Hacked

Participate

Supporters

From 26C3 Public Wiki

Jump to: navigation, search

1 Login
2 Foodhacks
3 @ The CON
4 Free Downloads
5 XSS
6 spread the word
7 Targets
8 Insecure Passwords
9 File Inclusions
10 SQL Injections
11 Happy little cloud

Login

anonymous2/2342

Anonymous/anonymous3

Foodhacks

As last year I present you the Burger-King Voucher-Generator: ~~http://zzzbk.zz.funpic.de/bk/bk.php~~

(If you would like to thank me/talk to me, just contact mathias_ on #26c3@freenode - maybe bring me that second big king xxl you left over or a bottle of mate/beer? ;)

I'd get you a beer if you give us the source... --Bugmenot 21:12, 27 December 2009 (CET))

You can generate your own vouchers on Burger-king.de, but you can only get 4 on a DinA4-pages, and even worse: you cant select all vouchers that are on their servers. Also you need to register on their site. All of the vouchers used to work (they changed the format of the vouchers, and some are really a good deal (mid-sized fries for 50 Cent i.e.).

Store them on your smartphone, ebook reader, scrap paper, skin, ....

You can also print them out, of course, but where's the fun in that? Please don't ask the Ministry of Information if you don't have a printer.

The "Asia Gourmet" Shop in the Station Alexanderplatz is giving 50c Discount on everything >5€, if you show your congress badge.

@ The CON

Rickroll Armee Fraktion - Dan Kaminsky trolling

Free Downloads

Harzflirt.de

full list at http://pbot.rmdir.de/0c7cee461730d0c5c13d8a750e7c1d16
Index of http://harzflirt.de/fotos @ ftp://81.163.16.183/incoming/harzflirt_index.html (32mb)
Torrent: [1]
additional download (6000 new profile-photos) http://rapidshare.de/files/48917127/additional_images.tar.html

flirt-datings.de

http://www.flirt-datings.de/

unaone Hoster

user: 23317-24641b-ftp
pass: retep
host: ftp.unaone.net

Nazi-KFZ-Kennzeichen, anyone?

http://picpaste.de/photo_1230999651.jpg (FIXED)

NPD Fraktion Sachsen

See Hacked/npd-fraktion-sachsen.de

forum.deutsche-armee.com

Blöd, wenn Leute in der Flirt-Börse den gleichen Mail-Account verwenden wie für die Organisation ihrer politischen Aktivitäten UND DAS GLEICHE PASSWORD noch dazu!

Ich hätte hier eine nette Nazi-Seite anzubieten. Könnte bitte jemand einen Torrent draus machen? Tausend Dank!

phpbb mysql-dump: 1. http://rapidshare.com/files/328310266/backup_1262192175_23b69906890bfe3d.sql.gz.html

Den Blog hätt ich auch noch: 2. http://rapidshare.com/files/328309942/wordpress.2009-12-30.xml.tar.gz.html

XSS

Please do not poste too much lame XSS. Real hacks desired!

 Input: "><script>alert("26C3 FTW!")</script><script

http://www.spd-hessen.de/html/-1/welcome/Startseite.html

 Input: '><script>alert("26C3 FTW!")</script>

spread the word

Mindwerk Seiten:
- http://www.fdp-bielefeld.de/magazin/artikel.php?artikel=405&type=2&menuid=120&topmenu=120
- http://www.toyota-handball.de/
- http://www.enbw-ludwigsburg.de/magazin/artikel.php?artikel=1247&type=&menuid=54&topmenu=6
http://afhakers.nl/
- http://www.afhakers.nl/media.asp?x=-1%27LAME?
http://www.dragontown.bloodymary-bsw.de/
http://www.herner-karneval.de/
http://promoaoa.pr.funpic.de/
http://www.alba.ac-m-design.de/php/
http://thebrotherhood.th.funpic.de/
http://formel1.villa-schlumpf.de/php/
true 26c3mediawiki layout
http://www.the-paladins.de/
http://www.steelers.de/aktuelles/news_anzeigen.php?news_id=1688
- die admins sind schnell :(
http://www.9korn.com/
http://www.ma-flirt.de Auch Nazis brauchen Liebe!
CSU Rosenheim Upppppss : Screenshot: http://picpaste.de/CSU-Rosenheim-capture.jpg
Wifimaps Login to edit PHP code or use the Bash (may have to load twice) or look at the DB (wifimaps/7f6232fj9)
- Have anyone an Dump of the (PHP) Files?
http://www.fdp-hille.org/ einmal mit profis
www.berlin-klavierunterricht.com
http://www.grundschule-cainsdorf.de/
http://www.svp-stadt-zuerich.ch/ Screenshot: http://yfrog.com/j5svpp
DaPhix Prepay-Internet-Hotspot (no encryption!) @ http://www.generatorhostels.com/en/berlin -> use static IP 192.168.11.x / dns&gateway 192.168.11.1 and get Internet 4free -> Screenshot Admin Interface (no pw): http://yfrog.com/6eadminpreisep / http://yfrog.com/5zbildschirmfotoep

Targets

See Hacked/Targets

Insecure Passwords

No password at a SMTP server at airport Tegel: 10.5.40.140:25
DHL Austria Self-service Username/Password: dhl (Presented to you by "just this guy, you know")
Bayernbund e.V. Admin:123456
TSV 1860 Rosenheim Admin:123456
Junge Union Rosenheim Land Admin:123456 thanks google
Theater Rosenheim e.V admin/123456 thx to http://www.mdwd.org/index.php?section=ref
Admin/123456 most pages from http://www.mdwd.org/index.php?section=ref via index.php?section=admin
Support.Steampowered.com Username: erics / EricS - Password: connie (erics@valvesoftware.com) and Username: miked - Password: rosemary (miked@valvesoftware.com)
community.steampowered.com Username: michaeld@valvesoftware.com - Password: rosemary
Kuhne+Nagel Logistics Access a PHP based file manager and host your own project on a Windows based web server! Password: axadmin (according to html source, the system is by some company called AutomationX -> first and last letter of company name + "admin" does it ;-) The Website itself is at [2]

FDP Hille: Use [3] Cosmos:stargate

File Inclusions

Strato Communicator File Inclusion found1 (FIXED)
System-Failures.org Failure at its best. /etc/passwd Screenshot

SQL Injections

SVP STADT ZUERICH databasedump anyone? 13 columns afair.
MVV München _FULL SQL QUERY DISCLOSURE_ ... have fun
NPD Fraktion Sachsen (MIRRORS?)
- Here you have a dump (csv) npd_dump.zip 1
cdu-reinickendorf.de Have fun!
- User: v089141@85.13.128.149
- DB: v089141
- DB Version: 4.0.23-Max-log
Turbine-Potsdam
treff.bundeswehr.de
- rds_user
  - id
  - levelnr
  - login
  - password
  - name
  - vorname
  - email
  - email_flag
  - telefon
  - abteilung
  - info
  - ip
  - accesstime
  - lastlogin
  - active
  - startPage
Also a Local File Inclusion within a Bundeswehr page