[SECURITY] Clan System Flaws

If you are using this version, or even a derived version of these clan system files ([Sharing] Working Sandurr's Clan System Version 2.0 - RaGEZONE forums), you should be aware of the following:

Every ASP file has SQL injection vulnerabilities. I could delete members from your clan, delete your clans and databases, insert records, change records, and even change your SQL password. I'm not giving ANY info on HOW to do that.


How to protect yourself:

Just edit your scripts and add a check for illegal characters in every value received from the QueryString (usually they are read like this: Trim(Request("chname"))).



Learning purposes:

The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw.
 
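An added example of the flaw beside its fix, written for this thread and not taken from Sandurr's files or any poster's code. It assumes classic ASP (VBScript) on IIS talking to SQL Server through ADO, a table UL with a varchar(15) ChName column (the table and column come from the query quoted above; the width is an assumption), a placeholder connection string, and, for the stored-procedure variant suggested later in the thread, a hypothetical procedure dbo.FindCharacter:

```vbscript
<%
' Added example for this thread, not code from Sandurr's release. Assumes
' classic ASP/VBScript with ADO against SQL Server and a table UL whose
' ChName column is varchar(15). connStr is a placeholder; use your own.
Option Explicit

Const adCmdText = 1, adCmdStoredProc = 4
Const adVarChar = 200, adParamInput = 1
Const connStr = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=PT;Integrated Security=SSPI;"

' The flaw: the value read from the URL becomes part of the SQL text. A single
' quote inside chname terminates the string literal, so whatever follows it is
' parsed as SQL instead of as a character name.
'   QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"

' The fix: keep the SQL text constant and hand the value over as a parameter.
' The provider sends it as data, so a quote in it can never change the query.
Function FindCharacter(conn, chname)
    Dim cmd
    Set FindCharacter = Nothing
    ' Enforce the column width here so oversized input never reaches the DB.
    If Len(chname) = 0 Or Len(chname) > 15 Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM UL WHERE ChName = ?"
    cmd.Parameters.Append cmd.CreateParameter("ChName", adVarChar, adParamInput, 15, chname)
    Set FindCharacter = cmd.Execute
End Function

' Same idea through a stored procedure, the route suggested later in the thread.
' dbo.FindCharacter is a hypothetical procedure taking @ChName varchar(15).
Function FindCharacterSP(conn, chname)
    Dim cmd
    Set FindCharacterSP = Nothing
    If Len(chname) = 0 Or Len(chname) > 15 Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.FindCharacter"
    cmd.Parameters.Append cmd.CreateParameter("@ChName", adVarChar, adParamInput, 15, chname)
    Set FindCharacterSP = cmd.Execute
End Function

Dim conn, rs, chname
chname = Trim(Request.QueryString("chname"))

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
Set rs = FindCharacter(conn, chname)

If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid character name."
ElseIf rs.EOF Then
    Response.Write "No such character."
Else
    ' Encode on the way out as well: a name is untrusted data in HTML too.
    Response.Write "Found: " & Server.HTMLEncode(rs("ChName").Value)
End If
conn.Close
%>
```

The single quote still arrives in chname; it simply never becomes part of the query text. Character filtering is worth keeping as a second line of defence, but the parameter is what closes the hole, and every INSERT, UPDATE and DELETE in the clan pages needs the same treatment, not just the SELECT shown here.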
haha yeah. I used this exploit years ago in ept to create clans.
The clan master was not working after the change of companies, and continued not to work for a good 1 and a half to 2 years after that.

I got quite rich in game charging people gold for me to make clans for them XD

Shhh don't tell anyone...
 
haha you smart a**!

The flaws that enable you to create or delete clans are not exactly SQL injection flaws; in fact, they are coding flaws. Not enough checks to ensure the account is real, etc.

If I open ClanInsert.aspx and fill in all the query strings needed, but with fake info (any fake info), it results in a successfully created clan. :P:

IMO, the scripts need a GOOD rewrite. From scratch. This is a really old flaw, but almost no one knew about it =p
 
The best form of protection here would be to use stored procedures.

It's more time consuming to do, but the end result is more secure.

Though not as secure, you can also remove all non-alphanumeric characters. Here's a procedure for doing so:


Good luck guys. You'll need it...Bwahahahaha!
 
Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.
 
Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.


...we are equal opportunity here.
Either everyone knows, or no one knows.

He told you the problem and he told you how to fix it.
That is beyond good enough. It is not his job to pick and choose certain private servers to contact to tell them of this problem before posting it here.

If you feel your server may be compromised take down these files for emergency maintenance and manually create/edit clans for people who need it until the problem is solved.
 
The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw. He should know better :P:
He did! That statement, and my response, have been made before. The usual assumption is that, that being the case, he left it in there so he had a backdoor to attack other servers.

That's not the correct implication at all. I'm sure I've also seen him say (though it may have been either Quantum or Shagpub, who were also active in that release's development) that that code was worked on by developers, for developers, to test and debug. It was not created for pServers to use on a day-to-day basis.

In other words, it's pseudo code for you to test the limits within a safe environment and base your own, release version on. It's not meant to be secure, it's meant to be simple enough for everyone to understand, and treat as a basic prototype.
This is a really old flaw, but almost no one knew it =p
I always thought *everyone* knew it!

There were several threads on it in the past. I thought there were posts in the release thread, and Gregoo had posted an excellent guide warning everyone about the dangers, with details (though possibly in PHP?) on how to avoid this exploit.

I also know that he did some "ethical hacking" to prove to popular, existing servers at the time that they had not patched these flaws, offering to help them.
IDK if he was asking for money or not, but the server admins who spoke to me about it were highly offended by his actions, and felt they were being "held to ransom". I would have considered it a warning and an offer of help, but I know where they are coming from.
I'm very glad this thread is up, and hope that it will stay (where Gregoo's did not), because it seems that (contrary to my previous understanding) this is *news* for some people! :scared:

--- EDIT ---
From memory, the most basic advice (which is about all I understand of server-side scripting) was to strip anything which may be interpreted as a string enclosure by SQL, and to limit the length of input fields.

ie. Something like
Code:
' Cap the length first, then cut the value off at the first "!" (Chr(33))
' and at the first single quote, so nothing after either character survives.
If Len(userName) > 15 Then userName = Left(userName, 15)
If InStr(userName, Chr(33)) <> 0 Then userName = Left(userName, InStr(userName, Chr(33)) - 1)
If InStr(userName, "'") <> 0 Then userName = Left(userName, InStr(userName, "'") - 1)
This is NOT real code... this is an example of the process you should perform on every variable filled by a user-submitted field!
Making it a subroutine in a script included on every page which does any real processing would be good, but clean up and fix my (off the top of my head) code first please. :wink:

That doesn't remove the exploit, but I believe it pretty much neuters it. Any attempted SQL command of any use should simply crash, and the worst that would do is bring down your IIS / SQL server.

At least, that's my *basic* understanding.
 
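An added example, not taken from the released files or from any post in this thread, that turns the two pieces of filtering advice given here (remove everything non-alphanumeric, and limit the length and strip SQL string enclosures) into one function that an include file can supply to every clan page. It assumes classic ASP/VBScript; the 15-character cap matches the snippet quoted above, and the parameter name chname is the one the thread mentions:

```vbscript
<%
' Added example for this thread, not code from the released clan files.
' Put this in one include (e.g. validate.inc, a hypothetical name) and call
' IsValidName on every value read from the QueryString before it is used.
Option Explicit

' Whitelist check: True only if value is 1..maxLen characters from A-Z, a-z,
' 0-9 and underscore. Accepting only what a character name can legitimately
' contain is stricter than hunting for single quotes, and rejecting bad input
' is safer than silently truncating it.
Function IsValidName(value, maxLen)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1," & maxLen & "}$"
    IsValidName = re.Test(value)
End Function

' The "strip everything non-alphanumeric" variant suggested in the thread:
' removes every character outside A-Z, a-z, 0-9, then caps the length.
' Use it only where you must accept the request rather than reject it.
Function StripToAlnum(value, maxLen)
    Dim re
    Set re = New RegExp
    re.Pattern = "[^A-Za-z0-9]"
    re.Global = True
    StripToAlnum = Left(re.Replace(value, ""), maxLen)
End Function

' Typical use at the top of a clan page.
Dim chname
chname = Trim(Request.QueryString("chname"))
If Not IsValidName(chname, 15) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid character name."
    Response.End
End If
' chname is now safe to pass on; still bind it as a query parameter rather
' than concatenating it, since the filter is a second line of defence only.
%>
```

Two caveats a practitioner will want: a whitelist this tight will reject legitimate names if your server allows spaces or accented letters, so widen the character class to match your actual naming rules rather than loosening it to "anything but a quote"; and numeric QueryString values (clan IDs, ranks) need their own check, for example IsNumeric plus a range test, because a quote filter does nothing for a field that is concatenated into SQL without quotes in the first place.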
I always thought *everyone* knew it!
:lol:

I didn't think anybody knew it, because I never saw any threads discussing it, at least not any new ones... I think people forgot about it? I never saw it mentioned anywhere else either, though it would be nice to let everyone know :thumbup:
 
It was. And I've watched threads about it being deleted because those who contributed most have cleared out their posts. (not just Gregoo, and he didn't do it to those posts specifically, that was a more general protest)

I have no idea why people who report about this point pull the information later. Maybe they get bored of being accused of being haxors who rape and bring down servers.

For the record, exposing exploits with the intention of helping others prevent attacks is not a malicious act! It's one of charity and community which we should all be practising. :ott1:

BTW... that + Rep I just gave Sheen is a big one, because I just hadn't realised this issue had dropped off the radar like that. I recommend everyone else this exposé has helped give him one too. Even if it only alerts you to the fact that your security is as weak as a used teabag and you have to find the rest out yourself. :wink:

--- EDIT ---
Oops! When I say "give him one too" I mean a rep +... and a like... you can "give him one" something else if you're female I suppose. He may appreciate that. :lol:
 
I have protected clan files.
PM me if you would like more information.
 
Thanks for the information. To bad you made this public before contacting some servers to prevent further issues.
It's been known for literally years that these files were subject to SQL injection. This is just the first time it has been addressed in a large way though. Easy fix regardless.
 
And you never think about to mention my name?
So selfish. Keep the credits.
 
hum... credits for what? You didn't discover it; it was already there and pointed out by several members in the past. :wink: And AFAIK you didn't create the clan script either :P: And I am sure you didn't tell me about that flaw, since I already knew it for years... :/:

Just decided to share it with everyone after some troubles with some BR PServers :ott1: (shame on me.... :lol:)


Turns out that they just edited their posts and removed the information. You would know if you had read bobsobol's post; it is very interesting, though.

I believe that's the main reason Gregoo released his clan files (flawless, I guess) and then removed them for some unknown reason (at least unknown to me).

I hope some older member can enlighten you about this subject. =p
 
I would be surprised if the popularity of SQL inject insecure Clan / SoD sites in PT pServers wasn't a primary inspiration for Gregoo developing his site, but since it was never finished, we'll never know how "flawless" it would have been.
 
And don't assume that, just because they fscked up the security, that was done with malicious intent. Remember that most of us create and share these things for free, in our spare time.

There is a limit to the "quality control" with such an arrangement. ;)
 
tnrh1 aka imri,

I deleted your databases. You left your SQL open to remote connections and I knew your IP, ID and password, so I could
connect and delete them freely.

I am no longer in the PT community, so I don't mind letting you know that. I did it for good reasons.
 