CVE-2018-17283 PoC — ZOHO ManageEngine OpManager 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-17283.yaml

Associated Vulnerability

Title:ZOHO ManageEngine OpManager 安全漏洞 (CVE-2018-17283)
Description:ZOHO ManageEngine OpManager是美国卓豪（ZOHO）公司的一套网络、服务器及虚拟化监控软件。 ZOHO ManageEngine OpManager 12.3 Build 123196之前版本中存在安全漏洞，该漏洞源于程序没有对/oputilsServlet请求要求身份验证。攻击者可利用该漏洞泄露信息或实施SQL注入攻击。

Description

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

File Snapshot


 id: CVE-2018-17283

info:
  name: Zoho ManageEngine OpManager - SQL Injection
  author: DhiyaneshDK


...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!