
ManageEngine Applications Manager 14 SQL Injection / Remote Code Execution

Posted by deepcore on April 20, 2019 – 2:50 am

This Metasploit module exploits SQL injection and command injection vulnerabilities in ManageEngine Applications Manager (AM) 14 and prior versions. Because of the SQL injection vulnerability, an unauthenticated user can gain “system” privileges on the server. The exploit uses PostgreSQL to write a chosen file to the system. The module selects a “.vbs” file that ManageEngine uses for monitoring, and that runs with “system” authority, and overwrites it with the payload. In addition, it dumps the users and passwords from the database. After the malicious “.vbs” file is written, the shell session may take some time to arrive.

