MakeWebGames

Security Thread


Lady Gaga


I FOUND THIS ON IMMORTAL-DARKNESS FORUM I THINK IT WILL HELP

 

In this thread I will enlighten everyone to the information I've learned in my McCodes adventure as well as a few tips and tricks on how to make your game a bit safer. Granted there will always be more to add, but this should get you started, enjoy.

 

Step 1.

Securing your IP variable to stop some older versions of Firefox using the X-Forwarded-For spoofer to auto-admin themselves on your site

In ALL of these files.

header.php

login.php

register.php

forums.php

global_func

authenticate.php

 

Find:

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR'])
    ? $_SERVER['HTTP_X_FORWARDED_FOR']
    : $_SERVER['REMOTE_ADDR'];

 

Replace With:

$IP = $_SERVER['REMOTE_ADDR'];
$IP = addslashes($IP);
$IP = mysql_real_escape_string($IP);
$IP = strip_tags($IP);

 

 

 

Step 2.

Basic Security vs The Forums and Cmarket Hack.

--This hack is done off a simple URL injection forming a long string of code that is basically inserting false info into your PHP script and database. The quickest way to secure this, though not "foolproof" as other hacks will eventually be written around leaky PHP code, is the following.

Open header and find

function userdata($ir, $lv, $fm, $cm, $dosessh = 1)
{
    global $db, $c, $userid, $set;

 

Beneath this should be your new IP variable. Directly under the IP variable query add

$_GET['ID'] = abs(@intval($_GET['ID']));
$_GET['reply'] = abs(@intval($_GET['reply']));

 

Step 3.

On most McCodes games the ability to change one's user level is done by calling to the field in users known as user_level. A few hundred hacks have been formed to use this, and the display pic or signature function in your viewuser.php file, to automatically make an admin admin another person.

For example: if you are an admin you have a file normally called staff_special.php in your staff menu. Going here and selecting a user lets you make them admin. This hack is basically the function that you would select when making someone an admin. They insert it into their display picture instead of an actual URL link to a valid image. In turn, when an admin views the user's profile, there is some hidden work going on that the admin is unaware of, where they are actually running through the process of setting that user as an admin.

There is no quick fix for this. As there are a few ways for this to be done. If you stop them from entering staff_special.php they will try a re-direct with the <meta tag> hack via the same process. Or perhaps Bug report, Player report, Forums, Player Ads, just about any place that posts user info.

The best Option here is to create an Off-Site host that users must upload pictures to and only accept Links from that site for your display pic. While this is a HUGE hassle this will stop ALL Shell uploads and Re-Directs via this option. I might suggest if you have gangpics you use that as well as it's just as vulnerable.

Another option is having them upload pictures to a secure folder on your site and making 110% sure it's not a .php/shell type upload by using a whitelist. URLs can always be redirected if not secured properly, and rather than just show one way, I'd rather explain how it works as it's not easy to stop.

A pseudo quick fix that I've done, among other things, is change your user_level. Revamp your user level system, change table names, change staff file names and disable errors from displaying on your screen to give away your new tables.

This brings us to step 4

Step 4.

Stop displaying critical Table Data anytime a User makes a booboo.

 

In your class/class_db_mysql.php file, located in the class folder of your root directory.

In this file are several queries that run against your main database. You will find the function in this file that looks like the following:

function query_error()

Replace the ENTIRE query_error function (it should be about 5 lines or so) with this:

 

function query_error()
{
    if (isset($_SESSION['loggedin']) && $_SESSION['userid'] == 1)
    {
        die("QUERY ERROR: " . mysql_error() . "
Query was {$this->last_query}");
    }
    else
    {
        echo "An error has been detected, please report this error to ID 1 stating exactly where you found it (copy the URL if possible)";
        exit;
    }
}

 

This will enable your error to ONLY show to ID 1. If they are anything other than ID 1 it will simply tell them an error has been detected.

Step 5.

All $_GET and $_POST variables MUST be secured to ensure proper data input.

Not cleaning data that goes into or comes out of your database can be hazardous to your site.

Imagine a .php script in your game.

Something along the lines of..

if($_POST['data'] = blah)
{
    $db->query("UPDATE users SET money=money+500 WHERE userid=$userid");
}

Imagine if someone inserted blah ' OR ("DROP TABLE users");

Now the string would look like this

if($_POST['data'] = blah ' OR ("DROP TABLE users")); and there went your users table.

Granted, that's not going to work as I just used it for an example, but now you get the idea of how important it is to secure your variables.

How to secure INPUT / POST variables.

$_POST['blah'] Not Secure

$_POST['blah'] = mysql_real_escape_string(htmlentities($_POST['blah'])); Secure.

You can either do the above for EACH $_POST you see, or Define it in advance and use it only once. This will secure all STRINGS. For Integers you would just need to do this

$_POST['integer'] = abs(@intval($_POST['integer']));

The abs(@intval ensures that it's a positive integer and isn't a decimal.

Step 6.

Securing OutPut

All data that travels from the database and is output on your site can also be potentially harmful, which is why this part is also important.

Anywhere data that users enter, such as signature, forum data, etc., is fetched from the database and then printed on your site could be deadly.

Secure it as such

$_GET['string'] unsecure

$_GET['string'] = stripslashes(htmlspecialchars($_GET['string'])); Secure

For integers you again can use $_GET['integer'] = abs(@intval($_GET['integer']));

Step 7.

There is some debate on sprintf and its value, as it tends to lag smaller servers. However, this will trim and clean data to slow or stop RHI hacks.

Proper Use of sprintf

("UPDATE users SET money=money-$loss WHERE userid=$userid");

That is insecure, and can be fiddled around with. So we'd sprintf() it, and go about doing it like this.

$sprintf = sprintf("UPDATE `users` SET `money` = `money` - %d WHERE (`userid` = $userid)", abs(@intval($loss)));
$db->query($sprintf);

 

Miscellaneous info

Here is a little function you could use to secure your GET and POST info; bear in mind you'd have to call it, just entering this will do nothing.

 

function anti_inject($campo)
{
    foreach ($campo as $key => $val)
    {
        // remove words that contain SQL syntax
        // (the /i flag replaces sql_regcase(), which no longer exists in current PHP)
        $val = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $val);
        // remove leading and trailing spaces
        $val = trim($val);
        // remove HTML/PHP tags
        $val = strip_tags($val);
        // add backslashes before quotes
        $val = addslashes($val);
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // returns the cleaned array
}

$_GET = anti_inject($_GET);
$_POST = anti_inject($_POST);

 

EVEN MORE

$_POST['var'] = preg_replace('/<(.+?)>/ims', '', $_POST['var']);
$_POST['var'] = mysql_real_escape_string($_POST['var'], $connection);
echo htmlspecialchars(stripslashes($_GET['var']));

 

Re-Name your staff files.

Re-Adjust your important tables.

Hide Staff-Files in a folder, lock it from outside users.

Include a staff password protection on each staff page, only give the password to your staff.

Things I've done extra: include a database column in users called staff password. Add a password of your choice.

Then in header, put a check for all users above user level 1. If they don't have the staff password in their users row, it auto-Feds them.

 

Insert Hacklogs, can be found on several forums, I'll post link later when I find it. This tells you who has tried to hack your site so you can take pre-emptive action.

Have trustworthy staff; don't just make anyone who begs for staff an admin, as they can prove more harmful than helpful.

Never Share your Cpanel info with ANYONE Ever unless absolutely necessary and you know for sure you can trust this person. Do background searches on random people via the forums and see what type of post history they have.

 

Again, this is not all that can be done, but it is a start. I offer to do all of the above for reasonable rates if you do not feel you are capable of doing it yourself.

I really hope this helps you all.

Enjoy.

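As an added example (not code from the guide, from McCodes, or from any poster in this thread), here are steps 1, 2, 4, 5, 6 and 7 rewritten as small PHP helpers. It assumes PHP 7 or later with PDO and a users table with userid and money columns, and it swaps the guide's sprintf()/mysql_real_escape_string() pattern for a prepared statement. The function names, the trusted-proxy list and the in-memory SQLite database used for the demo run are all assumptions made for this example.

```php
<?php
// Added example: not code from the guide or from McCodes. It rewrites the
// guide's steps 1, 2, 4, 5, 6 and 7 as small helpers on PHP 7+ with PDO.
// Assumed: a `users` table with `userid` and `money` columns, and that the
// game does NOT sit behind a reverse proxy unless you list that proxy.
declare(strict_types=1);

// Step 1: REMOTE_ADDR is what the TCP connection says; HTTP_X_FORWARDED_FOR
// is whatever the client typed into a header. Only honour the header when
// the direct peer is a proxy you run, and then take the hop it appended.
function client_ip(array $server, array $trustedProxies = []): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    $xff    = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        $hops = array_map('trim', explode(',', $xff));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Steps 2 and 5: an id must be a positive integer. Unlike abs(@intval(...)),
// which quietly turns "12abc" into 12 and "abc" into 0, this rejects them.
function positive_int($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Step 6: escape at output time, for the HTML context, every time.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 7: a prepared statement separates the SQL from the data for every
// value, including $userid, which the guide's sprintf() still interpolates.
function deduct_money(PDO $db, int $userid, int $loss): int
{
    $stmt = $db->prepare('UPDATE `users` SET `money` = `money` - :loss WHERE `userid` = :uid');
    $stmt->execute([':loss' => $loss, ':uid' => $userid]);
    return $stmt->rowCount();
}

// Step 4: log the real error server-side; show the query only to the owner.
function report_query_error(Throwable $e, string $sql, bool $viewerIsOwner): string
{
    error_log('QUERY ERROR: ' . $e->getMessage() . ' Query was: ' . $sql);
    if ($viewerIsOwner) {
        return 'QUERY ERROR: ' . h($e->getMessage()) . ' Query was ' . h($sql);
    }
    return 'An error has been detected, please report this error to ID 1 stating exactly where you found it (copy the URL if possible)';
}

// Constructed demo run; SQLite stands in for MySQL so it runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE `users` (`userid` INTEGER PRIMARY KEY, `money` INTEGER NOT NULL)');
$db->exec('INSERT INTO `users` (`userid`, `money`) VALUES (1, 1000)');

// Constructed request: the peer claims a different address via the header.
$fakeServer = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
echo client_ip($fakeServer), "\n";                   // header ignored: peer is not a listed proxy
echo client_ip($fakeServer, ['203.0.113.7']), "\n";  // header honoured: peer is a listed proxy

var_dump(positive_int('12'));          // accepted
var_dump(positive_int('12 OR 1=1'));   // rejected, not coerced
var_dump(positive_int('-3'));          // rejected, not made positive

$loss = positive_int('250') ?? 0;
echo deduct_money($db, 1, $loss), " row(s) updated\n";
echo $db->query('SELECT `money` FROM `users` WHERE `userid` = 1')->fetchColumn(), "\n";

echo h('<b>hi</b> & "bye"'), "\n";     // tags and quotes are neutralised for HTML

try {
    $db->query('SELECT `nope` FROM `users`');
} catch (PDOException $e) {
    echo report_query_error($e, 'SELECT `nope` FROM `users`', false), "\n";
}
```

Run it with php from the command line. The X-Forwarded-For value is only honoured in the second client_ip() call, where the peer address is in the trusted list; positive_int() returns null for '12 OR 1=1' and '-3' instead of silently coercing them, so the caller can refuse the request; and the non-owner branch of report_query_error() never includes the query text, which goes to the server log instead of the browser.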

Whoever made this top security for people that cannot secure needs a top rating :) Let me know :D

There are MANY places where you can find out how to secure, so no, he doesn't need a top rating, nor does anyone else who creates these nice guides.

 

These hacks are the baby ones. Hackers are moving up in the world; these hacks are used by n00bs, such as Decio and his crew.


function anti_inject($campo)
{
    foreach ($campo as $key => $val)
    {
        // remove words that contain SQL syntax
        // (the /i flag replaces sql_regcase(), which no longer exists in current PHP)
        $val = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $val);
        // remove leading and trailing spaces
        $val = trim($val);
        // remove HTML/PHP tags
        $val = strip_tags($val);
        // add backslashes before quotes
        $val = addslashes($val);
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // returns the cleaned array
}

$_GET = anti_inject($_GET);
$_POST = anti_inject($_POST);

Let me know how that works for you....


function anti_inject($campo)
{
    foreach ($campo as $key => $val)
    {
        // remove words that contain SQL syntax
        // (the /i flag replaces sql_regcase(), which no longer exists in current PHP)
        $val = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $val);
        // remove leading and trailing spaces
        $val = trim($val);
        // remove HTML/PHP tags
        $val = strip_tags($val);
        // add backslashes before quotes
        $val = addslashes($val);
        // store it back into the array
        $campo[$key] = $val;
    }
    return $campo; // returns the cleaned array
}

$_GET = anti_inject($_GET);
$_POST = anti_inject($_POST);

Yeah, when I first started coding I tried this function; this is something that you should not put on your website. All it really does is screw up the data in your $_GET and $_POST when you have certain characters in there, and it's not very well thought out. It could be useful in some cases, but in all cases it is not useful. Something better to use instead of this would be a simple preg_replace() or an htmlspecialchars(), but like I said, one thing can't solve everything, so it will not be useful in all cases.

Also sprintf :thumbdown: it's confusing and there are things that can be used in place of it.

And for the $IP variable, the MySQL escape should be enough; the only reason you would need anything else like htmlspecialchars is when you're printing it, in case there might be HTML/Java in it.

But apart from that good job on the explanation.

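The data corruption described in the reply above can be shown directly. This added example (not from any poster in the thread) runs the anti_inject() function posted earlier over constructed, harmless form values; the only change to the function is that the /i flag stands in for sql_regcase(), which was removed in PHP 7. The sample field names and values, and the altered_fields() helper, are constructed for this demonstration.

```php
<?php
// Added example, not code from the thread: runs the anti_inject() filter
// posted above over constructed, harmless form data to show how it corrupts
// it. sql_regcase() was removed in PHP 7, so the /i flag stands in for it;
// the keyword list and the other steps are the posted function's own.
function anti_inject(array $campo): array
{
    foreach ($campo as $key => $val) {
        $val = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $val);
        $val = trim($val);
        $val = strip_tags($val);
        $val = addslashes($val);
        $campo[$key] = $val;
    }
    return $campo;
}

// Returns the keys whose value the filter altered, so the damage is measurable.
function altered_fields(array $before, array $after): array
{
    $changed = [];
    foreach ($before as $k => $v) {
        if ($after[$k] !== $v) {
            $changed[] = $k;
        }
    }
    return $changed;
}

// Constructed sample POST data: ordinary text a player might legitimately send.
$post = [
    'city'     => 'Selectric Heights',               // contains "select"
    'location' => 'Somewhere over the rainbow',      // contains "where"
    'bio'      => "I'm from #1 guild -- ask anyone", // "from", "#", "--"
    'password' => 'deleteMe2009',                    // a password containing "delete"
    'clean'    => 'nothing odd here',
];

$filtered = anti_inject($post);
foreach ($post as $field => $value) {
    printf("%-9s %-34s -> %s\n", $field, $value, $filtered[$field]);
}
echo 'Altered: ', implode(', ', altered_fields($post, $filtered)), "\n";
```

Four of the five fields come back changed: "Selectric" loses its first six letters, "Somewhere" becomes "Some", the bio loses "from", "#" and "--" (and gains a backslash before the apostrophe), and the password is stored as "Me2009", so the player can never log in with the password they typed. Because the keyword list matches inside ordinary words, the filter damages legitimate data while giving no guarantee about the query it was meant to protect; escaping or, better, parameterising at the point where the value meets SQL is what actually addresses that.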

Guest Drizzle

Since a lot of people use Cpanel-type hosting, you could also hint to change your password to something along the lines of: *yo0|_||-\P@s_ZvV0|-\|)*&@*gG@nn3(\)@nN3*)*^!@# If you have good converting skills you will be able to see that that line converts to *YourPASSWORD*&*GameName*)*^!@#, and is more secure of a password than what cpanel generates most of the time. While this is certainly not hack proof, nor is anything on the net, this will render it 99% impossible to brute force. Another tip is instead of shared hosting, try VPS, or if you can run a few servers at the same time, if you understand basic server setups, etc., then try hosting yourself. But this creates a problem, as if you're not good with security, and I'm not just talking about just PHP security, I'm talking shell, all the stuff. So if you are a beginner and serious about gaming, get a VPS and either learn to secure, or have a friend secure it, or pay one of these lovely people (if someone named decio says I'll secure your site, just say ok and give him all the money, then give him your cpanel info, or the equivalent, and watch him delete your files, because he certainly can't hack them unless the newb decides to get out of huggies, and be happy), but seriously many people such as immortal thug, crimgame (Zero EEEEEEffect), magictallguy (aka. mtg), and others.


I should probably update those forums as I don't even use them and haven't for quite some time....

Some of that stuff ... well, most of that stuff was found and copied off other sites as info for users that frequented the forums; however, a lot of that stuff, though it will stop the majority of basic hacks, is not good practice.

There are far better tutorials to follow; heck, I've written some since that will help you out a bit better and more properly :)

<---I own those forums though I don't use them anymore >,< I use MasterMccodes.com


crimgame(Zero EEEEEEffect)

Ok it's kind of getting annoying now lol AFFECT! FFS lol

may interest anyone looking for security... (just click the word "Security" below for my offer)

[mp]17[/mp]

@ BUG - redirect to mastermccodes then numb nuts (lol @ you not using your own forum that's like me saying i own my own car but i take the bus).


Step 4.

Stop displaying critical Table Data anytime a User makes a booboo.

 

In your class/class_db_mysql.php file, located in the class folder of your root directory.

In this file are several queries that run against your main database. You will find the function in this file that looks like the following:

function query_error()

Replace the ENTIRE query_error function (it should be about 5 lines or so) with this:

 

function query_error()
{
    if (isset($_SESSION['loggedin']) && $_SESSION['userid'] == 1)
    {
        die("QUERY ERROR: " . mysql_error() . "
Query was {$this->last_query}");
    }
    else
    {
        echo "An error has been detected, please report this error to ID 1 stating exactly where you found it (copy the URL if possible)";
        exit;
    }
}

Does that even work? Just asking, as I made an error on purpose and changed

&& $_SESSION['userid'] == 1

into

&& $_SESSION['userid'] == 2

but it still showed me the error?

