CVE-2015-7766
Published: 2015-10-09
Priority: P2 (70) · Severity: critical · CVSS 2.0 base score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Public exploit available
EPSS: 80.64% (99.6th percentile)
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_opmanager | <= 11.5 | — |
| zohocorp | manageengine_opmanager | — | — |
Detection & IOCs (extracted from sources)
- Detect login attempts using the hidden default account 'IntegrationUser' with password 'plugin' against the ManageEngine OpManager login endpoint.
- Alert on POST requests to 'api/json/admin/SubmitQuery' containing SQL comment sequences (e.g., /**/) used to bypass keyword filtering, particularly patterns like INSERT/**/INTO or UPDATE/**/SET.
- Monitor for SQL queries referencing the 'pg_largeobject' table combined with lo_export calls writing .war files to the Tomcat webapps directory, indicating WAR-based RCE payload staging.
- Detect lo_export SQL calls targeting paths containing 'tomcat/webapps' with a .war extension, which indicates exploitation of the SQL query endpoint to deploy a malicious WAR payload.
- Monitor for unexpected new .war file creation and subsequent directory expansion under the Tomcat webapps folder on OpManager hosts, which may indicate automatic deployment of a malicious payload.
- Flag HTTP responses from OpManager's post-login page containing the pattern 'window.OPM.apiKey = "[a-z0-9]+"', as this indicates successful authentication and API key harvesting by an attacker.
- The hidden 'IntegrationUser' account with password 'plugin' cannot be reset through the OpManager user interface, making it a persistent attack vector on unpatched versions.
- The exploit has been confirmed to work on OpManager v11.0 and v11.4–v11.6 for Windows; detection and patching efforts should prioritize these versions.
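The SubmitQuery-related indicators above can be turned into a small request inspector. The following is an added example, not code from the CVE record or from any of the cited sources; the sample requests are constructed, and the comment-bypass rule is generalized to any SQL keyword split by a /* */ comment rather than only the INSERT/**/INTO and UPDATE/**/SET forms named above.

```python
import re
from urllib.parse import unquote_plus

# Patterns derived from the IOCs above (case-insensitive). COMMENT_BYPASS
# matches a SQL keyword immediately followed by a /* ... */ comment and then
# more text, which is the keyword-filter bypass the CVE describes.
SUBMITQUERY_PATH = re.compile(r"/api/json/admin/SubmitQuery", re.I)
COMMENT_BYPASS = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|CREATE)\s*/\*.*?\*/\s*\w", re.I | re.S)
WAR_EXPORT = re.compile(r"lo_export\s*\(.*?tomcat[\\/]+webapps.*?\.war", re.I | re.S)
LARGEOBJECT = re.compile(r"\bpg_largeobject\b", re.I)
APIKEY_LEAK = re.compile(r'window\.OPM\.apiKey = "[a-z0-9]+"')


def inspect_request(method, path, body):
    """Return the list of IOC names matched by one HTTP request."""
    hits = []
    if method.upper() == "POST" and SUBMITQUERY_PATH.search(path):
        query = unquote_plus(body)  # body is form-encoded, e.g. query=INSERT%2F**%2FINTO...
        if COMMENT_BYPASS.search(query):
            hits.append("sql-comment-keyword-bypass")
        if WAR_EXPORT.search(query):
            hits.append("lo_export-war-to-webapps")
        if LARGEOBJECT.search(query):
            hits.append("pg_largeobject-reference")
    return hits


def inspect_response(body):
    """Flag a post-login page body that exposes the OpManager API key."""
    return ["apikey-exposed-in-page"] if APIKEY_LEAK.search(body) else []


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    ("POST", "/api/json/admin/SubmitQuery", "query=SELECT+count%28*%29+FROM+Alert"),
    ("POST", "/api/json/admin/SubmitQuery", "query=INSERT%2F**%2FINTO+t+VALUES%281%29"),
    ("POST", "/api/json/admin/SubmitQuery",
     "query=SELECT+lo_export%28loid%2C+%27C%3A%2Ftomcat%2Fwebapps%2Fx.war%27%29+FROM+pg_largeobject"),
    ("GET", "/LoginPage.do", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> IOC hits, omitting requests with no hits."""
    return {i: h for i, (m, p, b) in enumerate(requests) if (h := inspect_request(m, p, b))}


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```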
No detection rules found.
Exploit-DB
ManageEngine OpManager - Remote Code Execution (Metasploit) (exploitdb · 2015-09-17)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpMa
```
Metasploit
ManageEngine OpManager Remote Code Execution (metasploit)
This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which cannot be reset through the user interface. By logging in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2015/Sep/66
- http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce
- https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
- https://www.exploit-db.com/exploits/38221/