This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older or upgraded builds). MySQL targets are more reliable due to the use of relative paths; with PostgreSQL you should find the web root path via other means and specify it with WEB_ROOT. The injection is only exploitable via a GET request, which means that the payload has to be sent in chunks smaller than 8000 characters (URL size limitation). Small payloads and the use of exe-small is recommended, as you can only do between 10 and 20 injections before using up all the available ManagedConnections until the next server restart. This vulnerability exists in all versions released since 2006, however builds below DC v7 70200 and PMP v6 6500 do not ship with a JSP compiler. You can still try your luck using the MySQL targets as a JDK might be installed in the $PATH.
Linux,Windows
x86
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security