SQL Injecting FlyFF MMO

04/18/2020 02:10 Seedlord#1
I just read an article about SQL injection in FlyFF. I never really played FlyFF, but this seems pretty interesting.
I don't know if this is still possible; it seems to be fixed on the official servers, but on some (old) Pservers it might work.

04/18/2020 02:57 cookie69#2
Quote:
Originally Posted by Seedlord View Post
I just read an article about SQL injection in FlyFF. I never really played FlyFF, but this seems pretty interesting.
I don't know if this is still possible; it seems to be fixed on the official servers, but on some (old) Pservers it might work.

Looooooool! Who leaked that info? For the last 2 weeks I was doing this on some pservers and the offi.
No, it seems fixed in most pservers. It only worked on my v15 local server.
04/18/2020 03:09 netHoxInc#3
Quote:
Originally Posted by Seedlord View Post
I just read an article about SQL injection in FlyFF. I never really played FlyFF, but this seems pretty interesting.
I don't know if this is still possible; it seems to be fixed on the official servers, but on some (old) Pservers it might work.

Lol, at first I thought, who the heck digs out that kind of old stuff, then realized it was posted not very long ago.

Still weird to see documentation for something that's fixed on almost every server, especially those where it would actually be useful, taking apart those pinoy-ripoff servers lol....

You might be a little late to join the SQL injection squad haha; recently a lot of stuff got patched up as some rude people had some fun on the xblubbs page, which apparently 98% of servers are using, at least in a variant.

Feel free to check out the fix for it; it might give you an idea how to perform it. It's probably going to work on fresh servers, and some pinoy ones which aren't reading epvp lol

Quote:
Originally Posted by cookie69 View Post
Looooooool! Who leaked that info? For the last 2 weeks I was doing this on some pservers and the offi.
No, it seems fixed in most pservers. It only worked on my v15 local server.
Lol Cookie, go to bed, it's late :'D
04/18/2020 03:15 cookie69#4
The main issue comes from this shitty code, where unhandled packets are sent directly to the database server:
=> g_dpDBClient.SendToServer( idFrom, lpMsg, dwMsgSize );

Code:
void CDPLoginSrvr::UserMessageHandler( LPDPMSG_GENERIC lpMsg, DWORD dwMsgSize, DPID idFrom )
{
	static size_t	nSize	= sizeof(DPID);
	CAr ar( (LPBYTE)lpMsg + nSize, dwMsgSize - nSize );		// Skip dpid (computed before the size check below)

	if( dwMsgSize < 8 )		// INVALID PACKET
	{
		FLERROR_LOG( PROGRAM_NAME, _T( "PACKET//0" ) );
		return;
	}

	GETTYPE( ar );								// reads the packet type into dw
	PACKET_HANDLER_FUNC pfn	=	GetHandler( dw );
	
	if( pfn )
	{
		( this->*( pfn ) )( ar, idFrom );		// known type: handled by the login server itself
	}
	else
	{
		// unknown type: forwarded unchanged to the DB server, payload never validated here
		g_dpDBClient.SendToServer( idFrom, lpMsg, dwMsgSize );
	}
}
As a fix you can, for example, check the account_name the same way the player_name is checked (IsInvalidName) in the function:
Code:
void CDbManager::CreatePlayer( CQuery *qry, LPDB_OVERLAPPED_PLUS lpDbOverlappedPlus )
Code:
	if( prj.IsInvalidName( lpDbOverlappedPlus->AccountInfo.szPlayer ) 
		|| prj.IsAllowedLetter( lpDbOverlappedPlus->AccountInfo.szPlayer ) == FALSE 
		|| prj.IsInvalidName(lpDbOverlappedPlus->AccountInfo.szAccount)
		|| prj.IsAllowedLetter(lpDbOverlappedPlus->AccountInfo.szAccount) == FALSE
		)
	{
		FreeRequest( lpDbOverlappedPlus );
		return;
	}
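The fix above relies on two things the thread only names: an allowlist character check (IsAllowedLetter) and a reserved-name check (IsInvalidName), applied to the account name as well as the character name before the DB layer sees either. The following is an added example, not code from this thread or from the FlyFF sources; the functions, the length limit kMaxNameLen, the reserved-name list and the packet-field helper NameFromPacketField are all assumptions modelled on the names used in the posts. It also covers one edge case the raw-forwarding path never handles: a fixed-size name field with no terminator.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Assumed limit on account/character names (the real bound lives in the
// FlyFF sources; this value is a placeholder for the example).
static const std::size_t kMaxNameLen = 16;

// Copy a name out of a fixed-size packet field. The DB layer must never see
// an unterminated buffer, so a field without a NUL inside `cap` is rejected.
bool NameFromPacketField(const char* field, std::size_t cap, std::string& out)
{
    for (std::size_t i = 0; i < cap; ++i) {
        if (field[i] == '\0') {
            out.assign(field, i);
            return true;
        }
    }
    return false;               // no terminator: malformed packet
}

// Allowlist in the spirit of prj.IsAllowedLetter: only ASCII letters and
// digits pass. Quotes, semicolons, dashes, whitespace and non-ASCII bytes are
// all refused, so no character with meaning to the SQL parser gets through.
bool IsAllowedLetter(const std::string& name)
{
    if (name.empty() || name.size() > kMaxNameLen) return false;
    for (unsigned char c : name) {
        bool alpha = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
        bool digit = (c >= '0' && c <= '9');
        if (!alpha && !digit) return false;
    }
    return true;
}

// Reserved names that survive the character filter but should still be
// refused (the real IsInvalidName consults a configured list; this one is
// constructed for the example).
bool IsInvalidName(const std::string& name)
{
    static const char* const kReserved[] = { "admin", "gm", "system" };
    std::string lower;
    for (unsigned char c : name) lower += static_cast<char>(std::tolower(c));
    for (const char* r : kReserved) {
        if (lower == r) return true;
    }
    return false;
}

// The check the fix adds to CDbManager::CreatePlayer, applied to both the
// character name and the account name before any query is issued.
bool ValidateCreatePlayer(const std::string& account, const std::string& player)
{
    if (IsInvalidName(player) || !IsAllowedLetter(player)) return false;
    if (IsInvalidName(account) || !IsAllowedLetter(account)) return false;
    return true;
}

// Stand-alone demo over constructed inputs.
int main()
{
    char field[8] = { 'c', 'o', 'o', 'k', 'i', 'e', '6', '9' };   // no NUL
    std::string name;
    std::printf("unterminated field accepted: %s\n",
                NameFromPacketField(field, sizeof field, name) ? "yes" : "no");
    std::printf("cookie69/ZeroTwo02 valid: %s\n",
                ValidateCreatePlayer("cookie69", "ZeroTwo02") ? "yes" : "no");
    std::printf("name with quote valid: %s\n",
                ValidateCreatePlayer("cookie69", "O'Brien") ? "yes" : "no");
    return 0;
}
```

The allowlist is deliberately narrow: rejecting everything outside letters and digits is simpler to reason about than trying to enumerate the characters a SQL parser cares about, and it is the check the login server should run before anything reaches g_dpDBClient.SendToServer.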
04/18/2020 16:43 ZeroTwo02#5
Quote:
Originally Posted by cookie69 View Post
The main issue comes from this shitty code, where unhandled packets are sent directly to the database server:
=> g_dpDBClient.SendToServer( idFrom, lpMsg, dwMsgSize );

Code:
void CDPLoginSrvr::UserMessageHandler( LPDPMSG_GENERIC lpMsg, DWORD dwMsgSize, DPID idFrom )
{
	static size_t	nSize	= sizeof(DPID);
	CAr ar( (LPBYTE)lpMsg + nSize, dwMsgSize - nSize );		// Skip dpid (computed before the size check below)

	if( dwMsgSize < 8 )		// INVALID PACKET
	{
		FLERROR_LOG( PROGRAM_NAME, _T( "PACKET//0" ) );
		return;
	}

	GETTYPE( ar );								// reads the packet type into dw
	PACKET_HANDLER_FUNC pfn	=	GetHandler( dw );
	
	if( pfn )
	{
		( this->*( pfn ) )( ar, idFrom );		// known type: handled by the login server itself
	}
	else
	{
		// unknown type: forwarded unchanged to the DB server, payload never validated here
		g_dpDBClient.SendToServer( idFrom, lpMsg, dwMsgSize );
	}
}
As a fix you can, for example, check the account_name the same way the player_name is checked (IsInvalidName) in the function:
Code:
void CDbManager::CreatePlayer( CQuery *qry, LPDB_OVERLAPPED_PLUS lpDbOverlappedPlus )
Code:
	if( prj.IsInvalidName( lpDbOverlappedPlus->AccountInfo.szPlayer ) || prj.IsAllowedLetter( lpDbOverlappedPlus->AccountInfo.szPlayer ) == FALSE )
	{
		return;
	}
You check szPlayer 2 times; I think you forgot to change the second one to szPassword.
04/18/2020 21:56 miniman06#6
Aren't they using binds in v21? Not sure how you got it to work on offi?
04/18/2020 23:10 ZeroTwo02#7
Quote:
Originally Posted by miniman06 View Post
Aren't they using binds in v21? Not sure how you got it to work on offi?
Official is fixed; they use a different type of bind param.
One of the smartest things they did in 10 years actually lol.

You can also use them in your v.15 sources; you just have to check the following bind params & copy them:

Code:
	BOOL	BindParameterByte( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterShort( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUShort( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterInt( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUInt( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterInt64( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUInt64( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterFloat( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterChar( SQLSMALLINT ParamType, SQLUINTEGER ColumnSize, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterVarChar( SQLSMALLINT ParamType, SQLUINTEGER ColumnSize, SQLPOINTER ParameterValuePtr );
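What the bind-parameter functions listed above change is where the account name travels: bound, it goes to the driver as a typed value, and the statement text stays constant no matter what the client sent. The block below is an added example, not code from this thread or from the FlyFF sources, and it does not touch ODBC; Param and BoundQuery are a constructed stand-in for what BindParameterVarChar / BindParameterInt hand to the driver, and ACCOUNT_TBL and its column names are assumed. It contrasts a concatenated login query with a bound one on a legitimate name that happens to contain an apostrophe.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical typed parameter: what BindParameterVarChar / BindParameterInt
// hand to the driver. The value travels separately from the statement text.
struct Param {
    enum Kind { Int, VarChar } kind;
    std::string   text;     // used when kind == VarChar
    std::int64_t  num;      // used when kind == Int
};

struct BoundQuery {
    std::string        sql;     // fixed statement text with ? placeholders
    std::vector<Param> params;  // bound values, in placeholder order
};

// "Before": the account name is spliced into the statement text, so the
// shape of the SQL depends on the input. Table and column names are assumed.
std::string BuildLoginQueryConcat(const std::string& account)
{
    return "SELECT account, password FROM ACCOUNT_TBL WHERE account = '" + account + "'";
}

// "After": the statement text is a constant; the name is bound as a VARCHAR
// parameter, mirroring what BindParameterVarChar does with a column size.
BoundQuery BuildLoginQueryBound(const std::string& account)
{
    BoundQuery q;
    q.sql = "SELECT account, password FROM ACCOUNT_TBL WHERE account = ?";
    Param p;
    p.kind = Param::VarChar;
    p.text = account;
    p.num  = 0;
    q.params.push_back(p);
    return q;
}

// Number of single quotes in the statement text. A well-formed statement has
// an even count; a name containing a quote leaves the concatenated version
// with an odd count (a broken statement), while the bound version has none.
int CountQuoteChars(const std::string& sql)
{
    int n = 0;
    for (char c : sql) {
        if (c == '\'') ++n;
    }
    return n;
}

// Stand-alone demo with a constructed, legitimate name containing a quote.
int main()
{
    const std::string name = "O'Brien";
    std::printf("concat: %s\n  quotes=%d\n",
                BuildLoginQueryConcat(name).c_str(),
                CountQuoteChars(BuildLoginQueryConcat(name)));
    BoundQuery b = BuildLoginQueryBound(name);
    std::printf("bound:  %s\n  quotes=%d, param[0]=\"%s\"\n",
                b.sql.c_str(), CountQuoteChars(b.sql), b.params[0].text.c_str());
    return 0;
}
```

The point the contrast makes is the one miniman06 raised: binding on its own fixes how the value reaches the database, not whether the value is acceptable, so the name checks from the CreatePlayer fix still belong in front of it.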
04/19/2020 12:50 miniman06#8
Quote:
Originally Posted by ZeroTwo02 View Post
Official is fixed; they use a different type of bind param.
One of the smartest things they did in 10 years actually lol.

You can also use them in your v.15 sources; you just have to check the following bind params & copy them:

Code:
	BOOL	BindParameterByte( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterShort( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUShort( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterInt( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUInt( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterInt64( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterUInt64( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterFloat( SQLSMALLINT ParamType, SQLPOINTER ParameterValuePtr );

	BOOL	BindParameterChar( SQLSMALLINT ParamType, SQLUINTEGER ColumnSize, SQLPOINTER ParameterValuePtr );
	BOOL	BindParameterVarChar( SQLSMALLINT ParamType, SQLUINTEGER ColumnSize, SQLPOINTER ParameterValuePtr );
Ah no, nvm, I derped yesterday. Cookie was talking about how the login server just passes it to the DB; the parameters are passed correctly, they just aren't verified.
06/25/2020 09:54 jhaycee2123#9
How do I use SQL injection in a FlyFF private server? Teach me how or send a tutorial please, thanks
06/25/2020 15:52 Flogolo#10
Quote:
Originally Posted by jhaycee2123 View Post
how to use sql injection in flyff private server? teach me how or send tutorial please thanks
No requests allowed.
06/25/2020 22:25 Lumi#11
It seems it doesn't work for offi anymore.