
Defacing FTPs


By ghostghost | 9762 Reads

Ladies and Gentlemen, men and women, guys and gals, and anyone in between, welcome to another fine article by oxeh.

I have now submitted a total of two articles to HBH, counting this one. Well, that should be good. Heh, okay, enough blabbering about my accomplishments; let me teach you how to use an old vulnerability in websites whose owners use an FTP client called WS_FTP. The vulnerability has been patched in later versions of the famous FTP client.


The vulnerability in previous versions of WS_FTP is that they saved the username (unencrypted) and the password (encrypted) on the server that the user was logged onto.

Vulnerable File

The file is called WS_FTP.ini. As you have read above, the username is unencrypted and the password is encrypted. But WS_FTP was dumb enough not to use a famous encryption algorithm such as MD5, so they used their own (I'm assuming).

Example of such a file:

HOST= ftp.***.com
LOCDIR= G:\***\Download

Now, within the file above, 'UID' means 'User ID' (which is the username of the target) and 'PWD' stands for the password of the target. But our goal is to find vulnerable servers and then crack their passwords and log on to their FTP.
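The same file seen from the site owner's side, as an added example that is not part of the original article: it walks a local copy of a web root for any WS_FTP.ini that still carries a PWD= line and reports host and user without echoing the stored password. The directory names, the one-[section]-per-profile layout and the sample file contents are assumptions constructed for the example.

```python
import os
import tempfile
CRED_KEYS = {"HOST", "UID", "PWD"}

def parse_profiles(text):
    """Split INI text into profiles; a [section] line starts a new one (assumed layout)."""
    profiles, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if current:
                profiles.append(current)
            current = {"PROFILE": line[1:-1]}
        elif "=" in line:
            key, _, value = line.partition("=")
            if key.strip().upper() in CRED_KEYS:
                current[key.strip().upper()] = value.strip()
    if current:
        profiles.append(current)
    return profiles

def audit_web_root(root):
    """Report every WS_FTP.ini under root that holds a stored password, without echoing it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":   # match any casing of the file name
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for prof in parse_profiles(fh.read()):
                    if prof.get("PWD"):
                        findings.append((os.path.relpath(path, root),
                                         prof.get("HOST", ""), prof.get("UID", "")))
    return sorted(findings)

# Constructed sample profile; host, user and password value are placeholders.
SAMPLE = "[example-site]\nHOST= ftp.example.test\nUID=webmaster\nPWD=PLACEHOLDER\nLOCDIR=C:\\site\n"

def demo():
    with tempfile.TemporaryDirectory() as root:   # throwaway web root (assumed layout)
        os.makedirs(os.path.join(root, "htdocs", "images"))
        with open(os.path.join(root, "htdocs", "images", "WS_FTP.INI"), "w") as fh:
            fh.write(SAMPLE)
        return audit_web_root(root)

if __name__ == "__main__":
    for rel_path, host, uid in demo():
        print(f"{rel_path}: stored credentials for {uid}@{host}")
```

Any hit means the file should come out of the published tree and the FTP password for that account should be changed.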

PWD Decoder

Yes, you heard me, a decoder. There is a way to 'decrypt' / 'decode' the PWD line. You have to copy the whole encrypted password, including the 'PWD=' at its beginning.

Here is such a decoder: http://lab.artlung.com/ws_ftp_password_decoder/

Pretty cool eh?

Finding vulnerable servers

Now, you wouldn't be choosing a sophisticated target, because this vulnerability is pretty old, and you won't be going around every single website you know trying to find the file.

Here is where a hacker's best friend barges in, Google. Yes, Google itself. Open up google.com, and we'll be using three query types:

inurl:"WS_FTP.ini"
OR
filetype:ini WS_FTP.ini
OR
inurl:"WS_FTP.ini" PWD=

Now, there are a few pages Google brought up. Some targets on the first page might have changed their passwords, so go on to the next pages of the results and try finding which target is still vulnerable, is using the same password for his FTP and hasn't changed it since, and do whatever you want.

This document has been written for educational purposes on HellBoundHackers (HBH) and you cannot copy, redistribute, edit or claim this document is yours.

Copyright 2005 - 2006 ~ oxeh

ghost 16 years ago

nice tut! not many possible targets, though. (only 7 pages on google and 3 first pages are unrelated) how come in some FTPs the UID is anonymous?

ghost 16 years ago

just wondering why the "beginers hacking guide" got slated so much for encouraging defacement and yet this one has not been treated to the same flaming?

I don't really get off on defacing people's sites tbh, but I can see how it is important to understand how it's done …

Like I said, just wondering.