Yes, even without knowing the password or login, the guy managed to send and edit items.
I don't have a website and the SQL port is filtered for local access only.
How is this possible?
Hacking SQL with Server IP Only?
Yes, even without knowing the password or login, the guy managed to send and edit items.
I don't have a website and the SQL port is filtered for local access only.
How is this possible?
That what you saying is impossible. Did you checked the sent mail table and cash item history?Originally Posted by RoozeV
Yes, even without knowing the password or login, the guy managed to send and edit items.
I don't have a website and the SQL port is filtered for local access only.
How is this possible?
Yes I checked the history, and that's not it. He showed me that he can create characters too (within accounts I created), so I assume he can execute SQL commands.
I spoke to him on discord and he told me he can do this if port 38180 or 38181 (I can't remember for sure which one) is open. I closed those ports on the firewall and asked him to try again, and apparently he couldn't. But I don't know if I can trust him.
There's no way to be brute force because my login and password are about 10 characters long, including special symbols, and my SQL port is not the default. Also, I changed the password and he got it quickly.
It also showed me that it can crash channels, but I used that thread and blocked some packets like ''e2b70e0000000000..'' and apparently fixed it.
Last edited by RoozeV; 13-06-22 at 09:56 PM.
Why would you keep GlobalDBAgent port open?????
There is a reason why only these ports suppose to be open:
- 80 - HTTP
- 443 - HTTPS
- 1433 - Database
- 38101 - LoginSvr
- 38121 - Chatnode
- 38151 - AgentShop
- 38111 - 38116 - Channels*
- 38126 - War [170-190]*
Yeah, I didn't think something like that was possible... not on this level. :P
There are tools out there, since EP2 times, that are extremely damaging if you leave specific ports open, so that's the reason why the only minimal amount is needed to be public, everything else is communicating behind firewall.
Also if you have to open Port 22 and 1433 than IP filter and if you want better protection than certification authentication is recommended.
sql procedure
SQL Injection can be done in your client.
It's crazy that we can do stuff like this. I always wanted to learn how to hack, but it takes too much time to learn everything, and I got bored after a while. That might be just me being lazy, but it wasn't for me. Still, I needed a hacker's services a few times, and you can find people who offer hacking services for hire online.
This makes everything much easier because I don't have to do it myself. You might worry about security when hiring a hacker. Still, if you hire them from the right place, like Nobelium hackers, you won't have problems like that.
Last edited by JemmyBrihm; 21-08-22 at 02:37 PM.
it is possible. they do it via dbagent.ini and sql injection! you can give out any item!
Reply With Quote