Paul Johnston's javascript-MD5 digest algorithm


Guest
Posted on 16-01-09 02:19
Hey again, looking for some insight.
Paul Johnston, an Information Security employee for HBOS, "one of the major UK banks," developed this neat encryption known as "RFC 1321."
RFC 1321 explained:
http://www.faqs.o. . .c1321.html

RFC 1321 is the algorithm used in the "Cymphonix" filter to restrict unnecessary servers or websites.
For example if I were to visit "http://addictinggames.com/" the filter would return the following:
Code

<SCRIPT language=3DJavaScript>
      function submit() {
        var pass =3D document.getElementById('pass').value;
   var url =3D =
"http://addictinggames.com/?CFBData=3D3BEDBDCE92AC4048F4651F32EBEDD05F_1"=
;
   if ((pass !=3D '') && (pass !=3D null)) {
     url +=3D '*' + hex_md5(pass);
     document.location.href =3D url;
   }
      }
    </SCRIPT>




So for starting, the URL would be:
http://addictinggames.com/?CFBData=3D3BEDBDCE92AC4048F4651F32EBEDD05F_1

Now with the URL I would have to attach on the following:
Code
url +=3D '*' + hex_md5(pass);




I just noticed:
Code

<FORM id=3Dpass_form name=3Dpass_form =
action=3Djavascript:submit();>Bypass=20
      password: <INPUT id=3Dpass type=3Dpassword name=3Dpass> <INPUT =
type=3Dsubmit value=3DSubmit name=3DSubmit></FORM>




Maybe I could void the id and gain some authority over the script or inject my own "3Dpass". Has something to do with 464-Bit phrase or a multiple of 16, or 32-Bit phrase. It beats the hell out of me.
Moreover, I am unsure and may seriously need that Advil now. Well, if you know any methods of decryption or bypassing this to get the "Bypass Password" then I would be thrilled to read whatever you can offer me. From flames to.. brainfuck.

I'll check up on this one later. If you know anything about where I may find the database the hash is stored in, I am all ears. Thanks, talk to you all sooner or later.
-Nave


Edited by on 16-01-09 02:24
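
The `=3D`, `=20` and line-ending `=` in the snippets above are quoted-printable transfer encoding (RFC 2045), so once decoded the input's id reads `pass`, not `3Dpass`. The decoder below is an added example, not part of the original post or of the filter's code; `decodeQuotedPrintable` and `extractIds` are names chosen for this example, and the sample lines are copied from the post.

```javascript
// Added example: decode the quoted-printable (RFC 2045) markup quoted in the post.
// Assumes single-byte (ASCII/Latin-1) content, which is all the snippet contains.
function decodeQuotedPrintable(text) {
  return text
    .replace(/\r\n/g, "\n")
    // Whitespace at the end of an encoded line is transport padding, not data.
    .replace(/[ \t]+$/gm, "")
    // Soft line break: "=" as the last character joins the line with the next one.
    .replace(/=\n/g, "")
    // "=XX" is one byte written as two hex digits ("=3D" is "=", "=20" is a space).
    .replace(/=([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// List the id attribute values found in a piece of markup (hypothetical helper).
function extractIds(html) {
  return [...html.matchAll(/\bid=["']?([\w-]+)/gi)].map((m) => m[1]);
}

// Lines copied from the post, still quoted-printable encoded.
const URL_QP = [
  "   var url =3D =",
  '"http://addictinggames.com/?CFBData=3D3BEDBDCE92AC4048F4651F32EBEDD05F_1"=',
  ";",
].join("\n");

const FORM_QP = [
  "<FORM id=3Dpass_form name=3Dpass_form =",
  "action=3Djavascript:submit();>Bypass=20",
  "      password: <INPUT id=3Dpass type=3Dpassword name=3Dpass> <INPUT =",
  "type=3Dsubmit value=3DSubmit name=3DSubmit></FORM>",
].join("\n");

const urlLine = decodeQuotedPrintable(URL_QP);
const formHtml = decodeQuotedPrintable(FORM_QP);

console.log(urlLine);
console.log(formHtml);
// Reading ids from the encoded text gives the misleading "3D..." names;
// reading them after decoding gives the ids the browser actually sees.
console.log("encoded ids:", extractIds(FORM_QP));
console.log("decoded ids:", extractIds(formHtml));
```
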