 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 231
 Members: 0
 Total: 231
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
question about Vbulletin forum |
|
 Posted: Fri Nov 11, 2005 8:24 pm |
 |
|
| super |
| Active user |
 |
|
| Joined: Sep 19, 2005 |
| Posts: 30 |
|
|
|
 |
|
 |
|
ok I registared a null version VB forum and after that I donload the backup database from the VB forum.
now I see my pass hash in the backup file showing | Code: | | 57ebe983e50b8e129c34b0b7e8d0461b |
but when I chack in cookie.txt of my computer then I see my pass hash shoing | Code: | | 48bc02fa217cfd7c13adac0e2abddefd |
that's mean in the cookie.txt my pass value showing | Code: | | 48bc02fa217cfd7c13adac0e2abddefd |
but in the backup database(sql) my pass value showing | Code: | | 57ebe983e50b8e129c34b0b7e8d0461b |
why cookie pass value and backup pass value look like different? 
why???????
have any things which can convert the pass hash 57ebe983e50b8e129c34b0b7e8d0461b to 48bc02fa217cfd7c13adac0e2abddefd ???????????? |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 12, 2005 4:07 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Vbulletin is hard-to-exploit software 
VB uses sessionIds and salted md5 hashes. If "remember me" option is enabled, then this piece of code
| Code: |
if ($send_cookies)
{
if ($_REQUEST['cookieuser'])
{
vbsetcookie('userid', $bbuserinfo['userid']);
vbsetcookie('password', md5($bbuserinfo['password'] . '[#]license[#]'));
}
|
will set up cookie with md5 hash, combined from salted md5 hash and vbb licence number. This salted piece of data - $bbuserinfo['password'] -
is actually gotten as:
| Code: |
salted_hash = md5( md5(real_password) . salt_string )
|
So, in summary:
| Code: |
cookie_password = md5( md5( md5(real_password) . salt_string ) . licence_nr)
|
Actually kinda triple-md5 
Now, sessionhash is even less informative:
| Code: |
function fetch_sessionhash()
{
return md5(TIMENOW . SCRIPTPATH . SESSION_IDHASH . SESSION_HOST . vbrand(1, 1000000));
}
|
So, if you can get sessionhash, then only way to use it is to try somehow hijack session before real user will log out. There are protective measures in vbb against this kind of attacks, but it may be possible in some conditions.
If you will have cookie_password, then you must somehow get from vbb sql database salt value (3 chars) and additionally licence nr. Now it is possible to use standard md5 hash attack methods - wordlists and bruteforce. Of course, specially modified software is needed, because of the salted hashes. By the way, rainbow cracking will not help in case of salted hashes. |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 12, 2005 10:23 am |
|
|
| super |
| Active user |
|
|
| Joined: Sep 19, 2005 |
| Posts: 30 |
|
|
|
|
|
|
|
thanks
but what modified software I need for salted hash
Q2: which software or somthing can show this salted hash 57ebe983e50b8e129c34b0b7e8d0461b
to
48bc02fa217cfd7c13adac0e2abddefd |
|
|
|
|
| Posted: Sat Nov 12, 2005 1:23 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
more easier to sniff along the user when login to the site if u see the triple md5 and salt 
i guess u need to change a direction n find another door to break in 
[sorry if it doesnt help ] |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Nov 12, 2005 2:51 pm |
|
|
| super |
| Active user |
|
|
| Joined: Sep 19, 2005 |
| Posts: 30 |
|
|
|
|
|
|
|
what direction you talking about I don't undarstand clearly.
please explain it again |
|
|
|
|
| Posted: Sun Nov 13, 2005 8:22 am |
|
|
| super |
| Active user |
|
|
| Joined: Sep 19, 2005 |
| Posts: 30 |
|
|
|
|
|
|
|
I want to change the salt value | Code: | | backup_password = md5( md5(real_password) . salt_string ) |
TO | Code: | | cookie_password = md5( md5( md5(real_password) . salt_string ) . licence_nr) |
that's mean I want to change(convert) the backup hash value TO cookie hash value!!
which things can do it???? |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
