CVE-2022-47966 PoC — 多款ZOHO ManageEngine产品安全漏洞

Source

https://github.com/ACE-Responder/CVE-2022-47966_checker

Associated Vulnerability

Title:多款ZOHO ManageEngine产品安全漏洞 (CVE-2022-47966)
Description:ZOHO ManageEngine ADAudit Plus和ZOHO ManageEngine Access Manager Plus都是美国卓豪（ZOHO）公司的产品。ZOHO ManageEngine ADAudit Plus是用于简化审计、证明合规性和检测威胁。ZOHO ManageEngine Access Manager Plus是一种特权会话管理解决方案，用于企业集中、保护和管理特权会话的远程访问。多款ZOHO ManageEngine产品存在安全漏洞，该漏洞源于产品中使用了 Apache

Description

Run on your ManageEngine server

Readme

# CVE-2022-47966_checker

Quick and dirty powershell script to look for ManageEngine CVE-2022-47966 IOCs. The script will parse requests in ME HTTP access logs. If a characteristic SAML request is found, it will attempt to decode and extract the attacker's payload. Findings are written to `C:\aceresponder_CVE-2022-47966_checker.csv`. Run as Admin.

Fair warning: these logs don't last long if you have an internet-facing ManageEngine server. The absence of IOCs doesn't mean you're in the clear. Check the oldest log file in `C:\Program Files\ManageEngine\ServiceDesk\logs\access\` for confirmation. Make sure your alerts are up-to-date and hunt for any suspicious activity from the ManageEngine computer account and/or the ME java process.
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml

![](https://assets.aceresponder.com/github/CVE-2022-47966_checker.png)

File Snapshot


 [4.0K]  /data/pocs/8532d2836fae86c0f90bec8009fd25bdac69d9e5
├── [2.1K]  CVE-2022-47966_checker.ps1
└── [ 939]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!