Jump to content
MakeWebGames

Bladewolf2010: Is he trusted

criminal wars

By criminal wars
in General

 Share

Recommended Posts

bladewolf2010 Newbie

bladewolf2010

Posted
Posted
A while ago when I was looking for security, he offered me some for like $35 I think... I asked for an example, and this is what I got:

 

<?php
$housequery=1;
$atkpage=1;
include "globals.php"; 
$userid=$_SESSION['userid']; 
if (eregi("[^0-9]", $_GET[iD])) {
print"Click... Click.. BOOM";
mysql_query("INSERT INTO fedjail VALUES('',".$ir['userid'].",999999,1,'Attempted URL Injection in a file.')");
mysql_query("UPDATE users SET fedjail=1 WHERE userid=$userid");
exit;
}
/*+++++++++++++++++++++++++++++++++++++*/
/*            SQL Protection Start                                      */
/*+++++++++++++++++++++++++++++++++++++*/
//check if incomingData is not empty and of the expected length
function checkIncomingData($idata, $minsize, $maxsize) 
{
if ( 
  strlen($idata)<$minsize
  or  
  strlen($idata)>$maxsize 
  ) 
{
return false;
}
  else
{
  return true;
  }
}
//make sure that nothing bad can be entered by the user (-->sql injection attack)
function cleanIncomingData($idata) 
{
$cleaned = trim($idata); 
$cleaned = mysql_real_escape_string($cleaned);
return $cleaned;
}
/*+++++++++++++++++++++++++++++++++++++*/
/*            SQL Protection  Ended                                  */
/*+++++++++++++++++++++++++++++++++++++*/
if($ir['fedjail'])

{

print "Error - while in fedjail you cannot access this page ";

$h->endpage();

exit;

}
print "<h3>Bank</h3>";
if($ir['bankmoney']>-1)
{
switch($_GET['action'])
{
case "deposit":
deposit();
break;

case "withdraw":
withdraw();
break;

default:
index();
break;
}

}
else
{
if(isset($_GET['buy']))
{
if($ir['money']>49999)
{
print "Congratulations, you bought a bank account for \$50,000!

[url='bank.php']Start using my account[/url]";
$db->query("UPDATE users SET money=money-50000,bankmoney=0 WHERE userid=$userid");
}
else
{
print "You do not have enough money to open an account.
[url='explore.php']Back to town...[/url]";
}
}
else
{
print "Open a bank account today, just \$50,000!

[url='bank.php?buy']> Yes, sign me up![/url]";
}
}
function index()
{
global $db, $ir,$c,$userid,$h;
print "\n[b]You currently have \${$ir['bankmoney']} in the bank.[/b]

At the end of each day, your bank balance will go up by 2% for donators for balances up to 200 Trillion.

And you have to be active within the last 4 days.

<table width='75%' cellspacing=1 class='table'> <tr> <td width='50%'>[b]Deposit Money[/b]

It will cost you 1% of the money you deposit if the deposit is $1,000,000 or more. <form action='bank.php?action=deposit' method='post'>
Amount: <input type='text' name='deposit' value='{$ir['money']}' />

<input type='submit' value='Deposit' /></form></td> <td>
[b]Withdraw Money[/b]

There is no fee on withdrawals.<form action='bank.php?action=withdraw' method='post'>
Amount: <input type='text' name='withdraw' value='{$ir['bankmoney']}' />

<input type='submit' value='Withdraw' /></form></td> </tr> </table>";
}
function deposit()
{
global $db,$ir,$c,$userid,$h;
$_POST['deposit']=$_POST['deposit'];
if($_POST['deposit'] < 0)
{
print"Click... Click.. BOOM";
mysql_query("INSERT INTO fedjail VALUES('',".$ir['userid'].",5000,1,'Exploiting a game bug.')");
mysql_query("UPDATE users SET fedjail=1 WHERE userid=$userid");
    exit;
}
if($_POST['deposit'] > $ir['money'])
{
print "You do not have enough money to deposit this amount.";
}
else
{
$fee=ceil($_POST['deposit']*1/100);
if($fee < 10001) { $fee=0; }
$gain=$_POST['deposit'] - $fee;
$ir['bankmoney']+=$gain;
$db->query("UPDATE users SET bankmoney=bankmoney+$gain, money=money-{$_POST['deposit']} where userid=$userid");
print "You hand over \${$_POST['deposit']} to be deposited, 

after the fee is taken $ $fee, \$$gain is added to your account. 

[b]You now have \${$ir['bankmoney']} in the bank.[/b]

[url='bank.php']> Back[/url]";
}
}
function withdraw()
{
global $db,$ir,$c,$userid,$h;
$_POST['withdraw']=$_POST['withdraw'];
if($_POST['withdraw'] < 0)
{
print"Click... Click.. BOOM";
mysql_query("INSERT INTO fedjail VALUES('',".$ir['userid'].",5000,1,'Exploiting a game bug.')");
mysql_query("UPDATE users SET fedjail=1 WHERE userid=$userid");
    exit;
}
if($_POST['withdraw'] > $ir['bankmoney'])
{
print "You do not have enough banked money to withdraw this amount.";
}
else
{

$gain=$_POST['withdraw'];
$left=($ir['bankmoney']-$gain);
$db->query("UPDATE users SET bankmoney=bankmoney-$gain, money=money+$gain where userid=$userid");
print "You ask to withdraw $gain, 

the banking lady grudgingly hands it over. 

[b]You now have \$$left in the bank.[/b]

[url='bank.php']> Back[/url]";
}
}
$h->endpage();
?>

 

Quite clearly putting a useless function at the top of a file WILL NOT secure your game...

 

I never offered to secure anything for you first off. I don't even use that, so before you go saying shit make sure you know what your saying ;)

  • Replies 68
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Joshua Newbie

Joshua

Posted
Posted

Ok, just to clarify on "security" regarding McC.

There is no simple script that will secure the site(Been stated before)

What I myself normally do.

I go through all files, roughly 100 of them (that can be exploited in one way or another)

Secure them individually, by scanning them, cleaning variables, securing input and output, re-writing if necessary.

a few .htaccess re-writes that i have used for quite some time that HELP with stopping xss injections incase i miss something.

(this is something i googled a long while back and have tested and works) I can't write htaccess code worth a flip.

Add some aftermarket modifications i designed as well as installing a few that i have found on the forums (slightly re-written) done by Illusions to keep track of any attempts.

Secure the heck out of staff system using DEFINE functions via staff.php, staff password, ban on unauthorized staff etc.

I like to re-structure the database as well "if i'm bored" not because it's safer, but simply because the amount of crap in the users table bugs me and when i'm bored i tend to....alter it.

A lot of files i also merge into 1 larger file as well, such as send cash, bank, cyber, the search features etc.

Slap staff files and crons etc into a sub folder and secure that folder from direct access, simply because i hate a cluttered pub root directory and it orginizes it a bit better.

There are a few other minor quirks i do as well I'm sure, but this is why we usually charge 150.00 USD.

I wouldnt do half of this stuff for 50.00 USD

There are a lot of files in the McC engine, a lot.

And while yes, i could probably spend 30 minutes and secure vs the known hacks, (if that) it wouldn't be air tight.

there never really is air tight, but i like to come as close to it as i can get.

rulerofzu Newbie

rulerofzu

Posted
Posted

Unless your going to show you can code to a decent level Bladewolf2010 which in over 300 posts you have not then I think we are pretty much done here and you wont be hired for security work anytime soon.

Joshua Newbie

Joshua

Posted
Posted

LMAAAAAAAAAAO owned by screenshot hahah reply button took entirely to long i was laughing to hard lol

:edit:

Kieran you have been offering to do the same thing as well for 50.00 and it's not securing either ;-)

Djkanna Apprentice

Djkanna

Posted
Posted
Ok, just to clarify on "security" regarding McC.

There is no simple script that will secure the site(Been stated before)

What I myself normally do.

I go through all files, roughly 100 of them (that can be exploited in one way or another)

Secure them individually, by scanning them, cleaning variables, securing input and output, re-writing if necessary.

a few .htaccess re-writes that i have used for quite some time that HELP with stopping xss injections incase i miss something.

(this is something i googled a long while back and have tested and works) I can't write htaccess code worth a flip.

Add some aftermarket modifications i designed as well as installing a few that i have found on the forums (slightly re-written) done by Illusions to keep track of any attempts.

Secure the heck out of staff system using DEFINE functions via staff.php, staff password, ban on unauthorized staff etc.

I like to re-structure the database as well "if i'm bored" not because it's safer, but simply because the amount of crap in the users table bugs me and when i'm bored i tend to....alter it.

A lot of files i also merge into 1 larger file as well, such as send cash, bank, cyber, the search features etc.

Slap staff files and crons etc into a sub folder and secure that folder from direct access, simply because i hate a cluttered pub root directory and it orginizes it a bit better.

There are a few other minor quirks i do as well I'm sure, but this is why we usually charge 150.00 USD.

I wouldnt do half of this stuff for 50.00 USD

There are a lot of files in the McC engine, a lot.

And while yes, i could probably spend 30 minutes and secure vs the known hacks, (if that) it wouldn't be air tight.

there never really is air tight, but i like to come as close to it as i can get.

That is major overkill, I do what I am paid to do, to busy to add little quirks as well. But hey if you have the time for that then go for it. XD

Paul Evans Newbie

Paul Evans

Posted
Posted

and i can better than you... whats your point?

i secure by looking over the code most people on here secure by copy and paste... i find quite afew exploits by hacking the game first (with permission of course) and that's without code side help.

 

I go through all files, roughly 100 of them (that can be exploited in one way or another)
Really... name the security problems (all of them in 100 separate files) excluding staff_*.php files.

^Remember i said security problems...

I think you kind of overkill with your clients Joshua... why make the job more difficult (if you move anything from users table then in the future mods won't work)... and when i say mods i mean free installs.

Say for example you move `laston` so now if a mod grabs when a user was laston the instructions for the mod won't work. Taking to note if your doing the security the owner of the site is a novice, they waste money on a mod they will never be able to install (if it's a paid mod) or do they come to you 2 years down the line and you'll install 'em free? (too much work)

stick to the basics... secure what needs to be secured, why fix something when it's not broken.

EDIT:

You mustn't have much work if you have enough time to do all that. (which would imply your not that good (not me saying that but seems like it))

Joshua Newbie

Joshua

Posted
Posted

Due to being absent, I don't have much work really so yea :-)

I know a lot of it is overkill but the more i do the more i get into it and i get carried away of course.

There are a lot of files that have tiny exploits in them, and even a lot of the staff files can be tampered with if you have a bad staff member. Just saying.

Do I do more than I'm paid to?

Of course I do, I like to get customers so going above and beyond helps.

Hacking there site is the first thing done of course. Test every aspect to see what's insecure etc etc.

But again, I'm an overkill kinda guy i guess ;P

bladewolf2010 Newbie

bladewolf2010

Posted
Posted

@Ruler- Do remember that MWG is not the only place that McCode users go to. This site is where a little bit of them go to. I get security jobs often, thank you very much. If I'm not getting anyone from here then so be it. I could care less honestly.

@Kieran-R- It's really easy to edit a screen shot.

Joshua Newbie

Joshua

Posted
Posted

Blade, Before you go off on the whole "screenshots can be edited speel"

Moderators can view the PM's and verify if it's real ;-)

Or maybe it's admins, but one of them :p

Kieran-R Newbie

Kieran-R

Posted
Posted

LOL bladewolf.

You honestly think I would go to the time and effor to edit a screenshot?

Especially that there are code tags in the screenshot. I'm pretty sure thatthe source HTML for that ain't just

...

There are mail logs also. So your just making your self look even more pathetic. And blade maker, how can you honestly think he's trusted. After seeing that screenshot? Or are you one of those people who believe the screenys edited? LOL

Dominion Newbie

Dominion

Posted
Posted
lol, Blade two things pal.

A) This is the MAIN site for MCCode users..

B) Screenshots can not be easily edited and I bet if I was to check the result would be truthful. Own up and be a man.

You can edit it on the site, and just take a screen shot. There are Firefox addons hell even Google will tell you how to do basic edits. Takes no knowledge what so ever to fake a screen shot. As for editing one already around it’s a little more difficult, but not if can make it look original e.g. same font size etc...

@ bladewolf – I advice posting something you can do. Find 20 mins to run up a nice mod, and post it. Once people see you can/can’t do something it will help you can costumers.

Joshua Newbie

Joshua

Posted
Posted
The code posted by Kieran-R isn't my code.. I claimed it as mine at the time because I was a money hungry bastard.. I got the code from a different game that I was helping.

So now you're saying it's not "edited" ? ;-)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...