[Admin] tierrilopes Posted December 15, 2015 at 03:05 PM Share Posted December 15, 2015 at 03:05 PM Aparentemente é possível utilizar uma mensagem normal (provavelmente também as noticias que se deixam na guild) para injetar query sql. Isto pois o jogo não filtra devidamente a mensagem. Para tal: Ir até ao ficheiro input_main.cpp: Procurar por: case MESSENGER_SUBHEADER_CG_REMOVE: { if (uiBytes < CHARACTER_NAME_MAX_LEN) return -1; char char_name[CHARACTER_NAME_MAX_LEN + 1]; strlcpy(char_name, c_pData, sizeof(char_name)); MessengerManager::instance().RemoveFromList(ch->GetName(), char_name); } return CHARACTER_NAME_MAX_LEN; Substituir por: case MESSENGER_SUBHEADER_CG_REMOVE: { if (uiBytes < CHARACTER_NAME_MAX_LEN) return -1; char szCharacterName[CHARACTER_NAME_MAX_LEN + 1]; strlcpy(szCharacterName, c_pData, sizeof(szCharacterName)); LPCHARACTER tch = CHARACTER_MANAGER::Instance().FindPC(szCharacterName); if (!tch) { char szCharacterNameEscaped[CHARACTER_NAME_MAX_LEN + 1]; DBManager::Instance().EscapeString(szCharacterNameEscaped, sizeof(szCharacterNameEscaped), szCharacterName, strlen(szCharacterName)); MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterNameEscaped); return CHARACTER_NAME_MAX_LEN; } else if (tch == ch) { ch->ChatPacket(CHAT_TYPE_INFO, "Nao podes remover-te a ti proprio!"); return CHARACTER_NAME_MAX_LEN; } MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterName); } return CHARACTER_NAME_MAX_LEN; Adicionar no final do ficheiro messenger_manager.cpp: bool MessengerManager::IsInList(MessengerManager::keyA account, MessengerManager::keyA companion) { if (m_Relation.find(account) == m_Relation.end()) return false; if (m_Relation[account].empty()) return false; return m_Relation[account].find(companion) != m_Relation[account].end(); } Ainda em messenger_manager.cpp: Procurar por: void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion) Substituir a função inteira por esta: void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion) { if (companion.empty()) return; // Second fix if (m_Relation[account].find(companion) == m_Relation[account].end() || m_InverseRelation[companion].find(account) == m_InverseRelation[companion].end()) { LPCHARACTER ch = CHARACTER_MANAGER::Instance().FindPC(account.c_str()); if (ch) { sys_err("MessengerManager::RemoveFromList: %s tentou usar injecao sql", ch->GetName()); DBManager::Instance().DirectQuery("UPDATE account.account SET status = 'BLOCK' WHERE id = %u", ch->GetAID()); if (ch->GetDesc()) ch->GetDesc()->DelayedDisconnect(3); } else sys_err("MessengerManager::RemoveFromList: Protegido de sql injection!"); return; } sys_log(1, "MessengerManager::RemoveFromList: Remove %s %s", account.c_str(), companion.c_str()); DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'", get_table_postfix(), account.c_str(), companion.c_str()); __RemoveFromList(account, companion); TPacketGGMessenger p2ppck; p2ppck.bHeader = HEADER_GG_MESSENGER_REMOVE; strlcpy(p2ppck.szAccount, account.c_str(), sizeof(p2ppck.szAccount)); strlcpy(p2ppck.szCompanion, companion.c_str(), sizeof(p2ppck.szCompanion));; P2P_MANAGER::instance().Send(&p2ppck, sizeof(TPacketGGMessenger)); } Na mesma função, procurar por: if (companion.empty()) return; Adicionar isto debaixo: if (!IsInList(account, companion)) return; Ficando assim: Ir até ao ficheiro messeger_manager.h: Procurar por: void Logout(keyA account); Adicionar debaixo: bool IsInList(MessengerManager::keyA account, MessengerManager::keyA companion); Nota: Caso não utilizem a source aqui colocada no fórum, devem seguir o tutorial substituindo todas as referências a: unique_ptr por estas: auto_ptr libsql/Asyncsql.cpp Procurar por: if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, CLIENT_MULTI_STATEMENTS)) Substituir por. if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, NULL)) game/src/input_main.cpp Procurar por: if (!ch->IsPC()) Substituir por: if (!newmember->IsPC()) { return SubPacketLen; } © Martysama © Ken Link to comment Share on other sites More sharing options...
pedrorrr Posted December 19, 2015 at 01:17 PM Share Posted December 19, 2015 at 01:17 PM No código anterior procuramos por: std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'", get_table_postfix(), __escape_name)); Eu acho que devia de se procurar por: std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'", get_table_postfix(), gcp.name)); Modificamos para: std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'", get_table_postfix(), __escape_name)); get_table_postfix(), __escape_name)); Eu acho que devíamos modificar para: std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'", get_table_postfix(), __escape_name)); Resultado: Sem erros e igual a print. Corrige-me se tiver errado sff. EDIT: E já agora +1 e obrigado Link to comment Share on other sites More sharing options...
pedrorrr Posted May 9, 2016 at 05:43 AM Share Posted May 9, 2016 at 05:43 AM @tierrilopes Um pequena questão. A parte que tinhas no tutorial -> std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'", get_table_postfix(), gcp.name)); Que está no meu comentário em cima. Não está mais no tutorial... Gostava de saber se já não é necessária ou esqueceste de meter ela, pois tava aqui a refazer na source e deparei me com isso fiquei então na duvida. Link to comment Share on other sites More sharing options...
[Admin] tierrilopes Posted May 12, 2016 at 04:35 PM Author Share Posted May 12, 2016 at 04:35 PM Já não é preciso, tópico atualizado Link to comment Share on other sites More sharing options...
pedrorrr Posted May 12, 2016 at 04:54 PM Share Posted May 12, 2016 at 04:54 PM Ok muito obrigado então Link to comment Share on other sites More sharing options...
Guest KemazI Posted May 30, 2016 at 02:40 PM Share Posted May 30, 2016 at 02:40 PM Já não preciso mudar o unique_ptr com o tutorial atualizado? Link to comment Share on other sites More sharing options...
[Admin] tierrilopes Posted May 30, 2016 at 07:23 PM Author Share Posted May 30, 2016 at 07:23 PM Depende da source e versão de compilador da mesma. Procura dentro dos ficheiros game/src por unique_ptr e auto_ptr. Os que encontrares é os que colocas. Link to comment Share on other sites More sharing options...
Guest KemazI Posted May 30, 2016 at 08:34 PM Share Posted May 30, 2016 at 08:34 PM Depende da source e versão de compilador da mesma. Procura dentro dos ficheiros game/src por unique_ptr e auto_ptr. Os que encontrares é os que colocas. A minha compilou correctamente, quer dizer que funcionou certo? Link to comment Share on other sites More sharing options...
pedrorrr Posted May 31, 2016 at 03:28 PM Share Posted May 31, 2016 at 03:28 PM @tierrilopes mas o unique_ptr e o auto_ptr era para aquela cena que já não é preciso xD. Por isso acho que essa parte está a mais. Link to comment Share on other sites More sharing options...
Guest KemazI Posted May 31, 2016 at 10:56 PM Share Posted May 31, 2016 at 10:56 PM Encontrei um bug, ao convidar guild não dá Link to comment Share on other sites More sharing options...
Luffy Posted July 2, 2017 at 11:00 PM Share Posted July 2, 2017 at 11:00 PM Estava a procurar sobre isso e achei em um fórum um tutorial sobre "[FIX][C++] SQL Injection in Messenger and Guild" Hello, today there were attacks to several servers all using the same exploits. I will not further explain the method used to attack these servers. To fix it go to messenger_manager.cpp: Search for the function MessengerManager::RemoveFromList Replace it with this: void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion) { if (companion.empty()) return; char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1]; DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length()); DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'", get_table_postfix(), account.c_str(), companionEscaped); __RemoveFromList(account, companion); sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str()); TPacketGGMessenger pack; pack.bHeader = HEADER_GG_MESSENGER_REMOVE; strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount)); strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion)); P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger)); } queria saber se é a mesma coisa e se vai funcionar Fonte: elitepvpers Créditos: .Alpha. pelo tópico no fórum e Credits go to ricky92 and WoM2 Link to comment Share on other sites More sharing options...
Dynamic Things Posted July 3, 2017 at 02:03 PM Share Posted July 3, 2017 at 02:03 PM 15 horas atrás, Luffy disse: Estava a procurar sobre isso e achei em um fórum um tutorial sobre "[FIX][C++] SQL Injection in Messenger and Guild" Hello, today there were attacks to several servers all using the same exploits. I will not further explain the method used to attack these servers. To fix it go to messenger_manager.cpp: Search for the function MessengerManager::RemoveFromList Replace it with this: void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion) { if (companion.empty()) return; char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1]; DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length()); DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'", get_table_postfix(), account.c_str(), companionEscaped); __RemoveFromList(account, companion); sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str()); TPacketGGMessenger pack; pack.bHeader = HEADER_GG_MESSENGER_REMOVE; strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount)); strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion)); P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger)); } queria saber se é a mesma coisa e se vai funcionar Fonte: elitepvpers Créditos: .Alpha. pelo tópico no fórum e Credits go to ricky92 and WoM2 Basicamente vai dar no mesmo, só por dizer que o que está neste tópico está um pouco mais completo porque da block a pessoa que tentou usar o exploit, mas sim o codigo que postas-te vai dar ao mesmo Link to comment Share on other sites More sharing options...
Guest Ezrekith Posted November 28, 2017 at 08:20 AM Share Posted November 28, 2017 at 08:20 AM Instead of this: if (!newmember->IsPC()) { return SubPacketLen; } You can use this: if (!ch->IsPC() || !newmember->IsPC()) return SubPacketLen; (For those who have problem with guild name duplication.) Link to comment Share on other sites More sharing options...
Leandro Posted January 6, 2020 at 07:56 AM Share Posted January 6, 2020 at 07:56 AM Ty Ty Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now