[WARNING]Char rez script

[[Boss]FemmeFatale]

Guys today I found a huge problem... Thankfully I back up quite regularly.

The Char_res.php I got from here and have been using for months suddenly decided to delete both My Users_Master and Chars table.

Jus a warning to all who use and a query on whether it is able to be fixed or should i just bin it?

[cypherxxl]

Its not the res script, that are hackers, on all known servers that are postet on epepvers.

[[Boss]FemmeFatale]

Thank you for reply but it was definitely the rez script

[STIV123]

Same happened here, and it was when i put char rez script.. just a day or 2 after that.. ^^ So yeah it's that for sure. SQL Injectible i quess.

[[Boss]FemmeFatale]

I guess so Jus thought I would post a warning to others using it been one hell of a day fixing the situation.

Hope noone else has the day I just had

[KarmaIsMe]

If you know anything about php you may want to look at the MSSQL escape string or lack of it in the script. You should always proof read the scripts that you put up. Its unfortunate but sometimes people miss things or just dont think its nessassary. Best of luck to you on your server and this has been happening on a few servers. Make sure you actually fix the script before putting it back up or they will just do it again.

[Bаne]

Quote:

Originally Posted by [Boss]FemmeFatale

Guys today I found a huge problem... Thankfully I back up quite regularly.

The Char_res.php I got from here and have been using for months suddenly decided to delete both My Users_Master and Chars table.

Jus a warning to all who use and a query on whether it is able to be fixed or should i just bin it?

That's impossible, the script does what is writen in the code, if there was a portion of it that deleted tables I think people would have noticed/removed it.

[JohnHeatz]

Which script exactly are you working with exactly? I never heard of any resurrection script doing that, nor one not being secure for SQL injection

[treica]

Why don't you guys use an php sql protection google for "sql injection php protection" and attacker will be unable to use the command "drop" "create" etc..if you use it as index.php on all ur web folders..yes admin panel and char ress script has an injection "because is comunicating directly with the database".
I know stars was a target yesterday of these tables scheduled for deletion which mean or you keep offline the server till your "users" change their password or clean and start from begin since the hacker has the tables and can do what ever he wants on the attacked server with users accounts.

Kind Regards,
treica.

[STIV123]

@John,


It was released here in EPvP, here's the link:

[JohnHeatz]

Asking her directly due to the possibility of being using a different one, or even a customized one

[KarmaIsMe]

Again, the one released on epvp is incomplete and has a security flaw. Fix the script D:<

Just because it is a release doesn't mean its perfect. We are all human and we all make mistakes or simple errors.

If you are using ODBC;

Code:

<?php
  function mssql_escape_string($data)
  {
      if (!isset($data) or empty($data))
          return '';
      if (is_numeric($data))
          return $data;
      $non_displayables = array('/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
      '/%1[0-9a-f]/', // url encoded 16-31
      '/[\x00-\x08]/', // 00-08
      '/\x0b/', // 11
      '/\x0c/', // 12
      '/[\x0e-\x1f]/'); // 14-31
      foreach ($non_displayables as $regex)
          $data = preg_replace($regex, '', $data);
      $data = str_replace("'", "''", $data);
      return $data;
  }
  
  $host = '127.0.0.1';
  $dbuser = 'Your Login';
  $dbpass = 'Your Password';
  
  $class = array(0 => 'Warrior', 1 => 'Guardian', 2 => 'Assasin', 3 => 'Hunter', 4 => 'Pagan', 5 => 'Oracle', 6 => 'Fighter', 7 => 'Defender', 8 => 'Ranger', 9 => 'Archer', 10 => 'Mage', 11 => 'Priest');
  
  $conn = @odbc_connect("Driver={SQL Server};Server=$host;", $dbuser, $dbpass) or die("Database Connection Error!");
  $UserID = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
  $Pass = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
  $Char = isset($_POST['char']) ? mssql_escape_string(trim($_POST['char'])) : '';
  
  if (isset($_POST['submit'])) {
      if (strlen($UserID) < 1)
          die("User Name too short");
      if (strlen($Pass) < 1)
          die("Password too short.");
      
      $res = odbc_exec($conn, "SELECT * FROM [PS_UserData].[dbo].[Users_Master] WHERE UserID = '" . $UserID . "' AND Pw = '" . $Pass . "'"); 
      
      if (odbc_num_rows($res) == 0) {
          die("Username/Password is incorrect");
      } else {
          $res2 = odbc_exec($conn,"SELECT umg.Country, c.Family, c.CharName, c.CharID, c.Job, c.Level
FROM [PS_GameData].[dbo].[UserMaxGrow] AS umg 
INNER JOIN [PS_GameData].[dbo].[Chars] AS c ON umg.UserUID = c.UserUID
WHERE c.UserID = '" . $UserID . "' AND c.Del=1");
          
          if (odbc_num_rows($res2) == 0) {
              echo "<font color=#FFFFFF>Account does not contain any dead characters.";
          } else {
              echo "<form action=\"" . $_SERVER['PHP_SELF'] . "\" method=\"POST\"><font color=#FFFFFF>Select toon to resurrect :<br />
<input type=\"hidden\" name=\"username\" value=\"" . $UserID . "\">
<table cellspacing=4 cellpadding=5 border=2 style=\"border-style:white;\"><body bgcolor=4D101F>
<tr><td><font color=#FFFFFF>Select</td><td><font color=#FFFFFF>CharName</td><td><font color=#FFFFFF>Class</td><td><font color=#FFFFFF>Level</td></tr>";
              while ($chars = odbc_fetch_array($res2)) {
                  if ($chars['Country'] == 0) {
                      if ($chars['Family'] == 0 || $chars['Family'] == 1) {
                          echo "<tr>";
                          echo "<td><font color=white><input type=\"radio\" name =\"char\" value=\"" . $chars['CharName'] . "," . $chars['CharID'] . "\"></font></td>";
                          echo "<td><font color=white>" . $chars['CharName'] . "</font></td><td><font color=white>" . $class[$chars['Job'] + 6] . "</font></td>";
                          echo "<td><font color=white>" . $chars['Level'] . "</font></td>";
                          echo "</tr>";
                      }
                  } elseif ($chars['Country'] == 1) {
                      if ($chars['Family'] == 2 || $chars['Family'] == 3) {
                          echo "<tr><font color=#FFFFFF>";
                          echo "<td><FONT COLOR=WHITE><input type=\"radio\" name =\"char\" value=\"" . $chars['CharName'] . "," . $chars['CharID'] . "\"></font></td>";
                          echo "<td><font color=white>" . $chars['CharName'] . "</font></td><td><font color=white>" . $class[$chars['Job']] . "</font></td>";
                          echo "<td><font color=white>" . $chars['Level'] . "</font></td>";
                          echo "</tr>";
                      }
                  }
              }
              echo "</table><input type=\"submit\" value=\"Submit\" name=\"submit2\" /></form>";
          }
      }
  } elseif (isset($_POST['submit2'])) {
      $slot = -1;
      $res1 = odbc_exec($conn, "
SELECT MIN(Slots.Slot) AS OpenSlot FROM
(SELECT 0 AS Slot UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4) AS Slots
LEFT JOIN
(SELECT c.Slot
FROM PS_UserData.dbo.Users_Master AS um
INNER JOIN PS_GameData.dbo.Chars AS c ON c.UserUID = um.UserUID
WHERE um.UserID = '" . $UserID . "'
AND c.Del = 0) AS Chars ON Chars.Slot = Slots.Slot
WHERE Chars.Slot IS NULL");
      $slot = odbc_fetch_array($res1);
      $toon2 = explode(',', $Char);
	  $charID = mssql_escape_string($toon2[1]);
	  $openSlot = mssql_escape_string($slot['OpenSlot']);
      if ($slot['OpenSlot'] > -1 && $slot['OpenSlot'] < 5) {
          odbc_exec($conn, "UPDATE PS_GameData.dbo.Chars SET Del=0, Slot={$openSlot}, Map=42, PosX=63 , PosZ=57, DeleteDate=NULL WHERE CharID = {$charID}");
          echo "<body bgcolor=4D101F><font color=white>Successfully resurrected <br /> Login = " . $UserID . "<br />Slot = " . ($slot['OpenSlot'] + 1) . "<br />Char = $toon2[0]</font>";
      } else
          echo "<body bgcolor=4D101F><font color=white>No slots avaliable</font>";
  } else {
?>
<html>
<head>
<title>Character Ressurection</title></head>
<body bgcolor=4D101F>
<form action="<?php
      echo $_SERVER['PHP_SELF'];
?>" method="POST">
<fieldset style="font:100% trebuchet ms;width:0px;">
<legend ><font color=white>Resurrection Form </font></legend>
<font face="Trebuchet MS">
<table>
<tr>
<font size=1><font color=white><i>*Toon will be resurrected in an avaliable free slot.</i></font>
</tr>
<tr>
<td><font color=white>Account Login:</td><td>  <input type="text" name="username" maxlength=20/></td>
</tr>
<tr>
<td><font color=white>Account Password:</td><td><input type="password" name="password" maxlength=20/></td>
</tr>
</font>
</table>
<input type="submit" value="Submit" name="submit" />
</fieldset>
</form>
</body>
</html>
<?php
  }
?>

This is the security fix to prevent SQL Injection. *No 100% guarantee this is perfect but it can't be worse than what you are using now.*

Credits go to Tnelis for the ODBC version rewrite and Abrasive for fixing the security flaw.
So tell the haters to shove it ^_~

Karma