MakeWebGames

Secure your game.


SHPXLBH


Hello MakeWebGames.

Over the course of my short lifetime, I've defaced, hacked, pissed off and annoyed many game owners and users. Here is my retirement.

The exploits

The exploits exist in a lot of popular game engines (some not to the extent of others; but most are present). I'm not posting this for you to use. I'm posting this for you to secure your game.

Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.

 


 

Basic exploits

Basic exploits are very basic, but they exist on pretty much every game engine (listed on MakeWebGames). They allow you to append multiple CSS properties to a BBCode tag, effectively defacing pages. I've used this on multiple games, and it's been pretty fun.

An example of defacement is using the [color] tag.

[color=red;background:black;position:fixed;top:0;left:0;width:100%;height:100%;]You've just been defaced.[/color]

 

Why do a greedy match when we just want to accept a hex colour code, right? (https://regex101.com/r/jU0uM7/1)

Let's change the current color tag bbcode match to just match a hexadecimal colour value. (https://regex101.com/r/jU0uM7/4)

It's a simple whitelisted character set. Because hexadecimal colour values are a maximum of 6 characters, and HEX only has values 0-F, we can do a character set.

\[color=(#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}))\](.*?)\[\/color\] //exactly 3 or 6 hex digits; {3,6} would also accept 4- and 5-digit values, which are not valid colours

 

This would make our PHP preg_replace become;

preg_replace("/\[color=(#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}))\](.*?)\[\/color\]/s", "<span style=\"color:$1\">$2</span>", $input); //the property is color:, not font-color:, and the style attribute needs its closing quote. $2 must already be HTML-escaped.

 


 

Game-killing exploits

Many games use the greedy regular expression match (.+?) within their bbcode tag. An excerpt from the McCodes bbcode engine;

$this->engine->cust_tag("/\[img=(.+?)\]/ie", "check_image('\\1')");

 

Lovely. The img tag is extremely exploitable.

For most tags, it's a simple brain quiz on deciding a whitelist, or possibly blacklist, of characters to match. I'll show you only a few.

We can bring up a pop-up box with the image tag exploit, by using onerror, onload, on*. It's simple.

[img=1.jpg" onerror="alert('eXpLoIt')] //No need to end the ". The BBCode engine is nice enough to close it for us.

 

Now, let's secure this.

We can change the regular expression match (for the img tag) to

\[img\]([a-zA-Z0-9_-]+\.(jpg|gif|png|jpeg))\[\/img\] //https://regex101.com/r/sC5tW5/1 (the hyphen goes last in the class so it is a literal, not a range)

 

This will give us a callback opportunity to validate the image itself (although, theoretically, we don't need to do this unless we display EXIF data from the image, or the image comes with a JavaScript payload embedded in it).

 

$output = preg_replace_callback("/\[img\]([a-zA-Z0-9_-]+\.(jpg|gif|png|jpeg))\[\/img\]/", function($matches) {
   //Do checks on the image here
   //Look at exif data
   //Grab image size and validate that
   //Validate the extension
   //etc...
   //Example check (assumes $matches[1] is a path on the local filesystem): getimagesize() returns false
   //for a missing file or anything that is not a real image, so a renamed .html or .php file is rejected.
   $size = @getimagesize($matches[1]);
   $everything_is_ok = $size !== false && $size[0] <= 500 && $size[1] <= 500; //500x500 limit chosen for illustration

   if ($everything_is_ok) {
      return "<img src='". $matches[1] ."' />"; //Valid image
   } else {
      return "<img src='placeholder.jpg' />"; //Invalid image. Use a placeholder or don't do anything. Up to you.
   }

}, $input);

 

Nice, img tag is now secured.

 


 

Here's a list of tag fixes I have done. I've just written these and I don't have any bbcode engines with me at the moment, but at least you get the idea ;)

 

 

Will update. Just PM me your bbcode engines, and I'll see if they're exploitable.

 


 

Now that the BBCode exploits are out of the way, let's discuss other exploits.

"Blackmail"

You may be thinking, zomfg you can't do that, giving people their personal information is bad! No. Their personal information is free to read on the internet. They (the user) made it that way.

I, earlier today, found someone's whole life on the internet. Their name, social profiles, everything. It was simple, I just reverse image searched their in-game profile picture, and boom. Everything... every piece of information was given to me just from that one image. Try not to let that be you.

Session hijacking

Although this is part of the BBCode exploit, you should really;

  • Bind the session_id(); to the user's IP. From all the games I experimented on, only one did this. Kudos [MENTION=70303]Hybridd[/MENTION] (surprisingly).
  • Potentially bind the user agent to the session_id();
  • Do the two above and patch your bbcode as detailed above

 

I managed to hijack a bunch of accounts on a game and they were none the wiser until I told them, and started chatting in the chat as them. It was funny. :)

SQL Injections

This is a good read

CSRF

I believe the newest McCodes release has a built-in system to help prevent CSRF. However a good test is to set your display picture to http://gameurl.com/logout.php and see if it logs you out. This is a good read: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

 


 

Notes

Total games owned: ~20

Here's some images showing the exploit on some games: http://imgur.com/a/O5cdX

I mostly checked if I could do the exploit, and if I could, I removed it and told staff. Some of which I didn't, but the staff pissed me off by spamming previous projects of mine.

Some good reads

 

TOPMOBBSS

PM me your game link if you wish for a penetration test ( ͡° ͜ʖ ͡°)

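The two whitelists from the post (hex-only [color] and file-name-only [img]) put together into one small renderer, as an added example that is not code from the original post or from any of the engines it names. It assumes user images live under a hypothetical /uploads/ directory, and it HTML-escapes the raw input before any tag is rewritten, so the only markup that can reach the output is what the two handlers emit. The inputs at the bottom are constructed and include both payloads quoted above.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code): a BBCode renderer that only
// accepts a fixed-length hex colour and a plain image file name.
function render_bbcode(string $input): string
{
    // 1. Neutralise any raw HTML first. After this, '<', '>', '"' and "'" in
    //    user text are entities, so no later tag handler can be broken out of.
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. [color=#RGB] / [color=#RRGGBB]: exactly 3 or 6 hex digits.
    //    The greedy/loose match in the original engines is what let
    //    "red;background:black;position:fixed;..." through; a fixed-length
    //    hex whitelist cannot carry a second CSS property.
    $out = preg_replace(
        '/\[color=(#(?:[0-9a-f]{3}|[0-9a-f]{6}))\](.*?)\[\/color\]/is',
        '<span style="color:$1">$2</span>',
        $out
    );

    // 3. [img]name.ext[/img]: a relative file name from a small character set.
    //    The quote needed to break out of src="..." is not in the set, so an
    //    onerror= / onload= attribute cannot be injected.
    $out = preg_replace_callback(
        '/\[img\]([a-z0-9_-]+\.(?:jpe?g|gif|png))\[\/img\]/i',
        function (array $m): string {
            // Assumed layout: user images are served from /uploads/ (hypothetical).
            return '<img src="/uploads/' . $m[1] . '" alt="">';
        },
        $out
    );

    return $out;
}

// Constructed inputs: two benign tags, the two payloads from the post, and raw HTML.
$cases = [
    '[color=#f00]fine[/color]',
    '[img]1.jpg[/img]',
    '[color=red;background:black;position:fixed;top:0;left:0;width:100%;height:100%;]You\'ve just been defaced.[/color]',
    '[img]1.jpg" onerror="alert(\'eXpLoIt\')[/img]',
    '<script>alert(1)</script>',
];
foreach ($cases as $c) {
    echo $c, "\n  => ", render_bbcode($c), "\n";
}
```

Only the first two inputs produce a tag; the defacement payload, the onerror payload and the raw script all come out as escaped literal text. If the game lets users upload the files that [img] points at, keep the getimagesize()-style check from the post as well, because the file name whitelist says nothing about the file's contents.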
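The session-hijacking advice above (bind the session to the user's IP and user agent) as an added example, not code from the original post or from any game engine. It assumes the game is served over HTTPS and that REMOTE_ADDR is the real client address; behind a reverse proxy you would read the proxy's forwarded header instead, and only when the request comes from the proxy itself.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code): bind a PHP session to a
// client fingerprint and drop the session when the fingerprint changes.

function client_fingerprint(array $server): string
{
    // Assumption: REMOTE_ADDR is the client, not a proxy or load balancer.
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

// Returns true if the request may proceed with the current session,
// false if the session was rejected and destroyed.
function session_guard(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // script injected via BBCode cannot read the cookie
            'cookie_samesite' => 'Lax',  // cross-site <img>/form requests do not carry it
            'cookie_secure'   => true,   // assumes HTTPS; on plain HTTP the cookie is never sent
            'use_strict_mode' => true,   // reject session IDs the server never issued
        ]);
    }

    $fp = client_fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // First request of this session: rotate the ID so an ID an attacker
        // fixed before login is never the logged-in one, then record the fingerprint.
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
        return true;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // A stolen session ID presented from another address or browser.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    return true;
}

// Usage at the top of every authenticated page:
// if (!session_guard($_SERVER)) { header('Location: /login.php'); exit; }
```

Caveat a practitioner should weigh before shipping this: binding to the full IP logs out anyone whose address changes mid-session (mobile networks, corporate NAT, VPNs), which is why many sites bind only the user agent or a network prefix. HttpOnly stops an injected script from reading the cookie, but a script running in the victim's page can still send requests in their session, so the BBCode fix above is still the primary control.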
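The CSRF test in the post (set your display picture to http://gameurl.com/logout.php and see if it logs you out) works because the browser fetches that URL with a plain GET and sends the session cookie along. A per-session token, as an added example that is not the McCodes implementation or code from the original post; the logout.php usage at the bottom is a sketch with assumed file names.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code): a per-session CSRF token for
// every state-changing action, logout included.

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf'])) {
        // 32 random bytes from the CSPRNG, stored server-side in the session only.
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Hidden field to drop into every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the submitted token equals the session's token (constant-time compare).
function csrf_check(array $post): bool
{
    $sent     = $post['csrf'] ?? '';
    $expected = $_SESSION['csrf'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// logout.php (assumed file name), reached only through a POST form that includes csrf_field():
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST)) { http_response_code(403); exit; }
//   $_SESSION = []; session_destroy(); header('Location: /login.php'); exit;
```

With logout restricted to POST plus a token, an <img src="...logout.php"> in a profile picture only triggers a GET without the token, which the 403 branch rejects; the same pattern applies to any money-transfer, trade or settings page the game has.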

Hello MakeWebGames.

Over the course of my short lifetime, I've defaced, hacked, pissed off, annoyed many game owners and users. Here is my retirement.

Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.

Retirement, yet the part above in bold had me in tears with laughter. Who uses "hack" anymore? Is this the 1990s?? Well done script kiddy :)


pretty crazy shit you can do wow 

On 9/15/2015 at 6:33 AM, -BRAIDZ- said:

Can anyone tell me exploits for RC Engine that I can try and then patch them up?

  • RC Engine has poor security, if "poor" is even the correct word for it. They secure their numbers by simply putting $_GET['someid'] = abs(intval($_GET['someid'])), which alone will secure it, yeah, but the security is so weak it doesn't even do any checks in the code. For example:
$_GET['someid'] = array_key_exists('someid', $_GET) && ctype_digit($_GET['someid']) && $_GET['someid'] > 0 ? $_GET['someid'] : 0;

//It's not the best, but it checks that it's set and that it's a number being received via the GET variable, and then it checks if it's greater than 0; if so, return
//the $_GET['someid'], otherwise return 0.

//Even though we made a check above to make sure the number is greater than 0, you could always do a simple empty check to make sure and go that little extra way to block someone trying to do stuff!
if (empty($_GET['someid'])) {
	echo 'Invalid ID found please try again';
}

 

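The two one-liners in the reply above (abs(intval()) and the ctype_digit() check) compared against a single helper that either returns a positive integer or nothing, as an added example that is not code from the reply or from RC Engine. The sample inputs are constructed to show where the three approaches disagree; the helper name is the author's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the reply or from RC Engine): return a positive
// integer ID from the query string, or null when the value is not one.
function positive_id(array $get, string $key): ?int
{
    if (!array_key_exists($key, $get) || !is_string($get[$key])) {
        return null;   // missing, or an array such as ?someid[]=1 (ctype_digit() would choke on that)
    }
    // FILTER_VALIDATE_INT rejects "", "0", "-5", "007", "1e3", "5 OR 1=1" and
    // anything that overflows PHP_INT_MAX; min_range drops 0 and negatives.
    $v = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed inputs (not real requests) showing where the approaches differ.
$samples = ['7', '007', '0', '-5', '1e3', '5 OR 1=1', '99999999999999999999', ['1']];

foreach ($samples as $raw) {
    $get = ['someid' => $raw];

    // The two checks quoted in the reply, applied to the same input.
    $a = is_string($raw) ? abs(intval($raw)) : '(array)';
    $b = is_string($raw) && ctype_digit($raw) && $raw > 0 ? $raw : 0;

    printf(
        "%-24s abs(intval)=%-20s ctype_digit=%-22s positive_id=%s\n",
        json_encode($raw),
        (string) $a,
        (string) $b,
        json_encode(positive_id($get, 'someid'))
    );
}
```

Two rows are worth looking at: abs(intval()) silently turns "1e3" into 1000 and a 20-digit value into PHP_INT_MAX, so the page then acts on an ID the user never typed, while ctype_digit() happily passes "007" and the 20-digit string through as-is to whatever query uses them. The helper returns null for all of those, and the page can refuse the request instead of guessing.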