Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Exploiting a common EQDKP vulnerability.


Exploiting a common EQDKP vulnerability.

By ghostghost | 7946 Reads |
0     0

EQDKP is a popular implementation of the DKP loot distribution system, commonly used by guilds in MMORPGs such as World of Warcraft or Everquest. MMOs often require 50+ people to kill 1 monster, that only drops 3-4 pieces of loot, which leaves a problem of how to distribute it fairly. EQDKP is a database tracking how many events someone has attended, and assigning them points which they can then use to bid on loot, an attempt to distribute loot "fairly."

The EQDKP backup system has a ref:spoof vulnerability. Although a patch has been released, it has not been widely applied. Most existing EQDKP sites are vulnerable.

The default backup directory for EQDKP is /eqdkp/admin/backup/. In unpatched systems, spoofing your referrer as /eqdkp/admin/ allows full access to /eqdkp/admin/backup/. (if you have firefox, google refspoof. if you don't have firefox, slit your wrists.)

EQDKP's default login info backup table is eqdkp_users. Some DKP backup systems are also hooked in to PHPBB installations - in which case, you can back up the PHPBB's login info directly, generally PHPBB login info is stored in something like "phpbb2_users".

If you just want to manipulate dkp standings, you can look through the DKP site, figure out who the admins are, and AIM the md5s of their passwords to md5library. You may need a few tries before you get a hash in md5library, but you can gain admin access to most dkp sites in this fashion. (md5library is an aimbot hooked up to a large collection of resolved md5 hashes.)

Now the fun part! if you have downloaded the PHPBB user-table directly and successfully get a password, you have admin access to the board. If you haven't - no worries. People suck. They don't like having to remember more than one password. pull officer/admin names from the message boards of the site, look through the dkp backup until you find a set of login info with a solvable md5. when you get a password/user combo, try it on the boards. 90% of people use the SAME login info for EQDKP as for their message board account (and often even their email accounts,) so it's fairly easy to obtain administrator access to PHPBBs on sites that have EQDKP running - or at least access to all protected forums.

It's notable that this isn't limited to PHPBBs. You will find that very frequently, EQDKP usernames and passwords will work for any associated messageboard of a guild - phpbb/ezboard/guildportal, etc.

have fun.

edit: forgot to mention! the backup menu IS backup/restore, so you can edit admin passwords. It's best to avoid doing so if you can just crack the md5 for one, but if you can't, and DO want to change the admin password… save the original md5. after you make whatever changes you want, restore their password to the original, so that they don't suspect anything. DKP and phpbb dumps also have associated email addresses, and very often people use the same PW. I'm sure you see where that is going =)

Comments
ghost's avatar
ghost 17 years ago

would have been nice if you expanded a little bit on what EQDKP is, "DKP loot distribution system" doesn't really say much (what i mean is, if you exploited it what could you gain from it?) but overall, a nice article

ghost's avatar
ghost 17 years ago

an alright article. Could use more background description of what EQDKP is and what can be done with it.

Uber0n's avatar
Uber0n 17 years ago

From the developers description of EQDKP: *"DKP, short for Dragon Kill Points, is a concept originally created by Thott of Afterlife. These points are awarded to each guild member as they attend a guild raid. The current DKP of each member reflects his or her priority for loot. When a member "wins" an item, they lose a DKP amount that reflects the value of that item.

DKP allows for an unbiased comparison between guild members when decisions about loot are to be made based on attendance and recent items that have been awarded."*

ghost's avatar
ghost 17 years ago

its old now…2007-02-02 (Milw0rm) i exploit it and got several database. Many of them is patched now.

ghost's avatar
ghost 17 years ago

well like he said in his article, the main thing that i would do it for, is to get hashes that might resolve to the same plaintext password as that hacked user's other logins such as his email, etc. while chances are that their other login passwords might be different, the exploiter could still deface the site (EQDKP section), perhaps get their mysql info if its the in the admin panel, etc. i'm not saying that i myself would deface the site but these are just options that you could gain out of using this exploit. all granted that the site is still vulnerable and not already patched.

ghost's avatar
ghost 17 years ago

it is kind of old, but I've looked around over the last couple days and found a few dozen vulnerable installations. it's actually VERY old, the eqdkp patch that fixed it was released about a year ago.