IJJI Gunz website for Gunz 1.5
Download: IJJI GunZ website by X-Weaver (Gunz 1.5).7z
Credits:
- Me - Minor edits to make it work with Gunz 1.5
- X-Weaver - Mainly the web site
No images will be provided, since you can find previews of it in X-Weaver's thread.
P.S. All I did was fix whatever is needed for Gunz 1.5
If there are any errors that you're encountering, please post here.
Re: IJJI Gunz website for Gunz 1.5
Pro my friend .. you are the best :):
but tell me, does it include anti-SQLi?
Re: IJJI Gunz website for Gunz 1.5
The script success.php is vulnerable to SQL injection and you can add any amount of coins to your own account by simply sending a POST request with the required variables after you're logged in.
It only checks if $paypal[business] is set, which is always true since you require a file which contains that variable.
Maybe I overlooked something, but that's what I noticed in that script.
I'll test it later today to confirm it.
---
SQLi POST request to success.php:
payment_gross=1337&txn_id=1337&payer_email=bla%40bla.bla'); UPDATE Account SET Coins = 99999 WHERE AID = 1--
Just to get a shitload of coins:
payment_gross=9999999&txn_id=1337&payer_email=bla%40bla.bla
You must be logged in though.
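An added example, not part of any post and not the site's own code: one way a coin-credit step like the one described for success.php can refuse unverified POSTs, validate the fields, and use placeholders instead of building SQL from request data. The function name, the `Payments` table, the `$verified` flag, the amount cap and the coin rate are assumptions; `Account`, `Coins` and `AID` are the names used in the thread.

```php
<?php
declare(strict_types=1);
// Hypothetical helper, not the site's code. $aid must come from the server-side
// session; $verified stands in for a server-to-server confirmation from PayPal.
function creditCoins(PDO $db, int $aid, array $post, bool $verified): string
{
    // 1. A POST from the browser proves nothing about a payment.
    if (!$verified) {
        return 'rejected: payment not verified';
    }
    // 2. Validate type and range of every field (the 500 cap is an assumption).
    $gross = filter_var($post['payment_gross'] ?? null, FILTER_VALIDATE_FLOAT);
    $email = filter_var($post['payer_email'] ?? null, FILTER_VALIDATE_EMAIL);
    $txn   = $post['txn_id'] ?? '';
    if ($gross === false || $gross <= 0 || $gross > 500 || $email === false
        || !is_string($txn) || !preg_match('/^[A-Za-z0-9]{1,32}$/', $txn)) {
        return 'rejected: invalid field';
    }
    try {
        $db->beginTransaction();
        // 3. Placeholders keep values out of the SQL text. The primary key on
        //    txn_id makes a replayed transaction fail instead of paying twice.
        $db->prepare('INSERT INTO Payments (txn_id, AID, gross, payer_email)
                      VALUES (?, ?, ?, ?)')->execute([$txn, $aid, $gross, $email]);
        // Assumed rate: one coin per whole currency unit.
        $db->prepare('UPDATE Account SET Coins = Coins + ? WHERE AID = ?')
           ->execute([(int) floor($gross), $aid]);
        $db->commit();
        return 'credited';
    } catch (PDOException $e) {
        $db->rollBack();
        return 'rejected: duplicate or failed transaction';
    }
}

// Constructed demo on in-memory SQLite (the site itself talks to MSSQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Account (AID INTEGER PRIMARY KEY, Coins INTEGER)');
$db->exec('CREATE TABLE Payments (txn_id TEXT PRIMARY KEY, AID INTEGER, gross REAL, payer_email TEXT)');
$db->exec('INSERT INTO Account VALUES (1, 0)');

$forged = ['payment_gross' => '9999999', 'txn_id' => '1337', 'payer_email' => 'bla@bla.bla'];
$paid   = ['payment_gross' => '10.00', 'txn_id' => 'TXN0001', 'payer_email' => 'player@example.com'];
echo creditCoins($db, 1, $forged, false), PHP_EOL; // unverified browser POST
echo creditCoins($db, 1, $paid, true), PHP_EOL;    // provider-confirmed payment
echo creditCoins($db, 1, $paid, true), PHP_EOL;    // same txn_id replayed
echo $db->query('SELECT Coins FROM Account WHERE AID = 1')->fetchColumn(), PHP_EOL;
```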
Re: IJJI Gunz website for Gunz 1.5
I haven't tested it with the Paypal Sandbox yet.
Re: IJJI Gunz website for Gunz 1.5
A lot of exploits and one of them in the item shop.
Re: IJJI Gunz website for Gunz 1.5
add items added? it is with renthour?
Re: IJJI Gunz website for Gunz 1.5
make sure index.php got paypal anti_injection.
Re: IJJI Gunz website for Gunz 1.5
Hey guys, I'm not pro at web coding blah blah, but can anyone tell me what I should do with this error?
Code:
Not Found
The requested URL was not found on this server.
-----------------------------------------------------------------------------------
You are Banned from My GunZ. By X-Weaver Staff
every page shows this :|
Re: IJJI Gunz website for Gunz 1.5
Code:
You are Banned from My GunZ. By X-Weaver Staff
You are banned? LOL.
Re: IJJI Gunz website for Gunz 1.5
Quote:
Originally Posted by Anju
Code:
You are Banned from My GunZ. By X-Weaver Staff
You are banned? LOL.
The website itself shows this... You released and you don't know the solution? wtf?
Other websites work fine.
Re: IJJI Gunz website for Gunz 1.5
Quote:
Originally Posted by Ronny786
The website itself shows this... You released and you don't know the solution? wtf?
Other websites work fine.
Lol@Ronny, I don't think anyone remembers when you ban someone or have someone with 253. It bans everyone from the website. I fixed it a long time ago, but this was back in 08. It has something to do with that though...
Re: IJJI Gunz website for Gunz 1.5
Quote:
Originally Posted by Ronny786
The website itself shows this... You released and you don't know the solution? wtf?
Other websites work fine.
I never had this problem unless my UGradeID was set to 253.
Re: IJJI Gunz website for Gunz 1.5
Quote:
Originally Posted by Anju
I never had this problem unless my UGradeID was set to 253.
It did this for me and a lot of other people when using it back then. When you would ban someone it would show the ban page for EVERYONE. Quick fix is to just disable it in functions.php and disinclude owned.php or whatever the file was.
Re: IJJI Gunz website for Gunz 1.5
Quote:
Originally Posted by Forean
It did this for me and a lot of other people when using it back then. When you would ban someone it would show the ban page for EVERYONE. Quick fix is to just disable it in functions.php and disinclude owned.php or whatever the file was.
okk..noww..i just removed those files and disabled... ! xD
Re: IJJI Gunz website for Gunz 1.5
Odd. I had an alternative account, that was banned, in my database as a test to see if it does it to anyone that isn't UGradeID 253, but I still never encountered it before even when I used it for other private servers.
Edit:
Maybe just change the function in the ban.php from the secure folder instead of removing the owned.php
Code:
$query = mssql_query("SELECT * FROM Account WHERE UgradeID = 253");
To
Code:
$query = mssql_query("SELECT * FROM Account WHERE UgradeID = 253 AND AID = '{$_SESSION['AID']}'");