  • phantomrogue
    Author
  • SQL
    Development tool
  • 3KB
    File size
  • rar
    File format
  • 0
    Favourites
  • 10 points
    Download cost
  • 6
    Downloads
  • 2019-07-25 16:52
    Upload date
SQL injection for rf online 2.2.3.2
sql inject rf online 2232.rar
  • sql inject rf online 2232.txt
    7.3KB
Description
The RFO server generates and sends approximately the following SQL query:

Quote:
UPDATE tbl_AccountTrunk SET password = 'pass' WHERE Serial = 666

(The cell name with the password I wrote randomly, because I do not remember the real ones, and it doesn't matter.) Pay attention to the quotes that enclose all the data. So, when another extra quote appears, the MSSQL server considers that it closes or opens a string (depending on whether one was opened). And since the closing one is already there, it is considered redundant and the SQL server returns an error, to which the RFO server in turn responds with a fall (which is strange, by the way; I came to the conclusion that there is also a SQL parser of its own in the RFO server). And the trick is that we can, using a quotation mark, close the string and inject our own data into the SQL query! This will do just incredible things. For example, in the case of a password change, it will look like this:

Quote:
UPDATE tbl_AccountTrunk SET password = 'pass'' my_sql_query --WHERE Serial = 666

But the problem is that the password is too short to put at least something rational in the SQL query. And this is where another SQL injection bug surfaced, which only we and the administration of some RFO servers knew about. Do you know macros? :) Have you noticed that chat macros are restored when you log in? This means that they are stored in the MSSQL database and, therefore, can theoretically be exposed to SQL injection. But the problem is that no one guessed, and whoever guessed simply could not check it, because you cannot enter a quotation mark in the macro input field.

But packets can :) The following packet successfully led to a fall:

Quote:
0x00 | BE 03 0D 24 FF FF FF FF FF FF FF FF FF FF FF FF
0x10 | 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF
0x20 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x30 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x40 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x80 | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x90 | FF FF FF FF 60 00 00 00 00 00 00 00 00 00 00 00
0xa0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xb0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xc0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xd0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...... and so on, zero bytes to the end of the packet.

Red just highlights the quotes. The block of saved macros (messages) begins with it. Before it are the coordinates of the windows and panels which the user had open until the last logout. 0xFFFFFFFF means that the window is closed. Otherwise, the X and Y coordinates of the window location. But the fall was not interesting at all, because RFO is full of DoS bugs anyway. The ability to access the MSSQL database of all RFO servers in the world is what is interesting. It was possible to enter a sufficiently large amount of data into the macro (somewhere around 300 bytes after the quotation mark), which was enough to put 4 (!!!) things in the inventory at once. This is based on the fact that the table with the inventory in the MSSQL RFO database is called "tbl_inven", and the cells: KX is the thing ID (GID and group), where X is the slot number in the inventory; UX is the sharpening of the thing in slot X. The following SQL query was made:

Quote:
UPDATE tbl_inven SET K1 = 43582208, K2 = 43582208 WHERE Serial = 666 -

Pay attention to the tip of the query. All data that goes in the request after the dash is perceived by the server as a comment; otherwise our request will not be processed. It could be placed immediately after the quotation marks in the packet described above and, after receiving it, the server crashed. After the restart, in the inventory of the character with ID 666, in the corresponding cells (1 and 2), the things from the SQL query appeared :) In the same way, it was possible to sharpen:

Quote:
UPDATE tbl_inven SET U0 = 1879048192 WHERE Serial = 666

This request sharpened the thing from the zero slot by +7 (and regardless of what lies there :)). And this request:

Quote:
UPDATE tbl_inven SET K1 = 43582208, U1 = 1879048192, K2 = 43582208, U2 = 1879048192 WHERE Serial = 666--

draws two guns in the first and second slots and sharpens them by +7. Request:

Quote:
UPDATE tbl_AccountTrunk SET Gold 1 = 9999999 WHERE Serial = 666

I registered 9999999 gold in the bank of the character of the race Cora. The red byte is responsible for the race. And this is for fun:

Quote:
UPDATE tbl_general SET Map = 0, HP = 110000 WHERE Serial = 666

This request prescribed 110k HP for the character with ID 666 and teleports him to GSH squirrels =) Of course, no matter what race the character actually is. Prescribing a level was achieved (in the Persian selection menu he was visible), but the characters got stuck. Apparently there are some links with the exp and you need to change several values in the database at once. But I did not investigate it, because it was possible to level the character through the stored procedure in the MSSQL database, which, in fact, is called when the character is leveled legally. The only disappointment was that we never managed to get the server to stay up and not fall during the SQL injection.

My subjective opinion is that this "backdoor" was intentionally left by the Koreans, so that such bugs could not be used "without a trace". FreeShard players will surely remember the message: "It is impossible to get information about the character." So this was the result of the database falling from SQL injection :) One thing in this bug is not clear. According to the principles of processing SQL queries, after the quotation marks there should be a symbol for the end of the query - a semicolon. But in RFO, with it our request did not pass... And without it, surprisingly, everything is OK. I personally have never met such an injection. Apparently some kind of parser really is built into RFO which, if it sees several requests in one, breaks them into several parts. This is the only explanation for the fact that such a strange injection took place and that the server fell from it. I deliberately did not describe what the numbers in the SQL queries for getting the necessary thing mean, because such bugs are still there and will keep floating up. This post does not have the purpose of teaching noobs and cheaters to use SQL injections, but simply to show that it is possible to create in RFO :) I also want to say that, due to the fact that the information was available to only a few people from the Runet, the bug was fixed only on two servers (planetwars and rfonline.ru) 5 months after its discovery, and on all others only after switching to update5. Draw your conclusions, those noobs who love to run around with Pi class weapons :) This is how it is. Three screenshots with bijos that were drawn in this way are attached to the topic. The last screenshot is of PlanetWars before the wipe. In the first two I don't remember which servers... I'll keep silent about the offs :)

P.S. In principle, everything is described very simply, but in fact it took weeks to study the bug and implement it. It's not worth thinking that it was easy for us.
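The pattern the post describes (client-supplied text spliced into an UPDATE between single quotes, a stray quote breaking the statement, and a trailing comment marker swallowing the WHERE clause) is easy to reproduce and to fix in a sandbox. The block below is an added example, not code from the original post or from the game server; it uses Python's sqlite3 in place of MSSQL, and the tbl_macro table with its Macro1 column is constructed for the demo (only the table names tbl_AccountTrunk and tbl_inven and the Serial column come from the post). It shows the concatenated form failing on a plain quote and over-reaching on a quote plus comment, beside the parameterised form that stores the same text literally for one row only.

```python
import sqlite3

# Added example, not the post's or the game's code. Table/column names are
# constructed; sqlite3 stands in for the MSSQL server described in the post.


def make_db():
    """Constructed in-memory stand-in for the account database, with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_macro (Serial INTEGER PRIMARY KEY, Macro1 TEXT)")
    con.executemany("INSERT INTO tbl_macro VALUES (?, ?)", [(666, ""), (667, "")])
    con.commit()
    return con


def save_macro_unsafe(con, serial, macro):
    """String concatenation, the pattern the post infers the server used.

    The macro text lands inside the quotes of the statement, so any quote in
    the text is interpreted as SQL. Returns the number of rows changed.
    """
    sql = f"UPDATE tbl_macro SET Macro1 = '{macro}' WHERE Serial = {int(serial)}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def save_macro_safe(con, serial, macro):
    """Parameterised statement: the driver passes the text as data, never as SQL."""
    cur = con.execute(
        "UPDATE tbl_macro SET Macro1 = ? WHERE Serial = ?", (macro, int(serial))
    )
    con.commit()
    return cur.rowcount


def read_macros(con):
    """Serial -> stored macro text, for checking what each variant actually wrote."""
    return dict(con.execute("SELECT Serial, Macro1 FROM tbl_macro ORDER BY Serial"))


def demo():
    """Run the three cases and return their outcomes as a dict."""
    results = {}
    con = make_db()

    # 1. A stray quote makes the concatenated statement unparsable: the database
    #    returns an error, which is the "fall" the post describes.
    try:
        save_macro_unsafe(con, 666, "hello' world")
        results["stray_quote"] = "accepted"
    except sqlite3.OperationalError:
        results["stray_quote"] = "syntax error"

    # 2. A closing quote followed by a comment marker turns the rest of the
    #    statement (including WHERE Serial = 666) into a comment, so the UPDATE
    #    silently rewrites every account, not just the caller's.
    results["comment_rows"] = save_macro_unsafe(con, 666, "x' --")

    # 3. The parameterised version stores the very same text literally and
    #    touches exactly one row; the second account is untouched.
    con = make_db()
    results["safe_rows"] = save_macro_safe(con, 666, "x' --")
    stored = read_macros(con)
    results["safe_stored"] = stored[666]
    results["other_untouched"] = stored[667]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The defensive point the post illustrates is that filtering the quote character in the client's input field protects nothing, because the packet can carry whatever bytes the client refused to type; the server-side statement has to be parameterised (or the value otherwise passed as data) for the stored text to be harmless.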