czwartek, 16 listopada 2017

More SQL Injections in ManageEngine Applications Manager 13

Last time we saw few bugs found in latest ManageEngine Applications Manager 13. Today I decided to publish another 6 (so called ;] '0day') exploits (found between 6-7.11.2017). Details below...

Let's start from the beginning:

1) /manageApplications.do?method=AddSubGroup -- haid

Simple 'verification' done using sqlmap:


...and after a while we can see something similar to the screen presented below:


Next.


2) /showresource.do?resourceid=10000015 -- resourceid:

This time, vulnerable is "resourceid" parameter, check it out:


Next.

3) /manageConfMons.do  -- groupname:








Next.

4) /MyPage.do?method=viewDashBoard&forpage=1 -- forpage:



Next.

5) /showresource.do?resourceid=10000015 -- resourceid (again):




6) /MyPage.do -- widgetid:



All (copy/paste) requests you will find here.

(Now also described as CVE-2017-16846, CVE-2017-16847, CVE-2017-16848, CVE-2017-16849, CVE-2017-16850, CVE-2017-16851).

Comments/feedback/questions?

Cheers

o/






2 komentarze:

  1. Hello there,

    We apologise for the inconvenience this may have caused to our customers.
    These issues were fixed in December itself, with the release of version 13530. Please upgrade to the latest version from here: http://bit.ly/Apm13640

    ManageEngine

    OdpowiedzUsuń
  2. Apologies for the inconvenience. The issues were fixed in December 2017 itself, with the release of build 13530. Please upgrade to the latest version from here: http://bit.ly/Apm13640
    -ManageEngine

    OdpowiedzUsuń