Giters

ColdFusionX / CVE-2019-17240_Bludit-BF-Bypass

Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass Exploit/PoC

Home Page:http://coldfusionx.github.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

cve-2019-17240bluditbrute-forcebypasscmsexploitpocproof-of-conceptpython3pwn

CVE-2019-17240 Exploit/PoC - Bludit Brute-force Mitigation Bypass

Exploit Code for CVE-2019-17240 aka Bludit <= 3.9.2 Bruteforce Mitigation Bypass

Exploit Links: [ExploitDB-48942] [PacketStorm]

Expected outcome: Discover login credentials, bypassing Brute-force Mechanism on host running Bludit <=3.9.2

Intended only for educational and testing in corporate environments.

This Exploit was tested on Python 3.8.6

Usage

cfx:  ~/bludit 
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERLIST] [-p PASSLIST]

Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass

optional arguments:
  -h, --help            show this help message and exit
  -l URL, --url URL     Path to Bludit (Example: http://127.0.0.1/admin/login.php)
  -u USERLIST, --userlist USERLIST
                        Username Dictionary
  -p PASSLIST, --passlist PASSLIST
                        Password Dictionary

Exploit Usage : 
./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt
  • Make sure Python3 is installed with following additional modules:

Additional required Python modules :

  • requests
  • pwn

Installation:

pip3 install pwn
pip3 install requests

Proof of Concept :

This exploit expects three user inputs :

  • URL : Login Page url
  • User.txt : Potential list of Usernames, for PoC purpose we have single username in user.txt
  • Pass.txt : Dictionary with list of Passwords

Executing exploit

Exploit usage where the username inside user.txt is mapped against every password inside pass.txt and sent to login:

execute

Word Block

Values are sent into X-Forwarded-For header from pass.txt, if the list contains less number of passwords chances are there that a word gets blocked by the server, in that case the script will show the blocked word in the output:

block

Successful Output

On successful login, following output with working credentials would be shown:

success

Reference

This is an exploit for the vulnerability found by Rastating on Bludit CMS.

Vulnerability explanation: https://rastating.github.io/bludit-brute-force-mitigation-bypass/.

Patch: bludit/bludit#1090

About

Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass Exploit/PoC

http://coldfusionx.github.io

cve-2019-17240bluditbrute-forcebypasscmsexploitpocproof-of-conceptpython3pwn

License:MIT License

Languages

Language:Python 100.0%