theguly/DecryptOpManager

Credential decrypter for ManageEngine OpManager versions 11.x and 12.2. Tested on the Free and Essential versions.

By abusing some SQL injection in OpManager, it is possible to dump the table that contains the managed devices' usernames, passwords and IP addresses.

OpManager encrypts passwords before storing them in the database. Of course, OpManager needs the passwords in plaintext to log in to devices, so the algorithm can't be one-way. The encryption algorithm doesn't use a per-site key, therefore reversing^Hguessing the algorithm leads to decryption of credentials on every (tested) installation.
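The per-site key point above, as an added Java illustration (not OpManager's algorithm and not code from this repository): with a key shipped inside the product, a stored credential opens on any installation, while a key generated per installation confines it to that site. The class name, the AES-GCM scheme and all sample values are assumptions constructed for the example.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration: hypothetical scheme, not OpManager's and not this repository's code.
public class PerSiteKeyDemo {
    // Constructed stand-in for a key compiled into every copy of a product.
    static final SecretKey SHIPPED_KEY =
        new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");

    // Returns a random 12-byte IV followed by the AES-GCM ciphertext and tag.
    static byte[] encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Reads the IV from the first 12 bytes; throws AEADBadTagException on a wrong key.
    static String decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Shipped key: a row stored at site A opens with any other copy of the product.
        byte[] rowA = encrypt(SHIPPED_KEY, "device-password-A"); // constructed sample value
        System.out.println("shipped key, other install: " + decrypt(SHIPPED_KEY, rowA));
        // Per-site key: each installation generates its own key at setup time.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey siteA = kg.generateKey(), siteB = kg.generateKey();
        byte[] rowA2 = encrypt(siteA, "device-password-A");
        System.out.println("site A key: " + decrypt(siteA, rowA2));
        try {
            decrypt(siteB, rowA2);
            System.out.println("site B key: decrypted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("site B key: rejected, tag mismatch");
        }
    }
}
```

A per-site key kept on the same host is still recoverable by anyone who compromises that host; it only removes the cross-installation decryption described here.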

The vendor was notified on the 7th of April 2015; no fix or workaround yet.

Assigned CVE-2015-9107

Usage:

$ javac DecryptOpManager.java

$ java -cp . DecryptOpManager [encrypt|decrypt] string
