Jump to content
MakeWebGames

Security.

SHPXLBH

By SHPXLBH
in Chit Chat

 Share

Recommended Posts

SHPXLBH Newbie

SHPXLBH

Posted
Posted (edited)

Another one bites the dust.

I was sent this

9XX1cIj.jpg

So, I did this.

IKnAdgL.png

ZtWJ7L8.png

E8DHXOn.png

ULOW6g9.png

They'd be then redirected to my forum post and the DOM completely wiped with this replacing the page;

ywJpP7I.png

They will be automatically logged out, so the non-leejun will think they've been hijacked. Also, once they've fixed their MySQL socket for forums, it'll rate up my security thread as usual.

I could have done the following;

  • Hijacked anybodies account
  • Made everyone attack anybody randomly
  • Make everyone send me stuff
  • Other stuff .. pretty much anything

 

To game owners,

Don't spam. Don't encourage spam. Ban those that do spam.

P.S If you're planning on using RC, don't put it live until you've secured it.

Edited by SHPXLBH
Link to comment
Share on other sites
G7470 Newbie

G7470

Posted
Posted

Be careful when doing stuff like this because in most cases, a user is spamming like that without the owner's knowledge. I've had that happen to me several times before, and when I was an owner, I explicitly stated to not spam.

Vigilante justice can be useful, but only on those of which who are encouraging as well as actively participating in such behaviors.

With that in mind, where's your proof that this guy is the owner or that the owner encouraged this spam?

~G7470

Link to comment
Share on other sites
SHPXLBH Newbie

SHPXLBH

Posted
  • Author
Posted (edited)
Be careful when doing stuff like this because in most cases, a user is spamming like that without the owner's knowledge. I've had that happen to me several times before, and when I was an owner, I explicitly stated to not spam.

Vigilante justice can be useful, but only on those of which who are encouraging as well as actively participating in such behaviors.

With that in mind, where's your proof that this guy is the owner or that the owner encouraged this spam?

~G7470

The site referenced in the first picture.

I've managed to hijack an administrator account after he said I couldn't (even from looking at the previous 'attack', he doubted the security holes). We're on /good/ terms. I only changed his name so he'd believe me. Then I hijacked his account various other times, and a few other accounts too. We're talking terms at the moment as I'd like someone in return of my efforts.

I've been told from numerous players that Joker is the admin of other sites (no urls given), a player on street mafia (although they retracted their accusation after analysing the wording used - English isn't his first language), and Joker used to be either ID 1 or ID 42 (accused from ID 42), or ID 167. All accounts are staff - 2 of which are admins.

I've also been told (and I've not verified this information), that ID 1 scams donation money until the game dies and throws up a new game sometime after.

[ATTACH=CONFIG]1738[/ATTACH]

My request to be met so I'll patch the security holes has been denied.

I've removed the XSS to take over accounts, however this is still around. (It's harmless, just wipes the DOM and logs them out)

Update

Request has been met.

attachment.php?attachmentid=1741&d=1415843227

[ATTACH=CONFIG]1741[/ATTACH]

attachment.php?attachmentid=1739&d=1415843197

[ATTACH=CONFIG]1739[/ATTACH]

attachment.php?attachmentid=1740&d=1415843214

[ATTACH=CONFIG]1740[/ATTACH]

649806973_ScreenShot2014-11-13at01_13_12.png.61d0d84fa736b4c7ab8ad414ff53545d.png

dmv5nJF-2.thumb.jpg.f17d2a4e24cb3281b7797447a9884e4e.jpg

ES4X2q9.thumb.jpg.a597929ecbc592e559372e325423c1a4.jpg

oFSIP0v.thumb.jpg.59a0ca5f803b692dfa71aa133b0f2937.jpg

Edited by SHPXLBH
Link to comment
Share on other sites
SHPXLBH Newbie

SHPXLBH

Posted
  • Author
Posted (edited)

The end.

So I toyed with him, with them. It was fun. Some saw the humour, some didn't. I'm not God... but i'd like to be.

For 3 days the owner (Mr-Killer) was ignoring me, so I had to run a few demonstrations which involved; hi-jacking regular players accounts, hi-jacking staff accounts, wiping the DOM, bringing alert boxes up everywhere. It was fun. My only request was that he was to be polite, and I'd secure the BBCode parser for him. He wasn't. So I toyed with him some more.

I handed him the candy to sort it; let's see how he does second time round ;)

In the screenshots below, I am TOP MOBBS - I've built quite the name for myself over there by the way :)

Previously, he said in the in-game chat that he'd open the IRC channel up to the users. Two tried to join, but he banned them straight away without a reason. I asked him to apologise, he wouldn't, so I wouldn't spoon feed him with the candy i just gave him (Wow, that sounds wrong!)

[ATTACH]1742[/ATTACH]

attachment.php?attachmentid=1742&d=1416004997

[ATTACH=CONFIG]1743[/ATTACH]

attachment.php?attachmentid=1743&d=1416005020

The BBCode Engine is using a lazy match for each tag. That means you can abuse each and every tag. I generally went after [noparse][/img][/noparse]. But there are about 30 different tags to exploit.

P.S - Do not enable the RC BBCode engine unless you've secured it.

786782518_ScreenShot2014-11-14at22_02_15.png.519a3cd87591d9cc5dff47ab234c5702.png

781238226_ScreenShot2014-11-14at22_24_38.png.cabd8e607ecad4bc4ede3b1093f4f9c1.png

Edited by SHPXLBH
Link to comment
Share on other sites
lucky3809 Newbie

lucky3809

Posted
Posted

What was the actual motive behind hacking this game, other than someone may have spammed the link to the game?? Just childish IMO...

I don't encourage spamming game links in other games, but in EVERY single game there are links to other games that do get spammed and there is nothing you can really do to prevent it from not happening, if a player seems to venture out to that game, than that means you are not doing something correctly in your own to hold your players interest in your game, I have always thought of it like this....

Link to comment
Share on other sites
Markku Apprentice

Markku

Posted
Posted
I am SMR Owner ! but not Micheal Bradon . u say ask u to fix somethings ? if u fixing in the my SMR game ? my game is still running up and all is work ! why need to try for fix ? u need to use your brain ! thinking ! please don't do like da kid !

Uhm, I'm Finnish so... English isn't my first tongue, But what does the above even mean?

I tried Google Translate, However it doesn't seem to recognize the language. :/

Link to comment
Share on other sites
lucky3809 Newbie

lucky3809

Posted
Posted
I am not English ! so can't expert english ! I am expect with my country language ! ကိုေမကိုလိုး မင္းေမလိုးလိုက္ လီးပဲ သိလား <== u know it ! hak hak

I am not English! So I am not an expert in English! I am an expert in my own countries language! blah blah...<== you know it!! ha ha

Sorry had to translate... It is easy you know to use google translator if you do not know a word in English. As I take it you are from an Asian country. Most Asians are smarter than what you are typing like... Just saying...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...