Lizardstresser.su User Enumeration

Background

LizardSquad, the “hacker” group that recently DDoSed Microsoft’s and Playstation’s gaming networks, released a DDoS tool/service that can be found on www.lizardstresser.su.

LizardStresser is simply another booter, a tool that anyone (mostly script-kiddies) can pay to DDoS a target. Like every other booter, LizardStresser is accessible through a webpage (www.lizardstresser.su) where users can signup and pay for booter access.

Lizard Stresser purchase page

Not surprisingly, LizardStresser is extremely poorly written, which led to me to find a user enumeration vulnerability in a few minutes.

Dumping Usernames and UIDs

Through lizardstresser.su’s ticket system, users can request customer support from admins.

After a ticket is created, a user can send messages through the ticket.

Ticket message thread

When the “Send” button is pressed, an XHR request is sent to “http://lizardstresser.su/ajax/addticketreply.php” with the parameters “content”, “tid”, and “uid”. The content refers to the message, tid is the ticket id, and uid is (you guessed it) the sender’s user id.

So what happens when we resend the request with a different UID?

Changing the UID

With an easy Python script, we can now fully enumerate all users:

And we get something like:

User enumeration preview

For a list of UID’s and usernames, visit the following link:
https://www.ericzhang.me/dl/?file=lizardstresser-user-dump.txt

Conclusions

Not surprisingly, I don’t recommend ever paying for LizardStresser (or any booter service). While user enumeration isn’t as interesting as a full database dump, I wouldn’t be surprised if anyone manages to find more vulnerabilities, especially since their platform is so poorly written.

Bonus Bugs

Bypassing Registration Limits
It seems that the front-end only lets you register one account per IP. This can easily be bypassed by manually setting an X-Forwarded-For header.

.htaccess Visible
LizardStresser.su’s htaccess file is publicly viewable. Doesn’t contain anything interesting though. Source

TitaniumStresser Clone
It seems that LizardStresser is a clone of TitaniumStressor. Aside from the same graphics, LizardStresser’s robots.txt contains: “sitemap: http://www.titaniumstresser.net/sitemap.xml”

10 Comments
Inline Feedbacks
View all comments
jenny
4 years ago

we are child learning India has launched one education application that is parent teacher app. its help you to communicate with teacher by sitting at home. there are so many features available in this application for more you can follow our website : https://childlearning.in/

donatella
5 years ago

00985,’AlexXLegit’,’ucantguess99′,’josephmorgan5699@yahoo.com’,0,0,0,0,0,”
100986,’Wuij’,’Tracegaming’,’Tater2north2@yahoo.com’,0,0,0,0,0,”
100987,’Pamroni’,’sophiek50′,’aramponi@sbcglobal.net’,0,0,0,0,0,”
100991,’Temperistic’,’R1ph473e’,’nckclause@yahoo.com’,0,0,0,0,0,”
100992,’ZachCS’,’Imawesome1′,’zcs731@yahoo.com’,0,0,0,0,0,”
100993,’Flawless’,’clemson80′,’jahlil3003@aol.com’,0,0,0,0,0
Epson error code 0x97

Zero
8 years ago

TitaniumStresser is the same owner as LizardStresser.

Stephen Archer
9 years ago

This is the leader of Lizard squad if anyone bothers reading it !!!

Victor Monserrate from Zaragoza, Aragon, Spain AKA Antichrist – leader of lizard squad

http://steamcommunity.com/id/AnTiChRiSt_zGz

https://soundcloud.com/antichrist_zgz

https://twitter.com/antichrist_zgz

See sound cloud account for photo !!!

Softex
9 years ago

Part of lizzus login names

71,’titrifle’,’niggerpickle’,’lolikyra@asscock.com’,1,0,2147483647,0,0,”
100974,’dick’,’dicks’,’dick@dick.dick’,0,20,2147483647,0,0,”
100975,’antichrist’,’b6d784f2bb4bbf896d15f827dd721602944ad39719539e4e4fedd3048960e2662e5e57ed5c7fceaf’,’antichrist@ic.fbi.gov’,1,17,1736626097,0,0,”
100976,’IRET’,’8IqauvXLlIbRbC6z’,’omaol@ro.ru’,0,0,2147483647,0,0,”
100977,’jcole’,’killer’,’jcole_@live.com’,0,0,2147483647,0,0,”
100978,’nottchf’,’madeyer’,’nottchf@hotmail.co.uk’,1,17,1735590157,0,0,”
100979,’lolrooted’,’lolrooted’,’lolrooted@lolrooted.com’,0,0,2147483647,0,0,”
100980,’vendi’,’assman123′,’andrei@hydrapvp.net’,0,0,0,0,0,”
100981,’VorlemLS’,’Christian12!’,’VorlemLS@yahoo.com’,0,0,0,0,0,”
100982,’God’,’CodN156′,’Hacks@inbox.com’,0,0,0,0,0,”
100985,’AlexXLegit’,’ucantguess99′,’josephmorgan5699@yahoo.com’,0,0,0,0,0,”
100986,’Wuij’,’Tracegaming’,’Tater2north2@yahoo.com’,0,0,0,0,0,”
100987,’Pamroni’,’sophiek50′,’aramponi@sbcglobal.net’,0,0,0,0,0,”
100991,’Temperistic’,’R1ph473e’,’nckclause@yahoo.com’,0,0,0,0,0,”
100992,’ZachCS’,’Imawesome1′,’zcs731@yahoo.com’,0,0,0,0,0,”
100993,’Flawless’,’clemson80′,’jahlil3003@aol.com’,0,0,0,0,0,”

prettyboy
9 years ago

cool article btw

FuckLizardSquad
9 years ago

Is this anyway to execute finding the passwords for this website and decrypting the Hashs other then md5 if so how?

Miguel Ripoll
9 years ago

Just curious, why that range specifically?

Johnny Chang
9 years ago
Reply to  Miguel Ripoll

Those are the UIDs. Test to find the earliest available UID then go and register an account and see what UID it gives you. Since they are sequential you just UID=UID+1 to iterate through them until you reach your newly registered ID.

P5Y Naut
9 years ago
Reply to  Miguel Ripoll

If you read Brian’s article at: http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/, he mentions the user antichrist. Antichrist’s un and pwd appear in that range. I’m guessing BK had a hunch, somehow, in regards to what antichrist’s un would be, and threw up a range that we see in the modification of the XFF script