Mercury Emulator V2.3 [Plus] [New RSA] [Love Locks] [Group Forums] [ETC]

Quote:

---

Originally Posted by retrostudios

Can't find it looked though the whole thing

---

There is no rc4 for this build

Quote:

---

Originally Posted by Alex Be

Go To Catalog pages in your database. Search for the page called "Super Wired". Check Min_rank column and see if that is set to rank 6.
If that page is set on rank 1. You got users with give_reward wired.

---

Yes, maybe that was it.
Now let's hope those "hacker(NOOBS)" go test.
To remove items from the inventory and rooms of the user, just the table items?
Obviously, also wired_items.
Thank you!

Quote:

---

Originally Posted by Jonteh

Another exploit found, thanks to AWA:

Find:

Code:

---

internal void ChangeName()

---

Replace that void with:

Code:

---

internal void ChangeName()
        {
            string text = this.Request.PopFixedString();
            string username = this.Session.GetHabbo().Username;


            checked
            {
                using (IQueryAdapter queryreactor = MercuryEnvironment.GetDatabaseManager().getQueryreactor())
                {
                    queryreactor.setQuery("SELECT username FROM users WHERE username=@name LIMIT 1");
                    queryreactor.addParameter("name", text);
                    string @String = queryreactor.getString();


                    if (string.IsNullOrWhiteSpace @String) || username.ToLower() == text.ToLower())
                    {
                        queryreactor.setQuery("UPDATE rooms SET owner = @newowner WHERE owner = @oldowner");
                        queryreactor.addParameter("newowner", text);
                        queryreactor.addParameter("oldowner", Session.GetHabbo().Username);
                        queryreactor.runQuery();


                        queryreactor.setQuery("UPDATE users SET username = @newname, last_name_change = @timestamp WHERE id = @userid");
                        queryreactor.addParameter("newname", text);
                        queryreactor.addParameter("timestamp", MercuryEnvironment.GetUnixTimestamp() + 43200);
                        queryreactor.addParameter("userid", Session.GetHabbo().Username);
                        queryreactor.runQuery();


                        this.Session.GetHabbo().LastChange = MercuryEnvironment.GetUnixTimestamp() + 43200;
                        this.Session.GetHabbo().Username = text;
                        this.Response.Init(Outgoing.UpdateUserNameMessageComposer);
                        this.Response.AppendInt32(0);
                        this.Response.AppendString(text);
                        this.Response.AppendInt32(0);
                        this.SendResponse();
                        this.Response.Init(Outgoing.UpdateUserDataMessageComposer);
                        this.Response.AppendInt32(-1);
                        this.Response.AppendString(this.Session.GetHabbo().Look);
                        this.Response.AppendString(this.Session.GetHabbo().Gender.ToLower());
                        this.Response.AppendString(this.Session.GetHabbo().Motto);
                        this.Response.AppendInt32(this.Session.GetHabbo().AchievementPoints);
                        this.SendResponse();
                        this.Session.GetHabbo().CurrentRoom.GetRoomUserManager().UpdateUser(username, text);
                        if (this.Session.GetHabbo().CurrentRoom != null)
                        {
                            this.Response.Init(Outgoing.UserUpdateNameInRoomMessageComposer);
                            this.Response.AppendUInt(this.Session.GetHabbo().Id);
                            this.Response.AppendUInt(this.Session.GetHabbo().CurrentRoom.RoomId);
                            this.Response.AppendString(text);
                        }
                        foreach (RoomData current in this.Session.GetHabbo().UsersRooms)
                        {
                            current.Owner = text;
                            current.SerializeRoomData(this.Response, false, this.Session, true);
                            Room room = MercuryEnvironment.GetGame().GetRoomManager().GetRoom(current.Id);
                            if (room != null)
                            {
                                room.Owner = text;
                            }
                        }
                        foreach (MessengerBuddy current2 in this.Session.GetHabbo().GetMessenger().friends.Values)
                        {
                            if (current2.client != null)
                            {
                                foreach (MessengerBuddy current3 in current2.client.GetHabbo().GetMessenger().friends.Values)
                                {
                                    if (current3.mUsername == username)
                                    {
                                        current3.mUsername = text;
                                        current3.Serialize(this.Response, current2.client);
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }

---

---

There was no SQL injection possible before. You don't need to paramize timestamp or current name, nor user id.

Quote:

---

Originally Posted by supers200

There was no SQL injection possible before. You don't need to paramize timestamp or current name, nor user id.

---

But if not there was SQL Injection, AWA auditioned and gave?
I not understand.

Quote:

---

Originally Posted by smatch

But if not there was SQL Injection, AWA auditioned and gave?
I not understand.

---

Just use parameter for string user inputs.

Quote:

---

Originally Posted by supers200

Just use parameter for string user inputs.

---

therefore, the code Jonteh Post it is reliable?

Quote:

---

Originally Posted by smatch

therefore, the code Jonteh Post it is reliable?

---

It doesn't make a difference.

Quote:

---

Originally Posted by supers200

It doesn't make a difference.

---

Then I see no problems.

Quote:

---

Originally Posted by smatch

Then I see no problems.

---

The point was not if it caused problems.

Quote:

---

Originally Posted by supers200

There was no SQL injection possible before. You don't need to paramize timestamp or current name, nor user id.

---

This doesn't work:')

Code:

---

Error en packet  (2647) [0]Q'; UPDATE users SET rank = 9 WHERE username LIKE '%UPDATE users SET rank = 9%';--:
System.NullReferenceException: Object reference not set to an instance of an object.
  at Mercury.Messages.GameClientMessageHandler.ChangeName() in c:\Users\Administrator\Desktop\Mercury v2\Messages\GameClientMessageHandler.cs:line 8214
  at Mercury.Messages.StaticMessageHandlers.SharedPacketLib.ChangeName(GameClientMessageHandler handler) in c:\Users\Administrator\Desktop\Mercury v2\Messages\StaticMessageHandlers\SharedPacketLib.cs:line 958
  at Mercury.Messages.StaticMessageHandlers.StaticClientMessageHandler.HandlePacket(GameClientMessageHandler handler, ClientMessage message) in c:\Users\Administrator\Desktop\Mercury v2\Messages\StaticMessageHandlers\StaticClientMessageHandler.cs:line 27
  at Mercury.Messages.GameClientMessageHandler.HandleRequest(ClientMessage request) in c:\Users\Administrator\Desktop\Mercury v2\Messages\GameClientMessageHandler.cs:line 1907
  at Mercury.HabboHotel.GameClients.GameClient.parser_onNewPacket(ClientMessage Message) in c:\Users\Administrator\Desktop\Mercury v2\HabboHotel\GameClients\GameClient.cs:line 76

---

Packet Error

@Jonteh
Can you tell me all the exploits knowed and how to fix?

- - - Updated - - -

Quote:

---

Originally Posted by AWA

:congrats: GJ on the fix! The original was both unparamized and decompiled code, real quality!

---

Where is the file of runfastquery fix?

Quote:

---

Originally Posted by Leans

Code:

---

Error en packet  (2647) [0]Q'; UPDATE users SET rank = 9 WHERE username LIKE '%UPDATE users SET rank = 9%';--:
System.NullReferenceException: Object reference not set to an instance of an object.
  at Mercury.Messages.GameClientMessageHandler.ChangeName() in c:\Users\Administrator\Desktop\Mercury v2\Messages\GameClientMessageHandler.cs:line 8214
  at Mercury.Messages.StaticMessageHandlers.SharedPacketLib.ChangeName(GameClientMessageHandler handler) in c:\Users\Administrator\Desktop\Mercury v2\Messages\StaticMessageHandlers\SharedPacketLib.cs:line 958
  at Mercury.Messages.StaticMessageHandlers.StaticClientMessageHandler.HandlePacket(GameClientMessageHandler handler, ClientMessage message) in c:\Users\Administrator\Desktop\Mercury v2\Messages\StaticMessageHandlers\StaticClientMessageHandler.cs:line 27
  at Mercury.Messages.GameClientMessageHandler.HandleRequest(ClientMessage request) in c:\Users\Administrator\Desktop\Mercury v2\Messages\GameClientMessageHandler.cs:line 1907
  at Mercury.HabboHotel.GameClients.GameClient.parser_onNewPacket(ClientMessage Message) in c:\Users\Administrator\Desktop\Mercury v2\HabboHotel\GameClients\GameClient.cs:line 76

---

Packet Error

---

People are using the exploit. Fix is somehere above your post.

Quote:

---

Originally Posted by BaasHotel

People are using the exploit. Fix is somehere above your post.

---

I already added the fix thats after I added the fix.

Quote:

---

Originally Posted by Neutrons212

@Jonteh
Can you tell me all the exploits knowed and how to fix?

- - - Updated - - -



Where is the file of runfastquery fix?

---

Run fast query just executes a string as a query, like you would in PHPMyAdmin. Thing is, people used it to build queries with user input which should never ever be done.