Project 1999 - View Single Post - We wiped to Cazic for 6 hours on Saturday

456 · #3 06-26-2012, 08:02 PM

Title: EQdkp <= 1.3.1 Referer Spoof to access to SQL Database
URL: http://www.eqdkp.com
Hook: "Powered by EQdkp"
Author: Eight10
Contact: Eight10@gmail.com
--------------------------------------------------------------------------------------------------------
Background: EQdkp is the largest DKP tracking program utilized largely
by the MMORPG community, specifically
large use in the World of Warcraft Community among Guild/clan Websites.
--------------------------------------------------------------------------------------------------------
Discussion: A Vulnerability exists in all current versions of EQdkp that
allows one to
spoof Their refering URL to gain access to an integrated class-1 MySQL
Backup/Restore program
which allows one to download and modify sensitive SQL data. The script
only checks for authentication
via refering url from the administration control panel. Note some sites
have this funcitonality
disabled/not installed. From the EQdkp_USERS.sql file, the
username/email and MD5 Hashed password can be
obtained. From there the password needs to be cracked.

Tested on: 1.3.1 Default install.
1.3.0 Default install.
---------------------------------------------------------------------------------------------------------
Exploit:
Use a referer spoofing program, like quickspoof.

Refering URL - - http://www.sitehere.com/pathtoeqdkp/admin/
Target URL - - http://www.sitehere.com/pathtoeqdkp/admin/backup

From the Control menu goto "Backup MySQL data" and select the
appropraite Database*.
Download eqdkp_users.sql from there and MD5 Hashes and usernames/emails
will be present.
E.g.
VALUES ('1', 'admin', 'ec67739608318602f2dd6bcb141b56bc',
'admin@guildswebsite.com', ......
---------------------------------------------------------------------------------------------------------
Alternative type attack**:
One downloads the EQDKP_users.sql and modifies the administration hash
in there to be
"5f4dcc3b5aa765d61d8327deb882cf99" == password
One could then restore said Database and login to the EQdkp system as
admin.

Alternate type attack 2**:
One Downloads the EQDKP_users.sql and modifies the email address to his
own. Then one requests
a password reset from the "forgot my password" page. Then the reset
password is emailed to the
new email address.
----------------------------------------------------------------------------------------------------------

Futher Discussion: As we know people tend to use the same passwords in
multiple places, especially when
the topics are related, for instance WoW account information and WoW
clan websites. Along with similiar
passes often used for the email address, which one can retrieve account
names from the blizzards site.
Note, when cracking, the requirements for WoW passwords, I believe it is
atleast 8 characters long containing
both numbers and letters. These can be difficult hashes to break but
when the passwords are weak dictionary words
simply followed by numbers, a good amount of success can be achieved.
This method is especially good when
you already have appropriately generated rainbow tables, or hashes can
be sent to online hash crackers.

*Note Other databases can be obtained using this SQL backup tool too!
Such as PHPBB databases.
**(Note Sometimes Permission settings prevent SQL restores)

Shout Out:
RichyPoo (Calrich AKA Faglord). Throhg (pwnt). BrowerPower. Bliznat(ty)
_______ _________ _______ _________ __ _______
( ____ \\__ __/( ____ \|\ /|\__ __// \ ( __ )
| ( \/ ) ( | ( \/| ) ( | ) ( \/) ) | ( ) |
| (__ | | | | | (___) | | | | | | | / |
| __) | | | | ____ | ___ | | | | | | (/ /) |
| ( | | | | \_ )| ( ) | | | | | | / | |
| (____/\___) (___| (___) || ) ( | | | __) (_| (__) |
(_______/\_______/(_______)|/ \| )_( \____/(_______)