Butterstorm Danger (Alert)

[Jose Carlos]

It was discovered a flaw in SQL Injection and butterstrom that possible to use sql commands within the Client.
It works like this:
And one must type the command sql injection option in the browser look of the room!
Immediately following type the following command: >>> owner:'; DROP TABLE users; <<




result :


The Reason I are releasing the code here and for some programmer correct the problem.
The code works on butterstrom (based)!



By: Josecsm (Team Ejogoo) [url=http://www.ejogoo.com]Ejogoo - Hotel - Fa

[MentaL]

[LulzAllDay]

Nice find! Just tested it for myself and (unfortunately) it worked.

[Jose Carlos]

Yes, now and just wait a programmer post the fix here.

[Wbeu]

Can you explain it an little better?

[Jose Carlos]

Possible And delete the database inside the game with commands sql injection.
the images explains how it works.

[Wbeu]

did try it on swift @ my own hotel and it's not working :p

[Gaby]

A fix for this has already been released.

[Jose Carlos]

2 posted the fix does not work.
Still possible and owna with him.
it only filters the words typed in the chat but the bug is in the browser on the "SEARCH"

[Gaby]

2 posted the fix does not work.
Still possible and owna with him.
it only filters the words typed in the chat but the bug is in the browser on the "SEARCH"

I know, it never fixed it completely. However, you can use parameters to get rid of the exploit. If you have edited your emu and used the released fix, do this:
Go to

PHP Code:

if (SearchQuery.StartsWith("owner:")) 


And change it to:

PHP Code:

if (SearchQuery.StartsWith("owner:"))                    
{                        
adapter.setQuery("SELECT * FROM rooms WHERE owner LIKE @owner ORDER BY id DESC LIMIT 50");       } 


Then go to:

PHP Code:

adapter.addParameter("query", ProtectedSearch); 


And add this under there:

PHP Code:

adapter.addParameter("owner", ProtectedSearch.Replace("owner:", "")); 


[Jose Carlos]

thank you

[AKllX]

There are fixes for that in this thread http://forum.ragezone.com/f353/swift...d-01-a-947652/

You should consider updating your server to Swift too if you are using any other BCStorm. You won't need to wipe your database, just to run some few querys which are all provided in my release thread. It's better than BCStorm, at least lol.

Anyway

@Navigator.cs

Code:

internal ServerMessage SerializeSearchResults(string SearchQuery)        {
            DataTable table = new DataTable();
            using (IQueryAdapter adapter = ButterflyEnvironment.GetDatabaseManager().getQueryreactor())
            {
                if (SearchQuery.Length > 0)
                {
                    if (SearchQuery.StartsWith("owner:"))
                    {
                        adapter.setQuery("SELECT * FROM rooms WHERE owner LIKE @name ORDER BY id DESC LIMIT 50");
                        adapter.addParameter("name",SearchQuery.Replace("owner:", ""));
                    }
                    else if (adapter.dbType == DatabaseType.MySQL)
                    {
                        adapter.setQuery("SELECT rooms.*, room_active.active_users FROM rooms LEFT JOIN room_active ON (room_active.roomid = rooms.id) WHERE owner = @query AND roomtype = 'private' UNION ALL SELECT rooms.*, room_active.active_users FROM rooms LEFT JOIN room_active ON (room_active.roomid = rooms.id) WHERE caption = @query AND roomtype = 'private' ORDER BY active_users DESC LIMIT 50");
                    }
                    else
                    {
                        adapter.setQuery("SELECT TOP 50 rooms.*, room_active.active_users FROM rooms LEFT JOIN room_active ON (room_active.roomid = rooms.id) WHERE owner = @query AND roomtype = 'private' UNION ALL SELECT rooms.*, room_active.active_users FROM rooms LEFT JOIN room_active ON (room_active.roomid = rooms.id) WHERE caption = @query AND roomtype = 'private' ORDER BY active_users DESC");
                    }


                    adapter.addParameter("query", SearchQuery);
                    table = adapter.getTable();
                }
            }
            List<RoomData> list = new List<RoomData>();
            if (table != null)
            {
                foreach (DataRow row in table.Rows)
                {
                    RoomData item = ButterflyEnvironment.GetGame().GetRoomManager().FetchRoomData(Convert.ToUInt32(row["id"]), row);
                    list.Add(item);
                }
            }
            ServerMessage message = new ServerMessage(Outgoing.NavigatorPacket);
            message.AppendInt32(8);
            message.AppendString(SearchQuery);
            message.AppendInt32(list.Count);
            foreach (RoomData data2 in list)
            {
                data2.Serialize(message, false);
            }
            message.AppendBoolean(false);
            return message;
        }

Imma playing ejogoo right now btw, it looks like you got phoenix

[Jose Carlos]

Could you pass me that the tables missing for me to change BCStorm Swift would be grateful if you send me the SQL.

Yes I switched emulator because my hotel was invaded.
Now that has the fix I'll back again.

[AKllX]

Ok

Spoiler:

DROP TABLE IF EXISTS `user_relationships`;
CREATE TABLE `user_relationships` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`requester_id` int(10) unsigned NOT NULL,
`target_id` int(10) unsigned NOT NULL,
`relationshipstatus` int(1) NOT NULL DEFAULT '0',
PRIMARY KEY (`id`),
KEY `requester_id` (`requester_id`) USING BTREE,
KEY `target_id` (`target_id`) USING BTREE,
KEY `rstatus` (`relationshipstatus`) USING BTREE
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;


DROP TABLE IF EXISTS `user_bots`;
CREATE TABLE `user_bots` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`room_id` int(10) unsigned NOT NULL DEFAULT '0',
`ai_type` enum('generic','guide','pet') NOT NULL DEFAULT 'generic',
`name` varchar(100) NOT NULL,
`motto` varchar(120) NOT NULL,
`look` text NOT NULL,
`x` int(11) NOT NULL DEFAULT '0',
`y` int(11) NOT NULL DEFAULT '0',
`z` int(11) NOT NULL DEFAULT '0',
`rotation` int(11) NOT NULL DEFAULT '0',
`walk_mode` enum('stand','freeroam','specified_range') NOT NULL DEFAULT 'stand',
`min_x` int(11) NOT NULL DEFAULT '0',
`min_y` int(11) NOT NULL DEFAULT '0',
`max_x` int(11) NOT NULL DEFAULT '0',
`max_y` int(11) NOT NULL DEFAULT '0',
`user_id` int(11) NOT NULL DEFAULT '0',
`template_id` int(11) NOT NULL DEFAULT '0',
`automatic_chat` enum('false','true') NOT NULL DEFAULT 'false',
`speaking_interval` int(11) NOT NULL DEFAULT '7',
PRIMARY KEY (`id`),
KEY `room_id` (`room_id`) USING BTREE
) ENGINE=MyISAM AUTO_INCREMENT=11 DEFAULT CHARSET=latin1;


ALTER TABLE catalog_items_copy ADD badge VARCHAR(20) NOT NULL DEFAULT '';INSERT INTO catalog_pages VALUES ('1060', '9999', 'Rewards', '3', '983', '1', '1', '1', '0', '0', '2', 'recycler_prizes', 'catalog_header_furnimatic', '', '', '', '', '', '', '', '', '', '0', '', '');


DROP TABLE IF EXISTS `user_gifts`;
CREATE TABLE `user_gifts` (
`gift_id` int(10) NOT NULL AUTO_INCREMENT,
`page_id` int(10) unsigned NOT NULL DEFAULT '5',
`item_id` mediumint(10) NOT NULL,
`extradata` varchar(50) NOT NULL DEFAULT '',
`target_name` varchar(50) NOT NULL,
`message` varchar(115) NOT NULL DEFAULT '',
`ribbon` tinyint(1) NOT NULL DEFAULT '0',
`color` tinyint(1) NOT NULL DEFAULT '0',
`gift_sprite` int(10) NOT NULL,
`show_sender` tinyint(4) NOT NULL DEFAULT '1',
`rare_id` int(10) NOT NULL DEFAULT '0',
`inventory_id` int(10) NOT NULL DEFAULT '0',
PRIMARY KEY (`gift_id`)
) ENGINE=MyISAM AUTO_INCREMENT=48 DEFAULT CHARSET=latin1;

[Jose Carlos]

Could someone pass me the Swift Emu with all fix with this problem!

[Bloodraven]

Then patch it, a patch for this was released ages ago. And this isn't the only exploit I have found.