Pentester Academy Command Injection ISO: SugarCRM 6.3.1 Exploitation

The Pentester Academy by Vivek Ramachandran had compiled a virtual machine that consists of various vulnerable real-world application. All the application is vulnerable to Command Injection vulnerability.

Download the virtual machine here.

If you are new to the term “Command Injection” or how it works, kindly refer our first two write-up for “Command Injection ISO” published on InfoSec Institute here and here.

In this writeup, we will try to exploit a real-world application: SugarCRM.

SugarCRM is a customer-management technology which is used to build an effective and efficient customer experience. Considering different parameters an enterprise can create a fully-personalized way of forging extraordinary relationships with customers, and SugarCRM collects data obtained from sales, services and marketing. The best part about SugarCRM is that it integrates with anything and run on the devices that we use on daily basis. It gives you the whole view of your business.

Let start exploring the vulnerability in SugarCRM and get set up.

Make sure both Kali (attacker) and command injection OS (victim) network adapters are configured to NAT as shown below.

Check the IP of the attacker machine.

The IP of the attacker machine is

Make sure the victim is also configured on the same NAT network.

To identify the victim IP, perform an nmap scan for live host detection over the subnet. This can be done with the help of the following command:

#nmap -sn

This nmap command will perform live host detection scan/ping scan on all the systems that range from to

It was observed that the IP is live. Access the victim IP using the URL as shown below:

A list of vulnerable frameworks is seen.

Our target is sugarcrm. Click (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sayaala. Read the original post at: