# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# # Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394
Detail:
In file common/FileAttachment.jsp line 332 only check file upload extension when parameter 'module' equal to 'SSP' or 'DashBoard' or 'HomePage', and if parameter 'module' is set to 'CustomLogin' will skip check file upload extension function and upload arbitrary file to folder '/custom/login' and this file can access directly from url 'host:port/custom/login/filename' . An authenticated user with minimum permission (ex: guest) can upload webshell to server.
POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 50
Zoho ManageEngine ServiceDesk Plus SDP Arbitrary File Upload
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 322