URL, --url URL     Path to Bludit (Example: http://127.0.0.1/admin/login.php)
  -u USERLIST, --userlist USERLIST
                        Username Dictionary
  -p PASSLIST, --passlist PASSLIST
                        Password Dictionary

Exploit Usage : 
./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt
```
- Make sure Python3 is installed with following additional modules:

### Additional required Python modules :
- requests
- pwn

Installation:
```shell
pip3 install pwn
pip3 install requests
```
### Proof of Concept :

This exploit expects three user inputs :
- **URL** : Login Page url
- **User.txt** : Potential list of Usernames, for PoC purpose we have single username in user.txt
- **Pass.txt** : Dictionary with list of Passwords

#### Executing exploit

Exploit usage where the username inside **user.txt** is mapped against every password inside **pass.txt** and sent to login:

![execute](/images/execute.png)

#### Word Block

Values are sent into **X-Forwarded-For** header from **pass.txt**, if the list contains less number of passwords chances are there that a word gets blocked by the server, in that case the script will show the blocked word in the output:

![block](/images/block.png)

#### Successful Output

On successful login, following output with working credentials would be shown:

![success](/images/success.png)


## Reference
This is an exploit for the vulnerability found by [Rastating](https://rastating.github.io/) on [Bludit CMS](https://www.bludit.com/).

Vulnerability explanation: https://rastating.github.io/bludit-brute-force-mitigation-bypass/.

Patch: https://github.com/bludit/bludit/pull/1090

文件快照

 [4.0K]  /data/pocs/09b912c820457abbc3bc02e5ad0f618be04a559b
├── [3.3K]  exploit.py
├── [4.0K]  images
│   ├── [ 22K]  block.png
│   ├── [ 19K]  execute.png
│   └── [ 26K]  success.png
├── [1.0K]  LICENSE
└── [2.6K]  README.md

1 directory, 6 files

备注