Sunday, November 5, 2017

SQL Injection in ManageEngine Applications Manager 13

This morning I decided to start a new "challenge" related to webapp pentesting. That's how I found the latest version of ManageEngine Applications Manager. (You can grab a copy here.) Below you will find some 'results'...

TL;DR - Below you will find some details about an SQL Injection bug I found in the admin panel.

The idea was simple: coffee + Burp + Sunday 5:00AM ;]

The request to the webapp that I grabbed looks like this:


To 'verify' the bug I used sqlmap, see below:


"Unfortunately" ;] the bug is accessible only to 'logged in' user(s) but maybe later I will find something else...

As far as I know, running this request (like sqlmap -r asd --sql-shell) should work as well.


In case of any questions/feedback/comments - feel free to find me @twitter.


*Update (9:22)*
Another SQLi bug - this time when you access the GraphicalView.do page:


Here you will find the full request. Enjoy. ;]


*Update (9:34)*


Looks like a 3rd one. Well... :]


*Update (19:44)*
According to CVE Mitre we can target this vulnerability now as CVE-2017-16542 (and CVE-2017-16543).


Cheers
