IJJI Gunz website for Gunz 1.5

Status
Not open for further replies.
In Progress... FFXIV...
Member
Joined
Oct 5, 2010
Messages
1,695
Reaction score
456
Download:

Credits:
  • Me - Minor edits to make it work with Gunz 1.5
  • X-Weaver - Mainly the web site

No images will be provided, since you can find previews of it in X-Weaver's thread.

P.S. All I did was fix whatever is needed for Gunz 1.5

If there are any errors that you're encountering, please post here.
 
Pee Aitch Pee
Joined
Mar 30, 2011
Messages
630
Reaction score
422
The script success.php is vulnerable to SQL injection and you can add any amount of coins to your own account by simply sending a POST request with the required variables after you're logged in.

It only checks if $paypal[business] is set, which is always true since you require a file which contains that variable.

Maybe I overlooked something, but that's what I noticed in that script.

I'll test it later today to confirm it.

---
SQLi POST request to success.php:
payment_gross=1337&txn_id=1337&payer_email=bla%40bla.bla'); UPDATE Account SET Coins = 99999 WHERE AID = 1--

Just to get a shitload of coins:
payment_gross=9999999&txn_id=1337&payer_email=bla%40bla.bla

You must be logged in though.
 
Last edited:
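
A hardened version of the coin-crediting step described in the post above, as an added example that is not part of the thread or of X-Weaver's site. `Account`, `Coins` and `AID` are the names used in the thread; `credit_coins`, the `DonationLog` table and its columns, the coin rate and the `$verified` flag are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: NOT the original success.php. Account/Coins/AID are named in the
// thread; DonationLog, its columns, the coin rate and $verified are assumptions.
function credit_coins(PDO $db, array $session, array $post, bool $verified): int
{
    // A logged-in session plus POST fields proves nothing about payment. $verified
    // must come from a server-side confirmation with the payment processor.
    if (!$verified) {
        throw new RuntimeException('payment not confirmed by processor');
    }

    $aid   = filter_var($session['AID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $email = filter_var($post['payer_email'] ?? '', FILTER_VALIDATE_EMAIL);
    $txn   = $post['txn_id'] ?? null;
    $gross = $post['payment_gross'] ?? null;

    // The /D modifier stops "$" from matching before a trailing newline.
    if ($aid === false || $email === false
        || !is_string($txn)   || !preg_match('/^[A-Za-z0-9]{1,32}$/D', $txn)
        || !is_string($gross) || !preg_match('/^\d{1,4}(\.\d{1,2})?$/D', $gross)) {
        throw new InvalidArgumentException('malformed payment fields');
    }
    $coins = (int) floor((float) $gross);   // assumed rate: 1 coin per whole unit

    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->beginTransaction();
    try {
        // Placeholders keep user-supplied text as data, never as SQL.
        // A UNIQUE constraint on TxnID makes a replayed transaction fail here.
        $log = $db->prepare('INSERT INTO DonationLog (TxnID, AID, Gross, PayerEmail) VALUES (?, ?, ?, ?)');
        $log->execute([$txn, $aid, $gross, $email]);

        $upd = $db->prepare('UPDATE Account SET Coins = Coins + ? WHERE AID = ?');
        $upd->execute([$coins, $aid]);
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('account not found');
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $coins;
}
```

With this shape, the `payer_email` value from the post fails validation and would be bound as a plain string even if it passed, and a hand-made POST credits nothing because `$verified` is false.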
Elite Diviner
Joined
Jul 27, 2012
Messages
411
Reaction score
49
make sure index.php got paypal anti_injection.
 
Currently Stoned !
Joined
Dec 6, 2011
Messages
879
Reaction score
108
hey guys m not pro at web coding blah blah but can anyone tell me what should i do with this error?

Code:
Not Found

The requested URL was not found on this server.
-----------------------------------------------------------------------------------
You are Banned from My GunZ. By X-Weaver Staff


every page shows this :|
 
Currently Stoned !
Joined
Dec 6, 2011
Messages
879
Reaction score
108
Code:
You are Banned from My GunZ. By X-Weaver Staff

You are banned? LOL.

the website itself shows this... You released and u dont know solution? wtf?


other website work fine.
 
人◕ ‿‿ ◕人
Member
Joined
Jul 11, 2008
Messages
1,078
Reaction score
90
the website itself shows this... You released and u dont know solution? wtf?


other website work fine.



Lol@Ronny, I don't think anyone remembers when you ban someone or have someone with 253. it bans everyone from the website, I fixed it a long time ago, But this was back in 08, It has something to do with that though...
 
人◕ ‿‿ ◕人
Member
Joined
Jul 11, 2008
Messages
1,078
Reaction score
90
I never had this problem unless my UGradeID was set to 253.

It did this for me and a lot of other people when using it back then. When you would ban someone it would show the ban page for EVERYONE. Quick fix is to just disable it in functions.php and disinclude owned.php or whatever the file was.
 
Currently Stoned !
Joined
Dec 6, 2011
Messages
879
Reaction score
108
It did this for me and a lot of other people when using it back then. When you would ban someone it would show the ban page for EVERYONE. Quick fix is to just disable it in functions.php and disinclude owned.php or whatever the file was.

okk..noww..i just removed those files and disabled... ! xD
 
In Progress... FFXIV...
Member
Joined
Oct 5, 2010
Messages
1,695
Reaction score
456
Odd. I had an alternative account, that was banned, in my database as a test to see if it does it to anyone that isn't UGradeID 253, but I still never encountered it before even when I used it for other private servers.

Edit:
Maybe just change the function in the ban.php from the secure folder instead of removing the owned.php
Code:
$query = mssql_query("SELECT * FROM Account WHERE UgradeID = 253");

To

Code:
$query = mssql_query("SELECT * FROM Account WHERE UgradeID = 253 AND AID = '{$_SESSION['AID']}'");
 
Last edited:
人◕ ‿‿ ◕人
Member
Joined
Jul 11, 2008
Messages
1,078
Reaction score
90
Odd. I had an alternative account, that was banned, in my database as a test to see if it does it to anyone that isn't UGradeID 253, but I still never encountered it before even when I used it for other private servers.

Very odd it is, either way, I blame apache setup, I was most likely doing it wrong, but again it was back in 08 or whenever this web was released.
 