ManageEngine Security Manager Plus 5.5 SQL Injection

ManageEngine Security Manager Plus versions 5.5 build 5505 remote SYSTEM/root SQL injection exploit that spawns a shell.

ManageEngine offers simple, easy-to-use IT Management products at a price that every business can afford. It is thoughtfully built with SMBs in mind and eventually scales for large businesses. The ManageEngine 90-10 promise gets you 90% of the features of the Big 4 at 10% of the price.

Vulnerability: The SQL injection is possible on the "Advanced Search", where the input is not validated correctly. To make it even worse, the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user, which makes a remote shell with root/SYSTEM privileges possible.
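The defect described above is a search handler that splices user input straight into a SQL statement. The following is an added example, not ManageEngine's code, and it assumes nothing about the product beyond what the advisory states: an in-memory SQLite table (the product's real backend database is not named here) with a constructed list of assets, a search built by string concatenation the way the vulnerable handler evidently works, and the two fixes a reviewer would ask for: bind the term as a parameter so it can never become SQL syntax, and reject input outside the expected character set before it reaches the database at all.

```python
"""Added example: an unauthenticated 'search' endpoint written the
vulnerable way and the hardened way, so the two behaviours can be
compared on the same data.  SQLite and the sample rows are assumptions
made for this illustration; they are not from the affected product."""
import sqlite3

# Constructed sample inventory; not taken from any real installation.
ASSETS = [
    ("web01", "Linux"),
    ("db01", "Windows"),
    ("fw01", "Other"),
]


def make_db():
    """Create a fresh in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (name TEXT, os TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?)", ASSETS)
    return conn


def search_vulnerable(conn, term):
    """The flawed pattern: the term is concatenated into the statement.

    A quote character inside `term` closes the string literal and the rest
    of the input is parsed as SQL, so the caller controls the query's
    structure, not just the value being compared."""
    sql = "SELECT name FROM assets WHERE name = '" + term + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterised(conn, term):
    """Fix 1: bind the term as a parameter.

    The driver sends the value separately from the statement text, so no
    content of `term` can ever be interpreted as SQL syntax."""
    sql = "SELECT name FROM assets WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (term,)))


def is_valid_term(term):
    """Fix 2 (defence in depth): allow-list validation at the boundary.

    Asset names here are hostname-like, so only letters, digits and '-_.'
    up to 64 characters are accepted; anything else is refused before it
    is passed to the database layer."""
    return (
        0 < len(term) <= 64
        and all(c.isalnum() or c in "-_." for c in term)
    )


def search_hardened(conn, term):
    """Both fixes together: validate, then query with a bound parameter."""
    if not is_valid_term(term):
        raise ValueError("invalid search term")
    return search_parameterised(conn, term)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a quote-bearing input, used only to compare behaviour
    print("vulnerable   :", search_vulnerable(db, probe))     # every row leaks
    print("parameterised:", search_parameterised(db, probe))  # no row matches
    print("valid term?  :", is_valid_term(probe))             # rejected at the boundary
```

Run stand-alone, the script shows the concatenated query returning the entire table for a quote-bearing input while the parameterised query returns nothing, because the same input is compared as a literal string. The second part of the advisory, that the service runs as root or SYSTEM, is a separate finding with a separate fix: running the application under a dedicated low-privilege account bounds what any database-level compromise can reach, and is worth doing independently of the query fix.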