Rapid7 Vulnerability & Exploit Database

ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

Back to Search

ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection

Disclosed
11/08/2014
Created
05/30/2018

Description

ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.

Author(s)

  • Pedro Ribeiro <pedrib@gmail.com>

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/http/manageengine_pmp_privesc
msf auxiliary(manageengine_pmp_privesc) > show actions
    ...actions...
msf auxiliary(manageengine_pmp_privesc) > set ACTION < action-name >
msf auxiliary(manageengine_pmp_privesc) > show options
    ...show and set options...
msf auxiliary(manageengine_pmp_privesc) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;