This will be the 100% fix [If it's going to be public :D]

Code: Writing a GunZ emulator in C++
Yes, I looked through the ASM code and found that there are 2 functions in the MatchServer where a query goes through. Now in the stored procedure the variables mostly are declared as varchar(24), which isn't enough to do an UPDATE Account SET UGradeID = '255' query. Now the roomname for the InsertGameLog is declared as varchar(64) (at least somewhere in 60), so it has plenty of space to do a huge SQL injection. My hook (in C++, reversed the ASM back to C++, then did a CDetour on it) checks for UPDATE, DELETE, DROP TABLE, and such things. If it detects something like that in one of the functions, it doesn't execute the query.
Hehe, lol. Ijji can be injected in the same way, IF you are using an emulator.
I'm glad I logged the queries for a while, otherwise I wouldn't have found out the GameLog query.
If even ijji has it...
Another reason emulators will have a fighting chance on combating some of the hacking issues match server wise.
Mostly that's SQL injection, since everyone making a Private server these days is just using shared or leaked websites, but if you write your own Installation / Ranking scripts and Anti-Inject them, it would be even harder to SQL inject them.
Plus, there's nothing such as a "Perfect MatchServer". GunZ Servers will always be hacked, it always comes to the antihack to detect if there's something wrong in the game or not, and ban/kick the hackers.
Ye lol'd first of all mssql injection mostly goes through the Register page.
if not they will Nmap their current SQL info.. Then use mssql_preauth2000 exploit to Password dump and add Administrators accounts!
I'm not going to say anything more..
By the way in this matchserver.exe they have holes in their protection, good luck though!
And if ur wanna be safe:
- ODBC connected Register pages.
- Anti MSSQL in ur website & server.
- Try to hide ur current Proxy, cause they use it to Nmap and Detect ur SQL info.
- Make daily backups since they could attack every time..
- Delete unnecessary DBO tables like:
  dbo.AccountItem, dbo.AccountPenaltyPeriod, dbo.BringAccountItemLog,
  dbo.CashItemPresentLog, dbo.ItemPurchaseLogByCash and dbo.SetItemPurchaseLogByCash
Originally Posted by Chanel:
> Ye lol'd first of all mssql injection mostly goes through the Register page.
> if not they will Nmap their current SQL info.. Then use mssql_preauth2000 exploit to Password dump and add Administrators accounts!
Nmap isn't a verb, don't use it as one. And, the odds of anyone running MSSQL 2000 are zero to none.
Okay, using a proxy isn't the solution you would look for - the solution is disabling remote MSSQL access, and keeping all registration scripts handled through a local network, or directly on the server itself.
Deleting unnecessary tables is not a solution - and preventing the use of MSSQL on the website isn't a solution either. The solution is to escape back slashes, single quotes, and double quotes. When needed, escape HTML entities, such as tags.
The anti-cheat is NOT the solution to protect a server from, say, overflow attacks. Server-sided patches are the solution, and running matchserver as a limited/jailed account, with as minimal privileges as possible, is the solution to not being rooted. Hashing/salting valuable data such as passwords is the solution to cut down on loss if arbitrary access is gained through matchserver.
The lack of sanitization is NOT handled by the client - client-sided verification is the leading cause behind many vulnerabilities in various projects (e.g.: IJJI's security question bug, varying XSS faults, PeanutLab's G Coin completion-check vulnerability, etc).
Anyways, all you need to do now is create a proxy script to intercept queries coming from the matchserver, escape all backslashes/quotes, and pass on the data. Or even an MSSQL plugin would do.
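Added example (not code from the thread or from any GunZ emulator): a small Python model of the two defences discussed above, the keyword filter from the first post's match-server hook and the escaping / parameterized-query approach from the reply. The Account and GameLog tables, the column width, and the sample room names are constructed stand-ins taken from what the thread mentions; SQLite is used only because it shares T-SQL's rule of doubling single quotes, so the escaped statement can actually be executed offline.

```python
import re
import sqlite3

# Column width quoted in the thread for the InsertGameLog room name.
ROOMNAME_MAX_LEN = 64

# Statement keywords in the spirit of the hook described in the thread
# (UPDATE, DELETE, DROP TABLE "and such things"); the set is extended a
# little here and also catches SQL comment markers.
_KEYWORD_RE = re.compile(
    r"\b(UPDATE|DELETE|DROP|INSERT|ALTER|TRUNCATE|EXEC)\b|--|/\*",
    re.IGNORECASE,
)


def looks_like_injection(param: str) -> bool:
    """Keyword filter over a query parameter. A last line of defence only:
    it blocks the obvious shapes and false-positives on any room name that
    merely contains one of the words."""
    return _KEYWORD_RE.search(param) is not None


def escape_tsql_literal(value: str) -> str:
    """Escape a value for embedding in a single-quoted T-SQL string literal.
    The only character that can close the literal is the single quote, and
    T-SQL escapes it by doubling it (SQLite follows the same rule)."""
    return value.replace("'", "''")


def make_demo_db() -> sqlite3.Connection:
    # Constructed stand-in for the Account / GameLog tables named in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Account (AID INTEGER PRIMARY KEY, UGradeID INTEGER)")
    conn.execute("CREATE TABLE GameLog (RoomName TEXT)")
    conn.execute("INSERT INTO Account VALUES (1, 0)")
    return conn


def _last_room(conn: sqlite3.Connection) -> str:
    row = conn.execute("SELECT RoomName FROM GameLog ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


def log_room_escaped(conn: sqlite3.Connection, roomname: str) -> str:
    """String-building path fixed the way the reply suggests: the value is
    escaped before it is spliced into the statement text."""
    if len(roomname) > ROOMNAME_MAX_LEN:
        raise ValueError("room name longer than varchar(64)")
    sql = "INSERT INTO GameLog (RoomName) VALUES ('%s')" % escape_tsql_literal(roomname)
    conn.execute(sql)
    return _last_room(conn)


def log_room_parameterized(conn: sqlite3.Connection, roomname: str) -> str:
    """Preferred path: the driver sends the value separately from the SQL
    text, so no character in it can change the statement."""
    if len(roomname) > ROOMNAME_MAX_LEN:
        raise ValueError("room name longer than varchar(64)")
    conn.execute("INSERT INTO GameLog (RoomName) VALUES (?)", (roomname,))
    return _last_room(conn)


def grade_of(conn: sqlite3.Connection, aid: int) -> int:
    return conn.execute("SELECT UGradeID FROM Account WHERE AID = ?", (aid,)).fetchone()[0]


# Constructed sample inputs: a harmless name with an apostrophe, and a name
# shaped like the UGradeID statement the first post says the column is too
# narrow to hold.
BENIGN_ROOM = "Bob's room"
HOSTILE_ROOM = "x'; UPDATE Account SET UGradeID = '255' --"

if __name__ == "__main__":
    db = make_demo_db()
    for name in (BENIGN_ROOM, HOSTILE_ROOM):
        print(repr(log_room_escaped(db, name)), repr(log_room_parameterized(db, name)))
    print("UGradeID still", grade_of(db, 1), "| flagged:", looks_like_injection(HOSTILE_ROOM))
```

Both paths store each room name verbatim and leave UGradeID untouched; the keyword check flags the hostile name and passes the benign one. The filter is useful for logging and alerting, but the parameterized call is the one that makes the column width irrelevant, which is why the emulator side should prefer it over inspecting strings.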
I am not one who can code ASM..
I can only work in the Runnable..., tell me what must be done in the runnable, and I will do it as soon as I get some time :S (Final Exams leaving school yaya + working in my father's University as a Computer Global engineer :P )
So, i am really ****in busy :D
#1000's Post xD