[SECURITY] Clan System Flaws

  1. #16 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    I would be surprised if the popularity of SQL inject insecure Clan / SoD sites in PT pServers wasn't a primary inspiration for Gregoo developing his site, but since it was never finished, we'll never know how "flawless" it would have been.

  2. #17 tnrh1 (Imri Persiado; True Member; joined May 2008; 948 posts)

    Re: [SECURITY] Clan System Flaws

    ahhh that's why my sql db's were deleted once a week
    I don't code ASP so I trusted the developer of those scripts and I guess it was a very bad choice lol.

  3. #18 SheenBR (Moderator; joined Feb 2008; Jaú, Brazil; 2,391 posts)

    Re: [SECURITY] Clan System Flaws

    trust anybody but yourself (Have just a few friends.)

  4. #19 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    And don't assume that, just because they fscked up the security, that was done with malicious intent. Remember that most of us create and share these things for free, in our spare time.

    There is a limit to the "quality control" with such an arrangement. ;)

  5. #20 Rovarav (Account Inactive; joined Nov 2010; 31 posts)

    Re: [SECURITY] Clan System Flaws

    tnrh1 aka Imri,

    I deleted your databases. You let your SQL be open for remote connections and I knew your IP, ID and PW so I could
    connect and delete them freely.

    I am no longer in the PT community so I don't mind letting you know that. I did that for good reasons.

  6. #21 SunnyZ (Professional Aussie; True Member; joined Jul 2006; Australia; 615 posts)

    Re: [SECURITY] Clan System Flaws


  7. #22 SunnyZ (Professional Aussie; True Member; joined Jul 2006; Australia; 615 posts)

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by sungam_3d:

    Well that was weird, instinctively typed in an old acc login without noticing.
    Turned out to be a real account I registered in 2006 XD
    Totally forgot about it hahaha!

  8. #23 Vormav (Account Inactive; joined Jan 2009; 1,342 posts)

    Re: [SECURITY] Clan System Flaws

    When I was rewriting this to PHP I must have missed it, or I was using the fixed version from the beginning. I hope my PHP version doesn't have those WTF moments =P

  9. #24 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by Rovarav:
    tnrh1 aka Imri,

    I deleted your databases. You let your SQL be open for remote connections and I knew your IP, ID and PW so I could
    connect and delete them freely.

    I am no longer in the PT community so I don't mind letting you know that. I did that for good reasons.
    That's actually *close* to "an ethical hack". Strictly speaking, you should have informed Imri beforehand, and given him the opportunity to fix the problem.

    Still, you did inform him how the exploit was achieved so he can fix it and if he doesn't have a recent backup, he should have learned the value of that now.

    FYI, Imri, changing the password isn't a fix, since every password is vulnerable. The fix is disabling the open remote admin port.

    If you need to get to a remote admin, the "correct" (secure) method is to limit it to access on a secure VLAN via SSH tunnel only. That is considered abstract enough to secure any secondary password system. Which isn't to say it can't be hacked, but does slow a hacker down enough that your continued vigilance (keep watching your IP and Security logs) should catch intrusion and give you the chance to re-arrange your security and put this hacker back to square one.

    An unmanned battlement is quickly breached no matter how thick or high the walls. ;)

  10. #25 Gregoo (True Member; joined Apr 2009; 352 posts)

    Re: [SECURITY] Clan System Flaws

    Disclaimer: As it is hard to detail a flaw and its fix without explaining how it is exploited, the following post contains both the attack and its fix. I assume the RZ community is mature enough not to go on a SQL injection rampage on every server they encounter.

    I didn't read thoroughly but I've seen people suggesting an uber-mega-check function to look for illegal characters. That is too troublesome, and unnecessarily bloated.

    To understand how to protect ourselves against injections, we first need to understand how it actually works.

    For instance if you have a piece of code like this,
    Code:
    ' Unescaped user input goes straight into the SQL string (the vulnerable form)
    Dim name
    name = Request("name")
    odbc.Open "SELECT TOP 1 * FROM [ul] WHERE [chname] = '" & name & "'", __, __
    You would normally access this page via something like page.asp?name=Gregoo, and the SQL server would be indeed sent the correct request
    Code:
    SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo'
    However, if someone was to access this page via page.asp?name=Gregoo';DROP%20DATABASE%20[accountdb];--, the SQL server would be sent this
    Code:
    SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo';DROP DATABASE [accountdb];--'
    (%20 is an url-encoded space).

    This query contains 3 elements.
    1. SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo'; the original query that we made syntactically correct with ' at the end. The semi-colon (;) allows us to chain another query after this one
    2. DROP DATABASE [accountdb]; is our second query and a nasty piece of code that will simply delete a database (in this case, the accounts)
    3. --' that last part starts with a comment (--). Whatever is behind will be discarded. That allows us to keep the query syntactically correct. If we didn't comment, there would be a quote ' at the end of the query. The parser would detect the error and execute none of the 2 queries.


    As of now, we already have one simple way to protect ourselves, that's a basic of security.
    You should never give privileges such as dropping databases or tables to the database user for the clan.
    I've seen pretty much everyone using the sysadmin (sa) account for the clan files. This user has pretty much EVERY right on your database. If you used a user with fewer privileges you would not have this problem. What the clan user really needs is SELECT, UPDATE and DELETE. Nothing else.

    Using a different user will solve the DROP problem, but one can still wipe your whole database with the DELETE privilege. Unfortunately you can't remove it, otherwise players won't be able to leave clans, kick users or disband clans.

    The second part of the protection from SQL injections in SQL Server is to simply escape single quotes. We've seen that it's the troublesome character that causes it all.

    In SQL Server syntax, you simply need to add a second quote to escape it. If you do that, the injection will just be plain text inside your query and it won't match anything.

    If we take the previous example, with escaped quotes, the SQL server will receive this
    Code:
    SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo''; DROP DATABASE [accountdb];--'
    The SQL server will understand this query as it was intended to be, and will look for the data where chname equals Gregoo'; DROP DATABASE [accountdb];--. As you can see, no more database dropping, and I doubt you have a character on your server with that name. So it'll simply return nothing.

    In my files, in function.asp you can see the G (for GET) function doing exactly that.
    Code:
    ' Fetch data from the query string. The data is escaped to prevent SQL injection
    ' @param key : string
    ' @return string
    Function G(my_key)
    	G = Replace(trim(request(my_key)), "'", "''")
    End Function
    • request grabs the values from the URI query string
    • trim removes lead/trailing spaces (just to clean up, doesn't do anything for security)
    • and Replace( , "'", "''") (double-quote single-quote double-quote, double-quote single-quote single-quote double-quote) adds a single quote in front of every single quote (that's the security fix)


    Our piece of code, with the protection, will look like this
    Code:
    ' Every single quote in the input is doubled, so it stays inside the string literal
    Dim name
    name = Replace(Request("name"), "'", "''")
    odbc.Open "SELECT TOP 1 * FROM [ul] WHERE [chname] = '" & name & "'", __, __


    TL;DR
    • Use an unprivileged SQL account (you only need SELECT, UPDATE, DELETE)
    • Protect your files, escape the single quotes. Wrap each request call inside Replace( , "'", "''")

    Code:
    Replace(request() , "'", "''")
    ----
    Quote Originally Posted by bobsobol:
    I also know that he did some "ethical hacking" to prove to popular, existing servers at the time that they had not patched these flaws, offering to help them.
    IDK if he was asking money or not, but the server admins who spoke to me about it were highly offended by his actions, and felt they were being "held to ransom". I would have considered it a warning and an offer of help, but I know where they are coming from.
    I did unethical hacking as retaliation. Dropped the database of a few servers that sent hackers to the server I was working with. That was the wtfish days of PT, when nobody shared anything. That was the only way to keep an edge.
    Then I stopped being retarded, started sharing my stuff and making people aware of that. I did grab one of the GMs password from a popular server through the clan files (with very complex injects) and sent a screenshot of the inventory (and did nothing else!) so they would take it seriously. I don't remember if I had the time to help them fix it, I was pretty busy back then.
    However, I've never asked any server for any money (/ransom).
    Last edited by Gregoo; 03-02-13 at 02:49 PM.

  11. #26 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    Okay, I've just deleted a flame-bait.

    Yes, I know several people who were very upset by Gregoo's former actions. However, I think we've all done things we regret... or worse, have mixed feelings about.
    You know... that guy you always hated that you couldn't do anything about because he's special to someone else you care about and you just kind of snapped and punched out. Neeyae, I probably shouldn't've done that but... boy it felt good.
    Revenge is a funny thing because, people tend to disguise themselves when doing these things, so the person you get attacked by is usually not the person who attacked you.

    It's kinda like pinching a girl's ass from your buddy's angle so he gets the slap in the face?

    I think Gregoo is being very mature in admitting his former crimes and trying to move past them. I also thank him for the clear guide he's given us here.

    Thanks Gregoo.

    P.S. Doesn't SQL take double quotes the same way? I seem to remember being told to escape those as well.

  12. #27 Gregoo (True Member; joined Apr 2009; 352 posts)

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by bobsobol:
    Thanks Gregoo.
    You're welcome.

    Quote Originally Posted by bobsobol:
    P.S. Doesn't SQL take double quotes the same way? I seem to remember being told to escape those as well.
    In T-SQL (that's the language you use to converse with a MS SQL Server), strings are declared with single quotes. Double quotes would throw an error.

    For instance, this is correct:
    Code:
    SELECT * FROM [clandb].[dbo].[ul] WHERE [chname] = 'Gregoo'
    This isn't:
    Code:
    SELECT * FROM [clandb].[dbo].[ul] WHERE [chname] = "Gregoo"
    You can use double quotes for column names though. This is perfectly valid:
    Code:
    SELECT * FROM [clandb].[dbo].[ul] WHERE "chname" = 'Gregoo'
    As for double quotes in text, they are interpreted as... a double quote:
    Code:
    SELECT '"'
    Returns
    Code:
    "
    This would cause an error:
    Code:
    SELECT '"''
    There's an unescaped single quote, inside your string.

    If you escape it:
    Code:
    SELECT '"'''
    It returns:
    Code:
    "'
    Here you go (-:
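An added example, not code from the thread or from Gregoo's clan files: a small Python model of how a T-SQL parser reads the injected query from post #25 and the quoting rules from post #27. The function names (`escape_sql_string`, `split_statements`, `literal_value`, `build_query`) are this example's own; it re-implements Replace(Trim(Request(key)), "'", "''") in Python instead of talking to a real SQL Server, and the payload is the one the thread uses.

```python
# Added example (not from the thread): a tiny T-SQL-style batch splitter that honours
# single-quoted literals ('' = escaped quote) and -- comments, showing what the parser
# receives before and after the single-quote escaping fix.

def escape_sql_string(value):
    """Python equivalent of Replace(Trim(Request(key)), "'", "''") from function.asp."""
    return value.strip().replace("'", "''")

def split_statements(sql):
    """Split on ';' outside string literals, drop -- comments; return (stmts, unterminated)."""
    stmts, buf, i, in_str = [], [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "'" and sql.startswith("''", i):    # doubled quote stays in the literal
                buf.append("''"); i += 2; continue
            in_str = c != "'"                            # a lone quote closes the literal
            buf.append(c)
        elif c == "'":
            in_str = True; buf.append(c)
        elif sql.startswith("--", i):                    # comment runs to end of line
            nl = sql.find("\n", i); i = len(sql) if nl < 0 else nl; continue
        elif c == ";":
            stmts.append("".join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    if not in_str and "".join(buf).strip():              # a dangling quote = parse error
        stmts.append("".join(buf).strip())
    return [s for s in stmts if s], in_str

def literal_value(sql):
    """Value of the first '...' literal with '' unescaped; None if it never closes."""
    start = sql.find("'")
    out, i = [], start + 1
    while start >= 0 and i < len(sql):
        if sql[i] == "'":
            if sql.startswith("''", i): out.append("'"); i += 2; continue
            return "".join(out)
        out.append(sql[i]); i += 1
    return None

def build_query(name, escaped):
    """The clan page's query, with or without the single-quote escaping."""
    value = escape_sql_string(name) if escaped else name
    return "SELECT TOP 1 * FROM [ul] WHERE [chname] = '" + value + "'"

PAYLOAD = "Gregoo';DROP DATABASE [accountdb];--"        # the input from the thread

if __name__ == "__main__":
    for escaped in (False, True):                        # 2 statements vs 1 statement
        print(escaped, split_statements(build_query(PAYLOAD, escaped)))
```

Unescaped, the batch splits into the SELECT plus the DROP; escaped, the whole payload stays inside one string literal, and `literal_value` reproduces the `"`/`'` cases from post #27.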

  13. #28 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    Awesome. Thanks. It may be different SQL dialects. I was taught SQL back at Uni on a very old version of FoxPro. (like, really old, even back then) I don't really like it, and spend more time poring over books trying to get the right syntax than actually writing anything. So I wouldn't spot it. But I scraped through my exams and still remember the odd lecture I didn't fall asleep in. (too much, or maybe just enough Pro Plus? )
    The problem with taking caffeine pills after pulling an all-nighter to complete an essay I couldn't be arsed with until the last minute before a DBMS lecture in the morning, is that if a Digital Systems or Low Level lecture / seminar followed it I was really, really hyper. And I mean *really really*, coz I was pretty pepped in those anyway. XD

    Horses for courses though, coz I know a fair few of my peers felt the exact opposite.

  14. #29 tnrh1 (Imri Persiado; True Member; joined May 2008; 948 posts)

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by Rovarav:
    tnrh1 aka Imri,

    I deleted your databases. You let your SQL be open for remote connections and I knew your IP, ID and PW so I could
    connect and delete them freely.

    I am no longer in the PT community so I don't mind letting you know that. I did that for good reasons.
    Don't be so proud of yourself since there is nothing to be proud of. "Good reasons": name 1 and I'm deleting my RZ account.

  15. #30 bobsobol (Custom title enabled; joined May 2007; UK; 5,751 posts)

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by tnrh1:
    and I'm deleting my rz account.
    Why is *your* rz account being held responsible for the actions of an individual who isn't even on our staff? Also, why would he care; honestly?

    I'm not sure that I mind if you choose to shoot yourself in the foot because someone was mean to you. But I am a little upset that you would lash out at an organisation which has set out entirely with the intention of supporting you (and I think we've succeeded on several occasions) simply because of the actions of an individual who is no more under our control than you are.

    On a personal level, if you choose to go I'll miss you around.
