SQL Injection on Runnable (creating a ^ color name)

  1. #1
    cheaterastic (Be a kicker than cheater.) | Joined Dec 2009 | 764 posts

    SQL Injection on Runnable (creating a ^ color name)

    Help me please.

    Some cheaters on my Gunz server are doing an SQL injection from the Runnable. They can create a Color Character Name like ^2My^3Char^4, and I really believe it is an SQL injection; some of my Gunz friends said so too.

    I have changed my MSSQL passwords for the 'sa' account and the other account logins. I am using MSSQL 2008 R2.

    Please help me, why are they able to inject?

    Is this because of Windows Authentication with no username and password needed?

    Please help, they are able to SQL inject, and they can have a color name. Only a few know it, almost 5 characters, but if this won't stop, then OMG, this will be bigger. Please help.

    I am using Gregon13's Modified Source (CTF + Anti-Lead + DamageCounter + Fixes)


  2. #2
    ClGames (Apprentice) | Joined Jan 2010 | 17 posts

    Re: SQL Injection on Runnable (creating a ^ color name)


  3. #3
    Wish Q (Account Upgraded | Title Enabled!) | Joined Jul 2012 | Location: LiveScore | 456 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Make sure your website isn't injectable. If it is, then they can go into your database and change names, I think.

  4. #4
    a1tl4 (Valued Member) | Joined Sep 2012 | Location: Brazil | 112 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    StrStrI or strstr does the work for you.

  5. #5
    cheaterastic (Be a kicker than cheater.) | Joined Dec 2009 | 764 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Thanks for the replies, guys, BUT.....

    Quote Originally Posted by ClGames View Post
    That refers to the LOGIN screen, not to character making.
    And I have already activated that / applied it on my source T_T.....

    Quote Originally Posted by Wish Q View Post
    Make sure your website isn't injectable. If it is, then they can go into your database and change names, I think.
    Yes. It is not injectable. My website cannot be SQL injected. It is on the Runnable. I've followed two of Hack/Cheat Color Name, and they said that it is about the Runnable: they are able to create with a Color Name, and it is about SQL injection to the Runnable.


    I know some expert here can help; please help with SQL injection on the Runnable.
    Or please, I want to clear up my mind whether there is a Hack/DLL that can be used on the Runnable / Gregon13's new release / Gunz 1.5. Any ANTI HACK?


    1 more thing, they are able to crash my server.

  6. #6
    ngskRabbit (Enthusiast) | Joined Sep 2012 | 32 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Quote Originally Posted by cheaterastic View Post
    They can create a Color Character Name like ^2My^3Char^4,
    Any problems with it?
    They can use more characters for names. Nice to have unique names.
    It's a great feature for your server.

    Quote Originally Posted by cheaterastic View Post
    they are able to crash my server.
    Close your MatchServer port (default is TCP 6000). Now the server becomes very safe.

  7. #7
    wesman2232 (DRGunZ 2 Creator) | Joined Jan 2007 | Location: Erie, PA | 4,872 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Quote Originally Posted by ngskRabbit View Post
    Any problems with it?
    They can use more characters for names. Nice to have unique names.
    It's a great feature for your server.
    Maybe he wants his users to donate for a special name?

  8. #8
    sahar042 (Fuck Army.) | Joined Jul 2009 | 833 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Quote Originally Posted by cheaterastic View Post
    Thanks for the replies, guys, BUT.....

    That refers to the LOGIN screen, not to character making.
    And I have already activated that / applied it on my source T_T.....

    Yes. It is not injectable. My website cannot be SQL injected. It is on the Runnable. I've followed two of Hack/Cheat Color Name, and they said that it is about the Runnable: they are able to create with a Color Name, and it is about SQL injection to the Runnable.


    I know some expert here can help; please help with SQL injection on the Runnable.
    Or please, I want to clear up my mind whether there is a Hack/DLL that can be used on the Runnable / Gregon13's new release / Gunz 1.5. Any ANTI HACK?


    1 more thing, they are able to crash my server.
    You want to block it? You need to pay; no one is going to help you here for free.
    Get a developer like everyone.

  9. #9
    Ronny786 (Currently Stoned !) | Joined Dec 2011 | Location: Lost World | 984 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Instead of trying the above shit, you can block this ^ function in the source or simply block it in the database. -___-

  10. #10
    cheaterastic (Be a kicker than cheater.) | Joined Dec 2009 | 764 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    Quote Originally Posted by Ronny786 View Post
    Instead of trying the above shit, you can block this ^ function in the source or simply block it in the database. -___-
    Thanks for the idea, I will try studying Character Creation disallowing the ^ character.

    Quote Originally Posted by sahar042 View Post
    You want to block it? You need to pay; no one is going to help you here for free.
    Get a developer like everyone.
    Don't be mad, bro. This is a FORUM, you are a bad influence! Just shut up and do your job, go find people to pay you, money hungry.

  11. #11
    Solaire (Praise the Sun!) | Joined Dec 2007 | Location: Undead Burg | 2,862 posts

    Re: SQL Injection on Runnable (creating a ^ color name)

    MMatchServer::OnRequestCreateChar()

    // Reject any character name that contains the '^' colour-code prefix.
    if (strstr(szCharName, "^")) {
        return;
    }

    /thread
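
Added example (not part of the thread, and not code from the Gunz source): the single-character check from post #11 generalised into an allow-list validator for a name field taken from a client packet. `CheckCharName`, the length limits and the allowed alphabet are assumptions; the server's real limits are not given in the thread.

```cpp
#include <cstddef>
#include <cstring>

// Hypothetical limits; the real server's values are not shown in the thread.
static const size_t kMinCharName = 3;
static const size_t kMaxCharName = 12;

enum NameCheck { NAME_OK, NAME_TOO_SHORT, NAME_TOO_LONG, NAME_BAD_CHAR };

// Validate a character name received from a client.
// buf/bufLen describe the raw packet field; the name may lack a terminating
// NUL, so the length is measured with a bounded scan instead of strlen().
NameCheck CheckCharName(const char* buf, size_t bufLen)
{
    if (buf == nullptr || bufLen == 0)
        return NAME_TOO_SHORT;

    const void* nul = memchr(buf, '\0', bufLen);
    if (nul == nullptr)
        return NAME_TOO_LONG;            // unterminated field: reject outright

    size_t len = static_cast<size_t>(static_cast<const char*>(nul) - buf);
    if (len < kMinCharName) return NAME_TOO_SHORT;
    if (len > kMaxCharName) return NAME_TOO_LONG;

    // Allow-list: ASCII letters, digits and underscore only (assumed alphabet).
    // This rejects '^' colour codes as well as quotes, semicolons, control
    // bytes and anything else not explicitly permitted.
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = static_cast<unsigned char>(buf[i]);
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return NAME_BAD_CHAR;
    }
    return NAME_OK;
}
```

A check of this kind belongs in the server's character-creation handler, so the name is rejected regardless of what the client enforces. The accepted name should still reach the database as a bound parameter rather than by string concatenation.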


