SHPXLBH Posted November 12, 2014 (edited)
Another one bites the dust. I was sent this. So, I did this. They'd then be redirected to my forum post and the DOM completely wiped, with this replacing the page. They will be automatically logged out, so the non-leejun will think they've been hijacked. Also, once they've fixed their MySQL socket for forums, it'll rate up my security thread as usual.
I could have done the following:
- Hijacked anybody's account
- Made everyone attack anybody randomly
- Made everyone send me stuff
- Other stuff... pretty much anything
To game owners: Don't spam. Don't encourage spam. Ban those that do spam.
P.S. If you're planning on using RC, don't put it live until you've secured it.
Edited November 13, 2014 by SHPXLBH
G7470 Posted November 12, 2014
Be careful when doing stuff like this because in most cases, a user is spamming like that without the owner's knowledge. I've had that happen to me several times before, and when I was an owner, I explicitly stated not to spam. Vigilante justice can be useful, but only on those who are encouraging as well as actively participating in such behaviours. With that in mind, where's your proof that this guy is the owner or that the owner encouraged this spam? ~G7470
SHPXLBH (Author) Posted November 13, 2014 (edited)
G7470 wrote: Be careful when doing stuff like this because in most cases, a user is spamming like that without the owner's knowledge. I've had that happen to me several times before, and when I was an owner, I explicitly stated not to spam. Vigilante justice can be useful, but only on those who are encouraging as well as actively participating in such behaviours. With that in mind, where's your proof that this guy is the owner or that the owner encouraged this spam? ~G7470
The site referenced in the first picture. I've managed to hijack an administrator account after he said I couldn't (even from looking at the previous 'attack', he doubted the security holes). We're on /good/ terms. I only changed his name so he'd believe me. Then I hijacked his account various other times, and a few other accounts too. We're talking terms at the moment, as I'd like something in return for my efforts.
I've been told by numerous players that Joker is the admin of other sites (no URLs given), a player on Street Mafia (although they retracted their accusation after analysing the wording used; English isn't his first language), and that Joker used to be either ID 1 or ID 42 (accused by ID 42), or ID 167. All accounts are staff, 2 of which are admins. I've also been told (and I've not verified this information) that ID 1 scams donation money until the game dies and throws up a new game sometime after.
[Attachment 1738]
My request, to be met before I'll patch the security holes, has been denied. I've removed the XSS to take over accounts; however, this is still around. (It's harmless, it just wipes the DOM and logs them out.)
Update: Request has been met.
[Attachment 1741] [Attachment 1739] [Attachment 1740]
Edited November 13, 2014 by SHPXLBH
G7470 Posted November 13, 2014
Ahhh, that guy. His name is very familiar to me. He asked me to fix up something for him with $$ in exchange. I supplied the fix and haven't seen any $$ from him. ~G7470
SHPXLBH (Author) Posted November 14, 2014 (edited)
The end. So I toyed with him, with them. It was fun. Some saw the humour, some didn't. I'm not God... but I'd like to be.
For 3 days the owner (Mr-Killer) was ignoring me, so I had to run a few demonstrations, which involved: hijacking regular players' accounts, hijacking staff accounts, wiping the DOM, bringing alert boxes up everywhere. It was fun. My only request was that he was to be polite, and I'd secure the BBCode parser for him. He wasn't. So I toyed with him some more. I handed him the candy to sort it; let's see how he does second time round ;)
In the screenshots below, I am TOP MOBBS. I've built quite the name for myself over there, by the way :)
Previously, he said in the in-game chat that he'd open the IRC channel up to the users. Two tried to join, but he banned them straight away without a reason. I asked him to apologise, he wouldn't, so I wouldn't spoon-feed him with the candy I had just given him (wow, that sounds wrong!).
[Attachment 1742] [Attachment 1743]
The BBCode engine is using a lazy match for each tag. That means you can abuse each and every tag. I generally went after [/img], but there are about 30 different tags to exploit.
P.S. Do not enable the RC BBCode engine unless you've secured it.
Edited November 14, 2014 by SHPXLBH
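The post above says the [img] tag was the usual way in, and that the engine's per-tag lazy match lets the tag body through untouched. The block below is an added illustration, not the game's code or anything posted in this thread: a constructed regex-based [img] handler that pastes the captured text straight into the src attribute (so a quote in the body closes the attribute and the author can add onerror=), beside a hardened handler that only accepts an http(s) URL and HTML-escapes it before placing it in the attribute. The function names, the character whitelist and the sample payloads are assumptions made for the example.

```python
import html
import re

# Assumed, constructed [img] tag handler for illustration. Not the game's code.
# A lazy (non-greedy) match captures everything up to the first [/img].
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_vulnerable(text: str) -> str:
    """Unsafe: the captured body is substituted verbatim into the src attribute.
    A double quote in the body ends the attribute, so the tag body can add
    its own attributes (onerror=, onload=, ...), which is stored XSS."""
    return IMG_TAG.sub(r'<img src="\1">', text)


# Assumed whitelist: an http(s) scheme followed only by characters that can
# legitimately appear in a URL. Note: any of these characters that are also
# HTML-significant (&, ', ") are still escaped below before hitting the markup.
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+$")


def render_img_hardened(text: str) -> str:
    """Hardened: the body must be an http(s) URL made only of URL characters,
    and it is HTML-escaped (quotes included) before being placed in the
    attribute. Anything else is emitted as escaped literal text rather than
    as an <img> tag, so the tag fails closed."""

    def repl(m: "re.Match[str]") -> str:
        url = m.group(1).strip()
        if SAFE_URL.match(url):
            return '<img src="%s">' % html.escape(url, quote=True)
        return html.escape(m.group(0), quote=True)

    return IMG_TAG.sub(repl, text)


# Constructed sample inputs: one break-out payload, one scheme abuse, one
# legitimate image URL.
SAMPLES = [
    '[img]x" onerror="alert(1)[/img]',
    "[img]javascript:alert(1)[/img]",
    "[img]https://example.com/a.png[/img]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("input     :", s)
        print("vulnerable:", render_img_vulnerable(s))
        print("hardened  :", render_img_hardened(s))
        print()
```

The same shape applies to every tag that lands inside an attribute or a URL ([url], [email], [color], and so on): the regex decides where the tag ends, but it says nothing about what the body is allowed to contain, so the check belongs on the captured value at the point where it is placed into HTML.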
Zettieee Posted November 15, 2014
getimagesize is a great little thing, ay :O
lucky3809 Posted November 15, 2014
What was the actual motive behind hacking this game, other than someone may have spammed the link to the game? Just childish, IMO... I don't encourage spamming game links in other games, but in EVERY single game there are links to other games that do get spammed, and there is nothing you can really do to prevent it from happening. If a player seems to venture out to that game, then that means you are not doing something correctly in your own game to hold your players' interest. I have always thought of it like this...
Lucifer13 Posted November 15, 2014
I am SMR Owner! But not Micheal Bradon. You say he asked you to fix some things? If you are fixing in my SMR game? My game is still running up and all is working! Why need to try for fix? You need to use your brain! Thinking! Please don't act like a kid!
Markku Posted November 15, 2014
Lucifer13 wrote: I am SMR Owner! But not Micheal Bradon. You say he asked you to fix some things? If you are fixing in my SMR game? My game is still running up and all is working! Why need to try for fix? You need to use your brain! Thinking! Please don't act like a kid!
Uhm, I'm Finnish, so... English isn't my first tongue, but what does the above even mean? I tried Google Translate; however, it doesn't seem to recognize the language. :/
MNG Posted November 15, 2014
SHPXLBH, you internet bully. I kid :D Nice. I was wondering if you were willing to hack my site for me and give me some pointers, since I lost my old secured files. Gotta start back at the bottom :(
bladewolf2010 Posted November 15, 2014
Markku wrote: Uhm, I'm Finnish, so... English isn't my first tongue, but what does the above even mean? I tried Google Translate; however, it doesn't seem to recognize the language. :/
Lmao, that's great. I'm American and I can't even understand what he is trying to say. Google can't correct poor English skills.
Lucifer13 Posted November 16, 2014
I am not English! So I can't be an expert in English! I am an expert in my country's language! ကိုေမကိုလိုး မင္းေမလိုးလိုက္ လီးပဲ သိလား <== you know it! Hak hak.
lucky3809 Posted November 16, 2014
Lucifer13 wrote: I am not English! So I can't be an expert in English! I am an expert in my country's language! ကိုေမကိုလိုး မင္းေမလိုးလိုက္ လီးပဲ သိလား <== you know it! Hak hak.
I am not English! So I am not an expert in English! I am an expert in my own country's language! blah blah... <== you know it!! Ha ha.
Sorry, had to translate... It is easy, you know, to use Google Translate if you do not know a word in English. As I take it, you are from an Asian country. Most Asians are smarter than what you are typing like... Just saying...