SHPXLBH Posted December 8, 2014 (edited)

Hello MakeWebGames. Over the course of my short lifetime, I've defaced, hacked, pissed off, and annoyed many game owners and users. Here is my retirement.

The exploits

The exploits exist in a lot of popular game engines (some not to the extent of others, but most are present). I'm not posting this for you to use. I'm posting this for you to secure your game. Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.

Basic exploits

Basic exploits are very basic, but they exist on pretty much every game engine (listed on MakeWebGames). It allows you to append multiple CSS properties to a BBCode tag, effectively defacing pages. I've used this on multiple games, and it's been pretty fun. An example of defacement is using the [color] tag.

[color=red;background:black;position:fixed;top:0;left;0;width:100%;height:100%;]You've just been defaced.[/color]

Why do a greedy match when we just want to accept a hex colour code, right? (https://regex101.com/r/jU0uM7/1) Let's change the current color tag BBCode match to just match a hexadecimal colour value. (https://regex101.com/r/jU0uM7/4) It's a simple whitelisted character set. Because hexadecimal colour values are a maximum of 6 characters, and HEX only has values 0-F, we can do a character set.

\[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]

This would make our PHP preg_replace become:

preg_replace("/\[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]/", "<span style=\"color:$1\">$2</span>", $input);

Game-killing exploits

Many games use the greedy regular expression match (.+?) within their BBCode tag. An excerpt from the McCodes BBCode engine:

$this->engine->cust_tag("/\[img=(.+?)\]/ie", "check_image('\\1')");

Lovely. The img tag is extremely exploitable. For most tags, it's a simple brain quiz on deciding a whitelist, or possibly blacklist, of characters to match. I'll show you only a few.

We can bring up a pop-up box with the image tag exploit by using onerror, onload, on*. It's simple.

[img=1.jpg" onerror="alert('eXpLoIt')] // No need to end the ". The BBCode engine is nice enough to close this for us.

Now, let's secure this. We can change your regular expression match to (for the img tag):

\[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\] // https://regex101.com/r/sC5tW5/1

This will give us a callback opportunity to validate the image itself (although, theoretically, we don't need to do this unless we display any EXIF data on the image, or the image comes with a JavaScript payload embedded within it).

$output = preg_replace_callback("/\[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\]/", function($matches) {
    // Do checks on the image here:
    // look at EXIF data, grab the image size and validate that, validate the extension, etc.
    $everything_is_ok = @getimagesize($matches[1]) !== false; // one example check: the file is a readable image
    if ($everything_is_ok) {
        return "<img src='" . $matches[1] . "' />"; // Valid image
    } else {
        return "<img src='placeholder.jpg' />"; // Invalid image. Use a placeholder or don't do anything. Up to you.
    }
}, $input);

Nice, the img tag is now secured. Here's a list of tag fixes I have done. I've just written these and I don't have any BBCode engines with me at the moment, but at least you get the idea ;)

Image tag bbcode fix
Color tag bbcode fix
Font family tag bbcode fix
Size tag bbcode fix

Will update. Just PM me your BBCode engines, and I'll see if they're exploitable.

Now that the BBCode exploits are out of the way, let's discuss other exploits.

"Blackmail"

You may be thinking, zomfg you can't do that, giving people their personal information is bad! No. Their personal information is free to read on the internet. They (the user) made it that way. I, earlier today, found someone's whole life on the internet. Their name, social profiles, everything. It was simple, I just reverse image searched their in-game profile picture, and boom. Everything... every piece of information was given to me just from that one image. Try not to let that be you.

Session hijacking

Although this is part of the BBCode exploit, you should really:

Bind the session_id() to the user's IP. From all the games I experimented on, only one did this. Kudos @Hybridd (surprisingly).
Potentially bind the user agent to the session_id().
Do the two above and patch your BBCode as detailed above.

I managed to hijack a bunch of accounts on a game and they were none the wiser until I told them, and started chatting in the chat as them. It was funny. :)

SQL Injections

This is a good read

CSRF

I believe the newest McCodes release has a built-in system to help prevent CSRF. However, a good test is to set your display picture to http://gameurl.com/logout.php and see if it logs you out. This is a good read: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Notes

Total games owned: ~20
Here's some images showing the exploit on some games: http://imgur.com/a/O5cdX
I mostly checked if I could do the exploit, and if I could, I removed it and told staff. Some of which I didn't, but the staff pissed me off by spamming previous projects of mine.

Some good reads

Exploiting StreetMafia: http://makewebgames.io/showthread.php/45259-Security
Exploiting ReakCity: http://makewebgames.io/showthread.php/45245-Dear-Hybridd?p=307603&viewfull=1#post307603
Exploiting ChaoticWars: http://makewebgames.io/showthread.php/45290-Awesome-RPG-Game-You-All-Should-Try-Out!?p=307883&viewfull=1#post307883

TOPMOBBSS

PM me your game link if you wish for a penetration test ( ͡° ͜ʖ ͡°)

Edited December 8, 2014 by SHPXLBH
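The two BBCode patterns discussed in the post side by side, as an added example that is not code from the original post or from McCodes: the greedy `(.+?)` shape the post criticises beside whitelisted replacements, run over the post's own two payloads and one legitimate input (all constructed here). Like the post's fix, the hardened version switches the image tag to the `[img]...[/img]` form.

```php
<?php
// Added example, not code from the original post or from McCodes: the greedy
// (.+?) patterns discussed above beside whitelisted replacements, run over the
// two payloads from the post and one legitimate input (all constructed here).

// Vulnerable shape: whatever sits between [color= and ] lands inside a style
// attribute, and whatever follows [img= lands inside src.
function render_unsafe(string $bb): string {
    $out = preg_replace('/\[color=(.+?)\](.*?)\[\/color\]/s', '<span style="color:$1">$2</span>', $bb);
    return preg_replace('/\[img=(.+?)\]/', '<img src="$1" />', $out);
}

// Hardened shape: escape the whole input first, then only accept a 3- or
// 6-digit hex colour and a plain filename with an image extension.
function render_safe(string $bb): string {
    $out = htmlspecialchars($bb, ENT_QUOTES, 'UTF-8');
    $out = preg_replace(
        '/\[color=(#(?:[0-9a-f]{3}|[0-9a-f]{6}))\](.*?)\[\/color\]/is',
        '<span style="color:$1">$2</span>',
        $out
    );
    return preg_replace_callback(
        '/\[img\]([a-zA-Z0-9_-]+\.(?:jpe?g|gif|png))\[\/img\]/i',
        // The character class already excludes quotes, spaces and slashes,
        // so the filename cannot break out of the src attribute.
        fn(array $m): string => '<img src="' . $m[1] . '" />',
        $out
    );
}

$samples = [
    "[color=red;background:black;position:fixed;top:0;left;0;width:100%;height:100%;]You've just been defaced.[/color]",
    "[img=1.jpg\" onerror=\"alert('eXpLoIt')]",
    '[color=#ff0000]hello[/color] [img]avatar_01.png[/img]',
];
foreach ($samples as $s) {
    echo "unsafe: ", render_unsafe($s), "\n";
    echo "safe:   ", render_safe($s), "\n\n";
}
```

With the unsafe renderer the first two samples produce a full-page overlay and an inline `onerror` handler; with the hardened one they are emitted as escaped literal text and only the third sample becomes HTML.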
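One way to implement the session binding the post recommends (IP plus User-Agent), as an added example that is not code from the original post or from any game engine; the session key `fp`, the `user_id` login marker and the reaction to a mismatch are assumptions of this example.

```php
<?php
// Added example, not code from the original post or from any game engine:
// binding a PHP session to the client IP and User-Agent as the post advises.
// The session key 'fp', the 'user_id' marker and the mismatch handling are
// choices made for this example.
declare(strict_types=1);

// Hash the two values so the raw IP and UA never sit in the session store.
// Assumes REMOTE_ADDR is the real client address (adjust behind a trusted proxy).
function client_fingerprint(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

// Call once at login, after session_regenerate_id(true), to record the binding.
function bind_session(array &$session, array $server): void {
    $session['fp'] = client_fingerprint($server);
}

// Call on every request. Returns false when the presenting client no longer
// matches the one that logged in; the caller then drops the session.
function session_is_bound(array $session, array $server): bool {
    return isset($session['fp'])
        && hash_equals($session['fp'], client_fingerprint($server));
}

session_start();
if (isset($_SESSION['user_id']) && !session_is_bound($_SESSION, $_SERVER)) {
    // Trade-off: users whose IP changes mid-session (mobile, some ISPs) are
    // logged out too; the UA check alone is easy to satisfy, so keep both.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session invalidated, please log in again.');
}
```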
Tangled Posted December 8, 2014

Thank you so much for this, it's awesome!
HauntedDawg Posted December 8, 2014

SHPXLBH said: Hello MakeWebGames. Over the course of my short lifetime, I've defaced, hacked, pissed off, annoyed many game owners and users. Here is my retirement. Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.

Retirement, yet the part above in bold had me in tears with laughter. Who uses hack anymore? Is this the 1990s?? Well done script kiddy :)
-BRAIDZ- Posted September 15, 2015

Can anyone tell me exploits for RC Engine that I can try and then patch them up?
G7470 Posted September 15, 2015

-BRAIDZ- said: Can anyone tell me exploits for RC Engine that I can try and then patch them up?

The exploits listed here (I'm sure) exist on RC Engine as well.

~G7470
-BRAIDZ- Posted September 15, 2015

G7470 said: The exploits listed here (I'm sure) exist on RC Engine as well. ~G7470

Thanks, will try them.
~Rob0t Posted September 15, 2015

-BRAIDZ- said: Thanks, will try them.

Plus more, because RC sucks more than McCodes (I'm going on record when I say this).
-BRAIDZ- Posted September 15, 2015

~Rob0t said: Plus more, because RC sucks more than McCodes (I'm going on record when I say this).

Haha, well none of the exploits worked ;)
~Rob0t Posted September 15, 2015

-BRAIDZ- said: Haha, well none of the exploits worked ;)

Okay, good luck in life if you didn't adapt any and just c&p.
IllegalPigeon Posted September 15, 2015

~Rob0t said: Okay, good luck in life if you didn't adapt any and just c&p.

Ignore Rob0t. He cannot code. Copy and pasting is how to hack.
SwiftGameR Posted November 17, 2020

Pretty crazy shit you can do, wow.

On 9/15/2015 at 6:33 AM, -BRAIDZ- said: Can anyone tell me exploits for RC Engine that I can try and then patch them up?

RC Engine has poor security, if poor is even the correct word for it. They secure their numbers by simply putting

$_GET['someid'] = abs(intval($_GET['someid']));

which alone will secure it, yeah, but the security is so weak it doesn't even do any checks in the code. For example:

$_GET['someid'] = array_key_exists('someid', $_GET) && ctype_digit($_GET['someid']) && $_GET['someid'] > 0 ? $_GET['someid'] : 0;
// It's not the best, but it checks that it's set and that it's a number being received via the GET variable, and then it checks if it's greater than 0; if so, return
// $_GET['someid'], otherwise return 0.
// Even though we made a check above to make sure the number is greater than 0, you could always do a simple empty check to make sure and go that little extra way to block someone trying to do stuff!
if (empty($_GET['someid'])) {
    echo 'Invalid ID found, please try again';
}
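The difference the post above is getting at, as an added example that is not code from the post or from RC Engine: `abs(intval())` coercion beside a strict validator, run over constructed query values so the silently accepted ones stand out. `coerce_id` and `read_id` are names chosen for this example.

```php
<?php
// Added example, not code from the post above or from RC Engine: the
// abs(intval()) coercion the post criticises beside a strict validator, run
// over constructed inputs to show which values each one lets through.
declare(strict_types=1);

// Coercion: any input is turned into some integer, so tampering is hidden
// ('1 OR 1=1' quietly becomes 1, an array becomes 1, '7abc' becomes 7).
function coerce_id(array $get, string $key): int {
    return abs(intval($get[$key] ?? 0));
}

// Validation: accept only a canonical decimal string for a positive integer
// within PHP's int range; everything else is rejected with null.
function read_id(array $get, string $key): ?int {
    $raw = $get[$key] ?? null;
    if (!is_string($raw)) {            // missing, or ?someid[]=1 sent as an array
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample query values; the last two are not plain strings.
$samples = ['7', '0', '-7', '7abc', '1e3', '1 OR 1=1', ['1'], null];
foreach ($samples as $raw) {
    $get = $raw === null ? [] : ['someid' => $raw];
    printf("%-14s coerce_id=%-3d read_id=%s\n",
        json_encode($raw),
        coerce_id($get, 'someid'),
        var_export(read_id($get, 'someid'), true));
}
```

Only `'7'` survives `read_id`; every other sample is rejected, while `coerce_id` hands back a usable-looking integer for all of them, which is why a caller cannot tell a tampered request from a normal one.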