Re: Bcstorm group exploit
Having this problem again. Some guy named fentu ranked himself admin and did the same with all of our groups. When I posted this thread this guy ranked himself MOD, we weren't sure if he was the one who did this, but now we're pretty sure. I still don't know where this exploit is.
Re: Bcstorm group exploit
Quote:
Originally Posted by
BaasHotel
Having this problem again. Some guy named fentu ranked himself admin and did the same with all of our groups. When I posted this thread this guy ranked himself MOD, we weren't sure if he was the one who did this, but now we're pretty sure. I still don't know where this exploit is.
Seems like you have exploits in the CMS or something; if they make an SQL injection they can access your DB.
Re: Bcstorm group exploit
Quote:
Originally Posted by
Clawed
What CMS are you using..
UberCMS 2.0 (live demo @ http://baashotel.eu)
Re: Bcstorm group exploit
Check your emulator SQL error logs to see where he injects it. It triggers an error when he does it wrong ;)
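As an added example (not code from the emulator or the CMS), a small C# scanner for the kind of log check tdid describes. It assumes the two-line format the error log uses in this thread: an "Error in query: ..." line followed by the MySqlException message. It names the table each failed statement touched, flags statements with an odd number of single quotes (a ' that came from a user-supplied value rather than from the code), and pulls out the "near '...'" fragment that shows where parsing broke.

```csharp
// Added example, not part of Bcstorm or UberCMS. Log format assumed from the lines quoted in this thread.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

public sealed class SqlErrorFinding
{
    public string Query;           // the statement that failed, exactly as logged
    public string Table;           // table named after UPDATE / INTO / FROM, or "?"
    public string NearFragment;    // what MySQL could not parse, or null
    public bool UnbalancedQuotes;  // odd number of ' in the statement
}

public static class SqlErrorLogScanner
{
    const string Marker = "Error in query: ";
    static readonly Regex TableRx = new Regex(@"\b(?:UPDATE|INTO|FROM)\s+`?(\w+)`?", RegexOptions.IgnoreCase);
    static readonly Regex NearRx = new Regex(@"near (.+) at line \d+\s*$");

    public static List<SqlErrorFinding> Scan(TextReader log)
    {
        var findings = new List<SqlErrorFinding>();
        string line;
        while ((line = log.ReadLine()) != null)
        {
            if (!line.StartsWith(Marker, StringComparison.Ordinal)) continue;
            var f = new SqlErrorFinding { Query = line.Substring(Marker.Length) };
            var t = TableRx.Match(f.Query);
            f.Table = t.Success ? t.Groups[1].Value : "?";
            // The code emits quotes in pairs, so an odd count means one arrived inside a value.
            int quotes = 0;
            foreach (char c in f.Query) if (c == '\'') quotes++;
            f.UnbalancedQuotes = quotes % 2 == 1;
            // The exception line that follows says exactly where the parser gave up.
            string next = log.ReadLine();
            Match n = next == null ? null : NearRx.Match(next);
            f.NearFragment = n != null && n.Success ? n.Groups[1].Value : null;
            findings.Add(f);
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample in the logged format (one failing UPDATE, as in the thread).
        var sample = "Error in query: UPDATE groups SET Name = '|fc pony's|', Description = 'x' WHERE Id = '786'\n"
                   + "MySql.Data.MySqlClient.MySqlException (0x80004005): You have an error in your SQL syntax; "
                   + "check the manual near 's|', Description = 'x' WHERE Id = '786'' at line 1\n";
        foreach (var f in Scan(new StringReader(sample)))
            Console.WriteLine($"table={f.Table} unbalanced={f.UnbalancedQuotes} near={f.NearFragment}");
    }
}
```

Run it over the emulator's real log and group the findings by table: the statements whose quotes are unbalanced are the ones built by string concatenation and therefore the ones to parameterize first.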
Re: Bcstorm group exploit
Quote:
Originally Posted by
tdid
Check your emulator SQL error logs to see where he injects it. It triggers an error when he does it wrong ;)
Apart from
Quote:
MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command execution. ---> MySql.Data.MySqlClient.MySqlException (0x80004005): Parameter '@name' must be defined.
which I'm aware of (this happens when you kick a pet out of your room), I found this:
Quote:
Error in query: UPDATE groups SET Name = '|fc pony's|', Description = 'lekker paardrijden met je vrienden' WHERE Id = '786'
MySql.Data.MySqlClient.MySqlException (0x80004005): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's|', Description = 'lekker paardrijden met je vrienden' WHERE Id = '786'' at line 1
at MySql.Data.MySqlClient.MySqlStream.ReadPacket()
at MySql.Data.MySqlClient.NativeDriver.GetResult(Int32& affectedRow, Int32& insertedId)
at MySql.Data.MySqlClient.Driver.GetResult(Int32 statementId, Int32& affectedRows, Int32& insertedId)
at MySql.Data.MySqlClient.Driver.NextResult(Int32 statementId, Boolean force)
at MySql.Data.MySqlClient.MySqlDataReader.NextResult()
at MySql.Data.MySqlClient.MySqlCommand.ExecuteReader(CommandBehavior behavior)
at MySql.Data.MySqlClient.MySqlCommand.ExecuteReader()
at MySql.Data.MySqlClient.MySqlCommand.ExecuteNonQuery()
at Database_Manager.Database.Session_Details.QueryAdapter.runQuery()
I don't expect this fentu kid to be a pony addict (lol), but it cannot insert the ' into the database. Does this mean that there is an exploit in updating group names, though?
Re: Bcstorm group exploit
Quote:
Originally Posted by
BaasHotel
Apart from which I'm aware of (this happens when you kick a pet out of your room), I found this:
I don't expect this fentu kid to be a pony addict (lol), but it cannot insert the ' into the database. Does this mean that there is an exploit in updating group names, though?
NO.
Because SQL uses ' for values (e.g. '4','Hello') you CAN'T use ' in a value (e.g. '4','Hello this is my brother's'); in that example, the value is 'Hello this is my brother' and the ' after brother will stop the value, making s NOT a valid MySQL query..
HOWEVER, I think if you use it as a MySQL parameter, it WON'T use the ' as a value (e.g. @name as 'my brother's') and will insert into the query only my brother's, but I'm not sure.
Re: Bcstorm group exploit
Quote:
Originally Posted by
Tha
NO.
Because SQL uses ' for values (e.g. '4','Hello') you CAN'T use ' in a value (e.g. '4','Hello this is my brother's'); in that example, the value is 'Hello this is my brother' and the ' after brother will stop the value, making s NOT a valid MySQL query..
HOWEVER, I think if you use it as a MySQL parameter, it WON'T use the ' as a value (e.g. @name as 'my brother's') and will insert into the query only my brother's, but I'm not sure.
I understand that
Code:
UPDATE groups SET Name = '|fc pony's|', Description = 'lekker paardrijden met je vrienden' WHERE Id = '786'
isn't valid SQL.
But if I would insert
Code:
somegroupname' AND sometablename='someshit
in the group settings where I can edit the name, would that actually be valid SQL? In that case this could be the way all the group names got changed, but I don't know much about SQL injections.
I'm gonna try to use it as a MySQL parameter. I hope that's gonna solve the problem (and the possible exploit?).
EDIT:
So now all the group names got changed to ''omg'', just a few seconds ago. I'm just staring with some WTF-head at the moment.
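For the parameter approach Tha describes and BaasHotel is about to try, here is an added C# example (not code from Bcstorm, UberCMS or anyone in this thread) showing the concatenated UPDATE from the error log next to its parameterized form with MySql.Data. It assumes the MySql.Data.MySqlClient provider the stack trace shows and a groups table with Id, Name and Description as in the logged statement.

```csharp
// Added example, not emulator code. Assumes MySql.Data.MySqlClient and the groups table seen in the log.
using System;
using MySql.Data.MySqlClient;

public static class GroupRepository
{
    // The pattern behind "Error in query: UPDATE groups SET Name = '|fc pony's|' ...":
    // the name is pasted into the SQL text, so any ' inside it ends the string literal
    // and whatever follows is read as SQL syntax instead of as part of the name.
    public static string BuildUnsafeUpdate(int id, string name, string description)
    {
        return "UPDATE groups SET Name = '" + name + "', Description = '" + description
             + "' WHERE Id = '" + id + "'";
    }

    // Hardened form: the SQL text is a constant and every user-controlled value travels
    // as a parameter. A ' in `name` is stored as data; the server never parses it.
    public static int UpdateGroup(MySqlConnection conn, int id, string name, string description)
    {
        const string sql = "UPDATE groups SET Name = @name, Description = @description WHERE Id = @id";
        using (var cmd = new MySqlCommand(sql, conn))
        {
            // Every @placeholder in `sql` must be added here; leaving one out is what produces
            // the other error quoted in this thread, "Parameter '@name' must be defined".
            cmd.Parameters.AddWithValue("@name", name);
            cmd.Parameters.AddWithValue("@description", description);
            cmd.Parameters.AddWithValue("@id", id);
            return cmd.ExecuteNonQuery(); // rows affected: 1 if the group exists, 0 otherwise
        }
    }

    public static void Main()
    {
        // Shows, without touching a database, how the concatenated statement breaks on a '.
        Console.WriteLine(BuildUnsafeUpdate(786, "|fc pony's|", "lekker paardrijden met je vrienden"));
        // With a live connection the parameterized call stores the same name intact:
        // using (var conn = new MySqlConnection(connectionString)) { conn.Open(); UpdateGroup(conn, 786, "|fc pony's|", "..."); }
    }
}
```

Parameters fix the quoting problem in this one statement; the same change is needed in every other query that is built by concatenation, and the server still has to check that the caller is allowed to edit the group whose Id it sends.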
Re: Bcstorm group exploit
I think this is a CMS exploit. You need to check your CMS on every line of every page, because the guy can make your hotel fucked up.
Re: Bcstorm group exploit
No, there is a cool exploit in Bcstorm :-)
Re: Bcstorm group exploit
Quote:
Originally Posted by
Ryan
No, there is a cool exploit in Bcstorm :-)
Would you mind sharing it? :-)
Re: Bcstorm group exploit
I actually think everything is unfiltered for groups, as inputting a ' into a string triggers an SQL error. PM me your Skype and I'll help you out over TV.
Re: Bcstorm group exploit
Quote:
Originally Posted by
BaasHotel
Would you mind sharing it? :-)
No, you stole my index.
Quote:
Originally Posted by
tdid
I actually think everything is unfiltered for groups, as inputting a ' into a string triggers an SQL error. PM me your Skype and I'll help you out over TV.
Actually it's not.. In Bcstorm there is a cool exploit; you can run it, for example, by creating a program which makes a connection and sends a string to something. Easy to fix, like checking the queries.. #No parameter = hackable# Enjoy finding.
Re: Bcstorm group exploit
Quote:
Originally Posted by
Ryan
Actually it's not.. In Bcstorm there is a cool exploit; you can run it, for example, by creating a program which makes a connection and sends a string to something. Easy to fix, like checking the queries.. #No parameter = hackable# Enjoy finding.
Don't wanna help the community? Get out of here.
We don't like people who think they're big; either share it or gtfo.
Also with params things can still be injectable.