[INFORMATION] SQL Injection (ingame)
Hello Ragezone,
I just want to inform you that I discovered a new, very harmful exploit.
It is possible to execute a SQL injection through the Fortresswar Administrator NPC with the "About Guild" dialog.
Example: this example will shut down the SQL server.
Screenshot:
http://image.prntscr.com/image/ded84...ec5c327e5d.png
Re: [INFORMATION] SQL Injection (ingame)
Sounds like "welcome to hell" for the community lmao.
Re: [INFORMATION] SQL Injection (ingame)
Easy to patch - open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything is run properly.
You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.
Re: [INFORMATION] SQL Injection (ingame)
Quote: Originally Posted by Jangan
Easy to patch - open the related stored procedure and modify it to be SQL-injection proof. Then add checks and validators to make sure everything is run properly.
You could also just remove the NPC, but I do recommend that people learn how to counter SQL injections.
1st)
The game server sends an update statement to the SQL server, which means there isn't anything to modify.
2nd)
Even if it were a procedure it won't work; let me show you why. I use the _ADD_NEW_ITEM procedure as an example (red = static by server / green = input by user):
Normal:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'
Injection:
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE' UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'
Injection (added formatting to make it more clear):
EXEC _ADD_NEW_ITEM 'Syloxx', 'ITEM_CH_TBLADE_01_C_RARE'
UPDATE _Char SET RemainGold = 999999999999 WHERE CharName16 = 'Syloxx'--'
As you can see, the server executed the procedure with a valid string and executes an update statement right after the procedure got executed.
It is impossible to fix a SQL injection inside the SQL server; you have to fix the application or use a workaround (a packet filter, for example).
-Syloxx
Re: [INFORMATION] SQL Injection (ingame)
I do believe you are a moron because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then the query runs with the data inside the SQL server.
Re: [INFORMATION] SQL Injection (ingame)
Quote: Originally Posted by UniverseGaming
I do believe you are a moron because stored procedures don't accept queries, only params. So, for example, say inside the stored procedure you have a query that requires a username: the program or script would call exec storedprocname with the params it needs, and then the query runs with the data inside the SQL server.
@UniverseGaming looks like you are the moron...
You close the string, give all required parameters and add your query to it.
I will write an example procedure with 3 parameters (string1 is set by the player through the message box, and int1 and int2 are set by the server, e.g. CharID and ItemID).
Try to understand what the GameServer sends to the SQL Server and what the SQL Server executes.
In the solution spoiler you find the whole command with T-SQL highlights for better understanding. Please try to solve it by yourself first.
example call:
exec _Procedure 'string1', int1, int2 (string1 = your input)
input:
string1', int1, int2; DROP DATABASE();--
SOLUTION:
Re: [INFORMATION] SQL Injection (ingame)
Oh dear...
1) Relationship design.
2) Tables design.
3) Stored procedure design.
Work on those 3 and you will never see SQL injection in your life again.
Everything you wrote can be stopped by properly re-writing the procedure, or altering the table from varchar(255)/varchar(max) to varchar(20/30) for example, and the game server should work fine. If not (since I haven't touched SRO in years), you can basically just modify the stored procedure.
By your logic, I should be able to inject every single game ever made because there is no way to stop SQL injection, right?
Anyways -> Are stored procedures safe against SQL injection? - Paladion Networks ; How to prevent SQL Injection in Stored Procedures - CodeProject
Have a great day :)
Re: [INFORMATION] SQL Injection (ingame)
Quote: Originally Posted by Jangan
Oh dear...
1) Relationship design.
2) Tables design.
3) Stored procedure design.
Work on those 3 and you will never see SQL injection in your life again.
Everything you wrote can be stopped by properly re-writing the procedure, or altering the table from varchar(255)/varchar(max) to varchar(20/30) for example, and the game server should work fine. If not (since I haven't touched SRO in years), you can basically just modify the stored procedure.
By your logic, I should be able to inject every single game ever made because there is no way to stop SQL injection, right?
Anyways ->
Are stored procedures safe against SQL injection? - Paladion Networks ;
How to prevent SQL Injection in Stored Procedures - CodeProject
Have a great day :)
varchar limit:
about stored procedure injection:
about the "every game would be vulnerable"
http://image.prntscr.com/image/5278c...1bc7c21a34.png
As you can see, the SQL procedure isn't invalid; all you do is add an additional query to that call.
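An added example (not from this thread or the game's code) that models the two sides of the argument in Python with an in-memory SQLite database: the game server pasting player text into the command batch it sends (Syloxx's point), beside a parameterized call (the application-side fix). The schema, the CHECK standing in for a shortened varchar column, and the payload are all constructed for the example.

```python
import sqlite3

# Constructed stand-in for the game database, not the real SRO schema.
# The CHECK emulates the "shorten the varchar column" fix proposed in the thread.
SCHEMA = """
CREATE TABLE _Char (CharName16 TEXT PRIMARY KEY, RemainGold INTEGER);
CREATE TABLE _Items (CharName16 TEXT, CodeName TEXT CHECK (length(CodeName) <= 30));
INSERT INTO _Char VALUES ('Syloxx', 1000);
"""

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def add_item_concat(con, char_name, code_name):
    """Vulnerable: player text is pasted into the command batch, as the thread says
    the game server does. executescript() runs the whole batch, like an MSSQL batch,
    so a statement appended by the player runs as well."""
    batch = f"INSERT INTO _Items VALUES ('{char_name}', '{code_name}');"
    con.executescript(batch)

def add_item_param(con, char_name, code_name):
    """Hardened: values travel as bound parameters, so the text can never end the
    statement. Returns False when the intact value violates the length constraint,
    i.e. only now does the column limit get to see (and reject) the whole string."""
    try:
        con.execute("INSERT INTO _Items VALUES (?, ?)", (char_name, code_name))
        return True
    except sqlite3.IntegrityError:
        return False

def gold_of(con, name):
    return con.execute("SELECT RemainGold FROM _Char WHERE CharName16 = ?", (name,)).fetchone()[0]

def items_of(con, name):
    return [r[0] for r in con.execute("SELECT CodeName FROM _Items WHERE CharName16 = ?", (name,))]

# Constructed input modelled on the thread's example: closes the string, appends an
# UPDATE, and comments out the remainder of the server's own statement.
PAYLOAD = ("ITEM_CH_TBLADE_01_C_RARE'); UPDATE _Char SET RemainGold = 999999999999 "
           "WHERE CharName16 = 'Syloxx'; --")

def demo():
    vuln, safe = make_db(), make_db()
    add_item_concat(vuln, "Syloxx", PAYLOAD)
    accepted = add_item_param(safe, "Syloxx", PAYLOAD)
    return {
        "concat_gold": gold_of(vuln, "Syloxx"),    # 999999999999: the appended UPDATE ran
        "concat_items": items_of(vuln, "Syloxx"),  # a valid-looking row; the length CHECK saw nothing wrong
        "param_gold": gold_of(safe, "Syloxx"),     # 1000: unchanged
        "param_accepted": accepted,                # False: the whole string hit the column limit
    }
```

The concatenated version shows why a shorter column or a rewritten procedure does not help: the procedure's own argument is perfectly valid, and the damage is done by the separate statement that follows it in the same batch.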