PDA

View Full Version : Hacking *certain* invisionfree ***rds



S-Core
04-06-2006, 01:13 PM
I've heard they are really secure, but after i heard of a few peoples ***rds getting "Hacked"

I've decided i want hack someone i hate ;)

Any ways i can do this? ;)

Ezekiel
04-06-2006, 01:27 PM
I've heard they are really secure, but after i heard of a few peoples ***rds getting "Hacked"

I've decided i want hack someone i hate ;)

Any ways i can do this? ;)

Yes, you can go to a *certain* site called google. http://www.google.com. Or, you could actually search the forum before posting. http://www.all-nettools.com/forum/search.php. If you are talking about hacking the invisionfree forum hosting service, then no, unless you get root access to their server or something, then you can't. If you are talking about hacking invision power ***rd software, then there are always going to be people running old, unpatched versions. Search on any exploit site like www.securiteam.com or www.milw0rm.com and you will find some exploits for IPB, * on securiteam.

Ezekiel
04-08-2006, 05:37 AM
Probably possible but hard. use the right tools though or if you are a good hacker you could do it. I have used hirehackers.net a couple times and they have never failed!! once it was a phpbb im sure thats pretty close to invision...is invision php?

Ok, that's it Coolalex you spammer, I was giving you a chance to prove yourself after the first spam, but all you have proved is you need to be banned. I am PMing syntax****** now.

S-Core
04-10-2006, 01:09 PM
Yes, you can go to a *certain* site called google. http://www.google.com. Or, you could actually search the forum before posting. http://www.all-nettools.com/forum/search.php. If you are talking about hacking the invisionfree forum hosting service, then no, unless you get root access to their server or something, then you can't. If you are talking about hacking invision power ***rd software, then there are always going to be people running old, unpatched versions. Search on any exploit site like www.securiteam.com or www.milw0rm.com and you will find some exploits for IPB, * on securiteam.

Uhm, maybe i tried that and couldnt find anything? no need to be "R-O-O-D-E"


Anyhow im trying to hack a users ***rd like s*2.invisionfree.com/whatevertheusernamedthere***rdhere

Ezekiel
04-10-2006, 02:13 PM
Uhm, maybe i tried that and couldnt find anything? no need to be "R-O-O-D-E"


Anyhow im trying to hack a users ***rd like s*2.invisionfree.com/whatevertheusernamedthere***rdhere


How do you expect to hack a site like invisionfree. If you read anything else on this forum you would know that sites like that are secure. The only thing that you could use to get the password is a keylogger/other malware, google for it.

S-Core
04-11-2006, 06:16 PM
Search what? I've already tried google and them sites you gave me.

S-Core
04-11-2006, 06:31 PM
And Stop trying to insult me, its insulting(duh)


:)

Ezekiel
04-11-2006, 07:03 PM
Search what? I've already tried google and them sites you gave me.

Didn't you read my post? Here is part of it again:


The only thing that you could use to get the password is a keylogger/other malware

The sites I gave you were for exploits, which I said will not work on sites like invisionfree where they patch regulaly and run the latest software, and generally are *******. A google for "keylogger" brings back 7,580,000 results. You obviously are not looking hard enough.

hackerz
04-17-2006, 05:38 PM
Keylogging and trojaning people is not hacking. Besides, that's not the only way to "hack" invisionfree ***rds. Ever heard of SQL injections?

Ezekiel
04-17-2006, 05:54 PM
Keylogging and trojaning people is not hacking. Besides, that's not the only way to "hack" invisionfree ***rds. Ever heard of SQL injections?

Yes, but a website like invisionfree will be running the latest, patched IPB version. It is a lot different to trying to hack a small website that doesn't patch regularly, invisionfree will likely have NO exploits available, unlike a site that doesn't patch which will have many exploits that have since been fixed. So no, you can't hack an invisionfree ***rd, because they will run the latest version and keep things very secure. A forum such as the one we are posting on now will have many exploits, a place that is required to provide ***rds as a service to people is going to be a lot more secure. So my statement still stands, you have to use a keylogger or other malware to get the password to an invisionfree ***rd, unless you hit them with an exploit the day it becomes public. And sql injection is not the only way of hacking forums, there are many other forms of exploiting, including xss, etc. But sql injection is the best direct method to get the password.

hackerz
04-17-2006, 06:38 PM
You are right, they do patch regularly, except that there are currently a couple of exploits that still work and have been working for a couple weeks, one of them being an SQL injection that changes the root admins password to "*2*456." The others consist of exploiting either the member name/admin notes/topic description/forum description/password/e-mail address/calendar using a script that allows you to embed javascript into any of those fields which would be executed on the other members browsers when viewed.

junky
04-17-2006, 06:53 PM
Yes, you can go to a *certain* site called google. http://www.google.com. Or, you could actually search the forum before posting. http://www.all-nettools.com/forum/search.php. If you are talking about hacking the invisionfree forum hosting service, then no, unless you get root access to their server or something, then you can't. If you are talking about hacking invision power ***rd software, then there are always going to be people running old, unpatched versions. Search on any exploit site like www.securiteam.com or www.milw0rm.com and you will find some exploits for IPB, * on securiteam.

those were real good urls
thanx

junky
04-17-2006, 07:01 PM
thats a nice response Mr hacker but, cant a person try to understand the working of InvisionFree, scripts and forms using a web browser like firefox which provides "VIEW PAGE INFO" ?? i guess that provides fastest details about fields u are going to work with thereby, making it possible to use optimal attack method

hackerz
04-17-2006, 07:38 PM
Well, personally I use FireFox, but other browsers like Internet Explorer also allow you to view page source. But viewing the page source does not provide any help with hacking and finding exploit methods unless you understand html and javascript etc.. Even if you do understand those languages, usually viewing the page source does not help at all. For example, here is the source to the admin notes section, one of the exploitable parts of invisionfree.

"div class='maintitle'>Admin Notepad</div>

<table width='*00%' cellspacing='0' cellpadding='5' align='center' border='0'><tr>
</tr>
<tr>
<td class='tdrow*' width='*00%' valign='middle'><center><textarea rows='5' name='notes' wrap='soft' style='width:80%'>

Text Here



</textarea></center></td>"

Looking at that, can you find any exploits? Probably not. So it takes more than view source to find exploits.

junky
04-17-2006, 07:45 PM
Well, personally I use FireFox, but other browsers like Internet Explorer also allow you to view page source. But viewing the page source does not provide any help with hacking and finding exploit methods unless you understand html and javascript etc..

well, firefox provides to different functions,
View Page Source
View Page Info

Page info provides details about all form input including those which are hidden along with post method, location, ..

hackerz
04-17-2006, 07:55 PM
Thank you, I learned something new! I'll definately check that page info option out.

Edit: Looked at it and it is a nice little option, and you're right, it would help somebody who wishes to learn about the website, but I think it would take more to find an exploit.

junky
04-17-2006, 08:01 PM
<QUOTE>"div class='maintitle'>Admin Notepad</div>

<table width='*00%' cellspacing='0' cellpadding='5' align='center' border='0'><tr>
</tr>
<tr>
<td class='tdrow*' width='*00%' valign='middle'><center><textarea rows='5' name='notes' wrap='soft' style='width:80%'>

Text Here



</textarea></center></td>"</QUOTE>

can you explain how this code is exploitable ?

hackerz
04-17-2006, 08:15 PM
Sure! But this is the only one I will release because I do not want the others getting patched. What's put in the admin notes section is not properly verified which allows you to embed javascript that will be executed on any persons computer that views the admin notes. The script to embed javascript is

"</textarea>Hackerz pwns<script><!--
window.location = "http://www.google.com/"
//--></script>" (no quotes)

That would embed the text "Hackerz pwns" directly into the admin page and not into the admin notes and it would not be able to be erased. Pic = http://img60.imageshack.us/img60/4*5*/untitled*ar.jpg

The actual script would redirect to google.com and you could replace that with any other JavaScript you want

junky
04-17-2006, 08:38 PM
nice observation Mr Hacker

hackerz
04-17-2006, 08:45 PM
Thank you :D

Ezekiel
04-18-2006, 03:50 AM
Sure! But this is the only one I will release because I do not want the others getting patched. What's put in the admin notes section is not properly verified which allows you to embed javascript that will be executed on any persons computer that views the admin notes. The script to embed javascript is

"</textarea>Hackerz pwns<script><!--
window.location = "http://www.google.com/"
//--></script>" (no quotes)

That would embed the text "Hackerz pwns" directly into the admin page and not into the admin notes and it would not be able to be erased. Pic = http://img60.imageshack.us/img60/4*5*/untitled*ar.jpg

The actual script would redirect to google.com and you could replace that with any other JavaScript you want

No, because you have enclosed the whole script in a comment "<!--" which means all that will happen is <!--window.location = "http://www.google.com/"//--> will be placed in the page (without ever executing), and only people that view the source will actually know anything's there. The correct form of the code would be:

"</textarea>Hackerz pwns<script>
window.location = "http://www.google.com/"
</script>" (no quotes)

EDIT: I forgot about javascript being enclosed in comment tags to stop it being displayed on any browsers with javascript disabled; so the original script was correct.

hackerz
04-18-2006, 09:49 AM
You would be right... usually, but if you try it, it actually will work because of the admin notes' vulnerabilites. But you're way works too, I just prefer to do it my way.

Ezekiel
05-25-2006, 04:40 PM
How about putting your skills to the test??

I'm looking to steal a invision free websites password database, or itleast getting one of the people who are registered to this site's password...


If you think you can do this, then be my guest. If you wouldn't mind I would like the password database if you can get it.

or any password you get from anyone's account on this site.


Thanks, John.


invision free site.

http://www.google.com




IF YOUR ONE OF THE BEST AT HACKING WEBSITES... Try to take this websites password database...

http://www.google.com/

You are NOT going to hack any invisionfree forums. They are hosted and configured professionally, so there will likely be NO vulnerabilities. They are all on the same (or similar) servers, so all the forums are going to be patched and *******. Can people please stop asking for invisionfree forums to be cracked; the only forums that can be cracked are those on INDIVIDUAL sites, with old and vulnerable scripts running. All the forums on that site are just subdirectories on one website, so how do you think they will be any more vulnerable than the website itself?

Also, games like runescape are lame, and nobody here cares about cracking their website. If you care about it so much, get off your ass and learn like the rest of us.


EDIT: Post has been deleted, and user probably banned. Hehe, nice edit syntax******, now he looks even more like a moron.

-Flux
06-07-2006, 07:05 PM
You guys talk about invisionfree being practically unhackable but your all wrong. It is very easy to do so. If someone can hack NASA in mins. then they can hack forums like so. I'm not sure if it is true but I beleive that everythign to do with the intenet relates back to NASA. I beleive that any company DSL, Cable w/e they all link back to NASA.

Ezekiel
06-08-2006, 12:23 PM
You guys talk about invisionfree being practically unhackable but your all wrong. It is very easy to do so.

Come on then smart guy, tell us all your ***7 methods to hack invisionfree. My point was, major websites like invisionfree will patch and update their scripts regularly, and not run any old versions. Even if someone found a vulnerability in their scripts (unlikely), they would patch immediately. And because it is a single site, the same patches will be applied to all the forums they host.

With individual smaller websites, we can usually 'hack' them because there is a high probability that some of the scripts on their site will be old versions, and have vulnerabilities (for example, an old IPB forum version running). On a site like invisionfree, the scripts will be patched regularly, thus there will be no vulnerabilities.

Smaller, individual websites == strong possibility that there will be vulnerabilities.

Larger, regularly updates websites == No possibility of vulnerabilities, at least what can be relied on (in other words, it is so unlikely, that you would have to rely on pure luck to be there when some crappy scripting has left them open to attack).

feelgood
06-30-2006, 08:26 PM
our forums somehow got hacked..........it's been like a month. and the forums are going crazy cuz the guy deleted all the accounts except one, so like admins have no modding power =(

http://s8.invisionfree.com/XileRO/index.php?showtopic=54*84

Ezekiel
07-01-2006, 05:47 AM
our forums somehow got hacked..........it's been like a month. and the forums are going crazy cuz the guy deleted all the accounts except one, so like admins have no modding power =(

http://s8.invisionfree.com/XileRO/index.php?showtopic=54*84

Contact the invisionfree support and prove that you are the real 'owner' of the forum, then they will make any changes you request. Failing that, host your own forum, and don't rely on a service like invisionfree where you have no real admin control over the forum (such as direct database access, and ability to re-install when necessary).

Warthogmaster
07-13-2006, 08:27 PM
I already have a username and an InvisionFree forum, I want to delete that forum's database or reek any kind of havok possible. Is there a way I can do this?

Halla
07-14-2006, 04:06 AM
I already have a username and an InvisionFree forum, I want to delete that forum's database or reek any kind of havok possible. Is there a way I can do this?
Is it an admin or mod acct? thing is invisionfree charges for forum backups so hardly anyone does them... which means you axe a forum and its axed generally speaking.

-------------

I used to use a really stupid method and caused quite a bit of hell on an invisionfree ***rd...

sign up for a new account and use ascii codes to 'clone' the admins acct.
for example:
Dave = (alt+68)ave
alt + 68 on the numeric keypad = D. you can look up the ascii codes online.
if you use the same avatar and sig and such the only difference is the post count, which at least at the time it may be patched now you could post and delete and it would still hold the post count so you just did that until you got into the range the admin had. It definatly caused confusion...especially when you started PMing the ***rd :)

another thing was to use an automated keypresser to artificially pad a sites hits in their directory. invisionfree often removed a forum they found doing that.

another way that worked was registering a user acct, and requesting a forgotton password. At the password reset page you modify it offline to specify another member ID rather than the one you set up, ideally someone with mod or admin rights...and thats that. You've just changed that members pw and thusly taken over that members account.

hmm.. what else?
can you tell I hate invision yet?
ummm....

ah yes, an automated spammer tool was created that waited the minimum post time and posted specified messages for as long as it ran. Running the program in several of the forums under several accounts (the more the better) was rather effective and must have been maddening to clean up. It was made in python but I'll be damned if I can find it right now. I'll keep looking and if I do find it I'll post code or binary or something.

spoofing emails to members/mods/admins appearing to be invision staff, other members, even automated service messages (someone has attempted to rest your account, click this link to blah blah) and have the link in the email (in html of course) go to a page you own and get IPs, cookies or make iframes and have every site that installs spyware you can find on it can cause a riot...especially if its automated and continuous.

oh yeah, another funny thing is to spoof your IP to match the admins and then troll the hell out of the forum. Once the mods/admin ban your IP, they just banned themselves. thats always good for a laugh.

I could go on and on but I'll leave you with this...
doing this stuff is mean and I dont condone or take any responsibilty for any one doing anything. Bad person! No biscuit!
A trip to securityfocus.com helps too. Also, alot of folks at information leak dot com hate invision. power in numbers. Just thought Id mention that ;)

Ironic
07-23-2006, 07:12 AM
You are NOT going to hack any invisionfree forums. They are hosted and configured professionally, so there will likely be NO vulnerabilities.

Actually, I am here because some arsehole hacked our 2 week old invisionfree ***rd today out of vindictiveness and totally shut it down. (They were banned for harassing other members through PM.) We know exactly who did it (they also have an invisionfree ***rd), but not anything we can do about it really. I am trying to find out just how they were able to do it.

kero
07-28-2006, 05:11 AM
Hey i lost my password for my account can someone help me?

Halla
07-28-2006, 01:29 PM
hey, press "I forgot my password" when you try to sign in.
You're welcome.

Mailas
07-31-2006, 07:50 PM
yes I would really like to know how they did it.
I mean I was banned from a forum too because I just sent one complaint to an admin of why I was demoted of moderator. Now I cant do anything.


I dont understand you guys, you guys are saying its impossible to hack invision free sites but it looks like theres some sites being hacked.
Also I had a forum hacked and I contacted invision free support like you said, and they never replied back.

Please, some people are seriously stupid. But I saw something about SQL Injections, I read a walk through but I had no clue how to use it.
It said that it would change the password of the ROOT Admin on the Invisio free Forum's password to *2*456.
How????? I want to get revenge for hacking my site, they shouldnt of done that, and they are the same people who banned me from their site.

Ezekiel
08-01-2006, 06:34 AM
I dont understand you guys, you guys are saying its impossible to hack invision free sites but it looks like theres some sites being hacked.

Yes, it would have been done with malware, fake login pages, or a similar method.

I didn't say it was impossible to obtain the password of an invisionfree ***rd, I said it would be impossible to directly exploit the scripts and software they use, because they would run the latest versions.

If there are retards who a) trust programs from unknown sources, or b) are dumb enough to believe fake login pages, then they are going to lose their passwords for every service they use. It doesn't mean there's some ultra secret invisionfree hacking method, it just means you are someone who falls under one of those categories.

Saying you can hack invisionfree is like saying you can hack hotmail, yahoo, and so on. If even ONE person found a way to 'hack' their ***rds and used it, news would quickly reach the admins and they would make the necessary changes. If there was a way to hack them which spread to HUNDREDS of people, do you really think the admins would just sit on their ass and leave their service to be destroyed? Cross site scripting, sql injection, and other vulnerabilities simply DO NOT exist in services like invisionfree, because they are required to update as regularly as possible to ensure security. Sure, ONE guy may find a way to exploit them, but as soon as other people hear about it (or they see what happened in their logs), it's patched. You saying there's a way that EVERYONE is using to hack those ***rds is just ridiculous.


Please, some people are seriously stupid. But I saw something about SQL Injections, I read a walk through but I had no clue how to use it.
It said that it would change the password of the ROOT Admin on the Invisio free Forum's password to *2*456.

As I said before, they will update regularly, and I highly doubt sql injection would be possible.

And until you fully understand everything related to exploits, invisionfree, etc, you can stop calling us 'stupid'.

alpha17
09-15-2006, 11:02 PM
S-core, i am part of a outsider resistance. plz, if u have a nsider account, ive been trying to reach u, but havent found u. plz pm 2cool2spy.

Shinestar
10-01-2006, 07:50 AM
just on the off chance is any one able to hack an Invisionfree forum for me? pm me if you can help me out! :)

Darkness
01-31-2007, 07:03 AM
Is there Actually Any Way To Access Admin Cp Through 'Hacking' Of Some kind?

Poopyman
06-18-2007, 11:47 PM
Is there Actually Any Way To Access Admin Cp Through 'Hacking' Of Some kind?

ye. I happen to know some people who can hack invisionfree in under 5 minutes. here is an example of a hacked ***rd by a person called "orangeflower"

http://z6.invisionfree.com/Socomdria

WARNING CONTAINS GROSS PICS AND LOUD NOISES!

BreadMan
06-19-2007, 08:03 AM
Can you get him to teach us?

Poopyman
06-19-2007, 04:48 PM
Can you get him to teach us?

I dont think so. I barly know him.

h0lyh4cker
01-24-2008, 12:04 PM
ITS HARD! READ THIS: http://holyh4cker.duelistrealms.net/topic/56205/*/#new

YOU USE THE BUG AN REPORT LOST PASWORD FROM ANOTHER ADMIN.

hotlilmama
01-25-2008, 12:41 AM
well i was just wondering if anyone can help well you see someone hacked into my myspace and changed my password and everything and i cant get on and i had them send the password to my email except that got changed to so i was wondering if anyone could help me get back into my myspace :mad:

Moonbat
01-25-2008, 05:55 PM
Lol myspace.