Welcome!

Join our community of MMORPG enthusiasts and private server developers! By registering, you'll gain access to in-depth discussions on source codes, binaries, and the latest developments in MMORPG server files. Collaborate with like-minded individuals, explore tutorials, and share insights on building and optimizing private servers. Join us today and unlock the full potential of MMORPG server development!

Join Today!

[SECURITY] Clan System Flaws

SheenBR - [SECURITY] Clan System Flaws - RaGEZONE Forums
 
tnrh1 aka imri,

i deleted your databases. you let your SQL be open for remote connections and i knew your ip,id and pw so i could
connect and delete them freely.

i am no longer in the pt community so i dont mind letting you know that. i did that for good reasons.
That's actually *close* to, "an ethical hack". Strictly speaking, you should have informed Imri before hand, and given him the opportunity to fix the problem.

Still, you did inform him how the exploit was achieved so he can fix it and if he doesn't have a recent backup, he should have learned the value of that now.

FYI, Imri, changing the password isn't a fix, since every password is vulnerable. The fix is disabling the open remote admin port.

If you need to get to a remote admin, the "correct" (secure) method is to limit it to access on a secure VLAN via SSH tunnel only. That is considered abstract enough to secure any secondary password system. Which isn't to say it can't be hacked, but does slow a hacker down enough that your continued vigilance (keep watching your IP and Security logs) should catch intrusion and give you the chance to re-arrange your security and put this hacker back to square one.

An unmanned battlement is quickly breeched no matter how thick or high the walls. ;)
 
Disclaimer: As it is hard to detail a flaw and its fix without explaining how it is exploited, the following post contains both the attack and its fix. I assume the RZ community is mature enough not to go on a SQL injection rampage on every server they encounter.

I didn't read thoroughly but I've seen people suggesting uber-mega-check function to look for illegal characters. That is too troublesome, and unecessarily bloated.

To understand how to protect itself against injections, we first need to understand how it actually works.

For instance if you have a piece of code like this,
Code:
Dim name = request("name")
odbc.Open "SELECT TOP 1 * FROM [ul] WHERE [chname] = '" & name &"'", __, __

You would normally access this page via something like page.asp?name=Gregoo, and the SQL server would be indeed sent the correct request
Code:
SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo'

However, if someone was to access this page via page.asp?name=Gregoo';DROP%20DATABASE%20[accountdb];--, the SQL server would be sent this
Code:
SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo';DROP DATABASE [accountdb];--'
(%20 is an url-encoded space).

This query contains 3 elements.
  1. SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo'; the orignal query that we made syntaxically correct with ' at the end. The semi-colon (;) allows us to chain another query after this one
  2. DROP DATABASE [accountdb]; is our second query and a nasty piece of code that will simply delete a database (in this case, the accounts)
  3. --' that last part start with a comment (--). Whatever is behind will be discarded. That allows us to keep the query syntaxically correct. If we didn't comment, there would be a quote ' at the end of the query. The parser would detect the error and execute none of the 2 queries.

As of now, we already have one simple way to protect ourselves, that's a basic of security.
You should never give a privileges such as dropping databases, or tables to the database user for the clan.
I've seen pretty much everyone using the sysadmin (sa) account for the clan files. This user has pretty much EVERY rights on your database. If you used an user with less privileges you would not have this problem. What the clan user really needs is SELECT, UPDATE and DELETE. Nothing else.

Using a different user will solve the DROP problem, but one can still wipe your whole database with the DELETE privilege. Unfortunately you can't remove it, otherwise players won't be able to leave clans, kick users or disband clans.

The second part of the protection from SQL injections in SQL Server is to simply escape single quotes. We've seen that it's the troublesome character that causes it all.

In SQL Server syntax, you simply need to add a second quote to escape it. If you do that, the injection will just be plain text inside your query and it won't match anything.

If we take the previous example, with escape quotes, the SQL server will receive this
Code:
SELECT TOP 1 * FROM [ul] WHERE [chname] = 'Gregoo''; DROP DATABASE [accountdb];--'

The SQL server will understand this query as it was intended to be, and will look for the data where chname equals Gregoo'; DROP DATABASE [accountdb];--. As you can see, no more database dropping, and I doubt you have a character one your server with that name. So it'll we simply return nothing.

In my files, in function.asp you can see the G (for GET) function doing exactly that.
Code:
' Fetch data from the query string. The data is escaped to prevent SQL injection
' @param key : string
' @return string
Function G(my_key)
	G = Replace(trim(request(my_key)), "'", "''")
End Function
  • request grabs the values from the URI query string
  • trim removes lead/trailing spaces (just to clean up, doesn't do anything for security)
  • and Replace( , "'", "''") (double-quote single-quote double-quote, double-quote single-quote single-quote double-quote) adds a single quote in front of every single quote (that's the security fix)

Our piece of code, with the protection, will look like this
Code:
Dim name = Replace(request("name"), "'", "''")
odbc.Open "SELECT TOP 1 * FROM [ul] WHERE [chname] = '" & name &"'", __, __

TL;DR
  • Use an unprivileged SQL account (you only need SELECT, UPDATE, DELETE)
  • Protect your files, escape the single quotes. Wrap each of the request call inside Replace( , "'", "''")
Code:
Replace(request() , "'", "''")

----
I also know that he did some "ethical hacking" to prove to popular, existing servers at the time that they had not patched these flaws, offering to help them.
IDK if he was asking money or not, but the server admins who spoke to me about it where highly offended by his actions, and felt they where being "held to ransom". I would have considered it a warning and an offer of help, but I know where they are coming from.
I did unethical hacking as retaliation. Dropped the database of a few servers that sent hackers to the server I was working with. That was the wtfish days of PT, when nobody shared anything. That was the only way to keep an edge.
Then I stopped being retarded, started sharing my stuff and making people aware of that. I did grab one of the GMs password from a popular server through the clan files (with very complex injects) and sent a screenshot of the inventory (and did nothing else!) so they would take it seriously. I don't remember if I had the time to help them fix it, I was pretty busy back then.
However, I've never asked any server for any money (/ransom).
 
Last edited:
Okay, I've just deleted a flame-bait.

Yes, I know several people who where very upset by Gregoos former actions. However, I think we've all done things we regret... or worse, have mixed feelings about.
You know... that guy you always hated that you couldn't do anything about because he's special to someone else you care about and you just kind of snapped and punched out. Neeyae, I probably shouldn't've done that but... boy it felt good.
Revenge is a funny thing because, people tend to disguise themselves when doing these things, so the person you get attacked by is usually not the person who attacked you.

It's kinda like pinching a girls ass from your buddies angle so he gets the slap in the face?

I think Gregoo is being very mature in admitting his former crimes and trying to move past them. I also thank him for the clear guide he's given us here.

Thanks Gregoo.

P.S. Doesn't SQL take double quotes the same way? I seem to remember being told to escape those as well.
 
Thanks Gregoo.
You're welcome.

P.S. Doesn't SQL take double quotes the same way? I seem to remember being told to escape those as well.
In T-SQL (that's the language you use to converse with a MS SQL Server), strings are declared with single quotes. Double quotes would throw an error.

For instance, this is correct:
Code:
SELECT * FROM [clandb].[dbo].[ul] WHERE [chname] = 'Gregoo'
This isn't:
Code:
SELECT * FROM [clandb].[dbo].[ul] WHERE [chname] = "Gregoo"

You can use double quotes for column names though. This is perfectly valid:
Code:
SELECT * FROM [clandb].[dbo].[ul] WHERE "chname" = 'Gregoo'

As for double quotes in text, they are interpreted as... a double quote:
Code:
SELECT '"'
Returns
Code:
"

This would cause an error:
Code:
SELECT '"''
There's an unescaped single quote, inside your string.

If you escape it:
Code:
SELECT '"'''
It returns:
Code:
"'

Here you go (-:
 
Awesome. Thanks. It may be different SQL Dialects. I was taught SQL back at Uni on a very old version of FoxPro. (like, really old, even back then) I don't really like it, and spend more time pouring over books trying to get the right syntax than actually writing anything. So I wouldn't spot it. But I scraped through my exams and still remember the odd lecture I didn't fall asleep in. (too much, or maybe just enough Pro Plus? :lol:)
The problem with taking caffine pills after pulling an all-nighter to complete an essay I couldn't be arsed with until the last minuet before a DBMS lecture in the morning, is that if a Digital Systems or Low Level lecture / seminar followed it I was really, really hyper. And I mean *really really*, coz I was pretty pepped in those anyway. XD

Horses for courses though, coz I know a fair few of my peers felt the exact opposite.
 
tnrh1 aka imri,

i deleted your databases. you let your SQL be open for remote connections and i knew your ip,id and pw so i could
connect and delete them freely.

i am no longer in the pt community so i dont mind letting you know that. i did that for good reasons.

Don't be so proud at your self since there is nothing to be proud of. "Good reasons" name 1 and I'm deleting my rz account.
 
and I'm deleting my rz account.
Why is *your* rz account being held responsible for the actions of an individual who isn't even on our staff? Also, why would he care; honestly?

I'm not sure that I mind if you choose to shoot yourself in the foot because someone was mean to you. But I am a little upset that you would lash out at an organisation which has set out entirely with the intention of supporting you (and I think we've succeeded on several occasions) simply because of the actions of an individual who is no more under our control than you are.

On a personal level, if you choose to go I'll miss you around.
 
I won't delete my ragezone account since I havn't done anything bad to a server ever! I even used to pm some admins with suggestions how to improve their servers in order to keep this beautiful community alive so I'm 100% sure that rovarav can't provide any good reason and if he would that would be a lie.

This community taught me so much and I'm thankful for that and that's why I trying to help to new developers on the forum when I can.
I won't leave this community ever! =] and if I would I'll probably miss you too bobsbol :)
 
Last edited:
Ahh! I see now. It's one of those "I'll eat my hat" things. Sorry, I misunderstood.

No, this is the trouble isn't it. I mean, you already have experience of being the "fall guy", Imri, when another member (present on this thread) was attacked through you.

This is what I mean about the source of the attack not necessarily being the real culprit. (by which I mean, the one who was knowingly, and probably maliciously going out to do harm)

I'd advise everyone to avoid such hasty retaliation because, the PT scene in particular, has had waves of this stuff go around to the extent that it comes back to the one who first thought of "revenge". It's just a vicious cycle. :wink:
 
dim chkchar as char
for i = 0 to len(charname) - 1
chkchar = str(i,charname)
if chkchar > "z" or chkchar > "Z" then
conn().close
console.writeline("You have used illegal character)
i = i + 1
next i

EDIT:

dim chkchar as char
for i = 0 to len(charname) - 1
chkchar = str(i,i + 1,charname)
if chkchar > "z" or chkchar > "Z" then
conn().close
console.writeline("You have used illegal character)
i = i + 1
next i

EDIT 2:

If you were just trying to block the use of * to stop querying which would make more sense then you could simply:

dim chkchar as char
dim unauthc as char = "*"
for i = 0 to len(charname) - 1
chkchar = str(i,i + 1,charname)
if chkchar = unauthc then
conn().close
console.writeline("You have used illegal character)
i = i + 1
next i
 
Code:
dim chkchar as char
for i = 0 to len(charname) - 1
chkchar = str(i,i + 1,charname)
if not ((chkchar => "a" and chkchar <= "z") or (chkchar => "A" and chkchr <= "Z") or (chkchar => "0" and chkchar <= "0"))  then
conn().close
console.writeline("You have used illegal character)
i = i + 1
next i
That allows any character in any case or any number, but nothing else. That kind of logic really upset me when applied to character names. No spaces, no hyphens, no underscore, no apostrophe etc. So O'Mally is not a valid character name. :(
 
security > pronunciation of char names im affraid bob. Those characters could simply be removed from allowed char list in game.exe so to create a safer environment. Im obviously not saying that this is the best method, but most likely more secure than what there was previous.

The alternative is to create an array of dissallowed statements ie.

dim unauthw(4)
unauthw(1) = "SELECT *"
unauthw(2) = "INSERT *"
unauthw(3) = "DELETE *"

for i = 0 to 4 - 1 step 1

if charname.contains(unauthw(i)) then
conn().close
console.writeline("Illegal Opperation Detected")
response.redirect("addphrase.aspx?phrase=charname")
end if
next i


Response.redirect would make use of shared variables moving the value to a form which would submit it to a database somewhere for analysis, which then can be added to the list of disallowed phrases

EDIT------

Values of unauthw could be stored in phrases database, this would server to create a dynamic table that would not require the admin update it as any phrases not allowed would simply be added straight into the database. With regards to the loop could apply:
for i = 0 to rs.recordcount - 1

such a method would also be great as databases could be shared publicly here for users to protect their servers from injection. Obviously a hacker could analyse the database to find meaning but a user could create a simple form of encryption by creating a unique string before data entry and data extraction in their aspx script.
 
Im obviously not saying that this is the best method, but most likely more secure than what there was previous.
Escape characters is the "better method". But you need to define all the places you need characters escaped, and all the places you need them plain, then translate between the two.

So, it should appear plain in game, but be escaped anywhere in the DB / Web. Like in URLs, where " " becomes %20.
 
Back