tierrilopes

Anti In-game SQL Injection

Apparently it is possible to use a normal message (probably also the notices left on the guild board) to inject an SQL query, because the game does not properly filter the message.

To fix it:

Go to the file input_main.cpp:

Search for:

    case MESSENGER_SUBHEADER_CG_REMOVE:
        {
            if (uiBytes < CHARACTER_NAME_MAX_LEN)
                return -1;

            char char_name[CHARACTER_NAME_MAX_LEN + 1];
            strlcpy(char_name, c_pData, sizeof(char_name));
            MessengerManager::instance().RemoveFromList(ch->GetName(), char_name);
        }
        return CHARACTER_NAME_MAX_LEN;

Replace with:

    case MESSENGER_SUBHEADER_CG_REMOVE:
        {
            if (uiBytes < CHARACTER_NAME_MAX_LEN)
                return -1;

            char szCharacterName[CHARACTER_NAME_MAX_LEN + 1];
            strlcpy(szCharacterName, c_pData, sizeof(szCharacterName));

            // Look the name up among online players; a hit proves it is a real character name.
            LPCHARACTER tch = CHARACTER_MANAGER::Instance().FindPC(szCharacterName);

            if (!tch)
            {
                // Not an online character: escape the text before it can reach any SQL.
                // Escaping can double the length (every quote or backslash gains a backslash),
                // so the destination needs 2 * len + 1 bytes, not CHARACTER_NAME_MAX_LEN + 1.
                char szCharacterNameEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
                DBManager::Instance().EscapeString(szCharacterNameEscaped, sizeof(szCharacterNameEscaped), szCharacterName, strlen(szCharacterName));
                MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterNameEscaped);
                return CHARACTER_NAME_MAX_LEN;
            }
            else if (tch == ch)
            {
                ch->ChatPacket(CHAT_TYPE_INFO, "Nao podes remover-te a ti proprio!");
                return CHARACTER_NAME_MAX_LEN;
            }

            MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterName);
        }
        return CHARACTER_NAME_MAX_LEN;

Add at the end of the file messenger_manager.cpp:

    // The declaration must also be added to the class in messenger_manager.h, or this will not compile.
    bool MessengerManager::IsInList(MessengerManager::keyA account, MessengerManager::keyA companion)
    {
        // Check with find() first so that asking about an unknown account does not
        // create an empty entry through operator[].
        if (m_Relation.find(account) == m_Relation.end())
            return false;

        if (m_Relation[account].empty())
            return false;

        return m_Relation[account].find(companion) != m_Relation[account].end();
    }

Still in messenger_manager.cpp:

Search for:

    void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)

Replace the whole function with this one:

    void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)
    {
        if (companion.empty())
            return;

        // Second fix: the pair must exist in both directions of the in-memory relation.
        // A companion that was never on the list cannot be a legitimate removal, so the
        // name is treated as an injection attempt and never reaches the DELETE below.
        if (m_Relation[account].find(companion) == m_Relation[account].end() || m_InverseRelation[companion].find(account) == m_InverseRelation[companion].end())
        {
            LPCHARACTER ch = CHARACTER_MANAGER::Instance().FindPC(account.c_str());
            if (ch)
            {
                // Log the attempt, block the account and drop the connection after 3 seconds.
                sys_err("MessengerManager::RemoveFromList: %s tentou usar injecao sql", ch->GetName());
                DBManager::Instance().DirectQuery("UPDATE account.account SET status = 'BLOCK' WHERE id = %u", ch->GetAID());
                if (ch->GetDesc())
                    ch->GetDesc()->DelayedDisconnect(3);
            }
            else
                sys_err("MessengerManager::RemoveFromList: Protegido de sql injection!");
            return;
        }

        sys_log(1, "MessengerManager::RemoveFromList: Remove %s %s", account.c_str(), companion.c_str());
        DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'", get_table_postfix(), account.c_str(), companion.c_str());
        __RemoveFromList(account, companion);
        TPacketGGMessenger p2ppck;
        p2ppck.bHeader = HEADER_GG_MESSENGER_REMOVE;
        strlcpy(p2ppck.szAccount, account.c_str(), sizeof(p2ppck.szAccount));
        strlcpy(p2ppck.szCompanion, companion.c_str(), sizeof(p2ppck.szCompanion));
        P2P_MANAGER::instance().Send(&p2ppck, sizeof(TPacketGGMessenger));
    }

In the same function, search for:

    if (companion.empty())
        return;

Add this below it:

    if (!IsInList(account, companion))
        return;

Resulting in:


Please login or register to see this spoiler.

Note: If you are not using the source posted here on the forum, you must follow the tutorial replacing all references to:

    unique_ptr

with these:

    auto_ptr

libsql/Asyncsql.cpp

Search for:

    if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, CLIENT_MULTI_STATEMENTS))

Replace with:

    // client_flag is an unsigned long, so pass 0 rather than NULL. Dropping CLIENT_MULTI_STATEMENTS
    // means a single query string can no longer carry several ';'-separated statements.
    if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, 0))

game/src/input_main.cpp

Search for:

    if (!ch->IsPC())

Replace with:

    if (!newmember->IsPC())
    {
        return SubPacketLen;
    }

 

© Martysama

© Ken

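As an added, stand-alone C++ example (not the tutorial's code and not the game's source), the two defences the fix above relies on can be modelled without a game server: a name is only ever placed in the DELETE statement after a membership check against the in-memory relation maps (the IsInList idea), and whatever text does reach SQL is escaped first into a buffer large enough for the worst case of 2 * len + 1 bytes, which is the pitfall a CHARACTER_NAME_MAX_LEN + 1 sized destination would hit. EscapeSql is a constructed stand-in for DBManager::EscapeString / mysql_real_escape_string, and the account names, friend list and table name are all constructed for the demo.

```cpp
// Added example: model of the messenger "remove from list" hardening.
// Nothing here is the game's own API; names and data are constructed.
#include <cstddef>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Escape the characters mysql_real_escape_string() would escape. Returns the number
// of bytes written (without the terminator), or -1 if dst cannot hold the worst case
// of 2 * srcLen + 1 bytes (every character doubled plus the terminator).
long EscapeSql(char* dst, size_t dstSize, const char* src, size_t srcLen)
{
    if (dstSize < srcLen * 2 + 1)
        return -1;

    size_t n = 0;
    for (size_t i = 0; i < srcLen; ++i)
    {
        char c = src[i];
        switch (c)
        {
            case '\0':   dst[n++] = '\\'; dst[n++] = '0'; break;
            case '\n':   dst[n++] = '\\'; dst[n++] = 'n'; break;
            case '\r':   dst[n++] = '\\'; dst[n++] = 'r'; break;
            case '\x1a': dst[n++] = '\\'; dst[n++] = 'Z'; break;
            case '\\': case '\'': case '"':
                         dst[n++] = '\\'; dst[n++] = c;   break;
            default:     dst[n++] = c;                    break;
        }
    }
    dst[n] = '\0';
    return static_cast<long>(n);
}

// Convenience wrapper that always allocates the worst-case buffer.
std::string EscapeSqlString(const std::string& s)
{
    std::vector<char> buf(s.size() * 2 + 1);
    EscapeSql(buf.data(), buf.size(), s.c_str(), s.size());
    return std::string(buf.data());
}

// Shows the size guard: a 7-byte name into an 8-byte buffer is refused (-1).
long DemoEscapeIntoTooSmallBuffer()
{
    char small[8];
    return EscapeSql(small, sizeof(small), "abcdefg", 7);
}

// Minimal stand-in for the relation tables: account -> companions and the inverse,
// mirroring the m_Relation / m_InverseRelation maps in messenger_manager.cpp.
class DemoMessenger
{
public:
    void AddFriend(const std::string& account, const std::string& companion)
    {
        m_Relation[account].insert(companion);
        m_InverseRelation[companion].insert(account);
    }

    // Same semantics as the IsInList() the post adds: unknown account or unknown
    // companion both mean "not in list". find() is used so no entry gets created.
    bool IsInList(const std::string& account, const std::string& companion) const
    {
        auto it = m_Relation.find(account);
        if (it == m_Relation.end() || it->second.empty())
            return false;
        return it->second.count(companion) != 0;
    }

    // Returns the DELETE statement that would be sent, or "" when the request is refused.
    // Only names that passed the membership check are ever escaped and formatted.
    std::string BuildRemoveQuery(const std::string& account, const std::string& companion) const
    {
        if (companion.empty() || !IsInList(account, companion))
            return "";
        return "DELETE FROM messenger_list WHERE account='" + EscapeSqlString(account) +
               "' AND companion = '" + EscapeSqlString(companion) + "'";
    }

private:
    std::map<std::string, std::set<std::string>> m_Relation;
    std::map<std::string, std::set<std::string>> m_InverseRelation;
};

// Constructed sample friend list used by the checks: alice knows bob and d'arcy.
std::string DemoQuery(const std::string& account, const std::string& companion)
{
    DemoMessenger m;
    m.AddFriend("alice", "bob");
    m.AddFriend("alice", "d'arcy");
    return m.BuildRemoveQuery(account, companion);
}

int main()
{
    std::printf("%s\n", DemoQuery("alice", "d'arcy").c_str());
    std::printf("refused: '%s'\n", DemoQuery("alice", "bob'").c_str());
    std::printf("too small buffer -> %ld\n", DemoEscapeIntoTooSmallBuffer());
    return 0;
}
```

The order of the two checks is the point: a name that is not on the list is dropped before any SQL is built, so the escaping only ever has to protect legitimate names that happen to contain a quote, such as d'arcy above.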

In the code above we search for:

    std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
        get_table_postfix(), __escape_name));

I think it should say to search for:

    std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
        get_table_postfix(), gcp.name));

We change it to:

    std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
        get_table_postfix(), __escape_name)); get_table_postfix(), __escape_name));

I think we should change it to:

    std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
        get_table_postfix(), __escape_name));

Result: No errors and the same as in the screenshot. Correct me if I'm wrong, please.

EDIT: And by the way, +1 and thank you.


@tierrilopes

A small question. The part you had in the tutorial ->

    std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
        get_table_postfix(), gcp.name));

which is in my comment above, is no longer in the tutorial... I'd like to know whether it is no longer necessary or whether you forgot to include it, because I was redoing it in my source and came across this, so I was left in doubt.


OK, thank you very much then.

Guest KemazI

Do I no longer need to change unique_ptr with the updated tutorial?


It depends on the source and on its compiler version.

Search inside the game/src files for unique_ptr and auto_ptr. Whichever you find is the one you use.

Guest KemazI
Please login or register to see this quote.

Mine compiled correctly; does that mean it worked?


@tierrilopes but the unique_ptr and auto_ptr were for that part that is no longer needed xD. So I think that part is surplus.

Guest KemazI

I found a bug: inviting to a guild does not work.


I was looking into this and found a tutorial on a forum called "[FIX][C++] SQL Injection in Messenger and Guild"

Hello,

today there were attacks to several servers all using the same exploits.
I will not further explain the method used to attack these servers.

To fix it go to messenger_manager.cpp:

Search for the function MessengerManager::RemoveFromList

Replace it with this:

Please login or register to see this code.

I wanted to know whether it is the same thing and whether it will work.

Source: elitepvpers

Credits: .Alpha. for the thread on the forum, and Credits go to ricky92 and WoM2

Please login or register to see this quote.

Basically it amounts to the same thing; just to say that what is in this thread is a little more complete, because it blocks the person who tried to use the exploit, but yes, the code you posted amounts to the same.

Guest Ezrekith

Instead of this:

Please login or register to see this code.

You can use this:

Please login or register to see this code.

(For those who have problem with guild name duplication.)
