🎃💀👽 Nightmare[Conquer] Best Private Server👽💀🎃

05/02/2018 07:05 BishoLv#1
Deleted
05/03/2018 03:34 Spirited#2
Lol
💯% 🔥 🐴 💩
05/03/2018 03:36 AnimuNazi#3
what in the world is this
05/03/2018 06:14 BishoLv#4
Quote:
Originally Posted by AnimuNazi
what in the world is this
It's a Private Server :D
05/03/2018 07:47 boDil#5
Quote:
Originally Posted by AnimuNazi
what in the world is this
Another shitty camel server that will be gone within a week.
05/03/2018 08:51 Spirited#6
Well, with the emojis removed, there goes my fun. On a more serious note, this server was purchased from the server that existed back in 2013... and the website is pretty awful. Just a copied WoW website template that they broke by inserting an annoying music player. Text that's blurry but isn't an image? A link to 4botters which closed down half a decade ago? Explains the 2012 copyright. Running on two year old hosting software, but hey, at least it's not 10 year old software. The server itself is going to die very very very quickly. 100 million CPs for winning guild war on a server of 5 online people? Yikes.

Account registration is spammable. Put in a password of 4 characters and it says "Password only English letters and numbers.lenght of 4 to 12 ." Guessing that's not inclusive then. You should add captcha. Also, tested your website's folder scope. You installed it to "C:\AppServ\www". I know that because I managed to break your website using an exploit I won't list here (update your bloody hosting software). Your website is in debug mode. Your "forgot password" page just brings you back to home. A SQL injection exploit allows you to access registered accounts .... which is hilarious because I can teleport people around and waste 1,000,000 CPs apparently? Jesus. Not even hard to log in... (I won't post my form data due to player security).

Code:
post -f login.json -c cookies.json -v http://nightmarepvp.ddns.net/inc/login_do.php
post -f change.json -c cookies.json -v http://nightmarepvp.ddns.net/inc/changepass_do.php
Oh, and if accessing anyone's account wasn't bad...
It's also very easy to DDoS because it's not behind Cloudflare or anything.
Code:
post -u -l -i -r 500 -b playername.txt http://nightmarepvp.ddns.net/inc/check.php

And I'm sure there's a lot worse I could do if I tried with a fake client (which I'm going to make now that my post utility is doing well). Do us a favor and leave this back in 2013... we don't need another featureless, unoriginal copy server by some illiterate non-programmer. We need servers that are maintainable by competent and interested people.

PS: it's not Conquer 3D. It's Conquer 3.0. It's a version, not a higher dimension.
05/03/2018 10:10 B1Q#7
it still amazes me how they're still using mysql with the stripslashes and mysql_real_escape_string in 2018
05/04/2018 09:14 Spirited#8
Quote:
Originally Posted by B1Q
it still amazes me how they're still using mysql with the stripslashes and mysql_real_escape_string in 2018
That's the real nightmare.
05/21/2018 10:12 Xijezu#9
#moved