ignite Posted January 25, 2008 Posted January 25, 2008 Does anyone know how to prevent the crystal marekt exploit that everyone seem to know how to do? Quote
Will Posted January 25, 2008 Posted January 25, 2008 Re: Crystal market exploit? Easy: After: function crystal_buy() { global $ir,$c,$userid,$h; Put: $_GET['ID'] = abs((int) $_GET['ID']); Quote
ignite Posted January 26, 2008 Author Posted January 26, 2008 Re: Crystal market exploit? Thanks, does this need to go anywhere else like item market ? +1 Edit: Don't think i can give you +1 anymore Quote
Guest Anonymous Posted January 26, 2008 Posted January 26, 2008 Re: Crystal market exploit? No the system was removed as it was abused and misused. +1 Edit: Don't think i can give you +1 anymore No the system was removed as it was abused and misused. Quote
UCC Posted January 26, 2008 Posted January 26, 2008 Re: Crystal market exploit? Anytime SQL statements use codes from the location bar or from user input, and said data is numeric, you should absolute int the input to prevent sql injection and other manipulation Quote
boggl Posted January 27, 2008 Posted January 27, 2008 Re: Crystal market exploit? missed a , in the query: CREATE TABLE `cheater_catcher` ( `cc_id` int(11) NOT NULL auto_increment, `cc_userid` int(11) NOT NULL default '0', `cc_count` int(11) NOT NULL default '0', PRIMARY KEY (`cc_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ; Quote
boggl Posted January 27, 2008 Posted January 27, 2008 Re: Crystal market exploit? originally I was going too.....but then I foresaw your pm filling up...even though you said not to ask...lol Quote
ignite Posted January 27, 2008 Author Posted January 27, 2008 Re: Crystal market exploit? Corr, that was much more than i expected thanks very much it works great for stopping the exploit but it's not inserting to the db, ill have a play around with it i guess. Quote
QBD Posted January 31, 2008 Posted January 31, 2008 Re: Crystal market exploit? How i stopped this was very easy.. first you find the.. $q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}"); under the function crystal_buy() and replace it with.. $q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID='".mysql_real_escape_string($_GET['ID'])."'"); and it stops the exploit from working. Hope this helps. :-) Quote
Haunted Dawg Posted February 1, 2008 Posted February 1, 2008 Re: Crystal market exploit? woooooh here is a more eficient code for those who have gang markets and such: if($_GET['ID']) { die('Go to hell scumbag :D'); $_GET['ID']=mysql_real_escape_string($_GET['ID']); }['/code] Add that in ur header just under ur health energy and other things. NOTE: You have add a load of them if u dont just use a ID part for instance there is an exploit in the view users wich ive stoped using: [code] if($_GET['u']) { die('Go to hell scumbag :D'); $_GET['u']=mysql_real_escape_string($_GET['u']); } PS: This has not been tested since mine is a different one and i dont want to go into my database :P[/code] Quote
Tonka Posted February 2, 2008 Posted February 2, 2008 Re: Crystal market exploit? which version of the code is the exploit in? Quote
Godhand Posted February 2, 2008 Posted February 2, 2008 Re: Crystal market exploit? Well a better way to check is check if you have abs(somecodehere) in there. Could also check if$post<0 {die"Stop trying to cheat"} else [ at the end of the page before the end page function or ?> (being lazy) add ] Quote
Klikoka Posted February 2, 2008 Posted February 2, 2008 Re: Crystal market exploit? does anyone know what the exploit is or what it does exactly cos im confused :? Quote
Tezza` Posted February 2, 2008 Posted February 2, 2008 Re: Crystal market exploit? Using a certain... URL, you can get as many crystals and in v1 money as you want... im pretty sure that correct, correct me if im wrong... -Tezza` Quote
Jesse60905 Posted February 3, 2008 Posted February 3, 2008 Re: Crystal market exploit? I know/knew the URL. One of the players sold it to me in return for a dp. Afterwards I banned his IP and deleted his account of course. I think the URL is still sitting in my MSN logs somewhere but I just know if I post it there will be a message in my inbox in the morning and a: EDIT: Please do not post exploits on CE on this post... So for that reason I will tell you the basics of it. It uses the union part of sql scripting to add an additional query that adds onto the code making the user get money and crystals. It's just 1 more reason why I hate hackers... Quote
carlg Posted February 7, 2008 Posted February 7, 2008 Re: Crystal market exploit? nice i have been having problems and did not know how they were doing it so i made him admin he told me and i have banned his ass Quote
Godhand Posted February 7, 2008 Posted February 7, 2008 Re: Crystal market exploit? In other words you let him see your ip.... Well that was "bright" Quote
carlg Posted February 7, 2008 Posted February 7, 2008 Re: Crystal market exploit? s##t happens lol Quote
HITMAN 17 Posted February 13, 2008 Posted February 13, 2008 Re: Crystal market exploit? wats this v2 Create a table: CREATE TABLE `cheater_catcher` ( `cc_id` int(11) NOT NULL auto_increment, `cc_userid` int(11) NOT NULL default '0', `cc_count` int(11) NOT NULL default '0' PRIMARY KEY (`cc_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ; Then use this code in the cmarket.php page, Below $h->menuarea(); // Checks to see if the ID field in the URL is numeric value if(eregi("[^0-9]", $_GET[iD])) { // Selects from the cheater table to see if they have a previous record $select_data = mysql_query("SELECT * FROM cheater_catcher WHERE cc_userid = ".$ir[userid].""); // If they dont have a previous record, Create one if(!mysql_num_rows($select_data)) { mysql_query("INSERT INTO `cheater_catcher` VALUES ('', '".$ir[userid]."', '1'"); } // Else else { // Update the cheater catcher to add 1 to their existing count $data = mysql_fetch_object($select_data); mysql_query("UPDATE `cheater_catcher` SET cc_count = cc_count + 1 WHERE cc_userid = '".$ir[userid]."'"); // Now we check what their count is, If its above or equal to 3, Fed the scumbag =P if($data->cc_count >= 3) { mysql_query("UPDATE users SET fedjail = '1' WHERE userid = '".$ir[userid]."'"); mysql_query("INSERT INTO `fedjail` VALUES ('', '".$ir[userid]."', '300', '1', 'Trying to exploit the game')"); } } // Echo some result, Kill the page and finish the function echo "Quit trying to abuse you scumbag"; $h->endpage(); exit; } Edit Code is not tested as i dont have a game to test on, But should work. Although, If it doesnt, Im not offering support, So you either learn and fix it yourself, get someone else to help or simply dont use it. Quote
HITMAN 17 Posted November 19, 2008 Posted November 19, 2008 Re: Crystal market exploit? Create a table: CREATE TABLE `cheater_catcher` ( `cc_id` int(11) NOT NULL auto_increment, `cc_userid` int(11) NOT NULL default '0', `cc_count` int(11) NOT NULL default '0' PRIMARY KEY (`cc_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ; Then use this code in the cmarket.php page, Below $h->menuarea(); // Checks to see if the ID field in the URL is numeric value if(eregi("[^0-9]", $_GET[iD])) { // Selects from the cheater table to see if they have a previous record $select_data = mysql_query("SELECT * FROM cheater_catcher WHERE cc_userid = ".$ir[userid].""); // If they dont have a previous record, Create one if(!mysql_num_rows($select_data)) { mysql_query("INSERT INTO `cheater_catcher` VALUES ('', '".$ir[userid]."', '1'"); } // Else else { // Update the cheater catcher to add 1 to their existing count $data = mysql_fetch_object($select_data); mysql_query("UPDATE `cheater_catcher` SET cc_count = cc_count + 1 WHERE cc_userid = '".$ir[userid]."'"); // Now we check what their count is, If its above or equal to 3, Fed the scumbag =P if($data->cc_count >= 3) { mysql_query("UPDATE users SET fedjail = '1' WHERE userid = '".$ir[userid]."'"); mysql_query("INSERT INTO `fedjail` VALUES ('', '".$ir[userid]."', '300', '1', 'Trying to exploit the game')"); } } // Echo some result, Kill the page and finish the function echo "Quit trying to abuse you scumbag"; $h->endpage(); exit; } Edit Code is not tested as i dont have a game to test on, But should work. Although, If it doesnt, Im not offering support, So you either learn and fix it yourself, get someone else to help or simply dont use it. QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Query was INSERT INTO `cheater_catcher` VALUES ('', '2', '1' i got that Quote
ADN Posted November 19, 2008 Posted November 19, 2008 Re: Crystal market exploit? CREATE TABLE `cheater_catcher` ( `cc_id` int(11) NOT NULL auto_increment, `cc_userid` int(11) NOT NULL default '0', `cc_count` int(11) NOT NULL default '0', PRIMARY KEY (`cc_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ; Read all posts, then start using a script. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.