CF SEA admin accounts.

[poedeltje]

Hey,

I've no idea where I can post this of I'm even allowed to post it, but the protection of CF SEA's we website is so bad..

CF SEA Admin accounts: (MD5 protected, I've no idea where the actual admin login is..)
https://pastebin.com/XJNE7F0H (Separated by line breaks.)
Databases: (Hashed passwords !)
root:*568A8C07FA1D98D3CC10B46FFE52B3A019EB353F:loc alhost
root:*07F94955AD26E2F0FF20E4444A2F37C87CDB241C:vL-WEB-DB-02
root:*07F94955AD26E2F0FF20E4444A2F37C87CDB241C:127 .0.0.1
root:*07F94955AD26E2F0FF20E4444A2F37C87CDB241C:::1
root:*568A8C07FA1D98D3CC10B46FFE52B3A019EB353F:%
sgsea_root:*2E1604C3ADEE7C57AF9AB81363B078D7182ACF 1A:%
sgsea_app:*2E1604C3ADEE7C57AF9AB81363B078D7182ACF1 A:172.16.80.106
mogile:*A1F1B2A7F3B2C124AE91B424477A6AC49A3D6C4B:%
zuyao.chin:*83A66AC4E6709FD211392432EAD4F0DDB865D5 50:%
myrepl:*568A8C07FA1D98D3CC10B46FFE52B3A019EB353F:%

There are also >200.000 IP's and E-mail adresses in the database, but it takes too long for me :P.

Please close this topic if it isn't allowed.
Poedeltje.

[Paradoxium]

woahh not even going to though... might want to let them know...

[poedeltje]

woahh not even going to though... might want to let them know...

I already did, but isn't it bad that a game like this has so much vulnerabilities?

[Paradoxium]

I already did, but isn't it bad that a game like this has so much vulnerabilities?

Oh yeah, its due to bad webmasters. They probably wanted to save money and outsourced their webmaster.

[quanschink]

Damn I thought it was CF NA @poedeltje When are you releasing CF NA accounts?

[Purple.]

well, Thanks for Share )

[poedeltje]

I may be able to get free redeem codes.
https://redemption.gambooz.com/item_claim/CFSEA

[Ima?]

Can you explain me please what exactly is that?

[poedeltje]

Can you explain me please what exactly is that?

Administrator accounts of https://cf.gambooz.com/, but I've no idea where the admin login page is.

[Delta[X]]

These aren't MD5 hashes but MySQL5 hashes

[-Ben]

wait, i dont get it. Are they free accounts? or..

[poedeltje]

@-Ben administrator accounts of CF SEA.

[Delta[X]]

I want to point out that you can't use these db credentials -even if you manage to decrypt the hashed passwords-, you wouldn't be able to log in because it's localhost.
You'd have to be part of their local network to access their database.

For example, it's like you were trying to connect to my router by typing "192.168.1.1" in your url bar, no, it won't connect to mine but yours.

You can use those accounts https://pastebin.com/XJNE7F0H but the (decrypted) passwords seems to be incorrect... I guess they changed them already, or the data you gathered was bullshit honeypot.. it would explains why most of all the passwords are "123456" or "123@#456" crap

[poedeltje]

I want to point out that you can't use these db credentials -even if you manage to decrypt the hashed passwords-, you wouldn't be able to log in because it's localhost.
You'd have to be part of their local network to access their database.

For example, it's like you were trying to connect to my router by typing "192.168.1.1" in your url bar, no, it won't connect to mine but yours.

You can use those accounts https://pastebin.com/XJNE7F0H but the (decrypted) passwords seems to be incorrect... I guess they changed them already, or the data you gathered was bullshit honeypot.. it would explains why most of all the passwords are "123456" or "123@#456" crap

It's actually not localhost, you are acting like someone that doesn't know anything about this sort of things.

https://cf.gambooz.com/cfsea/weapons_...9;AssaultRifle

Please can you please stop talking crap now that you read on the internet.


//FYI take a look at the database called `db_admin`.

[Delta[X]]

root:*568A8C07FA1D98D3CC10B46FFE52B3A019EB353F:loc alhost
root:*07F94955AD26E2F0FF20E4444A2F37C87CDB241C:vL-WEB-DB-02
root:*07F94955AD26E2F0FF20E4444A2F37C87CDB241C:127 .0.0.1

This is localhost

sgsea_app:*2E1604C3ADEE7C57AF9AB81363B078D7182ACF1 A:172.16.80.106

This is local network

And I guess it's the same with the other. You seems to know more about the subject than me, then just log in, if you can.

https://cf.gambooz.com/cfsea/weapons_...27AssaultRifle
This is SQL injection, I know that. You may use the credentials from pastebin but not the root credentials

edit: oh, guess what I found, a XSS vulnerability. You don't even need to "decrypt" the hashes, just steal the staff cookies and then mess with the website...