EQdkp <= 1.3.1 (Referer Spoof) Remote Database Backup Vulnerability :

Date : 2007-02-02 Author : Eight10
Title: EQdkp <= 1.3.1 Referer Spoof to access to SQL Database
URL: http://www.eqdkp.com
Hook: "Powered by EQdkp"
Author: Eight10
Contact: [email protected]
--------------------------------------------------------------------------------------------------------
Background: EQdkp is the largest DKP tracking program utilized largely by the MMORPG community, specifically
large use in the World of Warcraft Community among Guild/clan Websites.
--------------------------------------------------------------------------------------------------------
Discussion: A Vulnerability exists in all current versions of EQdkp that allows one to
spoof Their refering URL to gain access to an integrated class-1 MySQL Backup/Restore program
which allows one to download and modify sensitive SQL data. The script only checks for authentication
via refering url from the administration control panel. Note some sites have this funcitonality 
disabled/not installed. From the EQdkp_USERS.sql file, the username/email and MD5 Hashed password can be
obtained. From there the password needs to be cracked. 

Tested on: 1.3.1 Default install.
	   1.3.0 Default install.
---------------------------------------------------------------------------------------------------------
Exploit:
Use a referer spoofing program, like quickspoof.

Refering URL - - http://www.sitehere.com/pathtoeqdkp/admin/
Target URL   - - http://www.sitehere.com/pathtoeqdkp/admin/backup

From the Control menu goto "Backup MySQL data" and select the appropraite Database*.
Download eqdkp_users.sql from there and MD5 Hashes and usernames/emails will be present.
E.g.
VALUES ('1', 'admin', 'ec67739608318602f2dd6bcb141b56bc', '[email protected]', ......
---------------------------------------------------------------------------------------------------------
Alternative type attack**: 
One downloads the EQDKP_users.sql and modifies the administration hash in there to be 
"5f4dcc3b5aa765d61d8327deb882cf99"  == password
One could then restore said Database and login to the EQdkp system as admin.

Alternate type attack 2**:
One Downloads the EQDKP_users.sql and modifies the email address to his own. Then one requests
a password reset from the "forgot my password" page. Then the reset password is emailed to the
new email address.
----------------------------------------------------------------------------------------------------------

Futher Discussion: As we know people tend to use the same passwords in multiple places, especially when
the topics are related, for instance WoW account information and WoW clan websites. Along with similiar 
passes often used for the email address, which one can retrieve account names from the blizzards site.
Note, when cracking, the requirements for WoW passwords, I believe it is atleast 8 characters long containing
both numbers and letters. These can be difficult hashes to break but when the passwords are weak dictionary words
simply followed by numbers, a good amount of success can be achieved. This method is especially good when
you already have appropriately generated rainbow tables, or hashes can be sent to online hash crackers.

*Note Other databases can be obtained using this SQL backup tool too! Such as PHPBB databases.
**(Note Sometimes Permission settings prevent SQL restores)

Shout Out:
RichyPoo (Calrich AKA Faglord). Throhg (pwnt). BrowerPower. Bliznat(ty)
 _______ _________ _______          _________ __    _______ 
(  ____ \__   __/(  ____ |     /|\__   __//    (  __   )
| (    /   ) (   | (    /| )   ( |   ) (   /) ) | (  )  |
| (__       | |   | |      | (___) |   | |     | | | | /   |
|  __)      | |   | | ____ |  ___  |   | |     | | | (/ /) |
| (         | |   | | \_  )| (   ) |   | |     | | |   / | |
| (____/\___) (___| (___) || )   ( |   | |   __) (_|  (__) |
(_______/\_______/(_______)|/     |   )_(   \____/(_______)

# milw0rm.com [2007-02-02]

C1

 

C2

 

C3