[WARNING]Don't use Vsro Reg page v2
Discussion on [WARNING]Don't use Vsro Reg page v2 within the SRO Private Server forum part of the Silkroad Online category.
03/09/2012, 07:50 #1
[WARNING]Don't use Vsro Reg page v2
Hey guys, the title says it all: don't even try to use the reg page mentioned in that link.
I've just checked its security. Actually, the thing with ctype_alnum is that it isn't an escape function to prevent SQL injection; it is a function to validate alphanumeric strings. To escape strings for use in queries you need an anti-injection function.
An important distinction you have to understand is the one between input validation and escaping of data for use in a database query.
You can even execute shells through it.
Don't say "my server got hacked" while you're using this register page, because you will get ****** with it anyway.
Ciao,
Thief
03/09/2012, 09:59 #2
Thx a lot
03/09/2012, 12:12 #3
Thanks for warning us.
03/09/2012, 12:18 #4
Chat Killer In Duty
thnx for the warn
03/09/2012, 13:01 #5
Quote:
Originally Posted by PortalDark
thnx for the warn

Pressing the thanks button is better than (thnx / thx / awesome / etc.).
Btw ThEliteEyes, you should update your webpage.
03/09/2012, 13:31 #6
Chat Killer In Duty
Quote:
Originally Posted by •ᵔBeGodOfWarᵔ•
Pressing the thanks button is better than (thnx / thx / awesome / etc.).
Btw ThEliteEyes, you should update your webpage.

I'm not expressing a thnx that pressing the thnx button can express.
I don't have a server or webpage based on this one, I'm just saying thnx for the tip,
nothing more.
But I pressed the thnx button, if that makes you feel better.
03/09/2012, 22:28 #7
Maybe show us an example and I will release a hotfix.
03/09/2012, 22:35 #8
Quote:
Originally Posted by ThElitEyeS
Maybe show us an example and I will release a hotfix.

Not maybe, I'm sure. Ofc I won't say how to exploit it in public, but trust me, ctype_alnum is not for cleaning variables; use a better anti-injection function.
03/09/2012, 22:38 #9
Chat Killer In Duty
Quote:
Originally Posted by LastThief*
Not maybe, I'm sure. Ofc I won't say how to exploit it in public, but trust me, ctype_alnum is not for cleaning variables; use a better anti-injection function.

Talk in PM with him, it's better, at least to avoid this going out in public.
You already said you can execute shells via this, so that's a tip; ppl, consider the basic part XD
03/09/2012, 22:44 #10
...
03/09/2012, 22:44 #11
You can only use a-z A-Z; also there's addslashes.
Show me an example and, as I said, I'll release a hotfix.
03/09/2012, 22:48 #12
Quote:
Originally Posted by ThElitEyeS
You can only use a-z A-Z; also there's addslashes.
Show me an example and, as I said, I'll release a hotfix.

It seems like someone told people before me and I didn't even notice, but yeah, shickl explained it well.
03/09/2012, 22:48 #13
Quote:
Originally Posted by ThElitEyeS
You can only use a-z A-Z; also there's addslashes.
Show me an example and, as I said, I'll release a hotfix.

And as I said in my post, the query I posted there is always executed, and backslashes don't escape ' in MSSQL.
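The two defects the thread describes (a ctype_alnum check whose result never stops the query, and addslashes() used against SQL Server, which does not treat a backslash as an escape character) shown next to a fixed handler. This is an added example, not the register page from the thread or anyone's posted code. It assumes a PDO connection to SQL Server (pdo_sqlsrv or pdo_dblib) and a vSRO-style TB_User table with StrUserID and password columns storing an MD5 hex digest; the table, column names and hashing are assumptions about the target database.

```php
<?php
// Added example (not the thread's register page). Table/column names,
// MD5 storage and the PDO driver are assumptions; adapt them to your DB.

declare(strict_types=1);

// ctype_alnum() only answers a question and modifies nothing. Calling it
// without acting on the result leaves the input exactly as the user sent it.
function is_valid_user_id(string $id): bool
{
    return ctype_alnum($id) && strlen($id) >= 4 && strlen($id) <= 16;
}

// Vulnerable pattern: the validation result is thrown away and addslashes()
// is used. T-SQL does not treat a backslash as an escape character, so the
// "\'" it produces still terminates the string literal.
function build_query_vulnerable(string $id): string
{
    ctype_alnum($id);            // result discarded: nothing stops the query
    $escaped = addslashes($id);  // "' OR 1=1--"  ->  "\' OR 1=1--"
    return "SELECT StrUserID FROM TB_User WHERE StrUserID = '$escaped'";
}

// Fixed: fail closed on validation, then bind the value instead of
// building the statement by string concatenation.
function register_account(PDO $db, string $id, string $password): bool
{
    if (!is_valid_user_id($id)) {
        return false;            // the query is never built, let alone run
    }
    $stmt = $db->prepare(
        'INSERT INTO TB_User (StrUserID, password) VALUES (:id, :pw)'
    );
    // MD5 hex of the password is an assumption about the vSRO schema.
    return $stmt->execute([':id' => $id, ':pw' => md5($password)]);
}

// Demonstration with a constructed injection payload (no DB needed).
$payload = "' OR 1=1--";
echo build_query_vulnerable($payload), PHP_EOL;
// SELECT StrUserID FROM TB_User WHERE StrUserID = '\' OR 1=1--'
// SQL Server reads '\' as a one-character literal (a backslash), so the
// rest of the line,  OR 1=1--, is live SQL and the -- hides the last quote.
var_dump(is_valid_user_id($payload));   // bool(false): rejected before any query
```

The point of register_account() is the order of operations: the whitelist check decides whether a query exists at all, and the bound parameter means the database never parses user bytes as SQL, so the escaping question does not arise.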
03/09/2012, 22:52 #14
ctype_alnum is actually fail; use something like this
PHP Code:
function ms_escape_string($data) {
    if (!isset($data) or empty($data)) return '';
    if (is_numeric($data)) return $data;
    $non_displayables = array(
        '/%0[0-8bcef]/',   // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',    // url encoded 16-31
        '/[\x00-\x08]/',   // 00-08
        '/\x0b/',          // 11
        '/\x0c/',          // 12
        '/[\x0e-\x1f]/'    // 14-31
    );
    foreach ($non_displayables as $regex)
        $data = preg_replace($regex, '', $data);
    $data = str_replace("'", "''", $data);   // T-SQL escapes a quote by doubling it
    return $data;
}
to escape the data before sending it.
03/09/2012, 23:13 #15
Quote:
Originally Posted by LastThief*
ctype_alnum is actually fail; use something like this
PHP Code:
function ms_escape_string($data) {
    if (!isset($data) or empty($data)) return '';
    if (is_numeric($data)) return $data;
    $non_displayables = array(
        '/%0[0-8bcef]/',   // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',    // url encoded 16-31
        '/[\x00-\x08]/',   // 00-08
        '/\x0b/',          // 11
        '/\x0c/',          // 12
        '/[\x0e-\x1f]/'    // 14-31
    );
    foreach ($non_displayables as $regex)
        $data = preg_replace($regex, '', $data);
    $data = str_replace("'", "''", $data);   // T-SQL escapes a quote by doubling it
    return $data;
}
to escape the data before sending it.

Nice function, but URLs are decoded by the server and shouldn't do any harm at all.
And writing a function that just replaces invalid chars isn't really good imo.
The easiest thing would be to use a regex (or create 2 loops and one array with the valid chars and check every single character yourself; could be a little faster) to check if it only contains the chars you want, and if it doesn't, the query isn't even executed, to avoid some random data in the db.
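The fail-closed whitelist shickl describes, written both ways (anchored regex per field, and the loop-over-a-table-of-allowed-characters variant), as an added example that is not code from the thread. The field names, length bounds and patterns are assumptions for a vSRO-style register form; a real form would use its own field list.

```php
<?php
// Added example. Field names, lengths and patterns are assumptions for a
// vSRO-style register form, not taken from the thread's page.

declare(strict_types=1);

// One whitelist per form field: anchored pattern plus length bounds.
// \A and \z anchor the whole value, so a trailing newline cannot slip past.
const FIELD_RULES = [
    'username' => '/\A[A-Za-z0-9]{4,16}\z/',
    'password' => '/\A[A-Za-z0-9]{6,16}\z/',
    'email'    => '/\A[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,190}\z/',
];

// Regex whitelist: true only if every byte of the value is allowed.
function field_ok(string $field, string $value): bool
{
    if (!array_key_exists($field, FIELD_RULES)) {
        return false;                  // unknown field: fail closed
    }
    return preg_match(FIELD_RULES[$field], $value) === 1;
}

// The same check as the "two loops and an array of valid chars" variant
// from the thread, for readers who prefer to avoid regex.
function only_chars(string $value, string $allowed, int $min, int $max): bool
{
    $len = strlen($value);
    if ($len < $min || $len > $max) {
        return false;
    }
    $table = array_fill_keys(str_split($allowed), true);
    for ($i = 0; $i < $len; $i++) {
        if (!isset($table[$value[$i]])) {
            return false;              // first disallowed byte ends the check
        }
    }
    return true;
}

// Validate the whole form before touching the database. Returns the names
// of rejected fields; only an empty list allows a query to be built (with
// bound parameters, never by concatenation).
function validate_form(array $post): array
{
    $bad = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !field_ok($field, $value)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed inputs: one clean value and one injection attempt.
$alnum = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var_dump(only_chars('Thief2012', $alnum, 4, 16));      // bool(true)
var_dump(only_chars("' OR 1=1--", $alnum, 4, 16));     // bool(false)
echo implode(',', validate_form([
    'username' => "admin'--",
    'password' => 'hunter22',
    'email'    => 'a@b.c',
])), PHP_EOL;                                          // username
```

Rejecting instead of stripping is what keeps "random data" out of the table: a value that fails the whitelist is never rewritten into something the query accepts, it simply never reaches the query.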