AWAE Course Syllabus

  1. 0.
  2. 0.1 About the AWAE Course
  3. 0.2 Our Approach
  4. 0.3 Obtaining Support
  5. 0.4 Legal
  6. 0.5 Offensive Security Labs
  7. 0.6 Backups
  8. 1.
  9. 1.1 Web Traffic Inspection
  10. 1.2 Interacting with Web Listeners with Python
  11. 1.3 Source Code Recovery
  12. 2.
  13. 2.1 Overview
  14. 2.2 Getting Started
  15. 2.3 Atmail Vulnerability Discovery
  16. 2.4 Session Hijacking
  17. 2.5 Session Riding
  18. 2.6 Gaining Remote Code Execution
  19. 2.7 Summary
  20. 3.
  21. 3.1 Overview
  22. 3.2 GetStarted
  23. 3.3 Initial Vulnerability Discovery
  24. 3.4 Brief Review of Blind SQL Injections
  25. 3.5 Digging Deeper
  26. 3.6 Data Exfiltration
  27. 3.7 Subverting the ATutor Authentication
  28. 3.8 Authentication Gone Bad
  29. 3.9 Bypassing File Upload Restrictions
  30. 3.10 Gaining Remote Code Execution
  31. 3.11 Summary
  32. 4.
  33. 4.1 Overview
  34. 4.2 Getting Started
  35. 4.3 PHP Loose and Strict Comparisons
  36. 4.4 PHPString Conversion to Numbers
  37. 4.5 Vulnerability Discovery
  38. 4.6 Attacking the Loose Comparison
  39. 4.7 Summary
  40. 5.
  41. 5.1 Overview
  42. 5.2 Getting Started
  43. 5.3 Vulnerability Discovery
  44. 5.4 Bypassing Character Restrictions
  45. 5.5 Blind Bats
  46. 5.6 Accessing the File System
  47. 5.7 PostgreSQL Extensions
  48. 5.8 UDF Reverse Shell
  49. 5.9 More Shells!!!
  50. 5.10 Summary
  51. 6.
  52. 6.1 Overview
  53. 6.2 Getting Started
  54. 6.3 The Bassmaster Plugin
  55. 6.4 Vulnerability Discovery
  56. 6.5 Triggering the Vulnerability
  57. 6.6 Obtaining a Reverse Shell
  58. 6.7 Summary
  59. 7.
  60. 7.1 Overview
  61. 7.2 Getting Started
  62. 7.3 Introduction
  63. 7.4 Serialization Basics
  64. 7.5 DotNetNuke Vulnerability Analysis
  65. 7.6 Payload Options
  66. 7.7 Putting It All Together
  67. 7.8 ysoserial.net
  68. 7.9 Summary

5. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE

5.1 Overview

This module includes an in-depth analysis and exploitation of a SQL Injection vulnerability identified in the ManageEngineAMUserResourceSyncServlet servlet that can be used to gain access to the underlying operating system. The module will also discuss ways in which you can audit compiled Java servlets to detect similar critical vulnerabilities.

5.2 Getting Started

Revert the ManageEngine virtual machine from your student control panel. You will find the credentials to the ManageEngine Applications Manager server and application accounts in your course materials.

In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.

  • Explore unique challenges and vulnerabilities related to web applications
  • Gain access to OffSec's innovative virtual labs for a unique, hands-on learning experience
  • Earn the highly sought-after Offensive Security Web Expert (OSWE) certification
  • 5.3 Vulnerability Discovery

    As described by the vendor,

    ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and help businesses ensure their revenue-critical applications meet end user expectations. Applications Manager offers out of the box monitoring support for 80+ applications and servers.

    One of the reasons we decided to look into the ManageEngine Application Manager was because we have encountered a number of ManageEngine applications over the course of our pentesting careers.

    Although the ManageEngine application portfolio has matured over the years, it is still source of interesting vulnerabilities as we will demonstrate during this module.

  • 5.4 Bypassing Character Restrictions

    As we previously stated, our ability to use stacked queries in the payload is very powerful. However, after testing various payloads, specifically those that include quoted strings, we noticed something strange. Let’s take a look at the following simple example in which we inject a single quote in the query.

  • 5.5 Blind Bats

    Now that we have all of our tools and methods worked out in theory, let’s try to attack the application and see how far we can take it. So far we have mostly played with unterminated queries to understand the limitations in the attacker-provided input. We have, however, briefly shown how to use stacked queries in our payload when we tested the blind SQL injection vulnerability with the help of the pg_sleep function.

  • 5.6 Accessing the File System

    While getting access to all the information contained in the ManageEngine database is a good achievement, we are operating under the privileges of the DBA user. Therefore, we have access to far more powerful functionalities than simply extracting information contained in the database.

    In these situations, our goal is typically to gain system access leveraging the database layer. Usually, this is done by using database functions to read and write to the target file system. Other options, when supported, are to execute system commands through the database or to extend the database functionality to execute system commands or custom code.

  • 5.7 PostgreSQL Extensions

    While our previous example of a backdoored application script was arguably elegant, it relied on the existence of an application file that was suitable for that attack vector, i.e. a file executed by the web application. As that may not always be the case, we need to investigate alternative ways to achieve our goal. For example, it may be possible to load a database extension to define our own SQL functions that will allow us to gain remote code execution directly.

    After reading the Postgres documentation, we learned that we can load an extension using the following syntax style...

  • 5.8 UDF Reverse Shell

    Now that we have seen how to write and execute arbitrary code using PostgreSQL, the only thing remaining is to gain a reverse shell.

    At this point, this should not be too difficult. Nevertheless, the following partial C code should help you along the way.

  • 5.9 More Shells!!!

    While we hopefully managed to get a shell in the last section, we did so by utilizing a network share as the location for our DLL file. However, that can only work if we are already on an internalnetwork.

    An alternative to the remote Samba extension loading is to find a method to transfer the malicious DLL to the remote server directly through an SQL query. Considering that we already know how to write arbitrary files to the remote file system using the COPY TO function, we may be tempted to do just that in our payload. Unfortunately, that will not quite work in this instance.

  • 5.10 Summary

    In this module we have demonstrated how to discover an unauthenticated SQL injection vulnerability using source code audit in a Java-based web application.

    We then showed how to use time-based blind SQL injection payloads along with stack queries inorder to exfiltrate database information.

    Finally, we developed an exploit that utilized Postgres User Defined Functions to gain a fully functional reverse shell.

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE