module

ManageEngine Multiple Products Authenticated File Upload

Try Surface Command
Back to search
Disclosed
2014-12-15
Created
2018-05-30

Description

This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
the upload does not handle correctly '../' sequences, which can be abused to write
to the file system. Authentication is needed to exploit this vulnerability, but this module
will attempt to login using the default credentials for the administrator and guest
accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password.
For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has
been tested successfully in Windows and Linux on several versions.

Author

Pedro Ribeiro pedrib@gmail.com

Platform

Java

Architectures

java

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/multi/http/manageengine_auth_upload
    msf exploit(manageengine_auth_upload) > show targets
        ...targets...
    msf exploit(manageengine_auth_upload) > set TARGET < target-id >
    msf exploit(manageengine_auth_upload) > show options
        ...show and set options...
    msf exploit(manageengine_auth_upload) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today