Exploiting a common EQDKP vulnerability.

Exploiting a common EQDKP vulnerability.

By ghost | 7744 Reads |

0     0

EQDKP is a popular implementation of the DKP loot distribution system, commonly used by guilds in MMORPGs such as World of Warcraft or Everquest. MMOs often require 50+ people to kill 1 monster, that only drops 3-4 pieces of loot, which leaves a problem of how to distribute it fairly. EQDKP is a database tracking how many events someone has attended, and assigning them points which they can then use to bid on loot, an attempt to distribute loot "fairly."

The EQDKP backup system has a ref:spoof vulnerability. Although a patch has been released, it has not been widely applied. Most existing EQDKP sites are vulnerable.

The default backup directory for EQDKP is /eqdkp/admin/backup/. In unpatched systems, spoofing your referrer as /eqdkp/admin/ allows full access to /eqdkp/admin/backup/. (if you have firefox, google refspoof. if you don't have firefox, slit your wrists.)

EQDKP's default login info backup table is eqdkp_users. Some DKP backup systems are also hooked in to PHPBB installations - in which case, you can back up the PHPBB's login info directly, generally PHPBB login info is stored in something like "phpbb2_users".

If you just want to manipulate dkp standings, you can look through the DKP site, figure out who the admins are, and AIM the md5s of their passwords to md5library. You may need a few tries before you get a hash in md5library, but you can gain admin access to most dkp sites in this fashion. (md5library is an aimbot hooked up to a large collection of resolved md5 hashes.)

Now the fun part! if you have downloaded the PHPBB user-table directly and successfully get a password, you have admin access to the board. If you haven't - no worries. People suck. They don't like having to remember more than one password. pull officer/admin names from the message boards of the site, look through the dkp backup until you find a set of login info with a solvable md5. when you get a password/user combo, try it on the boards. 90% of people use the SAME login info for EQDKP as for their message board account (and often even their email accounts,) so it's fairly easy to obtain administrator access to PHPBBs on sites that have EQDKP running - or at least access to all protected forums.

It's notable that this isn't limited to PHPBBs. You will find that very frequently, EQDKP usernames and passwords will work for any associated messageboard of a guild - phpbb/ezboard/guildportal, etc.

have fun.

edit: forgot to mention! the backup menu IS backup/restore, so you can edit admin passwords. It's best to avoid doing so if you can just crack the md5 for one, but if you can't, and DO want to change the admin password… save the original md5. after you make whatever changes you want, restore their password to the original, so that they don't suspect anything. DKP and phpbb dumps also have associated email addresses, and very often people use the same PW. I'm sure you see where that is going =)