cbcvebase.
CVE-2016-9488
published 2018-06-05


Priority: P276 · critical · CVSS 3.0 score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 4.77% (90.8th percentile)
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Affected

4 ranges, all for vendor manageengine, product applications_manager. The version range and fixed-in columns were not captured in this extraction; the description above gives the affected builds (versions 12 and 13 before build 13200).

Detection & IOCs (extracted from sources)

url: /servlet/MenuHandlerServlet
path: /servlet/MenuHandlerServlet
command: action=verticalmenulist&config_id=0 UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--
command: action=verticalmenulist&config_id=0 ; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1); --
other: intitle:"Applications Manager Login Screen"
  • Monitor HTTP GET requests to /servlet/MenuHandlerServlet with parameters containing SQL keywords such as UNION, INSERT, SELECT, or comment sequences (-- , $$) in the config_id or action parameter values.
  • Alert on unauthenticated access to /servlet/MenuHandlerServlet — the endpoint requires no authentication and is directly exploitable.
  • Detect SQL injection payloads using PostgreSQL dollar-quoting ($$) syntax in HTTP query parameters targeting ManageEngine Applications Manager.
  • Look for the MD5 hash 21232f297a57a5a743894a0e4a801fc3 (MD5 of 'admin') appearing in HTTP responses or database records, indicating credential extraction or rogue account creation via this exploit.
  • Detect attempts to insert into am_usergrouptable with ADMIN or USERS group values via SQL injection, indicating privilege escalation through the vulnerability.
  • Password hashes extracted are unsalted MD5, making them trivially crackable. The severity of credential exposure depends on whether the backend database also permits OS command execution via SQL queries.
  • The exploit PoC targets HTTPS on port 8443 with certificate verification disabled; deployments on non-standard ports or HTTP may require adjusted detection rules.
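The first three detection bullets above, turned into a small access-log scanner. This is an added example, not code from the page or from ManageEngine: it assumes combined-format web server logs, and the sample lines are constructed for the demonstration. Parameter values are percent-decoded before matching so that encoded forms of the indicators (for example %24%24 for $$) are still flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameters named in the detection guidance above
TARGET_PATH = "/servlet/MenuHandlerServlet"
WATCHED_PARAMS = ("config_id", "action")
# Indicators from the guidance: SQL keywords, "--" comment sequences, PostgreSQL $$ dollar quoting
INDICATORS = (
    ("sql_keyword", re.compile(r"\b(?:UNION|SELECT|INSERT)\b", re.IGNORECASE)),
    ("sql_comment", re.compile(r"--")),
    ("dollar_quote", re.compile(r"\$\$")),
)
# Combined-log-format request line (assumed log format); only the fields the detector needs are captured
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def inspect_request(target):
    """Return sorted (param, indicator) pairs for one request target; [] if nothing matched."""
    parts = urlsplit(target)
    if unquote_plus(parts.path) != TARGET_PATH:
        return []
    # parse_qs percent-decodes and turns '+' into spaces first, so encoded payloads (e.g. %24%24) are caught
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = set()
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    hits.add((name, label))
    return sorted(hits)

def scan_log(lines):
    """Return one alert dict per access-log line whose request matches the indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({"src": m.group("src"), "status": m.group("status"), "hits": hits})
    return alerts

# Constructed sample lines (not from a real deployment): a legitimate menu request, a plain-text
# UNION payload, a URL-encoded INSERT payload, and the same keywords against an unrelated path
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2018:10:00:01 +0000] "GET /servlet/MenuHandlerServlet?action=verticalmenulist&config_id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jun/2018:10:00:07 +0000] "GET /servlet/MenuHandlerServlet?action=verticalmenulist&config_id=0%20UNION%20ALL%20SELECT%20userid,CONCAT(username,$$:$$,password),NULL%20FROM%20am_userpasswordtable-- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [05/Jun/2018:10:00:09 +0000] "GET /servlet/MenuHandlerServlet?action=verticalmenulist&config_id=0+%3B+INSERT+INTO+am_userpasswordtable+VALUES+(1,%24%24x%24%24)%3B+-- HTTP/1.1" 200 0',
    '10.0.0.7 - - [05/Jun/2018:10:00:11 +0000] "GET /index.do?config_id=0%20UNION%20SELECT%201 HTTP/1.1" 200 100',
]
```

Running `scan_log(SAMPLE_LOG)` yields two alerts, both for 203.0.113.9, each with the keyword, comment and dollar-quote indicators on config_id; the legitimate request and the unrelated path produce nothing.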

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P