Flashchat: Admin Control Panel

Post by Teh Inscrutable »

Hi. First off, I'm new to this board, and I won't mind introducing myself more formally if need be. Second, let me say that I have no experience in hacking/exploiting/programming/coding or the like. That said, let me set the stage some more:


I am part of a small internet chat group based on Flashchat v4.7.12. Previously part of a somewhat larger site of a similar concept, we left because the admin running it was a shameless hack who didn't care about the community and only exploited it for power and occasionally extortion (i.e. offering to ban a spammer/troller for a small PayPal donation). In response we left and took a big chunk of his members along with us. This was many months prior to the event I will now explain to you.


Very recently we had a situation where an unliked member of our flashchat was spamming in his chat (the one we all left). Infuriated, and accusing us of sending her to "attack" his room, he managed to hack into the admin control panel of our flashchat, ban numerous members and then uninstall flashchat itself. He also impersonated an admin and hacked a user's account, changing the password and deleting the profile page set up for that account. This was all very unnecessary, and thankfully everything was fine by the end of the day. But the thing is, we didn't want a fight with him; and we have no desire to hurt his chat or "convert" his members by spamming his chat or anything.


What I wish to ask is this: how is it possible that he may have gotten access to the control panel, and is there a simple process by which I may either do likewise to him or simply avoid him doing so again in the future? I want to at the least help keep our chat safe. And it's possible we'll be forced to call the proper authorities on him. I saw your YouTube video about flashchat and thought you might be someone I could ask about how to handle this. I'm not personally knowledgeable in coding or anything, but I'd be willing to at least learn enough to prevent an idiot from ruining something for a bunch of people due to jealousy.

Thank you for reading this.
Post by Sethioz »

he managed to hack into the admin control panel of our flashchat
you mean the built-in admin panel?

do you personally own a chatroom or just go to one? i mean, have you seen the admin panel? as far as i know it's impossible to uninstall flashchat from the admin panel. well, you can delete mysql tables, but that's all. i attached a pic of the admin panel uninstall section.

as about hacking into the chatroom: it's possible to bruteforce the passwords. so if the admin used a weak password then this ''attacker'' simply may have cracked it by bruteforcing, but i seriously doubt there's anybody else who came up with this idea, because there's no tool for bruteforcing (cracking) passwords. i used one flooder combined with a packet editor to do such a thing.
that flooder simply floods, but doesn't log anything. so i used a packet editor (commview) to set alerts and triggers. so when the flooder received the packet ''successful login'' then the packet editor's trigger made it log this user/pass phrase. it's not hard, but it's extremely annoying and takes quite a lot of time to actually come up with this and make it happen.

as about flooding/spamming, there's pretty much nothing you can do, unless you are a php coder :) it's possible to write a few rows of code that prevent any kind of flooding from the same ip, but yet again it's then possible to use sockscap and still flood it.
i haven't really exploited flashchat that much, but admin and moderator passwords are kept in the config file. i know that there are several exploits that allow you to download ANY file from a site (not all sites). so if that's the case he may have downloaded that file and got the passwords.
actually flashchat is very very exploitable. basically you can ban ppl without having any kind of admin access. for example, take my video: you can add rooms (when disabled), you can get the admin and mod icon, you can ring the bell ..etc. it's not only those, it's ALL commands that can be disabled. all you need is a copy of the chat or just the command to send and they still work. it only disables visible stuff, but not commands. i did try to ban myself with only commands (not an admin account) and i kinda succeeded, but it was glitchy (didn't look into it any further).
How is it possible that he may have gotten access to the control panel
as about this, a lot of ppl use the same password everywhere. have you considered that he got the password elsewhere? or if the admin panel had an easy password then as i mentioned...he may have bruteforced it. i'm sure i'm not the only one who knows how to bruteforce a chatroom.
And it's possible we'll be forced to call the proper authorities on him
:lol: as for that...don't even dream about it. no law enforcer will even look into it..they only laugh. it's not directly hacking, it's basically a simple exploit. if you would actually HACK into some government site, then they may take action. or if you host a site with some child porn then they also take action (prolly only close it down). it's even the same with steam, paypal..etc. if there's something wrong they simply close the account. for example if you steal a paypal and transfer money from it to ur own account and paypal finds out: they simply close BOTH accounts. then they find out if it was true (the stealing) and if it was, then they won't open your account before you pay it back. that simple, but they're not doing anything else (unless it's millions lol)
trust me, i know :) (look at the owned section)

as for more general: chatrooms are very vulnerable. i mean all kinds. for example:
-in some chatrooms you can change the message name, so it appears like somebody else said that (so you can get somebody else banned lol)
-in some chatrooms you can even change others' names with simple packet editing.
those are just 2 examples of how much can be done.



UPDATE:
i also discovered one more small exploit, which was obvious. you can actually put the admin and mod icon into the chat window too :)
there's a code for icons. ''A'' is icon and then the icon name. for example ''Aadmin'' is the admin icon and ''Amod'' is mod. ''Aheart'' is the heart icon..etc. i added a pic too. you can do invalid smiles too, but they simply appear as text (as seen on the pic).
Attachments: FlashChat Admin Panel - Un-install_1216800716593.png, fcicons.JPG
Post by Teh Inscrutable »

Thanks, I've turned this response in to the admin to see if he'll find any of this useful. It's a shame there isn't a dead-set way to prevent this from happening again. And I don't think the authorities will really do much myself. But being that he is a youth lacking experience, at least the threat of the FBI paying him a phone call might prevent him from causing any more harm.

If I have any more questions I'll be sure to ask here!!

Thanks again.
Post by Sethioz »

And I don't think the authorities will really do much myself.
yeah, they don't do anything at all. well, there's a small chance that they do look into it when there's proof of real hacking or bruteforcing, but when he got the password elsewhere then they don't even look into it. maybe he is the real admin?! they don't know that, so they can't say anything or do anything. when crashing the chat by flooding with messages, smiles, users..etc...it doesn't actually crash the server. it only crashes your client side, forcing you to reload the page (sometimes it even crashes the whole browser)
But being that he is a youth lacking experience, at least the threat of the FBI paying him a phone call might prevent him from causing any more harm.
well, it even might work on weak-minded ppl hehe. usually 'kids' are really afraid of that. they even think that when you get their IP then it's a big thing and that it can be used against them. truth is..there's nothing much you can do with an IP. well, you can scan it and try to hack it, but hacking directly into a pc is not easy lately. even a small firewall is enough to protect you. you can always try to get his IP and then tell him that you will report his flooding/hacking from this IP and that it's logged ..etc. ..and honestly it would be better to eliminate those wanna-be noobs :)

about 4 years ago i used to crash avp2 servers a lot, they threatened me with police and FBI ..etc too, but ofc i knew it was bullshit :) got quite mad at one clan and kept them down for weeks :lol:
Post by Teh Inscrutable »

Well, yesterday the admin of my chat attempted to change the folder location of the admin panel, in the hope it might be difficult for him to locate. But it was discovered ANYWAY. And the attacker continuously made admin accounts. The profile section of flashchat read over 6,660 or so members were there, and we only had about 200 or so to begin with. So he made about 6,400 ADMIN accounts in a frame of a couple of hours. In retaliation, they changed the folder locations AGAIN and tried to restrict it so only specific IPs could see the control panel. It seemed to work, as I could not see it but certain people could. And that still did not work.

Currently Flashchat has been uninstalled again, as the page is back down. So at this time we have not figured out how to prevent this. =/
Post by Sethioz »

:lol: it seems that there's a simple exploit that allows you to make admin accounts.
i haven't checked it, but it gave me a good idea. when you make an account, there's prolly something that specifies if it's admin, mod or normal user. and when you edit that, you can make an admin account.
just like the smiles:
when you type

    :D

then flash sees it as

    %3AD

so when you change it to

    %3Aadmin%3A

and send it, then you don't get the :D smile, but you get the A (admin) smile instead. of course you can't simply enter it into the chatbox, you have to modify the packet.
i was trying the ban as a normal user, but it didn't work well. as i said, i think it's something similar that allows you to make admin accounts. changing the name of the admin panel has no point at all, you can use a simple spider (website crawler) to find all accessible pages and folders.
i'm sure that the problem is not in the admin panel at all. it's in the register.php.
this chatroom you're talking about is for registered users only, right? ..my best guess is that there's an exploit that allows you to make admin accounts.

i'll give you a GOOD example. let's say i install a flashchat and make it for registered users (so you have to register first). now, after install you have to go to the index.php page and then you HAVE to create the FIRST account, which is always an admin account. you can't even choose anything. the first account you make is an ADMIN account.
what if you record that data, then use that data to make more admin accounts.
maybe i will look into this.
so far i've only found ways to get the admin icon and get access to features that have been disabled (or only for admin/mod), well, ban worked too a few times, but it's glitchy.
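To show the defensive side of the guess above (a registration script that stores whatever role the request carries, and a "first account is admin" install step that keeps working afterwards), here is an added example. It is not Flashchat's own code; the `users` table, its `login`/`pass_hash`/`role` columns, the `role` POST field and a MySQL/InnoDB backend are all assumptions.

```php
<?php
// Added example, not Flashchat's code. Demonstrates why the account role must
// be decided on the server, never copied from the registration request.

// Hypothetical vulnerable pattern: the role sent by the client (a form field,
// or an edited packet as the thread describes for smilies) is stored as-is,
// so any self-registration can ask to be 'admin'.
function register_vulnerable(PDO $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (login, pass_hash, role) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $post['login'],
        password_hash($post['pass'], PASSWORD_DEFAULT),
        $post['role'],            // attacker-controlled
    ]);
}

// Hardened: only the very first account (the install step) becomes admin;
// every later self-registration is a plain user regardless of the request.
// Returns the role that was actually stored.
function register_hardened(PDO $db, array $post): string
{
    $login = trim((string) ($post['login'] ?? ''));
    $pass  = (string) ($post['pass'] ?? '');
    if ($login === '' || strlen($pass) < 8) {
        throw new InvalidArgumentException('login and a password of 8+ chars required');
    }

    $db->beginTransaction();
    // FOR UPDATE (InnoDB) serialises concurrent first-registrations so two
    // racing requests cannot both observe an empty table and both get admin.
    $count = (int) $db->query('SELECT COUNT(*) FROM users FOR UPDATE')->fetchColumn();
    $role  = ($count === 0) ? 'admin' : 'user';   // never read from $post
    $stmt  = $db->prepare(
        'INSERT INTO users (login, pass_hash, role) VALUES (?, ?, ?)'
    );
    $stmt->execute([$login, password_hash($pass, PASSWORD_DEFAULT), $role]);
    $db->commit();

    // Any admin creation is logged: a burst like the 6,400 accounts in this
    // thread then shows up immediately in the web/PHP error log.
    if ($role === 'admin') {
        error_log("admin account created: $login from "
            . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    }
    return $role;
}
```

Promoting later accounts to mod or admin belongs in the authenticated admin panel, where the acting admin's session is checked, not in the public registration path.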