Hacking SQL with Server IP Only?

RoozeV · Jun 13, 2022

Yes, even without knowing the password or login, the guy managed to send and edit items.

I don't have a website and the SQL port is filtered for local access only.

How is this possible?

PwrDex · Jun 13, 2022

RoozeV said:
Yes, even without knowing the password or login, the guy managed to send and edit items.

I don't have a website and the SQL port is filtered for local access only.

How is this possible?

That what you saying is impossible. Did you checked the sent mail table and cash item history?

RoozeV · Jun 13, 2022

PwrDex said:
That what you saying is impossible. Did you checked the sent mail table and cash item history?

Yes I checked the history, and that's not it. He showed me that he can create characters too (within accounts I created), so I assume he can execute SQL commands.

I spoke to him on discord and he told me he can do this if port 38180 or 38181 (I can't remember for sure which one) is open. I closed those ports on the firewall and asked him to try again, and apparently he couldn't. But I don't know if I can trust him.

There's no way to be brute force because my login and password are about 10 characters long, including special symbols, and my SQL port is not the default. Also, I changed the password and he got it quickly.

It also showed me that it can crash channels, but I used that thread and blocked some packets like ''e2b70e0000000000..'' and apparently fixed it.

MrSensei · Jun 13, 2022

Why would you keep GlobalDBAgent port open?????

There is a reason why only these ports suppose to be open:
- 80 - HTTP
- 443 - HTTPS
- 1433 - Database
- 38101 - LoginSvr
- 38121 - Chatnode
- 38151 - AgentShop
- 38111 - 38116 - Channels*
- 38126 - War [170-190]*

RoozeV · Jun 13, 2022

AzureSensei said:
Why would you keep GlobalDBAgent port open?????

There is a reason why only these ports suppose to be open:
- 80 - HTTP
- 443 - HTTPS
- 1433 - Database
- 38101 - LoginSvr
- 38121 - Chatnode
- 38151 - AgentShop
- 38111 - 38116 - Channels*
- 38126 - War [170-190]*

Yeah, I didn't think something like that was possible... not on this level.

MrSensei · Jun 13, 2022

There are tools out there, since EP2 times, that are extremely damaging if you leave specific ports open, so that's the reason why the only minimal amount is needed to be public, everything else is communicating behind firewall.

PwrDex · Jun 14, 2022

AzureSensei said:
Why would you keep GlobalDBAgent port open?????

There is a reason why only these ports suppose to be open:
- 80 - HTTP
- 443 - HTTPS
- 1433 - Database
- 38101 - LoginSvr
- 38121 - Chatnode
- 38151 - AgentShop
- 38111 - 38116 - Channels*
- 38126 - War [170-190]*

Also if you have to open Port 22 and 1433 than IP filter and if you want better protection than certification authentication is recommended.

Ocid Borlan · Jun 17, 2022

sql procedure

Fur Zi · Jun 17, 2022

SQL Injection can be done in your client.

JemmyBrihm · Aug 17, 2022

It's crazy that we can do stuff like this. I always wanted to learn how to hack, but it takes too much time to learn everything, and I got bored after a while. That might be just me being lazy, but it wasn't for me. Still, I needed a hacker's services a few times, and you can find people who offer

You must be registered to see links

online.
This makes everything much easier because I don't have to do it myself. You might worry about security when hiring a hacker. Still, if you hire them from the right place, like Nobelium hackers, you won't have problems like that.

Drafys17 · Aug 17, 2022

it is possible. they do it via dbagent.ini and sql injection! you can give out any item!

Hacking SQL with Server IP Only?

RoozeV

Newbie Spellweaver

Attachments

PwrDex

PwrGames

Attachments

RoozeV

Newbie Spellweaver

MrSensei

Moderator

RoozeV

Newbie Spellweaver

MrSensei

Moderator

PwrDex

PwrGames

Ocid Borlan

Newbie Spellweaver

Fur Zi

Experienced Elementalist

JemmyBrihm

Initiate Mage

Drafys17

Newbie Spellweaver