module
ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
| Disclosed | Created |
|---|---|
| 06/08/2014 | 05/30/2018 |
Disclosed
06/08/2014
Created
05/30/2018
Description
This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet,
which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and
Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The
SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as
the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older
or upgraded builds). MySQL targets are more reliable due to the use of relative paths;
with PostgreSQL you should find the web root path via other means and specify it with
WEB_ROOT.
The injection is only exploitable via a GET request, which means that the payload
has to be sent in chunks smaller than 8000 characters (URL size limitation). Small
payloads and the use of exe-small is recommended, as you can only do between 10 and
20 injections before using up all the available ManagedConnections until the next
server restart.
This vulnerability exists in all versions released since 2006, however builds below
DC v7 70200 and PMP v6 6500 do not ship with a JSP compiler. You can still try your
luck using the MySQL targets as a JDK might be installed in the $PATH.
which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and
Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The
SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as
the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older
or upgraded builds). MySQL targets are more reliable due to the use of relative paths;
with PostgreSQL you should find the web root path via other means and specify it with
WEB_ROOT.
The injection is only exploitable via a GET request, which means that the payload
has to be sent in chunks smaller than 8000 characters (URL size limitation). Small
payloads and the use of exe-small is recommended, as you can only do between 10 and
20 injections before using up all the available ManagedConnections until the next
server restart.
This vulnerability exists in all versions released since 2006, however builds below
DC v7 70200 and PMP v6 6500 do not ship with a JSP compiler. You can still try your
luck using the MySQL targets as a JDK might be installed in the $PATH.
Author
Pedro Ribeiro
Platform
Linux,Windows
Architectures
x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/multi/http/manage_engine_dc_pmp_sqli
msf /(i) > show actions
...actions...
msf /(i) > set ACTION < action-name >
msf /(i) > show options
...show and set options...
msf /(i) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.