[INFORMATION] SQL Injection (ingame)

[Syloxx]

Hello Ragezone,
I just want to inform you that i discovered a new very harmful exploit.
It is possible to execute a SQL Injection through the Fortresswar Administrator NPC with the "About Guild" dialog.

example:

Code:

 test' shutdown--

this example will shutdown the sql server

Screenshot:

[MentaL_BOT]

[NourAyman]

sounds like " welcome to hell " for the community lmao.

[PlayerSRO]

nice exploit

[Jangan]

easy to patch - open the related stored procedure and modify it to be SQL inject proof. Then add checks and validators to make sure everything is run properly.

You could also just remove the npc, but i do recommend that people learn how to counter SQL injects.

[Syloxx]

easy to patch - open the related stored procedure and modify it to be SQL inject proof. Then add checks and validators to make sure everything is run properly.

You could also just remove the npc, but i do recommend that people learn how to counter SQL injects.

1st)
The gameserver sends an update statement to the sql server that means there isn't anything to modify.

2nd)
Even if it would be a procedure it wont work lemme show you why. I use the _ADD_NEW_ITEM procedure as example (red = static by server / green = input by user)

Normal:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'

Injection:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE' UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'

Injection (added formating to make it more clear):
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'
UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'

As you see, the server executed the procedure with a valid string and executes an update statement right after the procedure got executed.

It is impossible to fix an sql injection inside the sql server, you have to fix the application or use an work around (packet filter for example)

-Syloxx

[UniverseGaming]

Syloxx

i do believe you are a moron because stored procedures dont accept querys only params so example say inside the stored proceedure u have a query that requires a username the program or script would called exec storedprocname and the params it needs and then runs the query with the data inside the sql server

[Syloxx]

Syloxx

i do believe you are a moron because stored procedures dont accept querys only params so example say inside the stored proceedure u have a query that requires a username the program or script would called exec storedprocname and the params it needs and then runs the query with the data inside the sql server

@UniverseGaming looks like you are the moron...

You close the string, give all required parameters and adds your query to it.

I will write an example protecure with 3 parameters (string1 is set by the player through the message box and int1 and int2 is set by the server (example CharID and ItemID)

Try to understand what the GameServer sends to the SQL Server and what does the SQL Server execute.

In the solution spoiler you find the whole command with T-SQL highlights for better understanding. Please try to solve it by your self first.

example call:
exec _Procedure 'string1', int1, int2 (string1 = your input)

input:
string1', int1, int2; DROP DATABASE();--

SOLUTION:

Spoiler:

Code:

exec _Procedure 'string1', int1, int2; DROP DATABASE();--', int1, int2

[Jangan]

Oh dear...

1) Relationship design.
2) Tables design.
3) Stored procedure design.

Work on those 3 and you will never see sql injection in your life again.

Everything you wrote can be stopped by properly re-writing the procedure, or altering the table, from being varchar(255)/varchar(max) to varchar(20/30) for example, and the game server should work fine. If not "since i havent touched sro in years", you can basically just modify the stored procedure.

By your logic, i should be able to inject every single game made in life because there is no way to stop sql injection right?


anyways -> Are stored procedures safe against SQL injection? - Paladion Networks ; How to prevent SQL Injection in Stored Procedures - CodeProject

Have a great day :)

[Syloxx]

Oh dear...

1) Relationship design.
2) Tables design.
3) Stored procedure design.

Work on those 3 and you will never see sql injection in your life again.

Everything you wrote can be stopped by properly re-writing the procedure, or altering the table, from being varchar(255)/varchar(max) to varchar(20/30) for example, and the game server should work fine. If not "since i havent touched sro in years", you can basically just modify the stored procedure.

By your logic, i should be able to inject every single game made in life because there is no way to stop sql injection right?


anyways -> Are stored procedures safe against SQL injection? - Paladion Networks ; How to prevent SQL Injection in Stored Procedures - CodeProject

Have a great day :)

varchar limit:

Spoiler:

xxx'; DROP DATABASE() --varchar(3) is enough

about stored procedure injection:

Spoiler:

i didn't read the blog but i am pretty sure all he talks about is that queries INSIDE the procedure can't be used for sql injection (the call itself can)

about the "every game would be vulnerable"

Spoiler:

no, the job is that the application who sends the call command filters the stuff (remove the ' or escapes it etc)

as you see, the sql procedure isn't invalid all you do is you add an additional query to that call.