and here is your PoC lel

for n in range(0,68719476735): print hex(n).zfill(6).replace("x", "")
Shut the fuck up.
...That's a small DoS attack and I don't think an admin exists that wouldn't notice it. Even if you did throttle it back to a conservative rate :p
Actually, there just needs to be one successful bruteforce attempt against one Super-Admin and everything will be over. If you can do that attack within <10 mins, with rented zombies or whatever, it means that you can take over the whole EZ. :/ I have faced a similar problem with Facebook. http://paulosyibelo.blogspot.com/2014/08/ow-facebook-taking-over-random-accounts.html
and ^ there you have some info to look for more info, LOL. Thanks Phage, and still, RCE in Forums is enough to infect more users and escalate the attack to worse scenarios, very much worse (I leave that to your imaginations).
How would you turn an admin account into remote code execution?
Well Phage, I am pretty sure someone will manage something once they are Admin? I am sure it isn't that complex. Even if I can write Javascript, it won't be that hard afterwards. :/
I know the admin panel, and there's no way you could do that.
It is very easily possible. Though that would require being admin, which is only given to people who would need access to do updates etc. anyway.