theguly/DecryptOpManager

Credential decrypter for ManageEngine OpManager versions 11.x and 12.2. Tested on the Free and Essential versions.

By abusing some SQL injection in OpManager, it is possible to dump the table that contains managed devices' usernames, passwords and IP addresses.

OpManager encrypts passwords before storing them in the database. Of course OpManager needs the passwords in plaintext to log in to devices, so the algorithm cannot be one-way. The encryption algorithm doesn't use a per-site key, therefore reversing^Hguessing the algorithm leads to decryption of credentials on every (tested) installation.
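The design point in the paragraph above, as an added example that is not code from this repository and does not reproduce OpManager's algorithm: a key shipped with the product protects nothing once it is known, while a key generated per installation keeps one site's stored credentials unreadable with another site's key. The class name, the `SHIPPED_KEY` constant, the sample password and the choice of AES modes are all assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PerSiteKeyDemo {
    // Constructed constant standing in for a key shipped in every copy of a product.
    // It is NOT OpManager's key or algorithm.
    static final byte[] SHIPPED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // Weak pattern: same key on every installation, deterministic output.
    static byte[] sharedKeyEncrypt(String pw) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(SHIPPED_KEY, "AES"));
        return c.doFinal(pw.getBytes(StandardCharsets.UTF_8));
    }
    // Hardened pattern: per-installation key, fresh nonce per value, authenticated (AES-GCM).
    static byte[] perSiteEncrypt(SecretKey siteKey, String pw) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, siteKey, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pw.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length); // nonce || ciphertext+tag
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }
    static String perSiteDecrypt(SecretKey siteKey, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, siteKey, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String pw = "device-password"; // constructed sample value
        System.out.println("shared key, identical ciphertext on any install: "
                + Arrays.equals(sharedKeyEncrypt(pw), sharedKeyEncrypt(pw)));
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey siteA = kg.generateKey(), siteB = kg.generateKey();
        byte[] rowA = perSiteEncrypt(siteA, pw);
        System.out.println("site A reads its own row: " + perSiteDecrypt(siteA, rowA).equals(pw));
        try {
            perSiteDecrypt(siteB, rowA);
            System.out.println("unexpected: site B key decrypted site A's row");
        } catch (AEADBadTagException e) {
            System.out.println("site B key rejects site A's row");
        }
    }
}
```

In a real deployment the per-installation key would be created at install time and kept outside the database (for example in an OS-protected keystore), so that a database dump alone does not yield the stored credentials.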

Reported to the vendor on the 7th of April 2015; no fix or workaround yet.

Assigned CVE-2015-9107

Usage:

$ javac DecryptOpManager.java

$ java -cp . DecryptOpManager [encrypt|decrypt] string
