ManageEngine products Service Desk Plus, Asset Explorer, Support Center, and IT360 suffer from file upload and directory traversal vulnerabilities.
b54ee8abb80c4bd0609677cf861ed3705c479b3f720f286b5441144adbe04dd3
This Metasploit module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus versions 5310 and below, caused by execution of the bcp.exe file inside the ADSHACluster servlet.
3d8c5a206e655ffc1020ae9dc72f79a8470fd65b1714a8754570a275ba8cf2ad
This Metasploit module exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script without validating the user-supplied parameter when the given system is OfficeSharePointServer.
a9eac798117fa04eab31bed74f5ad242fd765118d1e7c673979dc44d64574e70
ManageEngine ServiceDesk Plus version 9.2 build 9207 suffers from an unauthorized information disclosure vulnerability.
ca5032b6240d7fcfedfe155b4a2a37add04b02783d944b43d7889190c570b156
This Metasploit module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. Please note that by default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in the file rdslog0.txt. This exploit was successfully tested on version 9, build 90109 and build 91084.
8c99cf5f1217da665c86fd771e4aa70d6faca00dd6c6fcfa981543f8297351af
This Metasploit module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus. The vulnerability exists in the FileUploader servlet which accepts unauthenticated file uploads. This Metasploit module has been tested successfully on versions v9 b9000 - b9102 in Windows and Linux. The MSP versions do not expose the vulnerable servlet.
420d521b451538bcdb3d95efb3417571e395f8709b295655dad279c97881d455
ManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.
f8c2df4202c241dffb8fdf7f5b2b23f85c16dc7b6036aaef2466f7f1c632fa98
This Metasploit module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account, can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the "postgres" user, which has full privileges and thus is able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This Metasploit module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
883715a7f63b19f3be245204a59084b8ad642d1866b7fdd2c6b33080b2dcb675
ManageEngine EventLog Analyzer version 10.6 build 10060 suffers from a SQL query execution vulnerability.
e43184b3c2e6936208082a4f3f3c97ec7847e32991323e490bc64eafefc58612
ManageEngine OpManager versions 11.5 and below suffer from a SQL query protection bypass and have hard-coded credentials.
14e7eded55b53f71e7a0c1efbb36f40694306d92477d8cda6fe7cfc83868d93e
ManageEngine Asset Explorer version 6.1 suffers from a persistent cross site scripting vulnerability.
0e0cbef4faaa90dd611f268ecebd5e06de49fa975ef884e5b752fbdcd43706b1
ManageEngine AD Audit Manager Plus versions below build 6270 suffer from a cross site scripting vulnerability.
4735134ce9bdd039e2630ec69133cc374c5e9bd945eade4e8fdf2b899bfb27a2
This Metasploit module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not correctly handle '../' sequences, which can be abused to write in the file system. Authentication is needed to exploit this vulnerability, but this module will attempt to login using the default credentials for the administrator and guest accounts. Alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior to v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed in build 9031 and above. This Metasploit module has been tested successfully in Windows and Linux on several versions.
cfe15941681878a96b266d26c1d7d9356a553c192cb7478e884d2b24e8196dcb
ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability.
f28c12e2709e29fe58c181837e6106a9c54c5b1f2469324aa04db88e1e55be7f
ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities.
ae0902d2d1251e6a705e5a528c9450f71f486b0f84a93f3094c7c09f8e7737f8
ManageEngine DeviceExpert version 5.9 suffers from a user credential disclosure vulnerability.
51e22c92f98a813a1c5ec8301f8d7ed43adbe8dcd3be82e7f05dd0b625342ecf
ManageEngine EventLog Analyzer version 7.2.2 suffers from multiple reflective cross site scripting vulnerabilities.
0bf36f68da768952108b58e9e72774b2bf741922f4c175919319cf299d4fe76d
ManageEngine Support Center Plus versions 7916 and below suffer from a directory traversal vulnerability.
7f3d4cf2f0f2823e532afe04ee4652f5b01e45dec6270e68523714952b7cd42b
ManageEngine EventLog Analyzer version 8.6 suffers from a cross site scripting vulnerability.
fb2b863e3a6c89be1bed5b157e455b433c0efa45b5c8a60e740a73a619b3c3ba
This Metasploit module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux. Authentication is not required in order to exploit this vulnerability.
ae2e0907bda1eeb2906f4560caa8085b35712d1a7fe05eeb19dddd8fe8de7ac1
ManageEngine Security Manager Plus versions 5.5 build 5505 remote SYSTEM/root SQL injection exploit that spawns a shell.
6d2a8bcbddb1c5a2fce72265db430d93c35c4e46841e736af9eb65ee5db7fa47
ManageEngine Security Manager Plus versions 5.5 build 5505 and below suffer from a path traversal vulnerability.
fa2c630e11d919d9d1b121504583b9b23aae97d94b41855b33e036271a53318b
This Metasploit module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious executable under the context of SYSTEM. No authentication is necessary to exploit this.
e2984c80e9b18bcfe0bf36c7deb7a463e4967710e4784d8a20eb3c7da32c323b
ManageEngine Support Center Plus versions 7908 and below suffer from multiple cross site scripting and shell upload vulnerabilities.
ce1d93bee37427da393ef8b2a378940e15f95dfe2266842aa8f8b6171109489a
ManageEngine Device Expert version 5.6 suffers from a Java Server ScheduleResultViewer servlet unauthenticated remote directory traversal vulnerability.
ac9ce0ef47d738091d599b3ea17bfa50dae411a0fcf3d690ac1f2757cfe3424d
ManageEngine ServiceDesk versions 8.0.0.12 and below suffer from a database disclosure vulnerability.
8ff8cb00de08190c593785661a3f7dc8b780a7ae05d5a439665cefd854ff9a44