Exploit SQL Injection webzonegamerz Ranking

[shark-latan]

This needs to be repaired urgently

/ranking.php?Dios=&Order=LVL&Tribe=128%20declare%20@sql%20varchar(800)%20set%20@sql=0x(string to hex code)%20exec(@sql)%20select%201%20from%20Tantra..TantraBackup00%20where%201=1

 

[alxndr]

Seems like one of my injection methods xd, try banning 'declare' word on your anti_sql.php



To see how serious it is, here is a video guys:

 

[A v a r a]

Yeah seems so very serious.

 

[shark-latan]

this is too serious, so that IP and ID of Colombia, is doing injection attacks to a server where I am working ...

is just one of the server where the Alxndr shown in the video ...

 

[A v a r a]

this is too serious, so that IP and ID of Colombia, is doing injection attacks to a server where I am working ...

is just one of the server where the Alxndr shown in the video ...

The server in the video is from colombia? wow!

 

[metan0ia]

i think that server already fixed .. that sql injection

 

[alxndr]

i think that server already fixed .. that sql injection

I tried to help them

 

[A v a r a]

I hope the owner of that server can post what he did to fix the said problem.

 

[John]

Hahahahahahaha LOL

$variable2 = str_replace("tobanned", "toremplaze", $variable1);

 

[metan0ia]

@John

sir is that the code on how to fix the sql injection problem?

 

[John]

@John

sir is that the code on how to fix the sql injection problem?

No exactly, with this, they can be guided to create anti injection code.

 

[alxndr]

People here do not want to be guided, they want the solution, lol

 

[A v a r a]

People here do not want to be guided, they want the solution, lol

Yeah I agree but sometimes I really would like to help too. Better to exchange ideas.

 

[John]

People here do not want to be guided, they want the solution, lol

You are absolutely right, it's a shame that no longer exist hungry people of know.

 

[jbeitz107]

guys it is pretty simple to fix this issue. get rid of the get method and use post

 

[dTantra]

guys it is pretty simple to fix this issue. get rid of the get method and use post

That won't really fix it, you can use websites like

You must be registered to see links

To send post and or get to any website.

If you want to fix it, at the top of the script just connect to a mysql database first and run the following php.

	foreach ($_GET as $key => $value) 
	{ 
		$_GET[$key] = mysql_real_escape_string($value); 
	}
	foreach ($_POST as $key => $value)
	{
		$_POST[$key] = mysql_real_escape_string($value); 
	}

 

[alxndr]

That won't really fix it, you can use websites like

You must be registered to see links

To send post and or get to any website.

If you want to fix it, at the top of the script just connect to a mysql database first and run the following php.

	foreach ($_GET as $key => $value) 
	{ 
		$_GET[$key] = mysql_real_escape_string($value); 
	}
	foreach ($_POST as $key => $value)
	{
		$_POST[$key] = mysql_real_escape_string($value); 
	}

That won't fix it either, it would be better if everyone use PDO

 

[jbeitz107]

you don't need to use $_GET. there are other options besides that.

 

[alxndr]

you don't need to use $_GET. there are other options besides that.

Leaving PDO appart, you can use whatever you want, POST or GET, if you know what are you doing you can fix them both.

 

[jbeitz107]

agreed alxndr. i am not telling the other part for the fix but, yes i agree. the part i was mentioning simply removes the unnecessary text that is created using the forms in the url. it is only a start for them.