Vulnerability & Exploit Database

Back to search

ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection

This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The SQL injection can be used to achieve remote code execution as SYSTEM in Windows or as the user in Linux. This module exploits both PostgreSQL (newer builds) and MySQL (older or upgraded builds). MySQL targets are more reliable due to the use of relative paths; with PostgreSQL you should find the web root path via other means and specify it with WEB_ROOT. The injection is only exploitable via a GET request, which means that the payload has to be sent in chunks smaller than 8000 characters (URL size limitation). Small payloads and the use of exe-small is recommended, as you can only do between 10 and 20 injections before using up all the available ManagedConnections until the next server restart. This vulnerability exists in all versions released since 2006, however builds below DC v7 70200 and PMP v6 6500 do not ship with a JSP compiler. You can still try your luck using the MySQL targets as a JDK might be installed in the $PATH.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/multi/http/manage_engine_dc_pmp_sqli

Authors

  • Pedro Ribeiro <pedrib [at] gmail.com>

References

Targets

  • Automatic
  • Desktop Central v8 >= b80200 / v9 < b90039 (PostgreSQL) on Windows
  • Desktop Central MSP v8 >= b80200 / v9 < b90039 (PostgreSQL) on Windows
  • Desktop Central [MSP] v7 >= b70200 / v8 / v9 < b90039 (MySQL) on Windows
  • Password Manager Pro [MSP] v6 >= b6800 / v7 < b7003 (PostgreSQL) on Windows
  • Password Manager Pro v6 >= b6500 / v7 < b7003 (MySQL) on Windows
  • Password Manager Pro [MSP] v6 >= b6800 / v7 < b7003 (PostgreSQL) on Linux
  • Password Manager Pro v6 >= b6500 / v7 < b7003 (MySQL) on Linux

Platforms

  • linux
  • windows

Architectures

  • x86

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/manage_engine_dc_pmp_sqli msf exploit(manage_engine_dc_pmp_sqli) > show targets ...targets... msf exploit(manage_engine_dc_pmp_sqli) > set TARGET <target-id> msf exploit(manage_engine_dc_pmp_sqli) > show options ...show and set options... msf exploit(manage_engine_dc_pmp_sqli) > exploit