
[INFORMATION] SQL Injection (ingame)

Initiate Mage
Joined
Aug 22, 2014
Messages
68
Reaction score
19
Hello Ragezone,
I just want to inform you that I discovered a new, very harmful exploit.
It is possible to execute a SQL injection through the Fortresswar Administrator NPC with the "About Guild" dialog.

example:
Code:
 test' shutdown--
This example will shut down the SQL server.

 
(⌐■_■)
Joined
Feb 2, 2012
Messages
681
Reaction score
102
Sounds like "welcome to hell" for the community, lmao.
 
Joined
Jul 18, 2007
Messages
1,054
Reaction score
1,039
Easy to patch: open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything runs properly.

You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.
 
Initiate Mage
Joined
Aug 22, 2014
Messages
68
Reaction score
19
Easy to patch: open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything runs properly.

You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.

1st)
The gameserver sends an UPDATE statement to the SQL server, which means there isn't anything to modify.

2nd)
Even if it were a procedure it wouldn't work; let me show you why. I use the _ADD_NEW_ITEM procedure as an example (red = static by server / green = input by user).

Normal:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'

Injection:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE' UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'

Injection (added formatting to make it clearer):
EXEC _ADD_NEW_ITEM 'Syloxx', '
ITEM_CH_TBLADE_01_C_RARE'
UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--
'

As you see, the server executed the procedure with a valid string and then executes an UPDATE statement right after the procedure has run.

It is impossible to fix an SQL injection inside the SQL server; you have to fix the application or use a workaround (a packet filter, for example).

-Syloxx
 
Last edited:
Skilled Illusionist
Joined
May 4, 2014
Messages
307
Reaction score
30
Syloxx
I do believe you are a moron, because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then it runs the query with the data inside the SQL server.
 
Initiate Mage
Joined
Aug 22, 2014
Messages
68
Reaction score
19
Syloxx
I do believe you are a moron, because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then it runs the query with the data inside the SQL server.
@UniverseGaming, looks like you are the moron...

You close the string, give all required parameters and add your query to it.

I will write an example procedure with 3 parameters (string1 is set by the player through the message box, and int1 and int2 are set by the server, e.g. CharID and ItemID).

Try to understand what the GameServer sends to the SQL Server and what the SQL Server executes.

In the solution spoiler you find the whole command with T-SQL highlighting for better understanding. Please try to solve it yourself first.

example call:
exec _Procedure 'string1', int1, int2 (string1 = your input)

input:
string1', int1, int2; DROP DATABASE();--

SOLUTION:
Code:
exec _Procedure 'string1', int1, int2; DROP DATABASE();--', int1, int2
 
Last edited:
Joined
Jul 18, 2007
Messages
1,054
Reaction score
1,039
Oh dear...

1) Relationship design.
2) Tables design.
3) Stored procedure design.

Work on those 3 and you will never see SQL injection in your life again.

Everything you wrote can be stopped by properly re-writing the procedure, or altering the table from varchar(255)/varchar(max) to varchar(20/30), for example, and the game server should work fine. If not (since I haven't touched sro in years), you can basically just modify the stored procedure.

By your logic, I should be able to inject every single game made in life because there is no way to stop SQL injection, right?


anyways -> ;

Have a great day :)
 
Initiate Mage
Joined
Aug 22, 2014
Messages
68
Reaction score
19
Oh dear...

1) Relationship design.
2) Tables design.
3) Stored procedure design.

Work on those 3 and you will never see SQL injection in your life again.

Everything you wrote can be stopped by properly re-writing the procedure, or altering the table from varchar(255)/varchar(max) to varchar(20/30), for example, and the game server should work fine. If not (since I haven't touched sro in years), you can basically just modify the stored procedure.

By your logic, I should be able to inject every single game made in life because there is no way to stop SQL injection, right?


anyways -> ;

Have a great day :)

varchar limit:
xxx'; DROP DATABASE() --varchar(3) is enough

About stored procedure injection:
I didn't read the blog, but I am pretty sure all he talks about is that queries INSIDE the procedure can't be used for SQL injection (the call itself can).

About the "every game would be vulnerable":
No, the job of the application that sends the call command is to filter the stuff (remove the ' or escape it, etc.).



As you see, the SQL procedure isn't invalid; all you do is add an additional query to that call.
 
Last edited:
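Added example (not code from the thread, the game server or any project it names): a Python model of the point made in Syloxx's posts above, that the quote in the input closes the literal and the fix belongs in the application that builds the EXEC call, not in the procedure or the column length. The procedure name `_Procedure` and the payloads are taken from the thread; the two builder functions and the simplified statement splitter are constructed here.

```python
# Model how a game server turns player input into the T-SQL batch it sends,
# and count how many statements the SQL server would actually run.
# `_Procedure`, string1/int1/int2 and the payloads come from the thread; the
# builders and the splitter are constructed for this example.


def build_concat(string1: str, int1: int, int2: int) -> str:
    """Vulnerable: raw input is pasted into the batch (what the thread describes)."""
    return f"exec _Procedure '{string1}', {int1}, {int2}"


def build_escaped(string1: str, int1: int, int2: int) -> str:
    """Defensive: double every single quote (T-SQL's literal quoting rule) so a
    quote in the input can never close the string; ints are coerced, not pasted."""
    safe = string1.replace("'", "''")
    return f"exec _Procedure '{safe}', {int(int1)}, {int(int2)}"


def split_statements(batch: str) -> list:
    """Split a T-SQL batch on ';' outside string literals and stop at a '--' comment.
    Simplified tokenizer (no block comments, no brackets): enough to see how many
    statements reach the server."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(batch):
        c = batch[i]
        if in_str:
            if c == "'":
                if batch[i + 1:i + 2] == "'":      # '' inside a literal is one quote
                    cur.append("''"); i += 2; continue
                in_str = False
            cur.append(c)
        elif c == "'":
            in_str = True; cur.append(c)
        elif batch.startswith("--", i):
            break                                  # rest of the line is a comment
        elif c == ";":
            if "".join(cur).strip():
                stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        stmts.append("".join(cur).strip())
    return stmts


PAYLOAD = "string1', int1, int2; DROP DATABASE();--"   # payload quoted from the thread
SHORT = "xxx'; DROP DATABASE() --"                      # fits a short varchar, still two statements
print(len(split_statements(build_concat(PAYLOAD, 7, 42))))   # 2
print(len(split_statements(build_concat(SHORT, 7, 42))))     # 2: column length is no defence
print(len(split_statements(build_escaped(PAYLOAD, 7, 42))))  # 1: payload stays inside the literal
```

In a real server the preferable fix is the driver's parameter binding (placeholders bound to values) rather than hand escaping; the escaping here only shows that the unescaped quote is what lets the second statement in.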