This article is a write up on how I found my second critical vulnerability at the company’s internal bounty program.
I wrote this for educational purposes only. Do not perform any illegal activity or pen-testing without permission.
After a bunch of enumeration and information gathering on subdomains, I found an interesting subdomain running ManageEngine ServiceDesk Plus, which has a lot of potential security risks.
A few minutes in, I discovered a way to get RCE on this subdomain. The method requires an authenticated user to send a POST request to a vulnerable endpoint (CVE-2019-8394).
In common/FileAttachment.jsp (line 332), the upload extension is only checked when the 'module' parameter equals 'SSP', 'DashBoard' or 'HomePage'. If 'module' is set to 'CustomLogin', the extension check is skipped entirely and an arbitrary file is written to the '/custom/login' folder, from where it can be fetched directly at 'host:port/custom/login/filename'. An authenticated user with minimum permissions (e.g. guest) can therefore upload a webshell to the server.
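To make the flaw concrete, here is an added Python model of the logic the advisory describes, with the flawed gate beside a hardened version and a small log check for the resulting footprint. This is example code written for this write-up, not the ServiceDesk Plus source. The allow-list of extensions, the upload directories for modules other than CustomLogin, the FileAttachment.jsp URL path and the access-log lines are all constructed assumptions; only the module names, the CustomLogin -> /custom/login mapping and the "check only for some modules" behaviour come from the page.

```python
import posixpath
import re

# Constructed allow-list of attachment extensions; the real list used by
# ServiceDesk Plus is not given on the page, so this is an assumption.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "pdf"}

# Modules for which the advisory says the extension check actually ran.
CHECKED_MODULES = {"SSP", "DashBoard", "HomePage"}

# Module -> web-reachable upload directory. Only CustomLogin -> /custom/login
# comes from the page; the other three directories are hypothetical.
UPLOAD_DIRS = {
    "CustomLogin": "/custom/login",
    "SSP": "/attachments/ssp",
    "DashBoard": "/attachments/dashboard",
    "HomePage": "/attachments/homepage",
}


def extension_of(filename):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def has_allowed_extension(filename):
    return extension_of(filename) in ALLOWED_EXTENSIONS


def vulnerable_accepts(module, filename):
    """Model of the flawed gate: whether the check runs depends on the module.

    Any module outside CHECKED_MODULES, CustomLogin included, skips the
    check, so a .jsp is accepted unchanged.
    """
    if module in CHECKED_MODULES:
        return has_allowed_extension(filename)
    return True


def hardened_accepts(module, filename):
    """Allow-list check that runs for every module, plus a basename check.

    Unknown modules are refused instead of silently trusted, and anything
    that is not a plain file name (traversal, empty name) is rejected.
    """
    if module not in UPLOAD_DIRS:
        return False
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        return False
    return has_allowed_extension(filename)


def upload_target(module, filename, accepts):
    """URL path the upload would be served from under the given policy, or None."""
    if not accepts(module, filename):
        return None
    directory = UPLOAD_DIRS.get(module)
    if directory is None:
        return None
    return posixpath.join(directory, filename)


# Detection side: a .jsp fetched from /custom/login is the footprint of a
# planted shell. These are constructed access-log lines, not real traffic,
# and the upload URL on the first line is assumed.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "POST /common/FileAttachment.jsp?module=CustomLogin HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2019:10:01:09 +0000] "GET /custom/login/cmd.jsp?cmd=id HTTP/1.1" 200 231
10.0.0.7 - - [12/Mar/2019:10:02:44 +0000] "GET /custom/login/logo.png HTTP/1.1" 200 8192
"""

WEBSHELL_HIT = re.compile(r'"(?:GET|POST) (/custom/login/[^ ?"]+\.jsp)(?=[ ?"])')


def find_webshell_hits(log_text):
    """Return (client_ip, path) for every request for a .jsp under /custom/login."""
    hits = []
    for line in log_text.splitlines():
        match = WEBSHELL_HIT.search(line)
        if match:
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for policy in (vulnerable_accepts, hardened_accepts):
        print(policy.__name__, upload_target("CustomLogin", "shell.jsp", policy))
    print(find_webshell_hits(SAMPLE_ACCESS_LOG))
```

Running it shows `vulnerable_accepts` handing back `/custom/login/shell.jsp` for a CustomLogin upload while `hardened_accepts` refuses it, and the log scan flags only the `.jsp` request. Checking the last extension is still only a first line of defence: an upload directory that the servlet container will never execute from (or one outside the web root) removes the RCE even if the allow-list is later loosened.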
So the first thing is to acquire an account (the privileges don't matter). Rolled the dice and found the simplest account credentials of all time. This reminded me of my first bug bounty case for V* with admin:admin credentials, easy money easy life.
Got the account, so let's dive into the process of gaining RCE.
The first step is to authenticate to the application with the guest credentials; the server then sends a response with the session cookies.
After that, take the cookie values and the webshell content and put them in the sections shown in the image below (I got the webshell from this repo).
Note: edit your webshell content to have no newlines (spaces are OK). I struggled for half an hour to get my shell to run properly.
The server sent me a 200 OK response. Go check the path.
Thank god the shell popped up. I can execute arbitrary code on the web server from now on!
- Always keep your application up to date to mitigate security issues.
- Keep trying, there’s still a light at the end of the tunnel xD
References:
- Exploit Database (Offensive Security): Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
- CVE-2019-8394 (MITRE CVE entry)