
Plus Emulator Security Fixes

Initiate Mage
Joined Dec 2, 2013
It seems that in removing a favorite group there is an error exploit.
 
Joined Sep 2, 2011
It seems that in removing a favorite group there is an error exploit.

You mean, "it seems that there exists an exploit in removing someone's favorite group." (I think)...

But give some proof of that.



Also, I think an exploit in removing a favorite group doesn't seem possible, since the packet consists only of a single integer (GroupID).
So it is impossible, I think. Since the integer is handled by something like "Request.GetInt32()", SQL injection seems to be impossible.
 
Initiate Mage
Joined Dec 2, 2013
To resolve this error exploit you have to check if the group is null: use the same packet structure but with default values (int 0, empty string, and false if you have any bool), then make a return, or create an else for the execution when it is not null.



PurchaseFromCatalogEvent

find:
dbClient.RunQuery("UPDATE `catalog_items` SET `limited_sells` = '" + Item.LimitedEditionSells + "' WHERE `id` = '" + Item.Id + "' LIMIT 1");


replace:
dbClient.SetQuery("UPDATE `catalog_items` SET `limited_sells` = @limited_sells, `gender` = '" + Item.LimitedEditionSells.gender + "' WHERE `id` = '" + Item.Id + "' LIMIT 1");
dbClient.AddParameter("limited_sells",Item.Id.limited_sells );
dbClient.RunQuery();

obs:
If wrong please correct me, I'm still junior.

 
Initiate Mage
Joined May 3, 2016
To resolve this error exploit you have to check if the group is null: use the same packet structure but with default values (int 0, empty string, and false if you have any bool), then make a return, or create an else for the execution when it is not null.

LimitedEditionSells is an integer, you can't inject here.
 
Joined Sep 2, 2011
LimitedEditionSells is an integer, you can't inject here.

Exactly!



To resolve this error exploit you have to check if the group is null: use the same packet structure but with default values (int 0, empty string, and false if you have any bool), then make a return, or create an else for the execution when it is not null.


What the hell are you saying, João? LimitedSells is an integer, you just can't do injection here.

Also, this thing about the Group being null isn't an injection.
 
Initiate Mage
Joined Nov 1, 2012
Hi guys, I'm trying to code the forum but I have a problem, the forum doesn't work.

Code:
namespace Plus.Communication.Packets.Incoming.Inventory.Purse
{
    class GetForumsListDataEvent : IPacketEvent
    {
        public void Parse(GameClient Session, ClientPacket Packet)
        {
            int GroupId = Packet.PopInt();
            int startindex = Packet.PopInt();
            int endindex = Packet.PopInt();
            Group Group = null;

            PlusEnvironment.GetGame().GetGroupManager().TryGetGroup(GroupId, out Group);

            if (Group == null || !Group.HasForum)
                return;

            // (the rest of the handler was not included in the post)
        }
    }
}
 
Joined Sep 2, 2011
What is this code? Can you send it in "Code:" tags, send it entirely, and specify what is wrong? Also, this is not a help section.
 
Initiate Mage
Joined Dec 2, 2013
You could post some more of the Plus fixes the users need.
 
Initiate Mage
Joined Jun 5, 2016
Hi,

When I was checking Plus I found an exploit which makes it possible to send queries, drop tables, whatever you like. I noticed that someone finally found out the exploit and I decided to release the fix because these guys just want to duck some poop up.

Open the source and follow me.

1). HabboHotel\Items\Wired\Boxes\Effects\BotChangesClothesBox.cs
I'm fairly certain that User.BotData.Gender is also a string.

Besides, the SQL injection would be of no risk if the user does not have any way of providing their own figure string. On the Habboon edit (which I'm certain everyone now uses) there is a figure parser which would take care of any scripting attempts to try this.
 
Initiate Mage
Joined May 3, 2016
I'm fairly certain that User.BotData.Gender is also a string.

Besides, the SQL injection would be of no risk if the user does not have any way of providing their own figure string. On the Habboon edit (which I'm certain everyone now uses) there is a figure parser which would take care of any scripting attempts to try this.

You can save your own figure with a packet logger.
 
Initiate Mage
Joined Jun 5, 2016
You can save your own figure with a packet logger.

Even then, it's run through the anti mutant, which will prevent any invalid strings.

Code:
string Look = PlusEnvironment.GetGame().GetAntiMutant().RunLook(Packet.PopString());

If any SQL is passed through it'll simply return a figure:

[attached screenshot of the returned figure]


These SQLi patches are still useful for people not running the boon edit though.
 

Initiate Mage
Joined May 3, 2016
Even then, it's run through the anti mutant, which will prevent any invalid strings.

I tried to inject and I can without problems.
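On the anti-mutant question raised in the last posts: whatever `RunLook` does internally, the server-side check is the only one that counts, because a packet logger lets the client send any string. Below is an added example (not the emulator's parser and not code from the thread) of the allowlist style of figure validation such a check can use. The part grammar, the set-type list, the part limit and the fallback figure are assumptions for the demo. Rejecting anything outside the grammar keeps an injection string from ever reaching a concatenated query, but it is a second layer: the UPDATE that stores the look still belongs in a parameterized query.

```python
import re
from typing import Tuple

# Assumed grammar for a Habbo-style figure string (an assumption for the demo,
# not the emulator's own parser): dot-separated parts, each a two-letter set
# type, a numeric part id and up to two numeric color ids, e.g. "ch-210-66".
PART_RE = re.compile(r"[a-z]{2}-[0-9]{1,5}(?:-[0-9]{1,5}){0,2}")
# Assumed set types (hair, head, chest, legs, shoes, accessories, coat, print).
KNOWN_SETS = {"hr", "hd", "ch", "lg", "sh", "ha", "he", "ea", "fa", "ca", "wa", "cc", "cp"}
MAX_PARTS = 12
MAX_LEN = 256

def validate_look(look: str) -> Tuple[bool, str]:
    """Allowlist check: (ok, reason). Anything the grammar does not describe is
    rejected outright; nothing is escaped or 'cleaned up' and passed on."""
    if not look or len(look) > MAX_LEN:
        return False, "empty or too long"
    parts = look.split(".")
    if len(parts) > MAX_PARTS:
        return False, "too many parts"
    seen = set()
    for part in parts:
        # fullmatch: a quote, space, comma or comment marker anywhere fails.
        if not PART_RE.fullmatch(part):
            return False, "malformed part %r" % part
        set_type = part[:2]
        if set_type not in KNOWN_SETS:
            return False, "unknown set type %r" % set_type
        if set_type in seen:
            return False, "duplicate set type %r" % set_type
        seen.add(set_type)
    return True, "ok"

def run_look(look: str, fallback: str = "hd-180-1") -> str:
    """Same shape as RunLook(): hand the look back if it validates, otherwise a
    default figure (the fallback value is assumed)."""
    ok, _ = validate_look(look)
    return look if ok else fallback

# Constructed inputs: one valid figure and several things a packet logger
# could send instead, including the kind of payload aimed at a concatenated UPDATE.
SAMPLES = [
    "hr-100-61.hd-180-1.ch-210-66.lg-270-82.sh-290-80",
    "x', gender = 'INJECTED' WHERE id = '2' -- ",
    "hd-180-1'",
    "hd-180-1 OR 1=1",
    "hd-180-1.hd-190-2",
    "zz-1-1",
]

def demo() -> dict:
    return {look: validate_look(look) for look in SAMPLES}

if __name__ == "__main__":
    for look, (ok, reason) in demo().items():
        print("%-52r -> %s (%s) -> stored %r" % (look, ok, reason, run_look(look)))
```

The check validates rather than sanitizes on purpose: a "fixed" figure still has to be concatenated safely somewhere, and a rejected one never reaches the query at all.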
 
