This site is a kind of personal database gathering notes about my day-to-day discoveries in the IT world, mostly about security.
While some are howtos and tips (we learn a new thing every day, eh), hopefully you'll find some of them informative!

August 1, 2008

Hacking InvisionFree forums

Ever wanted to hack that InvisionFree forum that you despise? Or maybe you're the ethical hacker that simply wants to show InvisionFree owners how to stay secure (through demonstration, no less). Either way, you might find this guide useful.

Requirements:
- Basic HTML knowledge
- Advanced-ish PHP knowledge
- Advanced-ish Javascript knowledge
- An inconspicuous image
- A PHP host
- An (active) InvisionFree forum to hack
- Proxy/proxies (optional, but recommended)
- Possibly social engineering skills

That's a long list of requirements, but I'm sure most of you have these things.

STEP ONE: THE COOKIE STEALER
You need to write a cookie stealer. Preferably, the cookie stealer should present itself as an image so you don't have to redirect your victims to it (which would quickly blow your cover). I'm not going to tell you how to write one, mainly because you have an unlimited amount of information at your fingertips, hiding under the name "Google". Just have it take the cookie in a GET variable and store it in a text file or a MySQL database. If you choose the latter, remember to include a file that reads the cookies back from the database, and guard against SQL injection.

STEP TWO: IMPLEMENTATION
It's time to implement your cookie stealer. You will need the forum to have HTML in signatures. If you already have HTML in the signatures, skip to the next paragraph. If you're unlucky enough not to, you're going to have to convince the admin of the forum to enable HTML in signatures. For instance, say you have a killer Flash signature that you just HAVE to include.

Include the cookie stealer's image in an img tag. Give it a unique id like "snarfblat" or "cacklemuffs" so you can edit the image source with Javascript.

InvisionFree doesn't filter out "onFocus", which is great for us. Add a body tag with the onFocus attribute that changes snarfblat/cacklemuffs' src. It would appear something like:



Submit and try it out. If it works, congratulations! Move to step three. If it doesn't, you might have done something wrong.

STEP THREE: GETTING THE COOKIES
Post. If you feel like you're not getting good enough cookies fast enough (you want access to the ACP, the admin control panel), PM the admins.

STEP FOUR: WHAT NOW?
Crack the admin passwords. They're unsalted. If you somehow don't know how to distinguish between admin and member, find the member IDs of the admins. Then find those IDs in your cookies (e.g. [forumname]member_id=1), locate the pass_hash in those cookies, and start cracking the MD5 hashes.

Once you have the admin passwords, log in as the admins and do whatever you want.

PREVENTION
To prevent this from happening, loosely filter out the "onFocus" attribute. If you're extremely paranoid, disable HTML in signatures altogether.
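The filtering approach above done the other way round, as an added example (not code from the original post or from InvisionFree), in Python with a constructed allowlist policy and a constructed sample signature: instead of hunting for "onFocus", the sanitizer keeps only listed tags and attributes, so every on* handler, in any letter case, and the id the trick relies on are dropped, and image sources are limited to absolute http(s) URLs.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist policy (not InvisionFree's own): anything not listed is
# dropped, so on* handlers never have to be named one by one, in any letter case.
ALLOWED_TAGS = {"a", "b", "i", "u", "br", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = ("http://", "https://")

class SignatureSanitizer(HTMLParser):
    """Rebuilds signature HTML from allowlisted tags and attributes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # dropped: handy for a moderation log

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names: "ONFOCUS" and "onFocus" both arrive as "onfocus".
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")  # covers every on* handler and id
                continue
            if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}")  # only absolute http(s) sources
                continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img ... />" without a stray "</img>"
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_signature(raw):
    parser = SignatureSanitizer()   # returns (clean_html, list of dropped items)
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample in the shape the post describes: an img with an id, a body
# tag with an onFocus handler, and an allowed tag carrying one as well.
SAMPLE = ('<img id="snarfblat" src="http://example.invalid/pic.png">'
          '<body ONFOCUS="swapSource()"><b onfocus="swapSource()">sig</b>')
```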

DISCLAIMER
You are responsible for your own actions.

ref: hellboundhackers.org
