CW reverse engineering - HELP!

sdc · (This post was last modified: 2021-04-14 13:56 by sdc.)

Ok i guess some of you guys know something about IT

I think we can reverse engineer CW :

Take an example:

https://www.camwhores.tv/videos/6555419/...lil-black/

opens

https://novo2-camwhoresvideos.wpnrtnmrew...I7fQ%3D%3D

lets focus on the file parameter, and strip B64 and trailing whitespace (%3D%3D)

Code:
YTo0OntzOjQ6InRpbWUiO2k6MTYxODQwNjkxODtzOjU6ImxpbWl0IjtpOjA7czo0OiJmaWxlIjtzOjI4OiIvNjU1NTAwMC82NTU1NDE5LzY1NTU0MTkubXA0IjtzOjI6ImN2IjtzOjMyOiIzMWZlNDgzM2FlZjg3ODhhNmI5NjYzNDRlMTNlZGZjNSI7fQ

it is base64 encoded value with the file id:

Code:
a:4:{s:4:"time";i:1618406918;s:5:"limit";i:0;s:4:"file";s:28:"/6555000/6555419/6555419.mp4";s:2:"cv";s:32:"31fe4833aef8788a6b966344e13edfc5";}

take another example:

Code:
YTo0OntzOjQ6InRpbWUiO2k6MTYxODQwNzI2NztzOjU6ImxpbWl0IjtpOjA7czo0OiJmaWxlIjtzOjI4OiIvMjA0NzAwMC8yMDQ3NDg3LzIwNDc0ODcubXA0IjtzOjI6ImN2IjtzOjMyOiI4NGZhNjVmZjQ5NWIyMDI0OTIxNzEzOTMxOTQzZmRiYiI7fQ

that part decodes to

Code:
a:4:{s:4:"time";i:1618407267;s:5:"limit";i:0;s:4:"file";s:28:"/2047000/2047487/2047487.mp4";s:2:"cv";s:32:"84fa65ff495b2024921713931943fdbb";}

so the first part is fixed, then we have current timestamp (1618407267)

Code:
a:4:{s:4:"time";i:TIMESTAMP;s:5:"limit";i:0;s:4:"file";s:28:"PATH_ROUNDED_BY_1000/ID.mp4"";s:2:"cv";s:32:"MISSING_BIT";}

so the only missing thing is MISSING_BIT

which is in format:

84fa65ff495b2024921713931943fdbb
31fe4833aef8788a6b966344e13edfc5

it looks like MD5

What is interesting is that this part is not constant (it can change for the same video) and it is connected to the timestamp -> changing timestamp changes the MISSING_BIT

if we can figure out what that is we can bypass CW for all videos Smile

2021-04-14 13:57

I did not dive much into it, but I figured each call to play the video created it's own randomized link that would expire after time, hence why a bot would not work as the actually file location may be encrypted or just have some subpaths not called.

If running on a serverless backend, the instance would die after being closed.

sdc · 2021-04-14 14:02

(2021-04-14 13:57)Guest Wrote: I did not dive much into it, but I figured each call to play the video created it's own randomized link that would expire after time, hence why a bot would not work as the actually file location may be encrypted or just have some subpaths not called.

If running on a serverless backend, the instance would die after being closed.

I don't think it works that way, since if you enter incorrect itmestamp/hash you will get different error code

2021-04-14 14:28

First understand how the CW website returns private video links, and then look for defects in the first few steps of the process (it is often more effective to attack it at the initial stage of a system).

2021-04-14 14:39

The software running on CWTV and other sites is a CMS that everyone can download and run on their server as video platform. There are several different versions of it with some of them having easy private bypass vulnerabilities, while others don't. I once found the source where you could download it for reverse engineering, but that was when I was on vacation and didn't have my computer there to bookmark it. Does someone else have a link to it?

2021-04-14 14:40

Is it possible to disguise the JavaScript response of the CW website administrator identity and return the characteristic code of the link?

2021-04-14 14:47

How does the CW web server know that your request code matches and return a private video link? Maybe you can try to disguise the membership request code?

2021-04-14 14:48

Found something: This is a demo for the used software with open admin access. Maybe this helps someone find holes: https://www.kvs-demo.com/

***user001*** · 2021-04-14 14:50

You can get the answers first-hand - from the KVS developer

https://kvs-demo.com/admin/index.php

Demo administrator accounts:

demo_admin / demo

https://kvs-demo.com/admin/servers.php?a...wnload_api

remote_control.php

Code:
<?php

/* Developed by Kernel Team.

  http://kernel-team.com

*/

error_reporting(E_ERROR | E_PARSE | E_COMPILE_ERROR);

$api_version = '5.3.0';

// comma separated list of whitelisted IPs

$whitelist_ips = "";

// comma separated list of whitelisted referers

$whitelist_referers = "";

// the number of seconds temp links are valid

$ttl = 3600;

######################################################################################

$config['cv']="d4c2088d32deb3534d5ffd035dc1d3ad";

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))

{

 $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];

 if (strpos($_SERVER['REMOTE_ADDR'], ',') !== false)

 {

 $_SERVER['REMOTE_ADDR'] = trim(substr($_SERVER['REMOTE_ADDR'], 0, strpos($_SERVER['REMOTE_ADDR'], ',')));

 }

} elseif (isset($_SERVER['HTTP_X_REAL_IP']))

{

 $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];

}

if ($_REQUEST['action'] == '' && $_REQUEST['file'] == '')

{

 echo "connected.";

 die;

} elseif ($_REQUEST['action'] == 'version')

{

 echo $api_version;

 die;

} elseif ($_REQUEST['action'] == 'ip')

{

 echo $_SERVER['REMOTE_ADDR'];

 die;

} elseif ($_REQUEST['action'] == 'path')

{

 if ($_REQUEST['cv'] != $config['cv'])

 {

 http_response_code(403);

 header("KVS-Errno: 2");

 echo "Access denied (errno 2)";

 die;

 }

 echo dirname($_SERVER['SCRIPT_FILENAME']);

} elseif ($_REQUEST['action'] == 'status')

{

 $load = sys_getloadavg();

 $load = floatval($load[0]);

 if ($_REQUEST['content_path'] != '' && (is_dir(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]") || is_link(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]")))

 {

 $total_space = @disk_total_space(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]");

 $free_space = @disk_free_space(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]");

 } else

 {

 $total_space = @disk_total_space(dirname($_SERVER['SCRIPT_FILENAME']));

 $free_space = @disk_free_space(dirname($_SERVER['SCRIPT_FILENAME']));

 }

 echo "$load|$total_space|$free_space";

 die;

} elseif ($_REQUEST['action'] == 'time')

{

 echo time();

 die;

} elseif ($_REQUEST['action'] == 'check')

{

 $content_path = $_REQUEST['content_path'];

 $paths = explode('||', $_REQUEST['files']);

 foreach ($paths as $path)

 {

 if ($path)

 {

 $path_rec = explode('|', $path);

 if ($content_path && $path_rec[0])

 {

 $path_rec[0] = "$content_path/$path_rec[0]";

 }

 if ($path_rec[1] > 0)

 {

 if (sprintf("%.0f", @filesize($path_rec[0])) != $path_rec[1])

 {

 echo "$path_rec[0] (expected size $path_rec[1])";

 die;

 }

 } else

 {

 if (sprintf("%.0f", @filesize($path_rec[0])) < 1)

 {

 echo $path_rec[0];

 die;

 }

 }

 }

 }

 echo '1';

 die;

} elseif ($_REQUEST['file'] <> '')

{

 $time = intval($_REQUEST['time']);

 $limit = intval($_REQUEST['lr']);

 $cv = trim($_REQUEST['cv2']);

 $target_file = rawurldecode($_REQUEST['file']);

 $is_download = trim($_GET['download']);

 if (strpos($target_file, 'B64') === 0)

 {

 $target_file_info = @unserialize(base64_decode(substr($target_file, 3)));

 if (!isset($target_file_info['time'], $target_file_info['cv'], $target_file_info['file']))

 {

 http_response_code(403);

 header("KVS-Errno: 2");

 echo "Access denied (errno 2)";

 die;

 }

 if ($target_file_info['time'] < time() - $ttl || $target_file_info['time'] > time() + $ttl)

 {

 http_response_code(403);

 header("KVS-Errno: 3");

 echo "Access denied (errno 3)";

 die;

 }

 $allowed_ips = explode(',', trim($_COOKIE["kt_remote_ips"]));

 if (md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $_SERVER['REMOTE_ADDR'] . $config['cv']) !== $target_file_info['cv'])

 {

 $ip_valid = false;

 foreach ($allowed_ips as $allowed_ip)

 {

 $allowed_ip = explode("||", $allowed_ip);

 if ($allowed_ip[1] === md5($allowed_ip[0] . $config['cv']))

 {

 if (md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $allowed_ip[0] . $config['cv']) === $target_file_info['cv'])

 {

 $ip_valid = true;

 break;

 }

 }

 }

 if (!$ip_valid && $whitelist_ips)

 {

 $whitelist_ips = array_map('trim', explode(',', trim($whitelist_ips)));

 foreach ($whitelist_ips as $whitelist_ip)

 {

 if ($whitelist_ip == $_SERVER['REMOTE_ADDR'] || md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $whitelist_ip . $config['cv']) === $target_file_info['cv'])

 {

 $ip_valid = true;

 break;

 }

 }

 }

 if (!$ip_valid)

 {

 http_response_code(403);

 header("KVS-Errno: 4");

 header("KVS-IP: $_SERVER[REMOTE_ADDR]");

 echo "Access denied (errno 4)";

 die;

 }

 } else

 {

 $has_ip_cookie = false;

 foreach ($allowed_ips as $allowed_ip)

 {

 $allowed_ip = explode("||", $allowed_ip);

 if ($allowed_ip[0] == $_SERVER['REMOTE_ADDR'])

 {

 $has_ip_cookie = true;

 }

 }

 if (!$has_ip_cookie)

 {

 $allowed_ips[] = $_SERVER['REMOTE_ADDR'] . '||' . md5($_SERVER['REMOTE_ADDR'] . $config['cv']);

 if (version_compare(PHP_VERSION, '7.3.0') >= 0)

 {

 setcookie("kt_remote_ips", implode(',', $allowed_ips), ['expires' => time() + $ttl, 'path' => '/', 'samesite' => 'Lax']);

 } else

 {

 setcookie("kt_remote_ips", implode(',', $allowed_ips), time() + $ttl, "/");

 }

 }

 }

 $target_file = $target_file_info['file'];

 $limit = $target_file_info['limit'];

 } else

 {

 if ($time < time() - $ttl || $time > time() + $ttl)

 {

 http_response_code(403);

 header("KVS-Errno: 3");

 echo "Access denied (errno 3)";

 die;

 }

 if (md5($time . $limit . $config['cv']) !== $cv)

 {

 http_response_code(403);

 header("KVS-Errno: 4");

 echo "Access denied (errno 4)";

 die;

 }

 if ($_SERVER['HTTP_REFERER'] != '' && $_REQUEST['cv3'] != '')

 {

 $ref_host = parse_url(str_replace('www.', '', $_SERVER['HTTP_REFERER']), PHP_URL_HOST);

 if ($ref_host != '' && $ref_host != $_SERVER['SERVER_NAME'] && md5($ref_host . $config['cv']) !== trim($_REQUEST['cv3']))

 {

 $referer_valid = false;

 $whitelist_referers = array_map('trim', explode(',', trim($whitelist_referers)));

 foreach ($whitelist_referers as $whitelist_referer)

 {

 if ($whitelist_referer == $ref_host)

 {

 $referer_valid = true;

 break;

 }

 }

 if (!$referer_valid)

 {

 http_response_code(403);

 header("KVS-Errno: 5");

 echo "Access denied (errno 5)";

 die;

 }

 }

 }

 if (md5($target_file . $config['cv']) !== trim($_REQUEST['cv4']))

 {

 http_response_code(403);

 header("KVS-Errno: 6");

 echo "Access denied (errno 6)";

 die;

 }

 }

 if (floatval($_REQUEST['start']) > 0)

 {

 $start_str = "?start=" . floatval($_REQUEST['start']);

 }

 if (strpos($target_file, ".flv") !== false)

 {

 header("Content-Type: video/x-flv");

 } elseif (strpos($target_file, ".mp4") !== false)

 {

 header("Content-Type: video/mp4");

 } elseif (strpos($target_file, ".webm") !== false)

 {

 header("Content-Type: video/webm");

 } elseif (strpos($target_file, ".jpg") !== false)

 {

 header("Content-Type: image/jpeg");

 } elseif (strpos($target_file, ".gif") !== false)

 {

 header("Content-Type: image/gif");

 } elseif (strpos($target_file, ".zip") !== false)

 {

 header("Content-Type: application/zip");

 } else

 {

 header("Content-Type: application/octet-stream");

 }

 if (intval($limit) > 0)

 {

 header("X-Accel-Limit-Rate: $limit");

 }

 $short_file_name = basename($target_file);

 if ($_REQUEST['download_filename'] <> '')

 {

 $short_file_name = $_REQUEST['download_filename'];

 }

 if ($is_download == 'true')

 {

 header("Content-Disposition: attachment; filename=\"$short_file_name\"");

 } else

 {

 header("Content-Disposition: inline; filename=\"$short_file_name\"");

 }

 header("X-Accel-Redirect: $target_file{$start_str}");

}

KVS Documentation

2021-04-14 15:07

Annoyed, CW returns the real video URL based on the IP address. Maybe network IP=? ?

sdc · (This post was last modified: 2021-04-14 15:55 by sdc.)

(2021-04-14 14:50)user001 Wrote: You can get the answers first-hand - from the KVS developer

https://kvs-demo.com/admin/index.php

Demo administrator accounts:

demo_admin / demo

https://kvs-demo.com/admin/servers.php?a...wnload_api

remote_control.php

Code:
<?php /* Developed by Kernel Team. http://kernel-team.com */ error_reporting(E_ERROR | E_PARSE | E_COMPILE_ERROR); $api_version = '5.3.0'; // comma separated list of whitelisted IPs $whitelist_ips = ""; // comma separated list of whitelisted referers $whitelist_referers = ""; // the number of seconds temp links are valid $ttl = 3600; ###################################################################################### $config['cv']="d4c2088d32deb3534d5ffd035dc1d3ad"; if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; if (strpos($_SERVER['REMOTE_ADDR'], ',') !== false) { $_SERVER['REMOTE_ADDR'] = trim(substr($_SERVER['REMOTE_ADDR'], 0, strpos($_SERVER['REMOTE_ADDR'], ','))); } } elseif (isset($_SERVER['HTTP_X_REAL_IP'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP']; } if ($_REQUEST['action'] == '' && $_REQUEST['file'] == '') { echo "connected."; die; } elseif ($_REQUEST['action'] == 'version') { echo $api_version; die; } elseif ($_REQUEST['action'] == 'ip') { echo $_SERVER['REMOTE_ADDR']; die; } elseif ($_REQUEST['action'] == 'path') { if ($_REQUEST['cv'] != $config['cv']) { http_response_code(403); header("KVS-Errno: 2"); echo "Access denied (errno 2)"; die; } echo dirname($_SERVER['SCRIPT_FILENAME']); } elseif ($_REQUEST['action'] == 'status') { $load = sys_getloadavg(); $load = floatval($load[0]); if ($_REQUEST['content_path'] != '' && (is_dir(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]") || is_link(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]"))) { $total_space = @disk_total_space(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]"); $free_space = @disk_free_space(dirname($_SERVER['SCRIPT_FILENAME']) . "/$_REQUEST[content_path]"); } else { $total_space = @disk_total_space(dirname($_SERVER['SCRIPT_FILENAME'])); $free_space = @disk_free_space(dirname($_SERVER['SCRIPT_FILENAME'])); } echo "$load|$total_space|$free_space"; die; } elseif ($_REQUEST['action'] == 'time') { echo time(); die; } elseif ($_REQUEST['action'] == 'check') { $content_path = $_REQUEST['content_path']; $paths = explode('||', $_REQUEST['files']); foreach ($paths as $path) { if ($path) { $path_rec = explode('|', $path); if ($content_path && $path_rec[0]) { $path_rec[0] = "$content_path/$path_rec[0]"; } if ($path_rec[1] > 0) { if (sprintf("%.0f", @filesize($path_rec[0])) != $path_rec[1]) { echo "$path_rec[0] (expected size $path_rec[1])"; die; } } else { if (sprintf("%.0f", @filesize($path_rec[0])) < 1) { echo $path_rec[0]; die; } } } } echo '1'; die; } elseif ($_REQUEST['file'] <> '') { $time = intval($_REQUEST['time']); $limit = intval($_REQUEST['lr']); $cv = trim($_REQUEST['cv2']); $target_file = rawurldecode($_REQUEST['file']); $is_download = trim($_GET['download']); if (strpos($target_file, 'B64') === 0) { $target_file_info = @unserialize(base64_decode(substr($target_file, 3))); if (!isset($target_file_info['time'], $target_file_info['cv'], $target_file_info['file'])) { http_response_code(403); header("KVS-Errno: 2"); echo "Access denied (errno 2)"; die; } if ($target_file_info['time'] < time() - $ttl || $target_file_info['time'] > time() + $ttl) { http_response_code(403); header("KVS-Errno: 3"); echo "Access denied (errno 3)"; die; } $allowed_ips = explode(',', trim($_COOKIE["kt_remote_ips"])); if (md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $_SERVER['REMOTE_ADDR'] . $config['cv']) !== $target_file_info['cv']) { $ip_valid = false; foreach ($allowed_ips as $allowed_ip) { $allowed_ip = explode("||", $allowed_ip); if ($allowed_ip[1] === md5($allowed_ip[0] . $config['cv'])) { if (md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $allowed_ip[0] . $config['cv']) === $target_file_info['cv']) { $ip_valid = true; break; } } } if (!$ip_valid && $whitelist_ips) { $whitelist_ips = array_map('trim', explode(',', trim($whitelist_ips))); foreach ($whitelist_ips as $whitelist_ip) { if ($whitelist_ip == $_SERVER['REMOTE_ADDR'] || md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $whitelist_ip . $config['cv']) === $target_file_info['cv']) { $ip_valid = true; break; } } } if (!$ip_valid) { http_response_code(403); header("KVS-Errno: 4"); header("KVS-IP: $_SERVER[REMOTE_ADDR]"); echo "Access denied (errno 4)"; die; } } else { $has_ip_cookie = false; foreach ($allowed_ips as $allowed_ip) { $allowed_ip = explode("||", $allowed_ip); if ($allowed_ip[0] == $_SERVER['REMOTE_ADDR']) { $has_ip_cookie = true; } } if (!$has_ip_cookie) { $allowed_ips[] = $_SERVER['REMOTE_ADDR'] . '||' . md5($_SERVER['REMOTE_ADDR'] . $config['cv']); if (version_compare(PHP_VERSION, '7.3.0') >= 0) { setcookie("kt_remote_ips", implode(',', $allowed_ips), ['expires' => time() + $ttl, 'path' => '/', 'samesite' => 'Lax']); } else { setcookie("kt_remote_ips", implode(',', $allowed_ips), time() + $ttl, "/"); } } } $target_file = $target_file_info['file']; $limit = $target_file_info['limit']; } else { if ($time < time() - $ttl || $time > time() + $ttl) { http_response_code(403); header("KVS-Errno: 3"); echo "Access denied (errno 3)"; die; } if (md5($time . $limit . $config['cv']) !== $cv) { http_response_code(403); header("KVS-Errno: 4"); echo "Access denied (errno 4)"; die; } if ($_SERVER['HTTP_REFERER'] != '' && $_REQUEST['cv3'] != '') { $ref_host = parse_url(str_replace('www.', '', $_SERVER['HTTP_REFERER']), PHP_URL_HOST); if ($ref_host != '' && $ref_host != $_SERVER['SERVER_NAME'] && md5($ref_host . $config['cv']) !== trim($_REQUEST['cv3'])) { $referer_valid = false; $whitelist_referers = array_map('trim', explode(',', trim($whitelist_referers))); foreach ($whitelist_referers as $whitelist_referer) { if ($whitelist_referer == $ref_host) { $referer_valid = true; break; } } if (!$referer_valid) { http_response_code(403); header("KVS-Errno: 5"); echo "Access denied (errno 5)"; die; } } } if (md5($target_file . $config['cv']) !== trim($_REQUEST['cv4'])) { http_response_code(403); header("KVS-Errno: 6"); echo "Access denied (errno 6)"; die; } } if (floatval($_REQUEST['start']) > 0) { $start_str = "?start=" . floatval($_REQUEST['start']); } if (strpos($target_file, ".flv") !== false) { header("Content-Type: video/x-flv"); } elseif (strpos($target_file, ".mp4") !== false) { header("Content-Type: video/mp4"); } elseif (strpos($target_file, ".webm") !== false) { header("Content-Type: video/webm"); } elseif (strpos($target_file, ".jpg") !== false) { header("Content-Type: image/jpeg"); } elseif (strpos($target_file, ".gif") !== false) { header("Content-Type: image/gif"); } elseif (strpos($target_file, ".zip") !== false) { header("Content-Type: application/zip"); } else { header("Content-Type: application/octet-stream"); } if (intval($limit) > 0) { header("X-Accel-Limit-Rate: $limit"); } $short_file_name = basename($target_file); if ($_REQUEST['download_filename'] <> '') { $short_file_name = $_REQUEST['download_filename']; } if ($is_download == 'true') { header("Content-Disposition: attachment; filename=\"$short_file_name\""); } else { header("Content-Disposition: inline; filename=\"$short_file_name\""); } header("X-Accel-Redirect: $target_file{$start_str}"); }

KVS Documentation

thanks, will look into that

EDIT:
the missing_part seems to be:

Code:
(md5($target_file_info['time'] . $target_file_info['limit'] . $target_file_info['file'] . $_SERVER['REMOTE_ADDR'] . $config['cv']) !== $target_file_info['cv'])

I will try to create a script tomorrow, but if anyone else can help please contribute Smile

there is a chance we will have to bruteforce the CV part, but that shoudl be quite simple if the length of CV part (if changed CW admin even cared to change if from the default) is short

2021-04-14 16:12

I assume the bot would be working again if cwtv admin had used the default. But you never know unless you check it ...

sgfkjdlnb · 2021-04-14 16:31

Just noticed that remote_control.php on cwtv doesn't seem to support the action= parameter. Maybe @user001 has more information on what version cwtv uses and if there are other options to get source code and maybe vulnerabilities in the system. I'd appreciate if someone finds stuff that helps pave the way for a new cwbot they could PM it to the users posting in this thread. Then cwtv admin and KVS devs don't find out about it that quickly.

2021-04-14 17:54

Me : know nothing of coding
Hopefully it will be successful !!

[Image: ggbTELE.jpg]

z3bsk

2021-04-14 19:50

very interesting but CW admin probably also read nobodyhome on a regular basis, after all he is most likely one of us. So be smart, keep up the good work... in the shadows!

sdc · 2021-04-14 23:03

seems like the only way to crack it is to brute-force the $config[cv] (secret) based on the formula:

Code:
md5(time + limit + file + remote + secret)  = request_cv

the issue is that the secret can be easily changed in the admin panel so it would be just a temporary solution

and the default d4c2088d32deb3534d5ffd035dc1d3ad doesn't seem to work (or maybe I made a mistake ?)

I am also curious if anyone has access to get_file script ?

2021-04-14 23:17

you guys are dumb as fuck. good luck bruteforcing md5

St8nk · 2021-04-14 23:24

(2021-04-14 23:17)Guest Wrote: you guys are dumb as fuck. good luck bruteforcing md5

Sure Guest! Big Grin

sdc · 2021-04-14 23:26

(2021-04-14 23:17)Guest Wrote: you guys are dumb as fuck. good luck bruteforcing md5

normal md5 passwords are very fast to bruteforce,
the issue is that even the default salt has 32 characters, which makes the bruteforcing not possible

jjcamwhoresjj1 · 2021-04-14 23:51

no idea what you're talking about .... wish I took computer engineering/programming in college .... good luck

2021-04-14 23:53

(2021-04-14 23:17)Guest Wrote: you guys are dumb as fuck. good luck bruteforcing md5

Guest idiot still living in a past where md5 was "safe". Seriously go back to computing school you ASP programmer pussy, it's because of assholes like you that so much websites and apps have zero day exploits out of the box... Big Grin

2021-04-15 2:40

If you successfully crack the website, remember to perform an anti-repair check.

Zydacoman · 2021-04-15 5:18

Good luck to you fine gentlemen!

2021-04-15 16:39

That long string that's hashed makes it impossible to use highly optimized cuda kernels on hashcat (normally I get >60GH/s, with these long strings it's ~5KH/s). Does anyone have ideas for optimizing that since we only have a reasonably small part of the string that's unknown?

***user001*** · (This post was last modified: 2021-04-15 17:35 by user001.)

Spoiler

PHP Code:
<?php
/* Developed by Kernel Team.
   http://kernel-team.com
*/
include_once('admin/include/setup.php');

if ($_GET['action']=='check_ip')
{
    header("KVS-IP: $_SERVER[REMOTE_ADDR]");
    echo $_SERVER['REMOTE_ADDR'];
    die;
}

$sg_id=intval($_GET['sg_id']);
$hash=$_GET['hash'];
$hash2='';
if (strlen($hash)>32)
{
    $hash2=substr($hash,32);
    $hash=substr($hash,0,32);
}
$file=trim(rtrim($_GET['file'],"/"));
$admin_rq_server_id=intval($_GET['admin_rq_server_id']);
$is_download=trim($_GET['download']);
$download_filename=trim($_GET['download_filename']);

// check link hash validity
$hash_check=md5($config['cv'].$file);
if ($hash_check<>$hash)
{
    debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI] Invalid link hash $hash for file $file");
    header("HTTP/1.0 404 Not found");die;
}

if ($sg_id==0)
{
    // request for source file on main server
    $target_file="$config[content_url_videos_sources]/$file";
    $target_file=substr($target_file,strpos($target_file,'/',8));
    if ($config['server_type']=='nginx')
    {
        $short_file_name=end(explode("/",$file));
        if ($download_filename<>'')
        {
            $short_file_name=$download_filename;
        }
        $file_ext=strtolower(end(explode(".",$file)));
        if ($file_ext=='jpg')
        {
            header("Content-type: image/jpeg");
            header("Content-Disposition: inline; filename=\"$short_file_name\"");
        } else {
            header("Content-type: application/octet-stream");
            header("Content-Disposition: attachment; filename=\"$short_file_name\"");
        }
        header("X-Accel-Redirect: $target_file");
    } else {
        header("Location: $config[project_url]{$target_file}");
    }
    die;
}

// check format validity
$formats_videos=@unserialize(@file_get_contents("admin/data/system/formats_videos.dat"));
preg_match("|\d+/(\d+)/\d+(.+)|is",$file,$temp);
$video_id=$temp[1];
$postfix=$temp[2];

foreach($formats_videos as $format)
{
    if ($postfix==$format['postfix'])
    {
        $current_format=$format;
        break;
    }
}
if (!isset($current_format))
{
    debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  No video format is available for file $file");
    header("HTTP/1.0 404 Not found");
    echo "File format is not found";die;
}

$hotlink_info=@unserialize(@file_get_contents("admin/data/system/hotlink_info.dat"));

$disable_security_check=false;
if (isset($_REQUEST['dsc']))
{
    $disable_security_check_ttl=intval($_REQUEST['ttl']);
    if (md5("$config[cv]/$hash/$file/$disable_security_check_ttl")==$_REQUEST['dsc'])
    {
        if (abs($disable_security_check_ttl-time())<86400)
        {
            $disable_security_check=true;
        }
    }
}

if (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), 'google') !== false)
{
    $domain = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    if (substr($domain, -strlen('googlebot.com')) == 'googlebot.com' || substr($domain, -strlen('google.com')) == 'google.com')
    {
        debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Disabled protection for google bot: $_SERVER[HTTP_USER_AGENT], $domain");
        $disable_security_check = true;
    } else {
        debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Failed to disable protection for google bot: $_SERVER[HTTP_USER_AGENT], $domain");
    }
}

$white_ips=$hotlink_info['ANTI_HOTLINK_WHITE_IPS'];
if ($white_ips!='')
{
    $white_ips=array_map('trim',explode(',',$white_ips));
    if (in_array($_SERVER['REMOTE_ADDR'],$white_ips))
    {
        debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Disabled protection for whitelisted IP");
        $disable_security_check = true;
    }
}

// if antihotlink is enabled, check protection data
if ($hotlink_info['ENABLE_ANTI_HOTLINK']==1 && !$disable_security_check)
{
    if ($current_format['is_hotlink_protection_disabled']==0)
    {
        if (intval($hotlink_info['ANTI_HOTLINK_TYPE'])==1)
        {
            $allowed=0;
            $hash_check2=substr(md5($hash.$config['cv'].$_SERVER['REMOTE_ADDR']),0,10);
            if ($hash_check2==$hash2)
            {
                $allowed=1;
            }

            if ($allowed==0)
            {
                $hash_encoded=$hash;
                if ($hotlink_info['ANTI_HOTLINK_ENCODE_LINKS']==1)
                {
                    for ($i=0;$i<strlen($hash_encoded);$i++)
                    {
                        $new_pos=$i;
                        for ($j=$i;$j<strlen($config['ahv']);$j++)
                        {
                            $val=intval($config['ahv'][$j]);
                            $new_pos+=$val;
                        }
                        while ($new_pos>=strlen($hash_encoded))
                        {
                            $new_pos=$new_pos-strlen($hash_encoded);
                        }
                        $t=$hash_encoded[$i];
                        $hash_encoded[$i]=$hash_encoded[$new_pos];
                        $hash_encoded[$new_pos]=$t;
                    }
                    $hash_check2=substr(md5($hash_encoded.$config['cv'].$_SERVER['REMOTE_ADDR']),0,10);
                    if ($hash_check2==$hash2)
                    {
                        $allowed=1;
                    }
                }
                if ($allowed==0)
                {
                    $check_ips=array();
                    if (trim($_COOKIE['kt_ips'])!='')
                    {
                        $check_ips=explode(',', trim($_COOKIE['kt_ips']));
                    } elseif ($_SERVER['HTTP_COOKIES']!='')
                    {
                        $cookies=explode(';',$_SERVER['HTTP_COOKIES']);
                        foreach ($cookies as $cookie)
                        {
                            if (strpos(trim($cookie),'kt_ips=')===0)
                            {
                                $cookie=explode('=',$cookie,2);
                                $check_ips=explode(',',trim(urldecode($cookie[1])));
                                break;
                            }
                        }
                    }
                    if (is_array($check_ips))
                    {
                        foreach ($check_ips as $check_ip)
                        {
                            $check_ip=trim($check_ip);
                            $hash_check2=substr(md5($hash.$config['cv'].$check_ip),0,10);
                            if ($hash_check2==$hash2)
                            {
                                $allowed=1;
                                break;
                            }
                            $hash_check2=substr(md5($hash_encoded.$config['cv'].$check_ip),0,10);
                            if ($hash_check2==$hash2)
                            {
                                $allowed=1;
                            }
                        }
                    }
                }
                if ($allowed==0)
                {
                    session_start();
                    $check_ips=$_SESSION['lock_ips'];
                    if (is_array($check_ips))
                    {
                        foreach ($check_ips as $check_ip=>$v)
                        {
                            $hash_check2=substr(md5($hash.$config['cv'].$check_ip),0,10);
                            if ($hash_check2==$hash2)
                            {
                                $allowed=1;
                                break;
                            }
                            $hash_check2=substr(md5($hash_encoded.$config['cv'].$check_ip),0,10);
                            if ($hash_check2==$hash2)
                            {
                                $allowed=1;
                            }
                        }
                    }
                }
            }

            if ($allowed==0)
            {
                debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Access denied due to invalid IP: $_SERVER[REMOTE_ADDR]");
                if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0)
                {
                    header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE']));
                } else {
                    header("HTTP/1.0 403 Forbidden");
                    echo "Access denied (errno 3)";die;
                }
                die;
            }
        } else {
            if ($_SERVER['HTTP_REFERER']<>'')
            {
                $referer=str_replace("www.","",$_SERVER['HTTP_REFERER']);
                if (strpos($referer,str_replace("www.","",$config['project_url']))!==0)
                {
                    $ref_host=parse_url($referer,PHP_URL_HOST);
                    $host=parse_url(str_replace("www.","",$config['project_url']),PHP_URL_HOST);
                    if (strpos($ref_host,".$host")===false)
                    {
                        $allowed=0;
                        if ($hotlink_info['ANTI_HOTLINK_WHITE_DOMAINS']!='')
                        {
                            $white_domains=explode(',',$hotlink_info['ANTI_HOTLINK_WHITE_DOMAINS']);
                            foreach ($white_domains as $white_domain)
                            {
                                $host=trim(str_replace("http://","",str_replace("https://","",str_replace("www.","",$white_domain))));
                                if (strpos($ref_host,$host)!==false)
                                {
                                    $allowed=1;
                                    break;
                                }
                            }
                        }

                        if ($allowed==0)
                        {
                            debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Access denied due to invalid referer: $_SERVER[HTTP_REFERER]");
                            if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0)
                            {
                                header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE']));
                            } else {
                                header("HTTP/1.0 403 Forbidden");
                                echo "Access denied (errno 1)";die;
                            }
                            die;
                        }
                    }
                }
            }
        }
    }

    $range_start=0;
    if ($_SERVER['HTTP_RANGE']!='')
    {
        unset($ranges);
        if (preg_match('/^bytes=((\d*-\d*,? ?)+)$/',$_SERVER['HTTP_RANGE'],$ranges))
        {
            $ranges=explode('-',$ranges[1]);
            $range_start=intval($ranges[0]);
        }
    }

    if ($range_start==0 && intval($hotlink_info['ANTI_HOTLINK_ENABLE_IP_LIMIT'])==1)
    {
        // log ip data for ip protection
        file_put_contents("$config[project_path]/admin/data/stats/ip_data.dat", "$_SERVER[REMOTE_ADDR]|".time()."\r\n", FILE_APPEND | LOCK_EX);

        $bad_ips=@file("$config[project_path]/admin/data/stats/ip_blocked.dat");
        $bad_ips=array_map('trim',$bad_ips);

        if (in_array($_SERVER['REMOTE_ADDR'],$bad_ips))
        {
            debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Access denied due to blocked IP: $_SERVER[REMOTE_ADDR]");
            if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0)
            {
                header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE']));
            } else {
                header("HTTP/1.0 403 Forbidden");
                echo "Access denied (errno 4)";die;
            }
            die;
        }
    }
}

if ($current_format['access_level_id']>0 && !$disable_security_check)
{
    session_start();
    if ($_SESSION['userdata']['user_id']<1)
    {
        // check if user has access level for watching this video format
        if ($current_format['access_level_id']==1 && $_SESSION['user_id']<1)
        {
            debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Access denied due to member-protected file access");
            header("HTTP/1.0 403 Forbidden");
            echo "Access denied / Only active members can access this video file";die;
        } elseif ($current_format['access_level_id']==2 && $_SESSION['status_id']!=3)
        {
            $has_premium_access_as_owner=false;
            if (isset($_REQUEST['ov']) && md5($config['cv'].$_SESSION['user_id'])==$_REQUEST['ov'])
            {
                $has_premium_access_as_owner=true;
            }

            $has_premium_access_by_tokens=false;
            if ($_SESSION['status_id']==2)
            {
                foreach ($_SESSION['content_purchased'] as $purchase)
                {
                    if ($purchase['video_id']==$video_id)
                    {
                        $has_premium_access_by_tokens=true;
                        break;
                    }
                }
            }
            if (!$has_premium_access_by_tokens && !$has_premium_access_as_owner)
            {
                debug_get_file("$_SERVER[REMOTE_ADDR]  $_SERVER[REQUEST_URI]  Access denied due to premium-protected file access");
                header("HTTP/1.0 403 Forbidden");
                echo "Access denied / Only Premium members can access this video file";die;
            }
        }
    }
}

if ($_SERVER['REQUEST_METHOD']!='HEAD')
{
    $stats_settings=@unserialize(@file_get_contents("admin/data/system/stats_params.dat"));
    if (intval($stats_settings['collect_videos_stats_video_files'])==1 || intval($stats_settings['collect_memberzone_stats_video_files'])==1)
    {
        $user_id=0;
        if (intval($stats_settings['collect_memberzone_stats_video_files'])==1)
        {
            if (!session_id()) {session_start();}
            $user_id=intval($_SESSION['user_id']);
        }

        $fh=fopen("$config[project_path]/admin/data/stats/video_files.dat","a+");
        flock($fh,LOCK_EX);
        fwrite($fh,"$video_id||".date("Y-m-d H:i:s")."||$postfix||$user_id||".intval($_REQUEST['start_sec'])."\r\n");
        fclose($fh);
    }
}

$data=unserialize(file_get_contents("admin/data/system/cluster.dat"));
$countries=array();

// filter out servers from other groups and countries
$data_user_country=array();
$sum_weight_country=0;
$data_other=array();
$sum_weight_other=0;
$data_default=array();

foreach ($data as $server)
{
    if ($admin_rq_server_id==$server['server_id'])
    {
        $server_admin_rq=$server;
    } elseif ($server['status_id']==1 && intval($server['group_id'])==$sg_id)
    {
        $countries=explode(',',$server['lb_countries']);
        if (strlen($server['lb_countries'])>0 && @count($countries)>0)
        {
            foreach ($countries as $country)
            {
                if (strtolower(trim($country))==strtolower($_SERVER['GEOIP_COUNTRY_CODE']))
                {
                    $data_user_country[]=$server;
                    $sum_weight_country+=$server['lb_weight'];
                }
            }
        } else {
            $data_other[]=$server;
            $sum_weight_other+=$server['lb_weight'];
        }
        $data_default[]=$server;
    }
}

unset($target_file);
unset($target_server);
unset($is_remote);
unset($control_script);
unset($control_script_lock_ip);

// determine which server should be used for returning video
if (isset($server_admin_rq))
{
    $target_file="$server_admin_rq[urls]/$file";
    $target_server=$server_admin_rq['urls'];
    $is_remote=intval($server_admin_rq['is_remote']);
    $control_script=$server_admin_rq['control_script_url'];
    $control_script_lock_ip=intval($server_admin_rq['control_script_url_lock_ip']);
    $time_offset=$server_admin_rq['time_offset'];
    $streaming_type_id=$server_admin_rq['streaming_type_id'];
    $streaming_api_script=$server_admin_rq['streaming_script'];
    $streaming_api_name=str_replace(".php","",$streaming_api_script);
    $streaming_key=$server_admin_rq['streaming_key'];
    $streaming_param=$server_admin_rq['streaming_param'];
    $is_replace_domain_on_satellite=intval($server_admin_rq['is_replace_domain_on_satellite']);
} else
{
    if (@count($data_user_country)>0)
    {
        $data_lb=$data_user_country;
        $sum_weight=$sum_weight_country;
    } else {
        $data_lb=$data_other;
        $sum_weight=$sum_weight_other;
    }

    if (@count($data_lb)==1)
    {
        $result_server=$data_lb[0];
    } else {
        $time=time();
        $time=$time-($time%300);
        srand($time+$video_id);
        $lb_value=rand(1,$sum_weight);
        $cur_value=0;
        foreach ($data_lb as $server)
        {
            if ($lb_value<=$cur_value+$server['lb_weight'])
            {
                $result_server=$server;
                break;
            }
            $cur_value+=$server['lb_weight'];
        }
        if (!isset($result_server))
        {
            $result_server=$data_default[0];
        }
    }
    $target_file="$result_server[urls]/$file";
    $target_server=$result_server['urls'];
    $is_remote=intval($result_server['is_remote']);
    $control_script=$result_server['control_script_url'];
    $control_script_lock_ip=intval($result_server['control_script_url_lock_ip']);
    $time_offset=$result_server['time_offset'];
    $streaming_type_id=$result_server['streaming_type_id'];
    $streaming_api_script=$result_server['streaming_script'];
    $streaming_api_name=str_replace(".php","",$streaming_api_script);
    $streaming_key=$result_server['streaming_key'];
    $streaming_param=$result_server['streaming_param'];
    $is_replace_domain_on_satellite=intval($result_server['is_replace_domain_on_satellite']);
}

if ($is_replace_domain_on_satellite==1)
{
    if ($config['is_clone_db']=="true" && $config['satellite_for']!='')
    {
        $target_file=str_replace($config['satellite_for'],$config['project_licence_domain'],$target_file);
        $control_script=str_replace($config['satellite_for'],$config['project_licence_domain'],$control_script);
    }
    if ($config['mirror_for']!='')
    {
        $target_file=str_replace($config['mirror_for'],$config['project_licence_domain'],$target_file);
        $control_script=str_replace($config['mirror_for'],$config['project_licence_domain'],$control_script);
    }
}

if (floatval($_REQUEST['start'])>0)
{
    $start_param_name='start';
    if ($streaming_param<>'')
    {
        $start_param_name=$streaming_param;
    }
    $start_str="?$start_param_name=".floatval($_REQUEST['start']);
    $start_str_append="&$start_param_name=".floatval($_REQUEST['start']);
    $start_str_empty="$start_param_name=".floatval($_REQUEST['start']);
}

$limit=0;
if (intval($current_format['limit_speed_option'])+intval($current_format['limit_speed_guests_option'])+intval($current_format['limit_speed_standard_option'])+intval($current_format['limit_speed_premium_option'])+intval($current_format['limit_speed_embed_option'])>0)
{
    $limit_option=intval($current_format['limit_speed_option']);
    $limit_value=floatval($current_format['limit_speed_value']);
    if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_guests_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_guests_value'],1))
    {
        if (!session_id()) {session_start();}
        if (intval($_SESSION['user_id'])==0)
        {
            $limit_option=intval($current_format['limit_speed_guests_option']);
            $limit_value=floatval($current_format['limit_speed_guests_value']);
        }
    }
    if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_standard_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_standard_value'],1))
    {
        if (!session_id()) {session_start();}
        if (intval($_SESSION['user_id'])>0 && intval($_SESSION['status_id'])!=3)
        {
            $limit_option=intval($current_format['limit_speed_standard_option']);
            $limit_value=floatval($current_format['limit_speed_standard_value']);
        }
    }
    if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_premium_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_premium_value'],1))
    {
        if (!session_id()) {session_start();}
        if (intval($_SESSION['user_id'])>0 && intval($_SESSION['status_id'])==3)
        {
            $limit_option=intval($current_format['limit_speed_premium_option']);
            $limit_value=floatval($current_format['limit_speed_premium_value']);
        }
    }
    if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_embed_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_embed_value'],1))
    {
        if ($_REQUEST['embed']=='true')
        {
            $limit_option=intval($current_format['limit_speed_embed_option']);
            $limit_value=floatval($current_format['limit_speed_embed_value']);
        }
    }
    if ($limit_option==1)
    {
        $limit=intval($limit_value);
    } elseif ($limit_option==2 && intval($_REQUEST['br'])>0)
    {
        $limit=intval($limit_value*intval($_REQUEST['br']));
    }
}

if ($current_format['limit_speed_countries']!='')
{
    $countries=explode(',',$current_format['limit_speed_countries']);
    if (count($countries)>0)
    {
        $is_country_in_limit=false;
        foreach ($countries as $country)
        {
            if (strtolower(trim($country))==strtolower($_SERVER['GEOIP_COUNTRY_CODE']))
            {
                $is_country_in_limit=true;
                break;
            }
        }
        if (!$is_country_in_limit)
        {
            $limit=0;
        }
    }
}

if ($disable_security_check)
{
    $limit=0;
}

if ($streaming_type_id==0)
{
    $limit=intval($limit/8*1000);
    if ($is_remote==1)
    {
        $temp=explode("/",substr($target_server,8),2);
        $target_server=$temp[1];
        $target_server=trim($target_server,"/");
        if ($target_server<>'')
        {
            $file="/$target_server/$file";
        } else {
            $file="/$file";
        }
        $time=time();
        if (floatval($time_offset)<>0)
        {
            $time+=floatval($time_offset)*3600;
        }
        $download_str_append='';
        if ($is_download=='true')
        {
            $download_str_append.='&download=true';
        }
        if ($download_filename<>'')
        {
            $download_str_append.="&download_filename=$download_filename";
        }
        $ref_host=str_replace("www.","",$_SERVER['HTTP_HOST']);

        if ($control_script_lock_ip==1)
        {
            $file_info=array(
                'time'=>$time,
                'limit'=>$limit,
                'file'=>$file,
                'cv'=>md5($time.$limit.$file.$_SERVER['REMOTE_ADDR'].$config['cv']),
            );
            header("Location: $control_script?file=B64".rawurlencode(base64_encode(serialize($file_info))).$start_str_append.$download_str_append);
        } else
        {
            header("Location: $control_script?time=".$time."&cv=".md5($time.$config['cv'])."&lr=".$limit."&cv2=".md5($time.$limit.$config['cv'])."&file=".rawurlencode($file).$start_str_append.$download_str_append."&cv3=".md5($ref_host.$config['cv'])."&cv4=".md5($file.$config['cv']));
        }
    } else {
        $target_file=substr($target_file,strpos($target_file,'/',8));
        $short_file_name=basename($target_file);
        if ($download_filename<>'')
        {
            $short_file_name=$download_filename;
        }
        if (strpos($postfix,".flv")!==false)
        {
            header("Content-Type: video/x-flv");
        } elseif (strpos($postfix,".mp4")!==false)
        {
            header("Content-Type: video/mp4");
        } elseif (strpos($postfix,".webm")!==false)
        {
            header("Content-Type: video/webm");
        } else {
            header("Content-Type: application/octet-stream");
        }
        if (intval($limit)>0)
        {
            header("X-Accel-Limit-Rate: $limit");
        }
        if ($is_download=='true')
        {
            header("Content-Disposition: attachment; filename=\"$short_file_name\"");
        } else {
            header("Content-Disposition: inline; filename=\"$short_file_name\"");
        }
        header("X-Accel-Redirect: $target_file{$start_str}");
    }
} elseif ($streaming_type_id==4)
{
    if (is_file("$config[project_path]/admin/cdn/$streaming_api_script"))
    {
        include_once("$config[project_path]/admin/cdn/$streaming_api_script");
        $get_video_function="{$streaming_api_name}_get_video";
        if (function_exists($get_video_function))
        {
            $target_url=$target_file;
            $target_file=substr($target_file,strpos($target_file,'/',8));
            $video_url=$get_video_function($target_file,$target_url,$start_str_empty,$limit,$streaming_key);
            if ($video_url)
            {
                header("Location: $video_url");die;
            } else {
                header("Location: $target_url{$start_str}");die;
            }
        }
    }
    header("Location: $target_file{$start_str}");
} else {
    header("Location: $target_file{$start_str}");
}

function debug_get_file($message)
{
    global $config;

    if ($config['enable_debug_get_file']=='true')
    {
        $fp=fopen("$config[project_path]/admin/logs/get_file.txt","a+");
        flock($fp,LOCK_EX);
        if ($message=='')
        {
            fwrite($fp,"\n");
        } else {
            fwrite($fp,date("[Y-m-d H:i:s] ").$message."\n");
        }
        fclose($fp);
    }
}
?>

2021-04-15 19:41

thanks for that code snippet!

I think the way that gives us the most direct access is to get that

PHP Code:
$config['cv'] 

unfortunately. To accomplish this, I suggest someone who has good experience with a GPU accelerated md5 cracker like hashcat writes a list of masks that everyone interested in participating can throw a few of them on their system. Whoever finds the correct value PMs it to user001 who uses that to redo the bot.

Maybe I find the time on the weekend to put out a few masks, but if someone has more experience and does that more quickly it would be great. Since we know a large part of the preimage, we can probably utilize research on effective collision attacks. If someone has experience in this, please help!

St8nk · 2021-04-15 20:09

(2021-04-15 19:41)Guest Wrote: thanks for that code snippet!

I think the way that gives us the most direct access is to get that
PHP Code:
$config['cv']
unfortunately. To accomplish this, I suggest someone who has good experience with a GPU accelerated md5 cracker like hashcat writes a list of masks that everyone interested in participating can throw a few of them on their system. Whoever finds the correct value PMs it to user001 who uses that to redo the bot.

Maybe I find the time on the weekend to put out a few masks, but if someone has more experience and does that more quickly it would be great. Since we know a large part of the preimage, we can probably utilize research on effective collision attacks. If someone has experience in this, please help!

Sheldon Cooper, is that you! Tongue

I'm totally kidding. Keep up the hard work. ??

2021-04-15 22:13

Guys this discussion needs to be in a closed forum or it's pointless.

Even CWTV can see it and stay one step ahead.

camgirlfinder · 2021-04-17 0:17

(2021-04-15 17:33)user001 Wrote:
Spoiler

PHP Code:
<?php /* Developed by Kernel Team. http://kernel-team.com */ include_once('admin/include/setup.php'); if ($_GET['action']=='check_ip') { header("KVS-IP: $_SERVER[REMOTE_ADDR]"); echo $_SERVER['REMOTE_ADDR']; die; } $sg_id=intval($_GET['sg_id']); $hash=$_GET['hash']; $hash2=''; if (strlen($hash)>32) { $hash2=substr($hash,32); $hash=substr($hash,0,32); } $file=trim(rtrim($_GET['file'],"/")); $admin_rq_server_id=intval($_GET['admin_rq_server_id']); $is_download=trim($_GET['download']); $download_filename=trim($_GET['download_filename']); // check link hash validity $hash_check=md5($config['cv'].$file); if ($hash_check<>$hash) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Invalid link hash $hash for file $file"); header("HTTP/1.0 404 Not found");die; } if ($sg_id==0) { // request for source file on main server $target_file="$config[content_url_videos_sources]/$file"; $target_file=substr($target_file,strpos($target_file,'/',8)); if ($config['server_type']=='nginx') { $short_file_name=end(explode("/",$file)); if ($download_filename<>'') { $short_file_name=$download_filename; } $file_ext=strtolower(end(explode(".",$file))); if ($file_ext=='jpg') { header("Content-type: image/jpeg"); header("Content-Disposition: inline; filename=\"$short_file_name\""); } else { header("Content-type: application/octet-stream"); header("Content-Disposition: attachment; filename=\"$short_file_name\""); } header("X-Accel-Redirect: $target_file"); } else { header("Location: $config[project_url]{$target_file}"); } die; } // check format validity $formats_videos=@unserialize(@file_get_contents("admin/data/system/formats_videos.dat")); preg_match("|\d+/(\d+)/\d+(.+)|is",$file,$temp); $video_id=$temp[1]; $postfix=$temp[2]; foreach($formats_videos as $format) { if ($postfix==$format['postfix']) { $current_format=$format; break; } } if (!isset($current_format)) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] No video format is available for file $file"); header("HTTP/1.0 404 Not found"); echo "File format is not found";die; } $hotlink_info=@unserialize(@file_get_contents("admin/data/system/hotlink_info.dat")); $disable_security_check=false; if (isset($_REQUEST['dsc'])) { $disable_security_check_ttl=intval($_REQUEST['ttl']); if (md5("$config[cv]/$hash/$file/$disable_security_check_ttl")==$_REQUEST['dsc']) { if (abs($disable_security_check_ttl-time())<86400) { $disable_security_check=true; } } } if (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), 'google') !== false) { $domain = gethostbyaddr($_SERVER['REMOTE_ADDR']); if (substr($domain, -strlen('googlebot.com')) == 'googlebot.com' || substr($domain, -strlen('google.com')) == 'google.com') { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Disabled protection for google bot: $_SERVER[HTTP_USER_AGENT], $domain"); $disable_security_check = true; } else { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Failed to disable protection for google bot: $_SERVER[HTTP_USER_AGENT], $domain"); } } $white_ips=$hotlink_info['ANTI_HOTLINK_WHITE_IPS']; if ($white_ips!='') { $white_ips=array_map('trim',explode(',',$white_ips)); if (in_array($_SERVER['REMOTE_ADDR'],$white_ips)) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Disabled protection for whitelisted IP"); $disable_security_check = true; } } // if antihotlink is enabled, check protection data if ($hotlink_info['ENABLE_ANTI_HOTLINK']==1 && !$disable_security_check) { if ($current_format['is_hotlink_protection_disabled']==0) { if (intval($hotlink_info['ANTI_HOTLINK_TYPE'])==1) { $allowed=0; $hash_check2=substr(md5($hash.$config['cv'].$_SERVER['REMOTE_ADDR']),0,10); if ($hash_check2==$hash2) { $allowed=1; } if ($allowed==0) { $hash_encoded=$hash; if ($hotlink_info['ANTI_HOTLINK_ENCODE_LINKS']==1) { for ($i=0;$i<strlen($hash_encoded);$i++) { $new_pos=$i; for ($j=$i;$j<strlen($config['ahv']);$j++) { $val=intval($config['ahv'][$j]); $new_pos+=$val; } while ($new_pos>=strlen($hash_encoded)) { $new_pos=$new_pos-strlen($hash_encoded); } $t=$hash_encoded[$i]; $hash_encoded[$i]=$hash_encoded[$new_pos]; $hash_encoded[$new_pos]=$t; } $hash_check2=substr(md5($hash_encoded.$config['cv'].$_SERVER['REMOTE_ADDR']),0,10); if ($hash_check2==$hash2) { $allowed=1; } } if ($allowed==0) { $check_ips=array(); if (trim($_COOKIE['kt_ips'])!='') { $check_ips=explode(',', trim($_COOKIE['kt_ips'])); } elseif ($_SERVER['HTTP_COOKIES']!='') { $cookies=explode(';',$_SERVER['HTTP_COOKIES']); foreach ($cookies as $cookie) { if (strpos(trim($cookie),'kt_ips=')===0) { $cookie=explode('=',$cookie,2); $check_ips=explode(',',trim(urldecode($cookie[1]))); break; } } } if (is_array($check_ips)) { foreach ($check_ips as $check_ip) { $check_ip=trim($check_ip); $hash_check2=substr(md5($hash.$config['cv'].$check_ip),0,10); if ($hash_check2==$hash2) { $allowed=1; break; } $hash_check2=substr(md5($hash_encoded.$config['cv'].$check_ip),0,10); if ($hash_check2==$hash2) { $allowed=1; } } } } if ($allowed==0) { session_start(); $check_ips=$_SESSION['lock_ips']; if (is_array($check_ips)) { foreach ($check_ips as $check_ip=>$v) { $hash_check2=substr(md5($hash.$config['cv'].$check_ip),0,10); if ($hash_check2==$hash2) { $allowed=1; break; } $hash_check2=substr(md5($hash_encoded.$config['cv'].$check_ip),0,10); if ($hash_check2==$hash2) { $allowed=1; } } } } } if ($allowed==0) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Access denied due to invalid IP: $_SERVER[REMOTE_ADDR]"); if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0) { header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE'])); } else { header("HTTP/1.0 403 Forbidden"); echo "Access denied (errno 3)";die; } die; } } else { if ($_SERVER['HTTP_REFERER']<>'') { $referer=str_replace("www.","",$_SERVER['HTTP_REFERER']); if (strpos($referer,str_replace("www.","",$config['project_url']))!==0) { $ref_host=parse_url($referer,PHP_URL_HOST); $host=parse_url(str_replace("www.","",$config['project_url']),PHP_URL_HOST); if (strpos($ref_host,".$host")===false) { $allowed=0; if ($hotlink_info['ANTI_HOTLINK_WHITE_DOMAINS']!='') { $white_domains=explode(',',$hotlink_info['ANTI_HOTLINK_WHITE_DOMAINS']); foreach ($white_domains as $white_domain) { $host=trim(str_replace("http://","",str_replace("https://","",str_replace("www.","",$white_domain)))); if (strpos($ref_host,$host)!==false) { $allowed=1; break; } } } if ($allowed==0) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Access denied due to invalid referer: $_SERVER[HTTP_REFERER]"); if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0) { header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE'])); } else { header("HTTP/1.0 403 Forbidden"); echo "Access denied (errno 1)";die; } die; } } } } } } $range_start=0; if ($_SERVER['HTTP_RANGE']!='') { unset($ranges); if (preg_match('/^bytes=((\d*-\d*,? ?)+)$/',$_SERVER['HTTP_RANGE'],$ranges)) { $ranges=explode('-',$ranges[1]); $range_start=intval($ranges[0]); } } if ($range_start==0 && intval($hotlink_info['ANTI_HOTLINK_ENABLE_IP_LIMIT'])==1) { // log ip data for ip protection file_put_contents("$config[project_path]/admin/data/stats/ip_data.dat", "$_SERVER[REMOTE_ADDR]|".time()."\r\n", FILE_APPEND | LOCK_EX); $bad_ips=@file("$config[project_path]/admin/data/stats/ip_blocked.dat"); $bad_ips=array_map('trim',$bad_ips); if (in_array($_SERVER['REMOTE_ADDR'],$bad_ips)) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Access denied due to blocked IP: $_SERVER[REMOTE_ADDR]"); if (trim($hotlink_info['ANTI_HOTLINK_FILE'])<>'' && $admin_rq_server_id==0) { header("Location: ".trim($hotlink_info['ANTI_HOTLINK_FILE'])); } else { header("HTTP/1.0 403 Forbidden"); echo "Access denied (errno 4)";die; } die; } } } if ($current_format['access_level_id']>0 && !$disable_security_check) { session_start(); if ($_SESSION['userdata']['user_id']<1) { // check if user has access level for watching this video format if ($current_format['access_level_id']==1 && $_SESSION['user_id']<1) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Access denied due to member-protected file access"); header("HTTP/1.0 403 Forbidden"); echo "Access denied / Only active members can access this video file";die; } elseif ($current_format['access_level_id']==2 && $_SESSION['status_id']!=3) { $has_premium_access_as_owner=false; if (isset($_REQUEST['ov']) && md5($config['cv'].$_SESSION['user_id'])==$_REQUEST['ov']) { $has_premium_access_as_owner=true; } $has_premium_access_by_tokens=false; if ($_SESSION['status_id']==2) { foreach ($_SESSION['content_purchased'] as $purchase) { if ($purchase['video_id']==$video_id) { $has_premium_access_by_tokens=true; break; } } } if (!$has_premium_access_by_tokens && !$has_premium_access_as_owner) { debug_get_file("$_SERVER[REMOTE_ADDR] $_SERVER[REQUEST_URI] Access denied due to premium-protected file access"); header("HTTP/1.0 403 Forbidden"); echo "Access denied / Only Premium members can access this video file";die; } } } } if ($_SERVER['REQUEST_METHOD']!='HEAD') { $stats_settings=@unserialize(@file_get_contents("admin/data/system/stats_params.dat")); if (intval($stats_settings['collect_videos_stats_video_files'])==1 || intval($stats_settings['collect_memberzone_stats_video_files'])==1) { $user_id=0; if (intval($stats_settings['collect_memberzone_stats_video_files'])==1) { if (!session_id()) {session_start();} $user_id=intval($_SESSION['user_id']); } $fh=fopen("$config[project_path]/admin/data/stats/video_files.dat","a+"); flock($fh,LOCK_EX); fwrite($fh,"$video_id||".date("Y-m-d H:i:s")."||$postfix||$user_id||".intval($_REQUEST['start_sec'])."\r\n"); fclose($fh); } } $data=unserialize(file_get_contents("admin/data/system/cluster.dat")); $countries=array(); // filter out servers from other groups and countries $data_user_country=array(); $sum_weight_country=0; $data_other=array(); $sum_weight_other=0; $data_default=array(); foreach ($data as $server) { if ($admin_rq_server_id==$server['server_id']) { $server_admin_rq=$server; } elseif ($server['status_id']==1 && intval($server['group_id'])==$sg_id) { $countries=explode(',',$server['lb_countries']); if (strlen($server['lb_countries'])>0 && @count($countries)>0) { foreach ($countries as $country) { if (strtolower(trim($country))==strtolower($_SERVER['GEOIP_COUNTRY_CODE'])) { $data_user_country[]=$server; $sum_weight_country+=$server['lb_weight']; } } } else { $data_other[]=$server; $sum_weight_other+=$server['lb_weight']; } $data_default[]=$server; } } unset($target_file); unset($target_server); unset($is_remote); unset($control_script); unset($control_script_lock_ip); // determine which server should be used for returning video if (isset($server_admin_rq)) { $target_file="$server_admin_rq[urls]/$file"; $target_server=$server_admin_rq['urls']; $is_remote=intval($server_admin_rq['is_remote']); $control_script=$server_admin_rq['control_script_url']; $control_script_lock_ip=intval($server_admin_rq['control_script_url_lock_ip']); $time_offset=$server_admin_rq['time_offset']; $streaming_type_id=$server_admin_rq['streaming_type_id']; $streaming_api_script=$server_admin_rq['streaming_script']; $streaming_api_name=str_replace(".php","",$streaming_api_script); $streaming_key=$server_admin_rq['streaming_key']; $streaming_param=$server_admin_rq['streaming_param']; $is_replace_domain_on_satellite=intval($server_admin_rq['is_replace_domain_on_satellite']); } else { if (@count($data_user_country)>0) { $data_lb=$data_user_country; $sum_weight=$sum_weight_country; } else { $data_lb=$data_other; $sum_weight=$sum_weight_other; } if (@count($data_lb)==1) { $result_server=$data_lb[0]; } else { $time=time(); $time=$time-($time%300); srand($time+$video_id); $lb_value=rand(1,$sum_weight); $cur_value=0; foreach ($data_lb as $server) { if ($lb_value<=$cur_value+$server['lb_weight']) { $result_server=$server; break; } $cur_value+=$server['lb_weight']; } if (!isset($result_server)) { $result_server=$data_default[0]; } } $target_file="$result_server[urls]/$file"; $target_server=$result_server['urls']; $is_remote=intval($result_server['is_remote']); $control_script=$result_server['control_script_url']; $control_script_lock_ip=intval($result_server['control_script_url_lock_ip']); $time_offset=$result_server['time_offset']; $streaming_type_id=$result_server['streaming_type_id']; $streaming_api_script=$result_server['streaming_script']; $streaming_api_name=str_replace(".php","",$streaming_api_script); $streaming_key=$result_server['streaming_key']; $streaming_param=$result_server['streaming_param']; $is_replace_domain_on_satellite=intval($result_server['is_replace_domain_on_satellite']); } if ($is_replace_domain_on_satellite==1) { if ($config['is_clone_db']=="true" && $config['satellite_for']!='') { $target_file=str_replace($config['satellite_for'],$config['project_licence_domain'],$target_file); $control_script=str_replace($config['satellite_for'],$config['project_licence_domain'],$control_script); } if ($config['mirror_for']!='') { $target_file=str_replace($config['mirror_for'],$config['project_licence_domain'],$target_file); $control_script=str_replace($config['mirror_for'],$config['project_licence_domain'],$control_script); } } if (floatval($_REQUEST['start'])>0) { $start_param_name='start'; if ($streaming_param<>'') { $start_param_name=$streaming_param; } $start_str="?$start_param_name=".floatval($_REQUEST['start']); $start_str_append="&$start_param_name=".floatval($_REQUEST['start']); $start_str_empty="$start_param_name=".floatval($_REQUEST['start']); } $limit=0; if (intval($current_format['limit_speed_option'])+intval($current_format['limit_speed_guests_option'])+intval($current_format['limit_speed_standard_option'])+intval($current_format['limit_speed_premium_option'])+intval($current_format['limit_speed_embed_option'])>0) { $limit_option=intval($current_format['limit_speed_option']); $limit_value=floatval($current_format['limit_speed_value']); if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_guests_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_guests_value'],1)) { if (!session_id()) {session_start();} if (intval($_SESSION['user_id'])==0) { $limit_option=intval($current_format['limit_speed_guests_option']); $limit_value=floatval($current_format['limit_speed_guests_value']); } } if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_standard_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_standard_value'],1)) { if (!session_id()) {session_start();} if (intval($_SESSION['user_id'])>0 && intval($_SESSION['status_id'])!=3) { $limit_option=intval($current_format['limit_speed_standard_option']); $limit_value=floatval($current_format['limit_speed_standard_value']); } } if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_premium_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_premium_value'],1)) { if (!session_id()) {session_start();} if (intval($_SESSION['user_id'])>0 && intval($_SESSION['status_id'])==3) { $limit_option=intval($current_format['limit_speed_premium_option']); $limit_value=floatval($current_format['limit_speed_premium_value']); } } if (intval($current_format['limit_speed_option'])!=intval($current_format['limit_speed_embed_option']) || number_format($current_format['limit_speed_value'],1)!=number_format($current_format['limit_speed_embed_value'],1)) { if ($_REQUEST['embed']=='true') { $limit_option=intval($current_format['limit_speed_embed_option']); $limit_value=floatval($current_format['limit_speed_embed_value']); } } if ($limit_option==1) { $limit=intval($limit_value); } elseif ($limit_option==2 && intval($_REQUEST['br'])>0) { $limit=intval($limit_value*intval($_REQUEST['br'])); } } if ($current_format['limit_speed_countries']!='') { $countries=explode(',',$current_format['limit_speed_countries']); if (count($countries)>0) { $is_country_in_limit=false; foreach ($countries as $country) { if (strtolower(trim($country))==strtolower($_SERVER['GEOIP_COUNTRY_CODE'])) { $is_country_in_limit=true; break; } } if (!$is_country_in_limit) { $limit=0; } } } if ($disable_security_check) { $limit=0; } if ($streaming_type_id==0) { $limit=intval($limit/8*1000); if ($is_remote==1) { $temp=explode("/",substr($target_server,8),2); $target_server=$temp[1]; $target_server=trim($target_server,"/"); if ($target_server<>'') { $file="/$target_server/$file"; } else { $file="/$file"; } $time=time(); if (floatval($time_offset)<>0) { $time+=floatval($time_offset)*3600; } $download_str_append=''; if ($is_download=='true') { $download_str_append.='&download=true'; } if ($download_filename<>'') { $download_str_append.="&download_filename=$download_filename"; } $ref_host=str_replace("www.","",$_SERVER['HTTP_HOST']); if ($control_script_lock_ip==1) { $file_info=array( 'time'=>$time, 'limit'=>$limit, 'file'=>$file, 'cv'=>md5($time.$limit.$file.$_SERVER['REMOTE_ADDR'].$config['cv']), ); header("Location: $control_script?file=B64".rawurlencode(base64_encode(serialize($file_info))).$start_str_append.$download_str_append); } else { header("Location: $control_script?time=".$time."&cv=".md5($time.$config['cv'])."&lr=".$limit."&cv2=".md5($time.$limit.$config['cv'])."&file=".rawurlencode($file).$start_str_append.$download_str_append."&cv3=".md5($ref_host.$config['cv'])."&cv4=".md5($file.$config['cv'])); } } else { $target_file=substr($target_file,strpos($target_file,'/',8)); $short_file_name=basename($target_file); if ($download_filename<>'') { $short_file_name=$download_filename; } if (strpos($postfix,".flv")!==false) { header("Content-Type: video/x-flv"); } elseif (strpos($postfix,".mp4")!==false) { header("Content-Type: video/mp4"); } elseif (strpos($postfix,".webm")!==false) { header("Content-Type: video/webm"); } else { header("Content-Type: application/octet-stream"); } if (intval($limit)>0) { header("X-Accel-Limit-Rate: $limit"); } if ($is_download=='true') { header("Content-Disposition: attachment; filename=\"$short_file_name\""); } else { header("Content-Disposition: inline; filename=\"$short_file_name\""); } header("X-Accel-Redirect: $target_file{$start_str}"); } } elseif ($streaming_type_id==4) { if (is_file("$config[project_path]/admin/cdn/$streaming_api_script")) { include_once("$config[project_path]/admin/cdn/$streaming_api_script"); $get_video_function="{$streaming_api_name}_get_video"; if (function_exists($get_video_function)) { $target_url=$target_file; $target_file=substr($target_file,strpos($target_file,'/',8)); $video_url=$get_video_function($target_file,$target_url,$start_str_empty,$limit,$streaming_key); if ($video_url) { header("Location: $video_url");die; } else { header("Location: $target_url{$start_str}");die; } } } header("Location: $target_file{$start_str}"); } else { header("Location: $target_file{$start_str}"); } function debug_get_file($message) { global $config; if ($config['enable_debug_get_file']=='true') { $fp=fopen("$config[project_path]/admin/logs/get_file.txt","a+"); flock($fp,LOCK_EX); if ($message=='') { fwrite($fp,"\n"); } else { fwrite($fp,date("[Y-m-d H:i:s] ").$message."\n"); } fclose($fp); } } ?>

Where did you get this from? And where (if at all) does it run on camwhores.tv? Because the premium/members only check in this can probably be circumvented by pretending to be a google bot.
In functionality it looks similar to the get_file urls like "https://www.camwhores.tv/get_file/98/4944617cff690f10c9525b10adb2dd23fd1217f82b/6539000/6539430/6539430.mp4". But the format does not match the php file, it does not use GET parameters.

Another hurdle would be to get a valid md5($config['cv'].$file) hash for private videos. It looks like this is not included in the page html of private videos. But once we got it, it will not change because no ip address or timestamp is included. Maybe there is some other api endpoint which can provide this.

2021-04-17 0:41

(2021-04-14 23:53)Guest Wrote:
(2021-04-14 23:17)Guest Wrote: you guys are dumb as fuck. good luck bruteforcing md5

Guest idiot still living in a past where md5 was "safe". Seriously go back to computing school you ASP programmer pussy, it's because of assholes like you that so much websites and apps have zero day exploits out of the box...

This has nothing to do with the past or passwords. That applies to rainbow tables for bruteforcing passwords and collision attacks. but in this case it's GUESSING or bruteforcing a completely randomized MD5 hash. GOOD LUCK BUDDY

CW reverse engineering - HELP!

Index