This module includes an in-depth analysis and exploitation of a SQL Injection vulnerability identified in the ManageEngine AMUserResourceSyncServlet servlet that can be used to gain access to the underlying operating system. The module will also discuss ways in which you can audit compiled Java servlets to detect similar critical vulnerabilities.
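The servlet audit mentioned above can be partly automated once the class files have been decompiled. The Python script below is an added example written for this page; it is not course material and not ManageEngine code. It runs over a constructed, hypothetical Java fragment (the class, table and parameter names are invented) and flags SQL strings built by concatenating request parameters and JDBC sinks that receive them, while leaving a PreparedStatement with bound parameters unflagged.

```python
import re

# Constructed, hypothetical decompiled-servlet fragment used as sample input.
# Class, table and parameter names are invented; this is not ManageEngine source.
SAMPLE_JAVA = '''
public class SampleSyncServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String userId = req.getParameter("userId");
        String sql = "SELECT * FROM AM_USERS WHERE USERID=" + userId;
        ResultSet rs = stmt.executeQuery(sql);
    }
    private void safe(HttpServletRequest req) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM AM_USERS WHERE USERID=?");
        ps.setString(1, req.getParameter("userId"));
        ps.executeQuery();
    }
}
'''

# Taint source: a local variable assigned from an HTTP request parameter.
SOURCE_RE = re.compile(r'\b(\w+)\s*=\s*\w+\.getParameter\(')
# Any simple assignment "name = <expression>;" (optionally declared as String).
ASSIGN_RE = re.compile(r'\b(?:String\s+)?(\w+)\s*=\s*(.+);\s*$')
# JDBC sinks; the argument capture stops at the first ')' (good enough for triage).
SINK_RE = re.compile(r'\.(executeQuery|executeUpdate|execute|prepareStatement)\(([^)]*)\)')
# A string literal that starts a SQL statement.
SQL_RE = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)


def _tokens(expr):
    return set(re.findall(r'\b\w+\b', expr))


def audit_java(source):
    """Return [(line_number, reason)] for suspected SQL injection sinks."""
    tainted = set()      # variable names that carry request-controlled data
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        src = SOURCE_RE.search(line)
        if src:
            tainted.add(src.group(1))
            continue
        asg = ASSIGN_RE.search(line)
        if asg:
            name, rhs = asg.group(1), asg.group(2)
            used = _tokens(rhs) & tainted
            if '+' in rhs and used:
                tainted.add(name)  # string concatenation propagates taint
                if SQL_RE.search(rhs):
                    findings.append((lineno, f"SQL string built by concatenating tainted {sorted(used)}"))
        sink = SINK_RE.search(line)
        if sink:
            method, arg = sink.group(1), sink.group(2)
            used = _tokens(arg) & tainted
            if used or 'getParameter' in arg:
                what = sorted(used) or '(inline getParameter)'
                findings.append((lineno, f"{method}() receives attacker-controlled input {what}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_java(SAMPLE_JAVA):
        print(f"line {lineno}: {reason}")
```

The heuristic is deliberately shallow (single-file, no data flow across methods), so treat every hit as a lead to confirm by reading the decompiled method, not as a verdict; its value is that it surfaces the concatenation-into-executeQuery pattern quickly across a large servlet tree.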
Revert the ManageEngine virtual machine from your student control panel. You will find the credentials to the ManageEngine Applications Manager server and application accounts in your course materials.
5.3 Vulnerability Discovery
As described by the vendor,
ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and helps businesses ensure their revenue-critical applications meet end user expectations. Applications Manager offers out of the box monitoring support for 80+ applications and servers.
One of the reasons we decided to look into the ManageEngine Application Manager was because we have encountered a number of ManageEngine applications over the course of our pentesting careers.
Although the ManageEngine application portfolio has matured over the years, it is still a source of interesting vulnerabilities, as we will demonstrate during this module.
5.4 Bypassing Character Restrictions
As we previously stated, our ability to use stacked queries in the payload is very powerful. However, after testing various payloads, specifically those that include quoted strings, we noticed something strange. Let’s take a look at the following simple example in which we inject a single quote in the query.
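The reason a quote restriction alone does not protect a query is worth seeing side by side with the fix. The Python block below is an added example for this page, not code from the course or from ManageEngine: it uses an in-memory SQLite table with constructed rows (table and column names are invented) to contrast a lookup that doubles quotes but concatenates the value into a numeric comparison with a lookup that validates the type and binds it as a parameter.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application database (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE am_users (userid INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO am_users VALUES (?, ?, ?)",
                     [(1, "admin", "ADMIN"), (2, "ops", "OPERATOR"), (3, "guest", "USER")])
    return conn


def escape_quotes(value):
    """Quote-doubling 'sanitiser': only meaningful inside a quoted string literal."""
    return value.replace("'", "''")


def lookup_vulnerable(conn, userid):
    # Numeric column, so the value is concatenated without quotes: the quote
    # filter never fires and a boolean tail rewrites the WHERE clause.
    sql = "SELECT username FROM am_users WHERE userid=" + escape_quotes(userid)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, userid):
    # Validate the type first, then bind the value so it can only ever be data.
    try:
        uid = int(userid)
    except ValueError:
        return []
    rows = conn.execute("SELECT username FROM am_users WHERE userid=?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("2", "2 OR 1=1"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
```

SQLite's execute() refuses more than one statement per call, so this demo only shows the boolean-context bypass of the quote filter; the fix is the same in either case, since a bound parameter is never parsed as SQL regardless of which characters it contains.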
5.5 Blind Bats
Now that we have all of our tools and methods worked out in theory, let’s try to attack the application and see how far we can take it. So far we have mostly played with unterminated queries to understand the limitations in the attacker-provided input. We have, however, briefly shown how to use stacked queries in our payload when we tested the blind SQL injection vulnerability with the help of the pg_sleep function.
5.6 Accessing the File System
While getting access to all the information contained in the ManageEngine database is a good achievement, we are operating under the privileges of the DBA user. Therefore, we have access to far more powerful functionality than simply extracting information contained in the database.
In these situations, our goal is typically to gain system access leveraging the database layer. Usually, this is done by using database functions to read and write to the target file system. Other options, when supported, are to execute system commands through the database or to extend the database functionality to execute system commands or custom code.
5.7 PostgreSQL Extensions
While our previous example of a backdoored application script was arguably elegant, it relied on the existence of an application file that was suitable for that attack vector, i.e., a file executed by the web application. As that may not always be the case, we need to investigate alternative ways to achieve our goal. For example, it may be possible to load a database extension to define our own SQL functions that will allow us to gain remote code execution directly.
After reading the Postgres documentation, we learned that we can load an extension using the following syntax style...
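Each stage described in sections 5.5 through 5.7 (timing probes with pg_sleep, stacked statements, file access through COPY, and native-code functions loaded as extensions) leaves a distinctive statement in the PostgreSQL server log, which is where a defender can catch the whole chain. The Python scanner below is an added example for this page, not part of the course or of PostgreSQL: it assumes the server logs statements with log_statement = 'all' and a log_line_prefix of '%t [%p] %u@%d ', and runs over a constructed log excerpt in that format (the role, database and statements are invented).

```python
import re

# Constructed PostgreSQL server log excerpt (log_line_prefix = '%t [%p] %u@%d ',
# log_statement = 'all'). Roles, database name, paths and statements are made up.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4242] appmgr@amdb LOG:  statement: SELECT * FROM AM_USERS WHERE USERID=5
2024-05-01 10:00:03 UTC [4242] appmgr@amdb LOG:  statement: SELECT * FROM AM_USERS WHERE USERID=5;SELECT pg_sleep(10)
2024-05-01 10:00:20 UTC [4242] appmgr@amdb LOG:  statement: SELECT * FROM AM_USERS WHERE USERID=5;COPY (SELECT 'x') TO '/tmp/out.txt'
2024-05-01 10:00:25 UTC [4242] appmgr@amdb LOG:  statement: CREATE OR REPLACE FUNCTION f() RETURNS int AS '/tmp/x.so', 'f' LANGUAGE C STRICT
2024-05-01 10:00:30 UTC [4243] report@amdb LOG:  statement: SELECT count(*) FROM AM_USERS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\w+)@(?P<db>\w+) LOG:  statement: (?P<stmt>.*)$"
)

# Ordered rules; a statement may match several. Each tag names the technique it indicates.
RULES = [
    ("time_based_blind", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("stacked_query",    re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|COPY|CREATE|DROP|ALTER)\b", re.I)),
    ("file_io",          re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+'|\blo_(?:export|import)\s*\(|\bpg_read_file\s*\(", re.I)),
    ("program_exec",     re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b", re.I)),
    ("native_udf",       re.compile(r"\bCREATE\b.*\bFUNCTION\b.*\bLANGUAGE\s+C\b|\bCREATE\s+EXTENSION\b", re.I)),
]


def scan_postgres_log(text):
    """Return one dict per flagged statement: ts, pid, user, tags, stmt."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a statement line (or a different prefix format)
        stmt = m.group("stmt")
        tags = [name for name, rx in RULES if rx.search(stmt)]
        if tags:
            hits.append({"ts": m.group("ts"), "pid": m.group("pid"),
                         "user": m.group("user"), "tags": tags, "stmt": stmt})
    return hits


def escalation_chain(hits):
    """Per backend pid, the distinct tags in first-seen order. A session that walks
    from timing probes to file writes to native UDF creation is the full chain."""
    chains = {}
    for h in hits:
        seen = chains.setdefault(h["pid"], [])
        for tag in h["tags"]:
            if tag not in seen:
                seen.append(tag)
    return chains


if __name__ == "__main__":
    found = scan_postgres_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["pid"], h["user"], ",".join(h["tags"]), "::", h["stmt"][:60])
    print(escalation_chain(found))
```

Two points from the output matter for hardening: the application role appears as the author of every statement, so a session tagged native_udf means that role holds superuser rights it does not need for monitoring, and the stacked_query tag on routine lookups is itself strong evidence of injection, because a parameterized application query never produces a second statement after the semicolon.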
5.8 UDF Reverse Shell
Now that we have seen how to write and execute arbitrary code using PostgreSQL, the only thing remaining is to gain a reverse shell.
At this point, this should not be too difficult. Nevertheless, the following partial C code should help you along the way.
5.9 More Shells!!!
While we hopefully managed to get a shell in the last section, we did so by utilizing a network share as the location for our DLL file. However, that can only work if we are already on an internal network.
An alternative to the remote Samba extension loading is to find a method to transfer the malicious DLL to the remote server directly through an SQL query. Considering that we already know how to write arbitrary files to the remote file system using the COPY TO function, we may be tempted to do just that in our payload. Unfortunately, that will not quite work in this instance.
In this module we have demonstrated how to discover an unauthenticated SQL injection vulnerability using source code audit in a Java-based web application.
We then showed how to use time-based blind SQL injection payloads along with stacked queries in order to exfiltrate database information.
Finally, we developed an exploit that utilized Postgres User Defined Functions to gain a fully functional reverse shell.