Hacking InvisionFree forums
Hacking InvisionFree forums
Ever wanted to hack that InvisionFree forum that you despise? Or maybe you're the ethical hacker that simply wants to show InvisionFree owners how to stay secure (through demonstration, no less). Either way, you might find this guide useful.
Requirements:
- Basic HTML knowledge
- Advanced-ish PHP knowledge
- Advanced-ish Javascript knowledge
- An inconspicuous image
- A PHP host
- An (active) Invisionfree forum to hack
- Proxy/proxies (optional, but recommended)
- Possibly social engineering skills
That's a long list of requirements, but I'm sure most of you have these things.
STEP ONE: THE COOKIE STEALER You need to write a cookie stealer. Preferrably, the cookie stealer should show itself as an image so you don't have to redirect your victims to it (ensuring a quickly blown cover). I'm not going to tell you how to write one, mainly because you have an unlimited amount of information at your fingertips, hiding under the name "Google". Just have there be a GET variable containing the cookie and then store it in a text file or a MySQL database. If you choose the latter, remember to include a file that gets the cookies from the database and also guard against SQL injections.
STEP TWO: IMPLEMENTATION It's time to implement your cookie stealer. You will need the forum to have HTML in signatures. If you already have HTML in the signatures, skip to the next paragraph. If you're unlucky enough not to, you're going to have to convince the admin of the forum to enable HTML in signatures. For instance, say you have a killer Flash signature that you just HAVE to include.
Include the cookie stealer's image in an img tag. Give it a unique id like "snarfblat" or "cacklemuffs" so you can edit the image source with Javascript.
InvisionFree doesn't filter out "onFocus", which is great for us. Add a body tag with the onFocus attribute that changes snarfblat/cacklemuffs' src. It would appear something like:
Submit and try it out. If it works, congratulations! Move to step three. If it doesn't, you might have done something wrong.
STEP THREE: GETTING THE COOKIES Post. If you feel like you're not getting good enough cookies fast enough (you want access to the ACP), PM the admins.
STEP FOUR: WHAT NOW? Crack the admin passwords. They're unsalted. If you somehow don't know how to distinguish between admin and member, find the member ID's of the admins. Then find those ID's in your cookies (e.g. [forumname]member_id=1), locate the pass_hash of the cookies, and start cracking the MD5's.
Once you have the admin passwords, log in as the admins and do whatever you want.
PREVENTION To prevent this from happening, filter out the attribute "onFocus" loosely. If you're extremely paranoid, disable HTML in signatures altogether.
DISCLAIMER You are responsible for your own actions.
spyware 16 years ago
All I have to add to your little speech, moshbat, is the sound of my hands clapping together, creating the sound of yet another vote, cast to 'poor'. Clap clap, mosh, clap clap.
ghost 16 years ago
well despite the fact that the article is 99% useless.. I did get one good thing out of it… I didn't know InvisionFree was vulnerable to XSS via onfocus. Hmmm… cooks up a fun CSRF exploit in his head. Hmmm.. maybe Ill go check out some boards later. :p
Uber0n 16 years ago
This should be rewritten a bit and posted as a PoC at some full-disclosure vulnerability archive, not as a HBH article :p
Uber0n 16 years ago
PS. Fritzo says he's sorry for me being so nice to you. Let me clarify my point; this is not a good article. Happy now, Fritzo? ;)
ghost 16 years ago
… Someone that didn't comment. I agree with Uberon: the article didn't teach anything. It only demonstrated.