Rapid7 Vulnerability & Exploit Database

ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

Disclosed: 11/08/2014
Created: 05/30/2018

Description

ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use those privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases, but this module only exploits the latter, as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.
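
The version and backend conditions above can be turned into an inventory triage check. This Ruby sketch is an added example, not code from Rapid7, the module or ManageEngine; the "host,version,build,backend" line format, the host names and the status names are assumptions made for illustration.

```ruby
# Added example (not Rapid7 or ManageEngine code).
# Thresholds are the ones stated in the description above.
FIRST_TESTED = [6, 8].freeze        # module tested from v6.8
FIRST_FIXED  = [7, 1, 7105].freeze  # fixed in v7.1 build 7105

# Classify one PMP installation from its version, build and database backend.
def pmp_status(version, build, backend)
  major, minor = version.split('.').map { |part| Integer(part, 10) }
  ver = [major, minor || 0]
  return :fixed if ((ver + [Integer(build, 10)]) <=> FIRST_FIXED) >= 0
  # Below the fix build: the page reports testing only from v6.8 upward.
  return :unpatched_outside_tested_range if (ver <=> FIRST_TESTED) < 0

  case backend.to_s.strip.downcase
  when 'postgresql' then :unpatched_module_applies        # backend the module targets
  when 'mysql'      then :unpatched_module_not_applicable # fix build still required
  else :unpatched_backend_unknown
  end
rescue ArgumentError, TypeError, NoMethodError
  :unparseable # missing or non-numeric version/build field
end

# Parse "host,version,build,backend" lines; blank and '#' lines are skipped.
def triage(inventory)
  inventory.each_line.each_with_object({}) do |raw, result|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    host, version, build, backend = line.split(',').map(&:strip)
    result[host] = pmp_status(version.to_s, build.to_s, backend)
  end
end

# Constructed sample data, not taken from any real environment.
SAMPLE_INVENTORY = <<~CSV
  # host,version,build,backend
  pmp-01.example.internal,7.1,7104,PostgreSQL
  pmp-02.example.internal,7.1,7105,PostgreSQL
  pmp-03.example.internal,7.0,7002,MySQL
  pmp-04.example.internal,6.5,6500,MySQL
  pmp-05.example.internal,7.1,unknown,PostgreSQL
CSV

triage(SAMPLE_INVENTORY).each { |host, status| puts "#{host}: #{status}" }
```

A MySQL-backed installation below the fix build is reported as unpatched rather than safe: the description only says this module does not target it.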

Author(s)

  • Pedro Ribeiro <pedrib@gmail.com>

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/http/manageengine_pmp_privesc
msf auxiliary(manageengine_pmp_privesc) > show actions
    ...actions...
msf auxiliary(manageengine_pmp_privesc) > set ACTION <action-name>
msf auxiliary(manageengine_pmp_privesc) > show options
    ...show and set options...
msf auxiliary(manageengine_pmp_privesc) > run
