Blasts, Injections, and how to stop them

  1. #1
    themad (Account Upgraded | Title Enabled!)
    Join Date: Dec 2004
    Location: Bulgaria
    Posts: 1,018

    Blasts, Injections, and how to stop them

    CzF explanation: Simple but effective Server Security
    1. Blasts - server files manipulations
      The muserver files are quite good, but some of them do not have a good security level.
      • Dataservers
        The dataservers are used to connect the ODBC data source to the GameServer, but there are no IP limitations, and basically an unlimited (untouched) dataserver can be connected to by any other host pretending to be a persistent gameserver. This may cause the item and stats blasts you all know about, and other server manipulations.
        Solution: install a firewall or port blocker and stop the incoming/outgoing traffic from the dataservers (allow it only for the host on the remote server, IF working remotely).
      • MSSQL Server 2000
        The server is used to store all your server's online info. It connects to the ODBC. However, there are some exploits, hacks, and hijacking applications to break MSSQL's security (google it).
        Solution: same as for the dataserver... allow traffic only for a specific host: your remote mueditor or dataserver, or just a machine you want to have access to the server.
    2. Web code manipulations
      • SQL injections in PHP
        How does it work?
        Let's suppose we have a page containing the server's registration form, with this code:
        PHP Code:
        <?php
        mssql_connect(..);
        mssql_select_db(..);
        $account = $_POST['acc']; // account field
        $password = $_POST['pass']; // password field
        // other vars bla bla..
        // Now here is the base query
        // First we check if this acc exists
        $query = mssql_query("select count(*) from [memb_info] where [memb___id]='$account'"); // This is where the "hacker" (lame kiddie) will hit you
        // other code does not matter
        ?>
        Let's change $account to
        '; shutdown; --
        and the code becomes
        PHP Code:
        <?php
        mssql_connect(..);
        mssql_select_db(..);
        $account = $_POST['acc']; // account field
        $password = $_POST['pass']; // password field
        // other vars bla bla..
        // Now here is the base query
        // First we check if this acc exists
        $query = mssql_query("select count(*) from [memb_info] where [memb___id]=''; shutdown; --'"); // This is where the "hacker" (lame kiddie) will hit you
        // other code does not matter
        ?>
        Breaking down '; shutdown; --

        ' - ends the definition of the acc name
        ; - ends the current query line
        shutdown - our new query (shuts down the MSSQL server)
        ; -- - completes our new query (in case there is further code after the memb___id bit)

        This way anyone can inject whatever query he likes into your database. Really easy.
        Most people think that by limiting their fields to maxlength=10 they will avoid anything - nah, totally wrong... the only thing that our NEWB hacker must do is create the same form in his own HTML file and remove the maxlength... and KABOOOM.. you get fucked up again

        Solution: a way to avoid this w/o disabling any symbols?
        PHP Code:
        <?php
        mssql_connect(..);
        mssql_select_db(..);
        $account = addslashes($_POST['acc']); // account field
        $password = addslashes($_POST['pass']); // password field
        // other vars bla bla..
        // Now here is the base query
        // First we check if this acc exists
        $query = mssql_query("select count(*) from [memb_info] where [memb___id]='$account'"); // This is where the "hacker" (lame kiddie) will hit you
        // other code does not matter
        ?>
        Effective and easy.

        Injections can be done through $_POST, $_GET, $_REQUEST, $_COOKIE or any value that the user has access to, so I suggest you apply addslashes() to all of them (addslashes changes ' to \' and " to \" - this way the user cannot end your current query)
      • XSS web vulnerability
        What is XSS? - Cross Style Sheeting
        Usable for: stealing user passwords (cookie or session issues)
        Ends an HTML code and may execute a JS on the client side (retrieving cookies)
        PHP solution: htmlspecialchars() on every variable that is entered by the user and DISPLAYED in the server page
    Basically that's most of the stuff you need to do to stay alive .... :)
    But NOTHING online is secured enough, you know ^^

    Credits: [CzF] Savoy
    Last edited by themad; 21-11-06 at 05:39 PM.
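
Added example, not part of the original post: addslashes() escapes a quote with a backslash, but MSSQL ends a string literal at the next single quote unless that quote is doubled (''), so the backslash does not keep the value inside the literal. The script compares the guide's query with a parameterized one; as assumptions, an in-memory SQLite database (via PDO) stands in for MSSQL because it follows the same quoting rule, and the rows and function names are constructed for illustration.

```php
<?php
// Added example. SQLite (in-memory, via PDO) stands in for MSSQL here: both
// escape a quote inside a string literal by doubling it (''), and neither
// treats a backslash as an escape character.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE memb_info (memb___id TEXT PRIMARY KEY)");
$db->exec("INSERT INTO memb_info VALUES ('alice'), ('bob'), ('carol')"); // constructed rows

// The guide's approach: addslashes() plus string interpolation.
function countWithAddslashes(PDO $db, string $account): int
{
    $escaped = addslashes($account);
    $sql = "SELECT COUNT(*) FROM memb_info WHERE memb___id = '$escaped'";
    return (int) $db->query($sql)->fetchColumn();
}

// Parameterized form: the value is bound as data and never parsed as SQL.
function countWithPlaceholder(PDO $db, string $account): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM memb_info WHERE memb___id = ?");
    $stmt->execute([$account]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: an existing account, a missing one, and a quote-breaking value.
$inputs = ["alice", "nobody", "' OR 1=1 --"];
foreach ($inputs as $in) {
    printf("%-14s addslashes=%d  placeholder=%d\n",
        $in, countWithAddslashes($db, $in), countWithPlaceholder($db, $in));
}
```

For the third input the addslashes() query counts every row in the table, while the placeholder query counts none.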


  2. #2
    heartagram (Mu Master)
    Join Date: Jul 2005
    Location: Lithuania
    Posts: 452
    nice

  3. #3
    didi3d (Member)
    Join Date: Aug 2004
    Location: Brasil
    Posts: 68
    hey themad i try to post in your post down but i can

  4. #4
    =Master= (Account Upgraded | Title Enabled!)
    Join Date: May 2006
    Location: <? here ?>
    Posts: 507
    I have tried with addslashes, and it is the same, the injection still works.
    I have tried with the SQL code: ' or 1=1; drop table Character; --
    And it successfully works to drop the table...

  5. #5
    digitalspy (Enthusiast)
    Join Date: Jul 2006
    Location: Israel
    Posts: 48
    really good post . tnx :)

  6. #6
    Boossik (/m\ q[0_o]p /m\)
    Join Date: Aug 2006
    Location: Lorencia
    Posts: 342
    $account = stripslashes($_POST['account']);
    $password = stripslashes($_POST['password']);

    stripslashes is ok?

  7. #7
    sobix (Proficient Member)
    Join Date: Dec 2004
    Location: Event Horizon
    Posts: 174
    Very nice guide ;)

  8. #8
    powerx (Novice)
    Join Date: Sep 2005
    Location: Romania
    Posts: 2
    Nice guide. Thanks

  9. #9
    razu3 (Member)
    Join Date: Oct 2005
    Location: Sega MuContinent
    Posts: 60
    When I hacked MU servers, I was using "my own form page" to post to their DBs, but you are now completely right, thx for this guide, you definitely helped someone out there, even me, so thx and keep it up.
    :)

  10. #10
    ceacovarulz (Novice)
    Join Date: Jan 2007
    Posts: 1
    how can i be sure?

  11. #11
    ca_ale_16 (Account Upgraded | Title Enabled!)
    Join Date: May 2006
    Location: MONTEVIDEO URUGUAY
    Posts: 835
    great guide... congrats

  12. #12
    pouli (Novice)
    Join Date: Mar 2007
    Posts: 1

    Re: [Guide] Blasts, Injections, and how to stop them

    gamw tn mana sas :@

  13. #13
    oleg35 (Elite Member O_o)
    Join Date: Jan 2007
    Location: nvm i'm Russian
    Posts: 403

    Re: [Guide] Blasts, Injections, and how to stop them

    Where do I need to put that code? :eek:

  14. #14
    stopa2005 (Apprentice)
    Join Date: Mar 2006
    Location: Paris , French
    Posts: 8

    Re: [Guide] Blasts, Injections, and how to stop them

    PHP Anti SQL Injection script:

    <?php
    $xa = getenv('REMOTE_ADDR'); // client address (not used below)
    $badwords = array(";","'","\"","*","union","del","DEL","insert","update","=","drop","sele","$","UPDATE","Resets","Dexterity","CLevel","TABLE","cLevel","Energy");

    // Stop the request if any POST value contains one of the listed words
    foreach ($_POST as $value) {
        foreach ($badwords as $word) {
            if (substr_count($value, $word) > 0) {
                die("SQL Injection Detected!");
            }
        }
    }
    ?>

    You can add values to the array, if needed...
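
Added example, not part of the post above: the same substring blocklist run over ordinary registration values, to show what it costs legitimate users. The filter also inspects only $_POST, while the guide in post #1 lists $_GET, $_REQUEST and $_COOKIE as input sources too. The function name and the sample field values are constructed for illustration.

```php
<?php
// Added example: the blocklist from the post above, wrapped in a function so
// it can be evaluated on sample values instead of ending the request with die().
const BADWORDS = [";", "'", "\"", "*", "union", "del", "DEL", "insert", "update",
    "=", "drop", "sele", '$', "UPDATE", "Resets", "Dexterity", "CLevel",
    "TABLE", "cLevel", "Energy"];

// Returns the first blocklist entry found in $value, or null if none matches.
function firstBlockedWord(string $value): ?string
{
    foreach (BADWORDS as $word) {
        if (substr_count($value, $word) > 0) {
            return $word;
        }
    }
    return null;
}

// Constructed registration fields that contain no SQL at all.
$legitimate = [
    'name'     => "Sean O'Brien",
    'email'    => 'selena.delgado@example.com',
    'password' => 'c0rrect$horse=battery',
    'guild'    => 'EnergyKnights',
];

foreach ($legitimate as $field => $value) {
    $hit = firstBlockedWord($value);
    printf("%-9s %-28s %s\n", $field, $value,
        $hit === null ? 'accepted' : "rejected (matched \"$hit\")");
}
```

A parameterized query accepts all four values unchanged, because bound values are never parsed as SQL.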


