This morning I decided to start some new "challenge" related to webapp pentesting. That's how I found the latest version of ManageEngine Applications Manager. (You can grab a copy here.) Below you will find some 'results'...
TL;DR - Below you will find some details about an SQL Injection bug I found in the admin's panel.
Idea was simple: coffee + Burp + Sunday 5:00AM ;]
The grabbed request to the webapp looks like this:
To 'verify' the bug I used sqlmap, see below:
"Unfortunately" ;] the bug is accessible only to 'logged in' user(s) but maybe later I will find something else...
As far as I know, running this request (like sqlmap -r asd --sql-shell) should work as well.
In case of any questions/feedback/comments - feel free to find me @twitter.
Another SQLi bug - this time when you access the GraphicalView.do page:
Here you will find full request. Enjoy. ;]
Looks like a 3rd one. Well... :]
According to CVE Mitre, we can target this vulnerability now as CVE-2017-16542 (and CVE-2017-16543).