SQL injection???????

04/08/2011 17:43 Haxor#1
Hello guys
I heard there is a way in SQL injection
I hear they did it in iSRO in 2008 and they got like 2000 accounts and shared them here
and then after some time they fixed it
And I hear it happened in Pservers
I asked my friends and I really saw a video of a guy getting a bunch of 120 accounts in swsro2
!!
Is that possible
And if anyone can teach me how
:D
04/08/2011 17:46 vhrut#2
teach sql injection it's hard but you can do it
04/08/2011 18:44 Shane¸#3
it's hax/crax related and not sro, however epvp doesn't really support you in those. google.com > sql injection tutorials but you can't do any kind of sql injections if the sql server isn't vulnerable
04/08/2011 19:26 belgther#4
you can't do any SQL injection in SRO, because it is a client application... You do it in [link]...

Well just let me explain something: I was there as that happened... We told it to rev6, and they warned Joymax. Joymax didn't take it seriously. The problem was: if you write as password a combination of "?*_!~><^" special chars, which are not defined in the code table, you got an SQL failure... Then you could use that to make an easy SQL injection to [link]

You have written : Select * From * : it gave you all DB
Then you have written

Select "Charname" , "ID","ServerName","PW"
From "Tablename of char, tablename of accounts, table name of servers
Where Tablename of char.AccountID = Tablename of accounts.AccountID
AND TablenameofServers.ServerID = Table Name of Chars.ServerID

then you get ID PW Server of a char in only 10 seconds...

rev6 automated it, put it on his server and many people got hacked. Many players flamed and Joymax fixed it before Legend 2 came out...
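
The failure mode described in post #4 (password input that makes the query fail with an SQL error), seen from the defender's side, as an added example that is not part of the original thread: a login check built by string concatenation next to the parameterized form. The schema, function names and sample account are constructed for illustration, and SQLite stands in for the site's database; in SQLite it is the quote character that breaks the concatenated statement.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical, not the game's real one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, pw TEXT)")
    db.execute("INSERT INTO accounts VALUES (?, ?)", ("alice", "s3cret"))
    return db

def login_concat(db, user, pw):
    # Weak form: user input becomes part of the SQL text itself.
    sql = "SELECT id FROM accounts WHERE id = '%s' AND pw = '%s'" % (user, pw)
    try:
        return db.execute(sql).fetchone() is not None, None
    except sqlite3.Error as exc:
        # A database error caused purely by user input is the warning sign:
        # the input was parsed as SQL instead of being compared as a value.
        return False, str(exc)

def login_param(db, user, pw):
    # Hardened form: placeholders keep the input as data, whatever it contains.
    row = db.execute(
        "SELECT id FROM accounts WHERE id = ? AND pw = ?", (user, pw)
    ).fetchone()
    return row is not None, None

def audit(db, samples):
    # Passwords that make the concatenated query fail: each one is a bug report
    # for the code that builds the statement.
    return [pw for pw in samples if login_concat(db, "alice", pw)[1] is not None]

if __name__ == "__main__":
    db = make_db()
    for pw in ["s3cret", "?*_!~><^", "it's"]:  # constructed test inputs
        print(repr(pw), login_concat(db, "alice", pw), login_param(db, "alice", pw))
```

A login form that answers odd characters with a database error should be treated as a bug in how the statement is built, not as an input-validation gap to paper over with a character blacklist.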
04/08/2011 19:32 CraYu#5
Did they have access only to the account db?
04/08/2011 20:05 belgther#6
Well Rev6 didn't want to hack all Silkroad. Klevre did it once, to warn them... Joymax didn't take him seriously, so he hacked [link]....

They had access to everything in the DB that had an interface on the homepage... Account DB was one of them...
04/08/2011 20:27 Haxor#7
Quote:
Originally Posted by CraYu
Did they have access only to the account db?
My friend has also stolen the QQ and email for everyone
So he had full access



Quote:
Originally Posted by belgther
Well Rev6 didn't want to hack all Silkroad. Klevre did it once, to warn them... Joymax didn't take him seriously, so he hacked [link]....


They had access to everything in the DB that had an interface on the homepage... Account DB was one of them...
:bandit:
And that's what I want :p
04/08/2011 21:44 Keyeight#8
well, to make something like that you must learn SQL at first ^^
04/09/2011 09:53 Dropdead*#9
Quote:
Originally Posted by saif1999
My friend has also stolen the QQ and email for everyone
So he had full access




:bandit:
And that's what I want :p
Uhm iSRO doesn't use QQ?
04/09/2011 11:23 lesderid#10
Quote:
Originally Posted by Dropdead*
Uhm iSRO doesn't use QQ?
He never said he was talking about iSRO.