64 lines
No EOL
3.8 KiB
Text
64 lines
No EOL
3.8 KiB
Text
Title: EQdkp <= 1.3.1 Referer Spoof to access to SQL Database
|
|
URL: http://www.eqdkp.com
|
|
Hook: "Powered by EQdkp"
|
|
Author: Eight10
|
|
Contact: Eight10@gmail.com
|
|
--------------------------------------------------------------------------------------------------------
|
|
Background: EQdkp is the largest DKP tracking program utilized largely by the MMORPG community, specifically
|
|
large use in the World of Warcraft Community among Guild/clan Websites.
|
|
--------------------------------------------------------------------------------------------------------
|
|
Discussion: A Vulnerability exists in all current versions of EQdkp that allows one to
|
|
spoof Their refering URL to gain access to an integrated class-1 MySQL Backup/Restore program
|
|
which allows one to download and modify sensitive SQL data. The script only checks for authentication
|
|
via refering url from the administration control panel. Note some sites have this funcitonality
|
|
disabled/not installed. From the EQdkp_USERS.sql file, the username/email and MD5 Hashed password can be
|
|
obtained. From there the password needs to be cracked.
|
|
|
|
Tested on: 1.3.1 Default install.
|
|
1.3.0 Default install.
|
|
---------------------------------------------------------------------------------------------------------
|
|
Exploit:
|
|
Use a referer spoofing program, like quickspoof.
|
|
|
|
Refering URL - - http://www.sitehere.com/pathtoeqdkp/admin/
|
|
Target URL - - http://www.sitehere.com/pathtoeqdkp/admin/backup
|
|
|
|
From the Control menu goto "Backup MySQL data" and select the appropraite Database*.
|
|
Download eqdkp_users.sql from there and MD5 Hashes and usernames/emails will be present.
|
|
E.g.
|
|
VALUES ('1', 'admin', 'ec67739608318602f2dd6bcb141b56bc', 'admin@guildswebsite.com', ......
|
|
---------------------------------------------------------------------------------------------------------
|
|
Alternative type attack**:
|
|
One downloads the EQDKP_users.sql and modifies the administration hash in there to be
|
|
"5f4dcc3b5aa765d61d8327deb882cf99" == password
|
|
One could then restore said Database and login to the EQdkp system as admin.
|
|
|
|
Alternate type attack 2**:
|
|
One Downloads the EQDKP_users.sql and modifies the email address to his own. Then one requests
|
|
a password reset from the "forgot my password" page. Then the reset password is emailed to the
|
|
new email address.
|
|
----------------------------------------------------------------------------------------------------------
|
|
|
|
Futher Discussion: As we know people tend to use the same passwords in multiple places, especially when
|
|
the topics are related, for instance WoW account information and WoW clan websites. Along with similiar
|
|
passes often used for the email address, which one can retrieve account names from the blizzards site.
|
|
Note, when cracking, the requirements for WoW passwords, I believe it is atleast 8 characters long containing
|
|
both numbers and letters. These can be difficult hashes to break but when the passwords are weak dictionary words
|
|
simply followed by numbers, a good amount of success can be achieved. This method is especially good when
|
|
you already have appropriately generated rainbow tables, or hashes can be sent to online hash crackers.
|
|
|
|
*Note Other databases can be obtained using this SQL backup tool too! Such as PHPBB databases.
|
|
**(Note Sometimes Permission settings prevent SQL restores)
|
|
|
|
Shout Out:
|
|
RichyPoo (Calrich AKA Faglord). Throhg (pwnt). BrowerPower. Bliznat(ty)
|
|
_______ _________ _______ _________ __ _______
|
|
( ____ \\__ __/( ____ \|\ /|\__ __// \ ( __ )
|
|
| ( \/ ) ( | ( \/| ) ( | ) ( \/) ) | ( ) |
|
|
| (__ | | | | | (___) | | | | | | | / |
|
|
| __) | | | | ____ | ___ | | | | | | (/ /) |
|
|
| ( | | | | \_ )| ( ) | | | | | | / | |
|
|
| (____/\___) (___| (___) || ) ( | | | __) (_| (__) |
|
|
(_______/\_______/(_______)|/ \| )_( \____/(_______)
|
|
|
|
# milw0rm.com [2007-02-02] |