Date: Sun, 28 Nov 2010 16:18:11 +0000
From: Bob Smith <bobbyhadababyitsaboy@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: MD5 "decrypter" PHP Script

I use the word "decrypter" loosely, but that is how the sites
advertise themselves.

So I wrote a PHP script that takes hashes from a database
(columns are as such: id, hash, unhashed)
and checks them against md5-decrypter.com and md5decryption.com

These sites have no CAPTCHA protection (and over 4.7 million stored hashes).

<?php
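// Configuration and database setup for the lookup run.
// The mail archive wrapped several trailing comments onto a second line,
// which turned the overflow into stray code; they are restored as full
// comment lines here.
//
// NOTE(review): the mysql_* API used throughout this script was removed in
// PHP 7.0. mysqli or PDO with prepared statements is the maintained
// replacement and also removes the string-built SQL further down.

// Lift PHP's execution time limit for the run.
set_time_limit(0);

// MySQL host. If your port is different from the default, add a colon and
// the port number (e.g. localhost:1337).
$db_host = "localhost";
$db_user = "user";
$db_password = "pass";
$db_name = "db";
$db_table = "table";
// Change this if the unique ID field is called something else (e.g. Id, ID).
$table_id_field = "id";
// Change this if the hash field is called something else.
$table_hash = "hash";
// Column that the plain text version of the password is written to.
$table_plaintext = "dehashed";
// Read by the main loop but never assigned in the original listing. Defined
// here as "0" so the read is no longer an undefined-variable notice; any
// value other than "1" keeps the give-back step off, which is what the
// original effectively did.
$giveback = "0";

// Don't change anything below here unless you know what you are doing.

// Fail early with the driver's message, matching the two calls below.
mysql_connect($db_host, $db_user, $db_password) or die(mysql_error());

mysql_select_db($db_name) or die(mysql_error());

// The table name is concatenated into the statement unquoted, so it has to
// be a trusted identifier from this config block, never user input.
// "limit 1" means the result set holds at most one row.
$query = "SELECT * FROM " . $db_table . " limit 1";

$result = mysql_query($query) or die(mysql_error());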

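/**
 * Return the text between the first $start marker and the next $end marker.
 *
 * The extracted text is passed through mysql_real_escape_string() before it
 * is returned, so the result is meant to be placed inside a quoted SQL string
 * literal and needs an open MySQL connection.
 * NOTE(review): escaping inside a parsing helper is fragile, because any later
 * string operation on the result (such as the substr() trim in fetch_md5) can
 * cut an escape sequence in half. Escaping, or better a bound parameter, at
 * the point where the SQL is built is the safer arrangement.
 *
 * @param mixed  $string Text to search; a non-string such as false from a
 *                       failed curl_exec() is cast to string and yields "".
 * @param string $start  Marker that precedes the wanted text.
 * @param string $end    Marker that follows the wanted text.
 * @return string Escaped text between the markers, or "" when either marker
 *                is missing or empty.
 */
function get_string_between($string, $start, $end){
	$string = (string)$string;
	if ($start === "" || $end === "") return "";
	// Strict comparison replaces the original trick of prepending a space so
	// that "not found" (false) and "found at offset 0" could be told apart.
	$ini = strpos($string, $start);
	if ($ini === false) return "";
	$ini += strlen($start);
	$stop = strpos($string, $end, $ini);
	// The original computed false - $ini here, i.e. a negative length, and
	// substr() then returned an unrelated slice of the page instead of nothing.
	if ($stop === false) return "";
	return mysql_real_escape_string(substr($string, $ini, $stop - $ini));
}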

/**
 * POST one form field to $url and discard the response.
 *
 * The request body is "$post=$text", built by plain concatenation. The
 * Referer header is set to the target URL itself.
 *
 * NOTE(review): the callers in this file pass http:// URLs and a recovered
 * plain-text password as $text, so the value crosses the network unencrypted
 * and ends up stored by a third party. $text is not URL-encoded, so a value
 * containing "&" or "=" changes the shape of the submitted form. The result
 * of curl_exec() is ignored, so failures are silent.
 *
 * @param string $url  Form endpoint.
 * @param string $post Form field name (may carry pre-encoded extra fields).
 * @param string $text Value for that field.
 * @return void
 */
function give_back($url, $post, $text){
	$body = $post . "=" . $text;
	$handle = curl_init();
	curl_setopt_array($handle, array(
		CURLOPT_RETURNTRANSFER => 1,
		CURLOPT_REFERER => $url,
		CURLOPT_URL => $url,
		CURLOPT_POST => 1,
		CURLOPT_POSTFIELDS => $body,
	));
	curl_exec($handle);
	curl_close($handle);
}

/**
 * Submit $plaintext to every give-back endpoint except the one numbered $num.
 *
 * Endpoint 1 is md5-encryption.com and endpoint 2 is md5encryption.com; the
 * main loop passes the number of the lookup site that produced the result,
 * presumably so that the text is not sent back to the service it came from.
 *
 * NOTE(review): every call made here hands a recovered password to an
 * external site over plain HTTP (see give_back).
 *
 * @param mixed  $num       Number of the endpoint to skip (compared loosely).
 * @param string $plaintext Recovered text to submit.
 * @return void
 */
function do_except($num, $plaintext){
	// Keyed by endpoint number; iteration order matches the original's
	// two consecutive if-blocks.
	$targets = array(
		1 => array("http://md5-encryption.com/", "data[Row][clear]"),
		2 => array("http://md5encryption.com/", "submit=Encrypt%20It!&word"),
	);

	foreach ($targets as $skip => $target) {
		if ($num != $skip) {
			give_back($target[0], $target[1], $plaintext);
		}
	}
}
/**
 * POST $hash to a lookup form and scrape the answer out of the returned page.
 *
 * The page text between $start and $end is extracted with
 * get_string_between(), which returns it already passed through
 * mysql_real_escape_string(). When $trim is non-empty, that many leading
 * characters are then dropped from the extracted text.
 *
 * NOTE(review): the response body comes from a third-party site over plain
 * HTTP and must be treated as untrusted input; whatever sits between the two
 * markers is later written into a SQL statement. Because the trim runs after
 * escaping, it can split an escape sequence, so the returned value is not
 * guaranteed to be safe inside a quoted SQL literal. The hash itself is also
 * disclosed to the remote site and to anyone on the network path.
 *
 * @param string $url   Lookup form endpoint.
 * @param string $post  Form field name (may carry pre-encoded extra fields).
 * @param string $start Marker preceding the result in the page.
 * @param string $end   Marker following the result in the page.
 * @param mixed  $trim  Number of leading characters to drop, or "" for none.
 * @param string $hash  Hash value to submit.
 * @return string Extracted (escaped, optionally trimmed) text; empty when
 *                nothing was found.
 */
function fetch_md5($url, $post, $start, $end, $trim, $hash){
	$handle = curl_init();
	curl_setopt_array($handle, array(
		CURLOPT_RETURNTRANSFER => 1,
		CURLOPT_REFERER => $url,
		CURLOPT_URL => $url,
		CURLOPT_POST => 1,
		CURLOPT_POSTFIELDS => $post . "=" . $hash,
	));
	$page = curl_exec($handle);
	curl_close($handle);

	$found = get_string_between($page, $start, $end);

	// empty() already covers the unset/null case the original tested separately.
	return empty($trim) ? $found : substr($found, $trim);
}

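/**
 * Write a recovered plain text into the row identified by $row_id.
 *
 * The mail archive wrapped the original trailing comment and the SQL string
 * across lines; the wrapped comment text became stray code inside the
 * function header. Both are restored to single lines here.
 *
 * NOTE(review): the statement is still built by string interpolation.
 * $table_name, $id_field and $plaintext are identifiers and must come from
 * trusted configuration. $dehashed is interpolated as received because the
 * callers in this file pass a value that get_string_between() has already
 * escaped; escaping it again here would store doubled backslashes. A prepared
 * statement with bound values (mysqli/PDO) removes that coupling.
 *
 * @param string $table_name Table to update.
 * @param string $id_field   Name of the unique ID column.
 * @param mixed  $row_id     ID value of the row to update.
 * @param string $plaintext  Name of the column receiving the plain text.
 * @param string $dehashed   Recovered text, expected to be pre-escaped.
 * @return void
 */
function update_plaintext($table_name, $id_field, $row_id, $plaintext, $dehashed){
	// The row id was interpolated raw in the original; escape it at the sink.
	$row_id = mysql_real_escape_string($row_id);
	$sql = "update $table_name set $plaintext = '$dehashed' where $id_field = '$row_id'";
	// The original ignored the result, so a failed write went unnoticed.
	// Warn instead of aborting so the rest of the run is not affected.
	if (mysql_query($sql) === false) {
		trigger_error("update_plaintext failed: " . mysql_error(), E_USER_WARNING);
	}
}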

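// Main loop: for each fetched row, ask the lookup sites in order and store
// the first non-empty answer.
//
// Each entry: site number (passed to do_except), form URL, form field name,
// start marker, end marker, number of leading characters to trim ("" = none).
// The values are the ones the original passed in its two inline calls.
//
// NOTE(review): every iteration sends the row's hash to an external service
// over plain HTTP, and the scraped answer is written to the database. Treat
// both the disclosure and the untrusted response as part of the risk of
// running this against real data.
$lookup_sites = array(
	array("1", "http://md5-decrypter.com/", "data[Row][cripted]", "Decrypted text:</b>", "</b>", "21"),
	array("2", "http://md5decryption.com/", "submit=Decrypt%20It!&hash", "Decrypted Text: </b>", "</font><br/>", ""),
);

while($row = mysql_fetch_array($result)){

	foreach ($lookup_sites as $site) {
		list($site_num, $site_url, $site_field, $marker_start, $marker_end, $trim_len) = $site;

		$recovered = fetch_md5($site_url, $site_field, $marker_start, $marker_end, $trim_len, $row[$table_hash]);

		// empty() also treats the string "0" as "nothing found", as the original did.
		if (empty($recovered)) {
			continue;
		}

		update_plaintext($db_table, $table_id_field, $row[$table_id_field], $table_plaintext, $recovered);

		// $giveback is never assigned in the original listing; isset() avoids
		// the undefined-variable notice and keeps the give-back step off
		// unless it is explicitly set to "1".
		if (isset($giveback) && $giveback == "1") {
			do_except($site_num, $recovered);
		}

		// First hit wins; the remaining sites are not queried for this row.
		break;
	}

}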
?>
http://pastebin.com/idGqmqAg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
