Posted

OK, so today a hacker has been targeting my game all day with different SQL injections for the cmarket etc. I have a system that logs them, and he was trying things like:

[/cmarket.phpaction=buy&ID=2 union all select 1,99999999,0,0].

[/cmarket.phpaction=remove&ID=2 union all select 1,CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53),0,0 –]..

 

Unfortunately, with all the SQL injections he has been using, he has found a way to change everybody's password in the game at once to a password of his choice. I don't know how he's doing this, but he is doing it repeatedly and is managing to ruin my game. Does anybody know how he is doing this, or are there any known exploits?

Posted

I've not heard of this one before.

Check your cpanel access logs, ftp accounts. Look for suspicious activity. Likelihood is, he has gained access to the back-end. If so, easily rectifiable - well, easier than finding the hole, if there was one.

Posted
Sniko, he probably has a script which he made on his own or someone made for him; most likely that's how it got exploited.

In these kind of situations, exhaust all possibilities :)

Posted

The first 2 attacks did not work; I have people trying them all the time. I'm checking the logs now but can't find anything suspicious. One thing I'm noticing is that every time the passwords are changed they are 5-digit number passwords, which makes me think the password is being auto-produced by the system?

Posted

Give me a PM with proof of your licence and I'll send you a PDO version of McCodes. It's worth changing, as mysql is slowly getting deprecated and is very hackable.

Posted

Shouldn't have taken so long, Sniko *tut tut*

Given the first 2 lines posted in the original post, which can both be found here: http://teachthe.net/?cat=60

It was only a matter of time to also notice: http://teachthe.net/?p=1626

Me, Seanybob and Decepti0n had a lot of fun with that one back in '09/10 (TeachThe.net was the domain me, Seanybob and Scarlet got that was supposed to become a forum, but we all lost interest, so Seanybob updated it at a later date)

Posted
I know Guest, I know!

I did spend a lot of time looking into who did it, as I like to know the kind of person I'm dealing with; mind games :p (Although I failed on that part)

Anyway, issue is hopefully resolved, and I'll be checking up on OP's site during the week, just to ensure.

Posted
Just read your post, was a good find :), what fix did you implement, are you willing to share it?

Posted

Would have been images, since that's where the worms hit.

So profile images and forum images.

Since there are no checks, you can insert malicious JavaScript, and when viewed, it copies itself to your own too.

Since it's then in your own account, you have full auth to change your password etc.

That's assuming you have some sort of CSRF protection, which would make this harder. Of course, it's not CSRF that's actually occurring; the token on forms etc. should block rogue updates like this one.

Furthermore, without any tokens on preferences and the fact the McCodes forum BB tag for images isn't secure, means that's a possibility also, to add malicious JavaScript.

Conclusion: security is lax and I'm unsure if it's been updated in newer versions.
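
Added example, not part of the original thread and not McCodes code: one way to render an [img] BBCode tag so that user input cannot carry script into the page, as the post above describes. The names `safe_img_url`, `render_img_bbcode` and `ALLOWED_IMG_EXT` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration: hardened [img]...[/img] rendering (hypothetical helper names).
const ALLOWED_IMG_EXT = ['png', 'jpg', 'jpeg', 'gif'];

function safe_img_url(string $raw): ?string
{
    $url = trim(html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    // Reject control characters, whitespace, quotes, backticks, backslashes, angle brackets.
    if ($url === '' || preg_match('/[\x00-\x20"\'<>`\\\\]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Only absolute http(s) URLs, so javascript: and data: never reach the src attribute.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Requiring an image extension also stops [img] from pointing at a .php action page.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMG_EXT, true) ? $url : null;
}

function render_img_bbcode(string $post): string
{
    // Escape the whole post first so no user-supplied markup survives.
    $escaped = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        '~\[img\](.*?)\[/img\]~is',
        function (array $m): string {
            $url = safe_img_url($m[1]);
            return $url === null
                ? '[blocked image]'
                : '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample inputs: one valid image, one attribute break-out, one script URL.
$samples = [
    '[img]https://example.com/avatar.png[/img]',
    '[img]https://example.com/a.png" onerror="alert(1)[/img]',
    '[img]javascript:alert(1)[/img]',
];
foreach ($samples as $s) {
    echo render_img_bbcode($s), PHP_EOL;
}
```

Output filtering like this covers the image tag only; the missing form tokens on preferences that the post mentions are a separate gap.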

Posted

So changing the bbcode for images should fix the issue above, correct?

Posted
Try replacing
cmID={$_GET['ID']}"); with this: cmID={$_GET['ID'] = abs((int) $_GET['ID']);

Cheers

-tooshort-
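
Added example, not part of the original thread and not McCodes code: strict validation of the `ID` parameter plus a bound PDO parameter, run against the first logged request from the opening post. The table name `crystalmarket`, the column `cmPRICE` and the function names are hypothetical; only `cmID` comes from the thread.

```php
<?php
// Added illustration: validate the ID, then bind it (hypothetical table and helper names).

function parse_id($raw): ?int
{
    // Accept only a plain positive decimal integer; "2 union all select ..." fails here.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_listing(PDO $db, $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null; // reject (and log) instead of silently coercing the value
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT cmID, cmPRICE FROM crystalmarket WHERE cmID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE crystalmarket (cmID INTEGER PRIMARY KEY, cmPRICE INTEGER)');
$db->exec('INSERT INTO crystalmarket VALUES (2, 500)');

// Second input is the payload logged in the opening post; the rest are constructed.
$inputs = ['2', '2 union all select 1,99999999,0,0', '-2', '2abc'];
foreach ($inputs as $in) {
    printf("%-40s %s\n", $in, fetch_listing($db, $in) === null ? 'rejected' : 'found');
}

// abs((int) $raw) would turn the second input into 2 as well: the injection is
// neutralised, but the request proceeds as a normal lookup instead of being refused.
```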

Posted
did it work

No it was sarcasm. Edit: Apparently it is not sarcasm, in which case don't disregard below.

It's already been ascertained that the problem is with more than likely malicious input within the context of images, rather than the crystal market.

Edit2: In fact it was verified it was not a crystal market problem on the front page.

Posted
Thanks for totally confusing me >.< ha
