Jump to content

SHPXLBH

Members
  • Content Count

    26
  • Joined

  • Last visited

  • Days Won

    1

SHPXLBH last won the day on November 9 2014

SHPXLBH had the most liked content!

Community Reputation

1 Neutral

About SHPXLBH

  • Rank
    Beginner

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Your [noparse][/noparse] tags are insecure. With some click bait, someone can easily do whatever they wanted. Like hijack a session.
  2. A point to note: PDO isn't inherently secure. You still need to take the appropriate actions by binding your parameters.
  3. Can I point out that someone can do whatever they like with this. Like; give themselves unlimited money, unlimited crystals, make themselves admin, put everyone in hospital, and so much more damage (basically do whatever they want with the users table). Now the above has been mentioned, let's refactor! We know each input must apply to one rule; values must be numerical (as item id's are numerical). With this, we can do a simple sanitise.   function do_item_change() { global $db,$userid; //Maybe check they have this item in their inventory... or is this done when they use on each page? $_POST['healitem'] = (int) sprintf("%u", $_POST['healitem']); $_POST['fooditem'] = (int) sprintf("%u", $_POST['fooditem']); $_POST['jailitem'] = (int) sprintf("%u", $_POST['jailitem']); $db->query("UPDATE users SET heal_item=". $_POST['heal item'] .", feed_item=". $_POST['food item'] .", jail_item=". $_POST['jail item'] ." WHERE userid=". $userid); print "Items changed"; //Maybe put this in a nice div? }   An example of input and various techniques to sanitise input: https://eval.in/238625
  4. Put the IPN listener script in the notify_url. Also, having all accounts to one paypal account (even if you use multiple email addresses to access that one wallet), if one user complains or whatever and your account gets suspended, you've stopped revenue 5 times, rather than the one. Spread the risk over 5 different wallets, or be savvy with a TOS, and log transactions to cover yourself should a user try and get a refund and suspend your account.
  5. Never understood why you'd label a menu, unless you're at a restaurant. The game looks promising though, gl!
  6. I can't wait for the movie. It's words being chucked at each other with no evidence. Take it to PM and channel everything through me; I'd like a good laugh.
  7. Hello MakeWebGames. Over the course of my short lifetime, I've defaced, hacked, pissed off, annoyed many game owners and users. Here is my retirement. The exploits The exploits exist in a lot of popular game engines (some not to the extent of others; but most are present). I'm not posting this for you to use. I'm posting this for you to secure your game. Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.     Basic exploits Basic exploits are very basic, but they exists on pretty much every game engine (listed on MakeWebGames). It allows you to append multiple CSS properties to a BBCode tag, effectively defacing pages. I've used this on multiple games, and it's been pretty fun. An example of defacement is using the [noparse][/noparse] tag. [color=red;background:black;position:fixed;top:0;left;0;width:100%;height:100%;]You've just been defaced.[/color]   Why do a greedy match when we just want to accept a hex colour code, right? (https://regex101.com/r/jU0uM7/1) Let's change the current color tag bbcode match to just match a hexadecimal colour value. (https://regex101.com/r/jU0uM7/4) It's a simple whitelisted character set. Because hexadecimal colour values are a maximum of 6 characters, and HEX only has values 0-F, we can do a character set. \[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]   This would make our PHP preg_replace become; preg_replace("/\[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]/", "<span style=\"font-color:$1>$2</span>", $input);     Game-killing exploits Many games use the greedy regular expression match (.+?) within their bbcode tag. An excerpt from the McCodes bbcode engine; $this->engine->cust_tag("/\[img=(.+?)\]/ie", "check_image('\\1')");   Lovely. The img tag is extremely exploitable. For most tags, it's a simple brain quiz on deciding a whitelist, or possibly blacklist, of characters to match. I'll show you only a few. We can bring up a pop-up box with the image tag exploit, by using onerror, onload, on*. It's simple. [img=1.jpg" onerror="alert('eXpLoIt')] //No need to end the ". The BBCode engine is nice to close this for us.   Now, let's secure this. We can change your regular expression match to (for the img tag) \[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\] //https://regex101.com/r/sC5tW5/1   This will give us a callback opportunity to validate the image itself (although, theoretically we don't need to do this, unless we display any EXIF data on the image, or the image comes with a JavaScript payload embedded within it.)   $output = preg_replace_callback("/\[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\]/", function($matches) { //Do checks on the image here //Look at exif data //Grab image size and validate that //Validate the extension //etc... if( [everything_is_ok] ) { return "<img src='". $matches[1] ."' />"; //Valid image } else { return "<img src='placeholder.jpg' />"; //Invalid image. Use a placeholder or don't do anything. Up to you. } }, $input);   Nice, img tag is now secured.     Here's a list of tag fixes I have done. I've just written these and I don't have any bbcode engines with me at the moment, but at least you get the idea ;)   Image tag bbcode fix Color tag bbcode fix Font family tag bboce fix Size tag bbcode fix   Will update. Just PM me your bbcode engines, and I'll see if they're exploitable.     Now that the BBCode exploits are out of the way, let's discuss other exploits. "Blackmail" You may be thinking, zomfg you can't do that, giving people their personal information is bad! No. Their personal information is free to read on the internet. They (the user) made it that way. I, earlier today, found someones whole life on the internet. Their name, social profiles, everything. It was simple, I just reversed image searched their in-game profile picture, and boom. Everything... every piece of information was given to me just from that one image. Try not let that be you. Session hijacking Although this is part of the BBCode exploit, you should really; Bind the session_id(); to the users ip. From all the games I experimented on, only one did this. Kudos [MENTION=70303]Hybridd[/MENTION] (surprisingly). Potentially bind the user agent to the session_id(); Do the two above and patch your bbcode as detailed above   I managed to hijack a bunch of accounts on a game and they were none-the-wiser until I told them, and started chatting the chat as them. It was funny. :) SQL Injections This is a good read CSRF I believe the newest McCodes release has a built-in system to help prevent CSRF. However a good test is to set your display picture to http://gameurl.com/logout.php and see if it logs you out. This is a good read: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)     Notes Total games owned: ~20 Here's some images showing the exploit on some games: http://imgur.com/a/O5cdX I mostly checked if I could do the exploit, and if I could, I removed it and told staff. Some of which I didn't, but the staff pissed me off by spamming previous projects of mine. Some good reads Exploiting StreetMafia: http://old.makewebgames.io/showthread.php/45259-Security Exploiting ReakCity: http://old.makewebgames.io/showthread.php/45245-Dear-Hybridd?p=307603&viewfull=1#post307603 Exploting ChaoticWars: http://old.makewebgames.io/showthread.php/45290-Awesome-RPG-Game-You-All-Should-Try-Out!?p=307883&viewfull=1#post307883   TOPMOBBSS PM me your game link if you wish for a penetration test ( ͡° ͜ʖ ͡°)
  8. Yes. A much easier way. I'll give you a hint;   <?php $a = array(); for($x = 0; $x <= 10; $x++) { $a[$x] = array(); for($y = 0; $y <= 10; $y++) { $a[$x][$y] = ''; } } $my_x = 5; $my_y = 2; $a[$my_x][$my_y] = 'HERE I AM'; print_r($a);   Arrays are your friend. No need to have 100 of unique variables.
  9.   User profiles don't validate or sanitise input Still using eregi, which is deprecated PHP errors show on screen Able to deface profiles Able to hijack traffic resulting in session hijacking, via XSS   All that, and I am needing to point out that the use of iframe makes UX a 0/10; plus free-hosting? No thanks.  
  10. It's a shame the whole game is full of security holes. Don't worry your socks; I'm not going all out. Just a simple test and I've notified staff. What I could have done; Diverted all traffic to a server I own somewhere in the world, and hijack their session. I'll have free reign over their account. Even if they change their password, I'll still be in Send items to other accounts Send money to other accounts Blah blah blah Get into a staff account and execute any server side code I wanted via crime exploit Give me any item in the game Make me max level Give me max stats Blah blah blah   [*]Deface my profile [*]Deface forum topics (2 ways I can do this)  
  11. PHPMailer and (IIRC) SwiftMailer classes have the functionality to read and write from Mailboxes; shouldn't be too hard to create a simple UI that adopts one of these classes
  12. > If you decide to purchase any in game credits or points, please do so at own risk. If I were to give you money, I'd expect no risk involved. Are you trying to deter money coming your way?! [MENTION=69001]Zettieee[/MENTION] - what are the main exploits?
  13. SHPXLBH

    Security.

    The end. So I toyed with him, with them. It was fun. Some saw the humour, some didn't. I'm not God... but i'd like to be. For 3 days the owner (Mr-Killer) was ignoring me, so I had to run a few demonstrations which involved; hi-jacking regular players accounts, hi-jacking staff accounts, wiping the DOM, bringing alert boxes up everywhere. It was fun. My only request was that he was to be polite, and I'd secure the BBCode parser for him. He wasn't. So I toyed with him some more. I handed him the candy to sort it; let's see how he does second time round ;) In the screenshots below, I am TOP MOBBS - I've built quite the name for myself over there by the way :) Previously, he said in the in-game chat that he'd open the IRC channel up to the users. Two tried to join, but he banned them straight away without a reason. I asked him to apologise, he wouldn't, so I wouldn't spoon feed him with the candy i just gave him (Wow, that sounds wrong!) [ATTACH]1742[/ATTACH] [ATTACH=CONFIG]1743[/ATTACH] The BBCode Engine is using a lazy match for each tag. That means you can abuse each and every tag. I generally went after [noparse][/img][/noparse]. But there are about 30 different tags to exploit. P.S - Do not enable the RC BBCode engine unless you've secured it.
×
×
  • Create New...