Jump to content
MakeWebGames

New exploit found!


Godhand

Recommended Posts

I was just you know doing my own thing. I then realized my crons were being launched 2x more then they SHOULD be. I also know they don't know my cron code. But I did take the time to create a way to block it. I figured... since its not really worth it to run it every minute... all I did was change my minute cron... but heres the rest of it in cron_fivemin.php Find

<?php
include "config.php";
global $_CONFIG;
if($_GET['code'] != $_CONFIG['code']) { die(""); }
define("MONO_ON", 1);
require "class/class_db_{$_CONFIG['driver']}.php";
$db=new database;
$db->configure($_CONFIG['hostname'],
$_CONFIG['username'],
$_CONFIG['password'],
$_CONFIG['database'],
$_CONFIG['persistent']);
$db->connect();
$c=$db->connection_id;
$set=array();
$settq=$db->query("SELECT * FROM settings");
while($r=$db->fetch_row($settq))
{
$set[$r['conf_name']]=$r['conf_value'];
}

add RIGHT after

if($set['cronfiveminprotect'] >= 1)
{

then FIND

 $db->query("UPDATE users SET verified=0");
}

add RIGHT after

}

Now go into cron_hour.php find

event_add($rm['userid'],"Your Gang's Organised Crime Failed. Go [url='oclog.php?ID=$i']here[/url] to view the details.",$c);
}
}
}

add RIGHT after

 $db->query("UPDATE settings SET  conf_value=12 WHERE conf_id=105");

and well since your in cron_hour.php already you might as well fix there as well. find


if(date('G')==17) {

replace with

if(date('G')==17 && $set['cronhourprotection'] == 1)
{ 
$db->query("UPDATE settings SET  conf_value=0 WHERE conf_id=22");

In cron_day.php add somewhere

$db->query("UPDATE settings SET  conf_value=1 WHERE conf_id=22");

now for the sql five min

INSERT INTO `yourdatabasename_Main`.`settings` (
`conf_id` ,
`conf_name` ,
`conf_value`
)
VALUES (
'105', 'cronfiveminprotect', '12'
);

Now for hour protection

INSERT INTO `yourdatabasename_Main`.`settings` (
`conf_id` ,
`conf_name` ,
`conf_value`
)
VALUES (
'1', 'cronhourprotection', '22'
);

Notice that part of cron_hour.php is still exploitable I just did not think it was worth adding in as I prevented players from getting their pay twice and insured that they got their job money no matter what. as for the fix well it isn't that hard just create another setting and correspond the information and set it up in cron_day.php. Also changing file names avoid this exploit as well. :-D

edit: I noticed one small mistake that would fix itself by the end of the day haha

Link to comment
Share on other sites

Re: New exploit found!

And well you could always take preventative measure... thats why I have mine. So the people who get pissed off aren't me; its the players as I make it foolproof to not be abusable. I'm half tempted to make another cron_hour.php/day/ etc and set it to fed the player who launches it. haha

Link to comment
Share on other sites

Re: New exploit found!

 

or you just work with the server time ... even if they know your path, it will only work when it's allowed to run :P

as a cron that only is supposed to launch at 05 ... won't run at 04 or 06 :)

I know but the problem there is I having to code hour by hour. or every 5 minutes or every minute depending on the cron... thats why I ran those and customized my cron site name so they will not be able to exploit it too badly if they do :wink:

Link to comment
Share on other sites

Re: New exploit found!

I had an idea earlier.

Perhaps create a table in the db. I'm not too good at sql so don't ask me to do it for you... But anyways have 1 field be set to 24 everyday with the day cron, another set to 288 by the day cron and 1 set to 3600 for the minute cron. Have each cron only run if there is any credits left and have them deduct 1 from the corresponding field in the db. Have the day cron hidden and passworded 30 different ways. That would make the crons secure enough that if somebody did decide to exploit them the crons wouldn't run more during a day then they should.

Link to comment
Share on other sites

Re: New exploit found!

 

I had an idea earlier.

Perhaps create a table in the db. I'm not too good at sql so don't ask me to do it for you... But anyways have 1 field be set to 24 everyday with the day cron, another set to 288 by the day cron and 1 set to 3600 for the minute cron. Have each cron only run if there is any credits left and have them deduct 1 from the corresponding field in the db. Have the day cron hidden and passworded 30 different ways. That would make the crons secure enough that if somebody did decide to exploit them the crons wouldn't run more during a day then they should.

Thats exactly what I did. I did it in settings though because it was easier. Except for the password. I didn't bother with the minute cron because I figured it would be worthless to run protection on it... As for the hour I prevented pay from being exploitable and theres not very many gangs and I renamed my hourly cron to something else. I was thinking of making a 10 minute cron with a new stat in my game and also a 15 minute cron (both custom) to lessen the regular 5 minute crons load. As for why I'd want to do that as you know I have a new gym code I've been trying to patch up. Reading over the code you'll notice it doesn't use energy or currency. But I'm not quite sure if it would be worth it or not.....

Link to comment
Share on other sites

Re: New exploit found!

I still cannot figure out why all of you even run the crons from your public html folders. Screw those cron codes and all that garbage. Place a folder outside of the public html directory and direct the actual cron commands to that directory and you are all set. Nobody will know what the name of the folder is name or the cron files located in it as well. It is that simple! :-)

Link to comment
Share on other sites

Re: New exploit found!

 

or you just work with the server time ... even if they know your path, it will only work when it's allowed to run :P

as a cron that only is supposed to launch at 05 ... won't run at 04 or 06 :)

I don't mean to rain on your parade, but the idea is that someone is MANUALLY running the cron... hence the hack/cheat/exploit. Any cron code can be used/run at any time. All the crontab does is curl the URL you told it to, the cron code itself doesn't automate itself, it's the crontab.

 

 

My two cents :mrgreen:

Link to comment
Share on other sites

  • 3 weeks later...
  • 2 months later...

Re: New exploit found!

 

wanna know the best way to secure ur crons?

just go to config.php

change ur cron code to sh1 protection atm its md5 hashed so yh just change it to something harder and not just md5 hash encryption

how do i make it that

Link to comment
Share on other sites

Re: New exploit found!

Wow zeon, i just looked through your signature and noticed gangster battles

Did you know that www.gangster-battle.com is owned by me?

Well it looks like everyone now a days basicly is trying to copy me :|

Killah999 AKA Jameo is trying to make www.gangsta-nations.com look like killah-city.

Killah999 AKA Jameo is trying to copy my name "killah".

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...