Open lopesg opened 1 year ago
Hello @lopesg, thank you for sharing this template with us 🍻
While validating this template, apart from `null` I came across some other responses also like `showAllDomains` and `Not in Domain`, are the hosts having these responses also vulnerable?
Also, feel free to join the Discord server if you have more info that you can share directly over DM.
Hello @ritikchaddha,
Sorry for the delay in answering.
In my testing, I didn't get this behavior. I got only 2 different answers.
First, if the user does not exist, the application replied with a `null` value.
However, if the user exists the application returns the name of the domain where the user belongs.
For instance, if the domain name is TOTO, the application returns TOTO.
Right now, I don't have any vulnerable instance where I can check.
But I'm not sure it means the application is vulnerable.
For additional context, got `Not in Domain` on a system that did not look to utilize LDAP. This is probably auth specific.
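A defender-side check for the behaviour discussed in this thread, added here as an example (it is not part of the thread or of the template): it scans web access logs for a client sending many distinct requests to AJaxDomainServlet within a short window, the pattern that username enumeration produces. The Common Log Format lines, the `/PLACEHOLDER/` path prefix, the `q` parameter and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Common Log Format). "/PLACEHOLDER/" and the
# "q" parameter are stand-ins; the page does not give the real request format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=alice HTTP/1.1" 200 4
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=bob HTTP/1.1" 200 4
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=carol HTTP/1.1" 200 4
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=carol HTTP/1.1" 200 4
198.51.100.20 - - [12/Mar/2024:10:00:05 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=erin HTTP/1.1" 200 4
198.51.100.20 - - [12/Mar/2024:10:30:05 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=frank HTTP/1.1" 200 4
198.51.100.20 - - [12/Mar/2024:11:00:05 +0000] "GET /PLACEHOLDER/AJaxDomainServlet?q=grace HTTP/1.1" 200 4
203.0.113.7 - - [12/Mar/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Captures client IP, timestamp and request URI from one log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+$')

def find_enumeration(log_text, threshold=3, window=timedelta(minutes=1)):
    """Map client IP -> largest number of distinct AJaxDomainServlet request
    URIs seen inside any `window`, for clients that reach `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, uri = m.groups()
        if not uri.split("?", 1)[0].endswith("/AJaxDomainServlet"):
            continue  # only requests to the servlet named in the template
        events[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), uri))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start = best = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window start forward
            best = max(best, len({u for _, u in seen[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Repeated identical requests count once, so a health check polling a single URI stays below the threshold while a slow enumeration only surfaces with a wider window.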
Template Information
Version 9.0 and below of ManageEngine ServiceDesk allow an unauthenticated attacker to request the “AJaxDomainServlet” script to enumerate arbitrary usernames and domains. If the user does not exist, the server replies with the `null` value. If the user exists, the server returns the domain name where the user belongs. This issue was fixed in version 9.0 Build 9031.
For this template, I chose to test a non-existent user. If the server returns `null`, a vulnerable version is used. The template only tests the unauthenticated issue.
Nuclei Template