Hi, I was originally going to get an admin account on this site using this method, but tbh I've already donated hours trying to find the best way to pull it off. I wanna get working on something else now.
When you use the "forgot password" dealie, it emails you a link that will reset the password to something "randomly" generated. The link is something like
http://antionline.com/login.php?a=pw...431&i=73954595
The 'i' at the end is a validation ID used as a security measure to prevent users from resetting other users' passwords. However, the way they generate it is gay.
line 183 in login.php
PHP Code:
$user['activationid'] = build_user_activation_id($user['userid'], 2, 1);
line 580 in functions_user.php (within the function build_user_activation_id)
PHP Code:
$activateid = vbrand(0,100000000);
and finally lines 318-332 in functions.php
PHP Code:
function vbrand($min, $max, $seed = -1)
{
    // Seed the Mersenne Twister once per request.
    if (!defined('RAND_SEEDED'))
    {
        if ($seed == -1)
        {
            // Default seed: fractional part of microtime() scaled to an
            // integer, i.e. the current microsecond (0..999999).
            $seed = (double) microtime() * 1000000;
        }
        mt_srand($seed);
        define('RAND_SEEDED', true);
    }
    return mt_rand($min, $max);
}
All you really have to know is that random number generators aren't random at all; that's why they're called pseudo-random number generators. Given the same seed, a PRNG will generate the same "random" numbers. In vbrand() we see that if the PRNG isn't seeded it will seed it with
PHP Code:
(double) microtime() * 1000000;
There are only 1 million possibilities for this. Another point to mention is that a single seed from 0-1mil will also have a duplicate. So really there are only 500k possibilities for the validation ID (if the seed is even, then seed + 1 will generate the same random numbers).
The randomly generated password is created using the same method, so the same principles apply.
My main problem was that vBulletin only allows 5 bad logins every 15 minutes from a single IP. This is a problem because I would have to try to log in with all 500k possible passes. I was planning to defeat this by either abusing Tor or hunting for thousands of proxies, both of which would've taken up a lot of time (and wouldn't have been reliable).
I had also considered taking advantage of a login cookie; the bbpassword value in the cookie was generated using
PHP Code:
// bbpassword cookie value: hash of the stored (salted) password hash plus the site-wide COOKIE_SALT
md5(md5(md5($password) . $vbulletin->userinfo['salt']) . COOKIE_SALT)
I could've predicted cookie_salt but the user salt, despite being only 3 symbols long, makes it impractical to use.
So at the moment the most I'd be able to easily do is just reset people's passes, which sucks.
PS
When a lost password request is processed, the IP of the user who requested the password change isn't stored anywhere, so had I managed to reset a user's password, all they would be able to do is speculate from server logs who reset it.
PPS
I wouldn't have to try to log in with all 500k possible passes if I could coordinate it so that the server processes my request at a certain microtime. I could've potentially eliminated it down to 50k possible passes... maybe even less.
PPPS
This applies to the latest vBulletin board. I managed to predict the passwords + validation IDs on other major vBulletin boards too. So yea..
The following code generates all possible validation ids and passwords generated by vBulletin.
PHP Code:
<?php
// Walk the microtime() seed space; step of 2 because, as stated above,
// an even seed and the following odd seed give the same sequence.
for ($i = 0; $i < 1000000; $i += 2) {
    mt_srand($i);
    print mt_rand(0, 100000000) . "\r\n";
}
?>
or if you want a hardcopy
http://www.freewebtown.com/cyberhacker665/output.txt
a t t r i t i o n . o r g > AO (I read about this site from them, lol, shame on you JP for shutting down packetstorm )
I can be reached at irc.iris-network.net #80h
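The fix for the weakness described in this post is to stop deriving reset tokens and temporary passwords from a time-seeded mt_rand() at all. Below is an added example of what a hardened version looks like; it is not vBulletin's code and not the poster's, and the function names, table layout (activation_hash, activation_expires columns) and the in-memory SQLite wiring are assumptions made for the illustration.

```php
<?php
// Added example, not vBulletin's own code. Function and column names are
// assumptions for illustration only.

// Reset token from the OS CSPRNG: 32 bytes = 256 bits of entropy, versus the
// roughly one million seeds reachable through (double) microtime() * 1000000.
function generate_reset_token(): string
{
    return bin2hex(random_bytes(32));   // random_bytes() throws if no CSPRNG is available
}

// Temporary password built with random_int(), which is also CSPRNG-backed,
// so the "randomly generated" password is not predictable from the seed either.
function generate_temporary_password(int $length = 16): string
{
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Store only a hash of the token with an expiry, so a database read does not
// hand out live reset links and old links stop working on their own.
function store_reset_token(PDO $db, int $userid, string $token, int $ttl_seconds = 3600): void
{
    $stmt = $db->prepare(
        'UPDATE user SET activation_hash = :h, activation_expires = :e WHERE userid = :u'
    );
    $stmt->execute([
        ':h' => hash('sha256', $token),
        ':e' => time() + $ttl_seconds,
        ':u' => $userid,
    ]);
}

// Verify: constant-time compare against the stored hash, enforce the expiry,
// and clear the token after one successful use so the link cannot be replayed.
function verify_reset_token(PDO $db, int $userid, string $token): bool
{
    $stmt = $db->prepare(
        'SELECT activation_hash, activation_expires FROM user WHERE userid = :u'
    );
    $stmt->execute([':u' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['activation_hash'] === null) {
        return false;
    }
    if ((int) $row['activation_expires'] < time()) {
        return false;
    }
    if (!hash_equals($row['activation_hash'], hash('sha256', $token))) {
        return false;
    }
    $clear = $db->prepare(
        'UPDATE user SET activation_hash = NULL, activation_expires = NULL WHERE userid = :u'
    );
    $clear->execute([':u' => $userid]);
    return true;
}

// Demo wiring with a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, activation_hash TEXT NULL, activation_expires INTEGER NULL)');
$db->exec('INSERT INTO user (userid) VALUES (42)');

$token = generate_reset_token();
store_reset_token($db, 42, $token);
var_dump(verify_reset_token($db, 42, $token));                 // first use of the real token
var_dump(verify_reset_token($db, 42, $token));                 // same token again: single use
var_dump(verify_reset_token($db, 42, generate_reset_token())); // an unrelated token
var_dump(strlen(generate_temporary_password()));
```

The first verify call is the only one that should succeed: the second fails because the token was cleared on use, and the third because it never matched. The point of the design is that neither the token nor the temporary password depends on when the request was processed, so the microtime-coordination idea in the PPS has nothing to work with, and the per-IP login throttle is no longer the only thing standing between an attacker and the account.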