Godhand Posted February 1, 2008

I was just, you know, doing my own thing. I then realized my crons were being launched 2x more than they SHOULD be. I also know they don't know my cron code. But I did take the time to create a way to block it. I figured... since it's not really worth it to run it every minute... all I did was change my minute cron... but here's the rest of it.

In cron_fivemin.php, find:

```php
<?php
include "config.php";
global $_CONFIG;
if($_GET['code'] != $_CONFIG['code']) { die(""); }
define("MONO_ON", 1);
require "class/class_db_{$_CONFIG['driver']}.php";
$db=new database;
$db->configure($_CONFIG['hostname'], $_CONFIG['username'], $_CONFIG['password'], $_CONFIG['database'], $_CONFIG['persistent']);
$db->connect();
$c=$db->connection_id;
$set=array();
$settq=$db->query("SELECT * FROM settings");
while($r=$db->fetch_row($settq))
{
    $set[$r['conf_name']]=$r['conf_value'];
}
```

Add RIGHT after:

```php
// Only run the cron body while the setting is still at least 1
if($set['cronfiveminprotect'] >= 1) {
```

Then FIND:

```php
$db->query("UPDATE users SET verified=0");
}
```

Add RIGHT after:

```php
} // closes the cronfiveminprotect check opened above
```

Now go into cron_hour.php and find:

```php
event_add($rm['userid'],"Your Gang's Organised Crime Failed. Go [url='oclog.php?ID=$i']here[/url] to view the details.",$c);
}
}
}
```

Add RIGHT after:

```php
// Reset the five-minute cron setting (conf_id 105) to 12 every hour
$db->query("UPDATE settings SET conf_value=12 WHERE conf_id=105");
```

And well, since you're in cron_hour.php already, you might as well fix it there as well. Find:

```php
if(date('G')==17) {
```

Replace with:

```php
if(date('G')==17 && $set['cronhourprotection'] == 1) {
// Mark the 17:00 block as done so a second run the same day skips it
$db->query("UPDATE settings SET conf_value=0 WHERE conf_id=22");
```

In cron_day.php add somewhere:

```php
// Re-arm the hourly protection once a day
$db->query("UPDATE settings SET conf_value=1 WHERE conf_id=22");
```

Now for the SQL. Five min:

```sql
INSERT INTO `yourdatabasename_Main`.`settings` ( `conf_id` , `conf_name` , `conf_value` ) VALUES ( '105', 'cronfiveminprotect', '12' );
```

Now for hour protection:

```sql
-- conf_id is 22 to match the "WHERE conf_id=22" updates above; value 1 = armed
INSERT INTO `yourdatabasename_Main`.`settings` ( `conf_id` , `conf_name` , `conf_value` ) VALUES ( '22', 'cronhourprotection', '1' );
```

Notice that part of cron_hour.php is still exploitable; I just did not think it was worth adding in, as I prevented players from getting their pay twice and ensured that they got their job money no matter what. As for the fix, well, it isn't that hard: just create another setting and correspond the information and set it up in cron_day.php. Also, changing file names avoids this exploit as well. :-D

edit: I noticed one small mistake that would fix itself by the end of the day haha

Haunted Dawg Posted February 1, 2008
Re: New exploit found!

Wanna know the best way to secure your crons? Just go to config.php and change your cron code to sha1 protection. Atm it's md5 hashed, so yeah, just change it to something harder and not just md5 hash encryption.

Godhand Posted February 2, 2008

And if they get lucky and decrypt it? Yea.. I know. I also changed my crons quite a bit, so they don't get launched by anyone except myself and my automated server.

Jesse60905 Posted February 2, 2008

Or have them in a folder 1000 folders deep in your server. I don't even know where mine are unless I look in my cPanel.

Godhand Posted February 2, 2008

And well, you could always take preventative measures... that's why I have mine. So the people who get pissed off aren't me; it's the players, as I make it foolproof to not be abusable. I'm half tempted to make another cron_hour.php/day/ etc and set it to fed the player who launches it. haha

Haunted Dawg Posted February 2, 2008

> And if they get lucky and decrypt it? Yea.. I know. I also changed my crons quite a bit, so they don't get launched by anyone except myself and my automated server.

Dude, seriously, I don't think anyone can decrypt sha1 atm XD

ignite Posted February 2, 2008

Can you not password the cron files?

Haunted Dawg Posted February 2, 2008

Just add this at the top of your cron page:

```php
// The expected value must be a quoted string, not a bare word
if($_GET['tryitoutagainandifugetitrightluckyforyou'] == 'hellomyfriendiamanautomatedcron')
{
    // Your code here
}
```

Then in your place to run crons just use

curl http://www.yourgame.com/cron.php?tryito ... omatedcron

I doubt anyone can get that right :D

Nickson Posted February 2, 2008

Or you just work with the server time ... even if they know your path, it will only work when it's allowed to run :P as a cron that only is supposed to launch at 05 ... won't run at 04 or 06 :)

Godhand Posted February 2, 2008

> Or you just work with the server time ... even if they know your path, it will only work when it's allowed to run :P as a cron that only is supposed to launch at 05 ... won't run at 04 or 06 :)

I know, but the problem there is me having to code hour by hour, or every 5 minutes, or every minute, depending on the cron... that's why I ran those and customized my cron site name so they will not be able to exploit it too badly if they do :wink:

Jesse60905 Posted February 3, 2008

I had an idea earlier. Perhaps create a table in the db. I'm not too good at SQL so don't ask me to do it for you... But anyway, have 1 field be set to 24 every day with the day cron, another set to 288 by the day cron and 1 set to 3600 for the minute cron. Have each cron only run if there are any credits left and have them deduct 1 from the corresponding field in the db. Have the day cron hidden and passworded 30 different ways. That would make the crons secure enough that if somebody did decide to exploit them, the crons wouldn't run more during a day than they should.

Godhand Posted February 3, 2008

> I had an idea earlier. Perhaps create a table in the db. I'm not too good at SQL so don't ask me to do it for you... But anyway, have 1 field be set to 24 every day with the day cron, another set to 288 by the day cron and 1 set to 3600 for the minute cron. Have each cron only run if there are any credits left and have them deduct 1 from the corresponding field in the db. Have the day cron hidden and passworded 30 different ways. That would make the crons secure enough that if somebody did decide to exploit them, the crons wouldn't run more during a day than they should.

That's exactly what I did. I did it in settings though, because it was easier. Except for the password. I didn't bother with the minute cron because I figured it would be worthless to run protection on it... As for the hour, I prevented pay from being exploitable, and there's not very many gangs, and I renamed my hourly cron to something else.

I was thinking of making a 10 minute cron with a new stat in my game and also a 15 minute cron (both custom) to lessen the regular 5 minute cron's load. As for why I'd want to do that: as you know, I have a new gym code I've been trying to patch up. Reading over the code you'll notice it doesn't use energy or currency. But I'm not quite sure if it would be worth it or not.....

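Added example, not part of any post in this thread: the run budget Jesse60905 describes and Godhand keeps in the settings table, written so that the check and the decrement are a single UPDATE. It assumes PDO and a numeric conf_value column; the SQLite in-memory database, the sample row and the function names are constructed for the demo.

```php
<?php
// Added example. Names follow the thread's settings table; the SQLite
// in-memory database and sample row are constructed for the demo.

/**
 * Spend one run credit for the named cron. The test and the decrement
 * are one UPDATE, so two simultaneous requests cannot both take the
 * last credit (a SELECT followed by an UPDATE could let both through).
 */
function consume_cron_credit(PDO $pdo, string $confName): bool
{
    $stmt = $pdo->prepare(
        'UPDATE settings SET conf_value = conf_value - 1
          WHERE conf_name = :name AND conf_value > 0'
    );
    $stmt->execute([':name' => $confName]);
    return $stmt->rowCount() === 1;   // no row changed: budget is spent
}

/** Run by the less frequent cron to hand out the next period's credits. */
function refill_cron_credit(PDO $pdo, string $confName, int $credits): void
{
    $stmt = $pdo->prepare(
        'UPDATE settings SET conf_value = :credits WHERE conf_name = :name'
    );
    $stmt->execute([':credits' => $credits, ':name' => $confName]);
}

// Demo on constructed data: 12 credits per hour for the five-minute cron.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE settings (conf_id INTEGER PRIMARY KEY,
            conf_name TEXT UNIQUE, conf_value INTEGER)');
$pdo->exec("INSERT INTO settings VALUES (105, 'cronfiveminprotect', 12)");

$ran = 0;
for ($request = 0; $request < 30; $request++) {   // 30 hits within one hour
    if (consume_cron_credit($pdo, 'cronfiveminprotect')) {
        $ran++;                  // the cron body would run here
    }
}
echo "cron body ran {$ran} of 30 requests\n";

refill_cron_credit($pdo, 'cronfiveminprotect', 12);   // cron_hour.php's job
```

The budget caps how often the cron body runs, not who triggers it, so it works alongside restricting access to the script rather than replacing that.
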
MaKaVeLi Posted February 9, 2008

I still cannot figure out why all of you even run the crons from your public html folders. Screw those cron codes and all that garbage. Place a folder outside of the public html directory and direct the actual cron commands to that directory and you are all set. Nobody will know what the name of the folder is, or the cron files located in it as well. It is that simple! :-)

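Added example, not part of any post in this thread: a guard for the top of each cron script that allows command-line runs (the crontab calling the php binary on a file outside the web root, as MaKaVeLi suggests) and rejects web requests unless they carry the cron code. The function name and the CRON_CODE environment variable are hypothetical.

```php
<?php
// Added example: guard to place at the top of every cron script.
// cron_invocation_allowed() and CRON_CODE are hypothetical names.

/**
 * Decide whether this invocation may run the cron body.
 *  - CLI runs (crontab calling the php binary) are always allowed.
 *  - Web requests need the right code. hash_equals() compares strictly
 *    and in constant time, unlike != which applies PHP type juggling.
 */
function cron_invocation_allowed(string $sapi, array $query, string $expectedCode): bool
{
    if ($sapi === 'cli') {
        return true;
    }
    $given = $query['code'] ?? '';
    if (!is_string($given) || $expectedCode === '') {
        return false;        // rejects ?code[]=x and an unset configured code
    }
    return hash_equals($expectedCode, $given);
}

// Keep the secret in the environment rather than in a file under the web root.
$expected = getenv('CRON_CODE') ?: '';

if (!cron_invocation_allowed(PHP_SAPI, $_GET, $expected)) {
    http_response_code(404);   // do not reveal that a cron script lives here
    exit;
}

// ... cron body runs below this line ...
```

With the scripts outside the public folder, the crontab entry calls the interpreter directly, for example `*/5 * * * * php /home/youruser/crons/cron_fivemin.php` (the path is a placeholder), and there is no URL left to request.
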
Vorlen Posted February 9, 2008

> Or you just work with the server time ... even if they know your path, it will only work when it's allowed to run :P as a cron that only is supposed to launch at 05 ... won't run at 04 or 06 :)

I don't mean to rain on your parade, but the idea is that someone is MANUALLY running the cron... hence the hack/cheat/exploit. Any cron code can be used/run at any time. All the crontab does is curl the URL you told it to; the cron code itself doesn't automate itself, it's the crontab.

My two cents :mrgreen:

Godhand Posted February 27, 2008

Believe it or not, I was doing some digging from it. It was completely automated. How I could tell: I doubt someone would stay and keep running the cron without realizing it has been failing.

HITMAN 17 Posted May 8, 2008

> Wanna know the best way to secure your crons? Just go to config.php and change your cron code to sha1 protection. Atm it's md5 hashed, so yeah, just change it to something harder and not just md5 hash encryption.

How do I make it that?

Guest Anonymous Posted May 8, 2008

http://md5encryption.com/ encrypt a keyword.

Haunted Dawg Posted May 8, 2008

Wow zeon, I just looked through your signature and noticed gangster battles. Did you know that www.gangster-battle.com is owned by me? Well, it looks like everyone nowadays basically is trying to copy me :| Killah999 AKA Jameo is trying to make www.gangsta-nations.com look like killah-city. Killah999 AKA Jameo is trying to copy my name "killah".

Guest Anonymous Posted May 8, 2008

Actually, I did not notice that. I searched up www.gangster-battles.com, and regged it as it was available.

Guest Anonymous Posted May 8, 2008

Looked both domains up...

gangster-battle.com - Created:2008-04-03 - http://whois.domaintools.com/gangster-battle.com
gangster-battles.com - Created:2008-03-20 - http://whois.domaintools.com/gangster-battles.com

Looks like I created mine first.

Haunted Dawg Posted May 8, 2008

Then the person who told me to register that domain must have copied yours. Sorry.

Magictallguy Posted May 15, 2008

That's one way to put your foot in it! xD

kronow Posted May 18, 2008

Or to save all your problems run it in root :|