CVE-2015-7387
Published 2015-09-28
CVE-2015-7387: ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via…
Priority P2 · 71 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS 80.19% (99.6th percentile)
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_eventlog_analyzer | <= 10.6 | — |
Detection & IOCs (extracted from sources)
Command: `SELECT <n>;INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(..., DECODE('...', 'base64'));--`
- Detect SQL injection bypass attempts: monitor POST requests to /event/runQuery.do where the query parameter contains a SELECT statement followed by a semicolon and INSERT/UPDATE/DELETE keywords (e.g., 'SELECT 1;INSERT INTO').
- Alert on POST requests to /event/runQuery.do from any authenticated session, including the default 'guest' account, as this endpoint is accessible to all users including low-privilege accounts.
- Detect Postgres large object abuse: watch for SQL queries referencing lo_create, lo_export, lo_unlink, or INSERT INTO pg_largeobject in traffic to /event/runQuery.do, which indicates JSP webshell staging via the database.
- Detect lo_export path traversal to the webapps directory: alert on SQL queries containing lo_export with a path referencing '..//webapps//event/', which writes a JSP payload to the web root.
- Monitor for new .jsp files appearing under the EventLog Analyzer webapps/event/ directory, which may indicate a dropped webshell from successful exploitation.
- Detect comment-based SQL keyword obfuscation in the query parameter: patterns like INSERT/**/ or pg_largeobject/**/ use inline comments to evade keyword filters.
- The exploit authenticates using default credentials (guest/guest); alert on successful logins to /event/j_security_check with username 'guest' followed by POST activity to /event/runQuery.do.
- The vulnerable endpoint /event/runQuery.do is accessible to ALL authenticated users including the default 'guest' account; the SQL query option is intentionally hidden from the UI but the endpoint remains functional.
- The embedded Postgres backend runs as SYSTEM on Windows, meaning any file written via lo_export will have SYSTEM-level privileges, enabling full OS compromise.
- The fix was delivered as a patch (Build 11200) requiring manual file replacement of runQuery_jsp.class and RunQuery.class; versions 10.6 build 10060 and earlier remain vulnerable without this patch.
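The detection bullets above, turned into a small triage routine over web-server request records. This is an added example, not code from any of the page's sources; the record layout (session, method, path, user, body), the tag names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

RUNQUERY = "/event/runQuery.do"
LOGIN = "/event/j_security_check"
# Inline comments such as INSERT/**/INTO split keywords to evade naive filters.
COMMENT = re.compile(r"/\*.*?\*/", re.S)
# An allowed SELECT, a statement separator, then a disallowed write statement.
STACKED = re.compile(r"\bSELECT\b[^;]*;\s*(INSERT|UPDATE|DELETE|CREATE|DROP|COPY)\b", re.I)
# Postgres large-object functions and catalog table used to stage a file via the database.
LARGEOBJ = re.compile(r"\b(lo_create|lo_export|lo_unlink|pg_largeobject)\b", re.I)
# lo_export destination escaping into the application's web root.
TRAVERSAL = re.compile(r"\.\./+webapps/+event/", re.I)

def classify(method, path, user, body):
    """Return the detection tags that fire for one request; an empty list means no match."""
    if method != "POST" or path != RUNQUERY:
        return []
    tags = ["runquery-access"]                   # every POST to the hidden endpoint is noteworthy
    if user == "guest":
        tags.append("guest-account")             # default low-privilege account
    raw = parse_qs(body).get("query", [""])[0]   # percent-decoded query parameter
    if COMMENT.search(raw):
        tags.append("comment-obfuscation")
    query = COMMENT.sub(" ", raw)                # comments act as whitespace: rejoin split keywords
    if STACKED.search(query):
        tags.append("stacked-write")
    if LARGEOBJ.search(query):
        tags.append("large-object-abuse")
    if TRAVERSAL.search(query):
        tags.append("webroot-traversal")
    return tags

def guest_login_then_query(events):
    """Session ids where a 'guest' login to j_security_check precedes a POST to runQuery.do."""
    logged_in, flagged = set(), []
    for session, method, path, user, _ in events:
        if path == LOGIN and user == "guest":
            logged_in.add(session)
        elif session in logged_in and method == "POST" and path == RUNQUERY:
            flagged.append(session)
    return flagged

# Constructed sample records (hypothetical): (session, method, path, user, body). Semicolons are
# percent-encoded so parse_qs never treats them as parameter separators.
SAMPLE = [
    ("s1", "POST", LOGIN, "guest", "j_username=guest&j_password=guest"),
    ("s1", "POST", RUNQUERY, "guest",
     "query=SELECT+1%3BINSERT%2F**%2FINTO%2F**%2Fpg_largeobject%2F**%2F(loid,pageno,data)+VALUES(1,0,'')%3B--"),
    ("s2", "POST", RUNQUERY, "admin", "query=SELECT+count(*)+FROM+alerts"),
    ("s3", "POST", RUNQUERY, "guest", "query=SELECT+lo_export(1,'..//webapps//event/x.jsp')"),
]
```

Record s3 shows why the large-object and traversal rules are needed alongside the stacked-write rule: a single SELECT wrapping lo_export contains no second statement, so the semicolon heuristic alone stays silent.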
No detection rules found.
Exploit-DB
ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)
exploitdb · 2015-09-29
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine EventLog Analyzer Remote Code Execution',
      'Description' => %q{
        This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6
        build 10060 and previous versions. Every authenticated user, including the default "guest"
        account, can execute SQL queries directly on the underlying Postgres database server. The
        queries are executed as the "postgres" user which has full privileges and thus is able to
        write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM
        privileges on the web server. This module has been tested successfully on ManageEngine
        EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
      },
```
Exploit-DB
ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution
exploitdb · 2015-09-14
ManageEngine EventLog Analyzer
Product Description
EventLog Analyzer carries out log analysis for all Windows, Linux and Unix systems, switches and routers (Cisco), other syslog-supporting devices, and applications like IIS and MS SQL. The EventLog Analyzer application is capable of performing real-time log file analysis. The event log file analyzer application can carry out log file analysis of imported files. The files can be imported from the archive or from any machine.
When an important security event is generated on a machine in the network, the event log file analyser application collects it, performs log analysis and displays the event on the EventLog Analyzer Dashboard in real time. The event log report is generated from the analyzed event logs. From the event log reports (graphs), you can dril
Metasploit
ManageEngine EventLog Analyzer Remote Code Execution
metasploit
This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account, can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the "postgres" user which has full privileges and thus is able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133581/ManageEngine-EventLog-Analyzer-10.6-Build-10060-SQL-Query-Execution.html
- http://packetstormsecurity.com/files/133747/ManageEngine-EventLog-Analyzer-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2015/Sep/59
- http://www.rapid7.com/db/modules/exploit/windows/misc/manageengine_eventlog_analyzer_rce
- https://www.exploit-db.com/exploits/38173/
- https://www.exploit-db.com/exploits/38352/