Research & Development
$ #


SSRF vulnerability in /servlet/ADSHACluster endpoint

8.6 (High)


ManageEngine ADSelfService Plus

< 6112

Krzysztof Andrusiak and Marcin Ogorzelski

It is possible to conduct SSRF attack without authentication by sending specially crafted request to /servlet/ADSHACluster endpoint. By abusing this vulnerability an attacker can send POST requests to any address, any endpoint and can provide own parameters in POST request body. Requests can be sent via HTTPS protocol only.

  1. Start HTTPS server (which will receive POST request sent by ADSSP server).
  2. Change the following variables in script:
    ADSSP_URL - ADSSP server address
    TARGET_URL - address to which POST request will be sent (where HTTPS server from step 1 is running)
    PARAMS - arguments which will be included in POST request body
  3. Execute script.
  4. HTTPS server from step 1 should receive POST request sent from ADSSP server:
[*] Starting HTTPS server on port 8080
[*] Received POST request from!
Path: /myOwnAPI
Connection: close
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_162
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 73
  • 07-05-2021 - Vulnerability reported to vendor
  • 07-05-2021 - First response from vendor
  • 24-06-2021 - Update from vendor
  • 26-08-2021 - Fixed version release
  • 21-02-2022 - Public disclosure
  • 21-02-2022 - PoC release