Jump to content

Anti Ingame Injeção Sql


tierrilopes
 Share

Recommended Posts

Aparentemente é possível utilizar uma mensagem normal (provavelmente também as noticias que se deixam na guild) para injetar query sql. Isto pois o jogo não filtra devidamente a mensagem.

 

Para tal:

 

Ir até ao ficheiro input_main.cpp:

 

Procurar por:

 

case MESSENGER_SUBHEADER_CG_REMOVE:

{

if (uiBytes < CHARACTER_NAME_MAX_LEN)

return -1;

 

char char_name[CHARACTER_NAME_MAX_LEN + 1];

strlcpy(char_name, c_pData, sizeof(char_name));

MessengerManager::instance().RemoveFromList(ch->GetName(), char_name);

}

return CHARACTER_NAME_MAX_LEN;

Substituir por:

 

case MESSENGER_SUBHEADER_CG_REMOVE:

{

if (uiBytes < CHARACTER_NAME_MAX_LEN)

return -1;

 

char szCharacterName[CHARACTER_NAME_MAX_LEN + 1];

strlcpy(szCharacterName, c_pData, sizeof(szCharacterName));

 

LPCHARACTER tch = CHARACTER_MANAGER::Instance().FindPC(szCharacterName);

 

if (!tch)

{

char szCharacterNameEscaped[CHARACTER_NAME_MAX_LEN + 1];

DBManager::Instance().EscapeString(szCharacterNameEscaped, sizeof(szCharacterNameEscaped), szCharacterName, strlen(szCharacterName));

MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterNameEscaped);

return CHARACTER_NAME_MAX_LEN;

}

else if (tch == ch)

{

ch->ChatPacket(CHAT_TYPE_INFO, "Nao podes remover-te a ti proprio!");

return CHARACTER_NAME_MAX_LEN;

}

 

MessengerManager::Instance().RemoveFromList(ch->GetName(), szCharacterName);

}

return CHARACTER_NAME_MAX_LEN;

Adicionar no final do ficheiro messenger_manager.cpp:

 

bool MessengerManager::IsInList(MessengerManager::keyA account, MessengerManager::keyA companion)

{

if (m_Relation.find(account) == m_Relation.end())

return false;

 

if (m_Relation[account].empty())

return false;

 

return m_Relation[account].find(companion) != m_Relation[account].end();

}

Ainda em messenger_manager.cpp:

Procurar por:

 

void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)

Substituir a função inteira por esta:

 

void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)

{

if (companion.empty())

return;

 

// Second fix

if (m_Relation[account].find(companion) == m_Relation[account].end() || m_InverseRelation[companion].find(account) == m_InverseRelation[companion].end())

{

LPCHARACTER ch = CHARACTER_MANAGER::Instance().FindPC(account.c_str());

if (ch)

{

sys_err("MessengerManager::RemoveFromList: %s tentou usar injecao sql", ch->GetName());

DBManager::Instance().DirectQuery("UPDATE account.account SET status = 'BLOCK' WHERE id = %u", ch->GetAID());

if (ch->GetDesc())

ch->GetDesc()->DelayedDisconnect(3);

}

else

sys_err("MessengerManager::RemoveFromList: Protegido de sql injection!");

return;

}

 

sys_log(1, "MessengerManager::RemoveFromList: Remove %s %s", account.c_str(), companion.c_str());

DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'", get_table_postfix(), account.c_str(), companion.c_str());

__RemoveFromList(account, companion);

TPacketGGMessenger p2ppck;

p2ppck.bHeader = HEADER_GG_MESSENGER_REMOVE;

strlcpy(p2ppck.szAccount, account.c_str(), sizeof(p2ppck.szAccount));

strlcpy(p2ppck.szCompanion, companion.c_str(), sizeof(p2ppck.szCompanion));;

P2P_MANAGER::instance().Send(&p2ppck, sizeof(TPacketGGMessenger));

}

 

 

 

Na mesma função, procurar por:

 

if (companion.empty())

return;

Adicionar isto debaixo:

 

if (!IsInList(account, companion))

return;

Ficando assim:

 

 

Clipboardimage2015-12-15161233.png

 

 

 

 

separador.png

Ir até ao ficheiro messeger_manager.h:

Procurar por:

 

void Logout(keyA account);

Adicionar debaixo:

 

bool IsInList(MessengerManager::keyA account, MessengerManager::keyA companion);

separador.png

Nota: Caso não utilizem a source aqui colocada no fórum, devem seguir o tutorial substituindo todas as referências a:

unique_ptr

por estas:

auto_ptr

 

 

 

libsql/Asyncsql.cpp

 

Procurar por:

 

if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, CLIENT_MULTI_STATEMENTS))

Substituir por.

 

if (!mysql_real_connect(&m_hDB, m_stHost.c_str(), m_stUser.c_str(), m_stPassword.c_str(), m_stDB.c_str(), m_iPort, NULL, NULL))

 

 

 

game/src/input_main.cpp

Procurar por:

 

if (!ch->IsPC())

 

Substituir por:

 

if (!newmember->IsPC())

{

return SubPacketLen;

}

 

© Martysama

© Ken

Link to comment
Share on other sites

No código anterior procuramos por:

 

std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",

get_table_postfix(), __escape_name));

 

Eu acho que devia de se procurar por:

 

std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",

get_table_postfix(), gcp.name));

 

Modificamos para:

 

std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",

get_table_postfix(), __escape_name)); get_table_postfix(), __escape_name));

 

Eu acho que devíamos modificar para:

 

std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",

get_table_postfix(), __escape_name));

 

Resultado: Sem erros e igual a print. Corrige-me se tiver errado sff.

 

 

EDIT: E já agora +1 e obrigado ;)

Link to comment
Share on other sites

  • 4 months later...

@tierrilopes

 

Um pequena questão. A parte que tinhas no tutorial ->

 

std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",

get_table_postfix(), gcp.name));

 

Que está no meu comentário em cima. Não está mais no tutorial... Gostava de saber se já não é necessária ou esqueceste de meter ela, pois tava aqui a refazer na source e deparei me com isso fiquei então na duvida.

Link to comment
Share on other sites

  • 3 weeks later...
Guest KemazI

 

Depende da source e versão de compilador da mesma.

 

Procura dentro dos ficheiros game/src por unique_ptr e auto_ptr. Os que encontrares é os que colocas.

 

A minha compilou correctamente, quer dizer que funcionou certo?

Link to comment
Share on other sites

  • 1 year later...

Estava a procurar sobre isso e achei em um fórum um tutorial sobre "[FIX][C++] SQL Injection in Messenger and Guild"

Hello,


today there were attacks to several servers all using the same exploits.
I will not further explain the method used to attack these servers.


To fix it go to messenger_manager.cpp:


Search for the function MessengerManager::RemoveFromList

Replace it with this:

 

void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)
{
    if (companion.empty())
        return;

    char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
    DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length());


    DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'",
                                get_table_postfix(), account.c_str(), companionEscaped);


    __RemoveFromList(account, companion);

    sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str());

    TPacketGGMessenger pack;
    pack.bHeader = HEADER_GG_MESSENGER_REMOVE;
    strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount));
    strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion));
    P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger));
}

queria saber se é a mesma coisa e se vai funcionar

Fonte: elitepvpers

Créditos: .Alpha. pelo tópico no fórum e Credits go to ricky92 and WoM2

Link to comment
Share on other sites

15 horas atrás, Luffy disse:

Estava a procurar sobre isso e achei em um fórum um tutorial sobre "[FIX][C++] SQL Injection in Messenger and Guild"

Hello,


today there were attacks to several servers all using the same exploits.
I will not further explain the method used to attack these servers.


To fix it go to messenger_manager.cpp:


Search for the function MessengerManager::RemoveFromList

Replace it with this:

 

void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)
{
    if (companion.empty())
        return;

    char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
    DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length());


    DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'",
                                get_table_postfix(), account.c_str(), companionEscaped);


    __RemoveFromList(account, companion);

    sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str());

    TPacketGGMessenger pack;
    pack.bHeader = HEADER_GG_MESSENGER_REMOVE;
    strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount));
    strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion));
    P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger));
}

queria saber se é a mesma coisa e se vai funcionar

Fonte: elitepvpers

Créditos: .Alpha. pelo tópico no fórum e Credits go to ricky92 and WoM2

Basicamente vai dar no mesmo, só por dizer que o que está neste tópico está um pouco mais completo porque da block a pessoa que tentou usar o exploit, mas sim o codigo que postas-te vai dar ao mesmo

Link to comment
Share on other sites

  • 4 months later...
Guest Ezrekith

Instead of this:

if (!newmember->IsPC())
{
	return SubPacketLen;
}

You can use this:

if (!ch->IsPC() || !newmember->IsPC())
	return SubPacketLen;

(For those who have problem with guild name duplication.)

Link to comment
Share on other sites

  • 2 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...