Unauthenticated RCE in Zoho ManageEngine SAML SSO

This repository is an exploit for CVE-2022-47966, targeting multiple ManageEngine products vulnerable to unauthenticated remote code execution via SAML SSO. The exploit is implemented in Python (main.py) and is part of the hgrab-framework. It takes a list of target URLs (in a file) and a command to execute as arguments. For each target, it crafts a malicious SAMLResponse XML containing an XSLT transform that leverages Java's Runtime.exec() to execute the supplied command on the server. The payload is sent via HTTP POST to the /SamlResponseServlet endpoint of the target. The exploit is operational, allowing arbitrary command execution if the target is vulnerable. The repository contains a README with usage instructions and a single exploit script (main.py).

This repository contains a proof-of-concept (POC) exploit for CVE-2022-47966, a pre-authentication remote code execution vulnerability affecting several ManageEngine products that use Apache Santuario (xmlsec) <= 1.4.1. The exploit is implemented in a single Python script (CVE-2022-47966.py) that crafts a malicious SAML response containing an XSLT transform. This transform abuses Java's Runtime.exec method to execute arbitrary commands on the target server. The script takes three arguments: the target SAML endpoint URL, the command to execute, and an optional SAML issuer. The README.md provides detailed usage instructions, affected product lists, technical analysis links, and example endpoints. The exploit targets network-accessible SAML endpoints and is effective against products that do not perform additional validation on SAML responses. The repository is structured simply, with one exploit script and a comprehensive README.