Blog Archives
Unlocking The CMS Templates
Recently one of my friends showed me a locked Joomla template, i.e. a template that was locked by its developers. It was nice, creative and a good way to get paid, but just out of curiosity I decided to look into it and unlock it.
This is how their mechanism worked. I could download the template free of cost and test it on a local server (localhost || 127.0.0.1) very easily, but as soon as I uploaded it to a paid web server, it showed a horrific “License Required” logo instead of the pretty website. So, I couldn't get the website running without a license. From the moment that logo showed up, it became a challenge to find a way to remove it, so I sat down to remove that ugly thing.
Disclaimer: If you like things, pay for them. This was done by me just out of curiosity and for knowledge purposes. I am neither responsible for your deeds nor do I support these types of activities.
Looking closely at the template structure, I found a call to default.php at the very beginning, which included the following code:
eval(gzinflate(base64_decode('ZZBBa4NAEIXPCv6HIQhrILp3S4RcikhDSvEuWzuNSzfudtwk9N933Y2BkOPMvPe9x8RN3e7fyrLL2CcO4iI1Fd8kTnjV9MM2YOmM65ckTmLC37Mk7PTYIzTvu7buPg6HFgpYcYsno4TFia/cnNpBTnm1LN2Gcdmj1VpNfEBlkAozGOaxnMMRLRjhQqckTsMdtjDiFZyr9nP2BJ1L3cR5RTh+IbW3210coBD6p8KYKIq20LyK3mr6K0sXvDNGyV5YqcfMI5eA4HXy2ZdXTnrH+58s9MBW+qg9/CHZ2zI2H1ko8Q8=')));
This code decodes to a simple PHP script that checks the value of a parameter in helper.php.
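The decoding step described above can be done statically, without letting PHP eval anything, which is how you would audit an obfuscated third-party template before deploying it. The following Python is an added example, not code from the original post or from the template vendor; `unwrap`, `wrap`, `PLAIN` and the two-layer `SAMPLE` are names and data constructed for illustration.

```python
import base64
import re
import zlib

# One eval(gzinflate(base64_decode('...'))) wrapper, as used in the template files.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1"""
    r"""\s*\)\s*\)\s*\)\s*;?""", re.I)
MAX_LAYERS = 20                # stop on pathological nesting
MAX_OUTPUT = 5 * 1024 * 1024   # cap inflated size per layer (decompression-bomb guard)


def inflate_raw(blob: bytes) -> bytes:
    """PHP's gzinflate() reads raw DEFLATE with no zlib/gzip header, hence wbits=-15."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(blob, MAX_OUTPUT)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("payload is truncated or inflates past MAX_OUTPUT")
    return out


def unwrap(source: str):
    """Peel wrappers without executing anything; returns (decoded_source, layers)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(source)
        if not m:
            break
        inner = inflate_raw(base64.b64decode(m.group(2))).decode("utf-8", "replace")
        # Splice the decoded body in place of the wrapper so surrounding code survives.
        source = source[:m.start()] + inner + source[m.end():]
        layers += 1
    return source, layers


def wrap(php: str) -> str:
    """Build a constructed test input in the same wrapper format."""
    c = zlib.compressobj(wbits=-15)
    raw = c.compress(php.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Constructed two-layer sample; not the vendor's payload.
PLAIN = '$white_list = array("localhost", "127.0.0.1");'
SAMPLE = wrap(wrap(PLAIN))

if __name__ == "__main__":
    decoded, n = unwrap(SAMPLE)
    print(f"{n} layer(s) removed:\n{decoded}")
```

Because the wrapper is only base64 over raw DEFLATE, it hides code from a casual reader but offers no protection against inspection; the same pattern is worth flagging when it turns up in any extension you did not write.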
Opening helper.php, we again find obfuscated code:
eval(gzinflate(base64_decode('...')));
Decoded, this obfuscated code becomes the following, which is the main part:
// No direct access.
defined('_JEXEC') or die;
$SECURITY_CODE = "icetheme";
define("CHECK_DAY", 86400);
define("DEBUG_MODE", false);
define("SERVER_URL", "http://www.icetheme.com/index.php" );
if(DEBUG_MODE){
    define("NUM_DAYS", 0);
}
else{
    define("NUM_DAYS", 1);
}
class iceHelper{
    var $host = null;
    var $ip_address = null;
    var $template_id = "";
    var $check_url = SERVER_URL;
    var $post_vars = "option=com_license&view=licenses&task=check&l=";
    var $method = "POST";
    var $_status = null;
    var $_temp_params = null;
    function __construct($template_id = ""){
        $this->host = $_SERVER['SERVER_NAME'];
        $this->ip_address = gethostbyname($_SERVER['SERVER_NAME']); // Imp line no. 1
        if(empty($this->ip_address)){
            $this->ip_address = $_SERVER["REMOTE_ADDR"];
        }
        $this->template_id = $template_id;
    }
    public function setTemp($template_id = ""){
        $this->template_id = $template_id;
    }
    function checkLocalhost(){
        $white_list = array("localhost", "127.0.0.1"); // Imp line no. 2
        if( in_array( $this->host, $white_list) || in_array($this->ip_address, $white_list) ){
            return true;
        }
        return false;
    }
    /**
     * make request service
     *
     * @param string $url
     * @return void.
... snip ...
Notice that this code looks up your host name. It is matched against the whitelist, i.e. the list of IPs on which the template is allowed to work (localhost is on the whitelist by default). If the IP is not in this whitelist, the “License Required” logo shows up. Now you can clearly override the call to this script, or you can use a simple approach: add your server's IP to the whitelist, like this:
$white_list = array("localhost", "127.0.0.1", "Your ip here");
Note: you have to make these changes, encode the script back to the original format (just the opposite of how you decoded it to a readable script) and save it on your server.
Now your website will show instead of the “License Required” logo.
This method is used by many content management systems nowadays. Only the file names or script structure may differ a little. You just need to know how the template authenticates itself with the developer's site (traffic capturing should ring some bells), which file is responsible for authentication, and a little bit of programming.
Cyberoam Hack : As many accounts as you like
NOTE: I have now detailed the process explaining how to do it: http://navkamalrakra.com/cyberoam-accounts-stealing-hacking-bypassing/
Our college has got a Cyberoam firewall to censor our online activities, and everybody is provided with a username/password combination to connect to the internet. Students get limited access and the faculty gets unlimited access, so the aim ultimately is to gather as many faculty accounts as possible. In my free time I wrote a shell script to accomplish this task … and in about 2 hours I had more than 100 accounts, out of which more than 10 were unlimited faculty accounts.
It was as easy as grep -i "mode=[0-9][0-9][0-9]" from the dump.
Here is the proof (the list is too long to be displayed, and the usernames as well as passwords have been trimmed for the security of the accounts):
The article has been moved to http://navkamalrakra.com/cyberoam-accounts-stealing-hacking-bypassing/