ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

Disclosed: 2014-11-08
Created: 2018-05-30

Description

ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection
vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate
privileges and obtain Super Administrator access. A Super Administrator can then
dump the whole password database in CSV format. PMP can use both MySQL and
PostgreSQL databases, but this module only exploits the latter because
MySQL does not support stacked queries with Java. PostgreSQL is the default database
in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,
so a higher version does not guarantee exploitability. This module has been tested
on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in
v7.1 build 7105 and above.
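For defenders reviewing a PMP server that ran a build below 7105, the sketch below triages web access logs for requests to the endpoint named above and flags query strings that carry a stacked statement. It is an added example, not part of the module or of PMP; the Common Log Format layout, the parameter name `q` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "SQLAdvancedALSearchResult.cc"  # endpoint named in the description
# Assumption: access logs use Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A statement separator followed by a new SQL statement is a stacked query.
STACKED_RE = re.compile(
    r";\s*(select|insert|update|delete|create|drop|alter|copy)\b", re.I)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded separators (%253B) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client_ip, verdict) for every request that reaches ENDPOINT."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + ENDPOINT):
            continue
        if STACKED_RE.search(decode_fully(url.query)):
            verdict = "stacked-query"
        elif m["method"] == "POST":
            # The body is not in an access log; check proxy or WAF captures.
            verdict = "review-post-body"
        else:
            verdict = "endpoint-hit"
        findings.append((m["ip"], verdict))
    return findings

# Constructed sample lines; the parameter name "q" and values are made up.
SAMPLE = [
    '10.0.0.5 - - [08/Nov/2014:10:00:01 +0000] "GET /SQLAdvancedALSearchResult.cc?q=report HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Nov/2014:10:00:07 +0000] "GET /SQLAdvancedALSearchResult.cc?q=1%3B%20update%20demo%20set%20a%3D1 HTTP/1.1" 200 0',
    '10.0.0.9 - - [08/Nov/2014:10:00:09 +0000] "GET /SQLAdvancedALSearchResult.cc?q=1%253Bselect%25201 HTTP/1.1" 200 0',
    '10.0.0.7 - - [08/Nov/2014:10:01:00 +0000] "POST /SQLAdvancedALSearchResult.cc HTTP/1.1" 200 64',
    '10.0.0.5 - - [08/Nov/2014:10:02:00 +0000] "GET /login.jsp HTTP/1.1" 200 900',
]
```

Because the vulnerability is authenticated, each flagged client address is worth correlating with the PMP account that was logged in from it at the time.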

Author

Pedro Ribeiro <pedrib@gmail.com>

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/admin/http/manageengine_pmp_privesc
msf auxiliary(manageengine_pmp_privesc) > show actions
...actions...
msf auxiliary(manageengine_pmp_privesc) > set ACTION <action-name>
msf auxiliary(manageengine_pmp_privesc) > show options
...show and set options...
msf auxiliary(manageengine_pmp_privesc) > run
