
Massive Bug

Posted: Tue Jan 25, 2005 1:49 pm
by Cloud234
Hey guys I run a text-based online game; recently someone has been able to gain access to the 2 Admin accounts and all moderator accounts. Now we know he doesn’t have access to the Database because he could do a lot more damage than he has done.


Can anyone give me some pointers where I should be looking for this Bug; we have no idea how he can get into the accounts. We have changed the passwords for the accounts 5 times and he can still get in.

If anyone has any pointers I would be more than grateful. :cry:

Posted: Tue Jan 25, 2005 1:53 pm
by JAM
There are various ways. You should however state what PHP version...

Code:

<?php echo phpversion(); ?>

...is in use and what script(s) you use.
If the script itself is homemade, someone likely needs to take a look at it before making suggestions.

Posted: Tue Jan 25, 2005 10:23 pm
by shiznatix
even if u downloaded the game/script u should still post it, im sure someone can show u a flaw, maybe they be using sql injection to gain access, post some code or a link and we will help

Posted: Tue Jan 25, 2005 10:38 pm
by hunterhp
Man, what's sql injection? I always hear that, but I never know what they mean? How do you do sql injection?

It's not that I want to do it, it's just that to protect my own scripts, I want to know if it could be done to mine.

Posted: Tue Jan 25, 2005 10:49 pm
by shiznatix
well the simplest sql injection is this (good luck using this on most sites guys if u think ur gonna be a hacker now :roll: )

'hi OR 1=1--

this confuses the sql database since u usually query ur db with

Code:

// vulnerable on purpose: user input is placed straight into the SQL string
$query = mysql_query("SELECT * FROM adminzzz WHERE username='$username' AND password='$password'", $do_connect_stuff);
$rowzzzz = mysql_num_rows($query);
if ($rowzzzz == 1) {
    // log the admin in
} else {
    die('u suck at life');
}

but if u use that injection for the username and password then you confuse the database because u use an OR statement in the query, and its like well the password is either equal to what u put in as a password OR (like else) 1=1, well 1=1 is the num_rows crap and 1 is equal to the 1 it must be equal to am i rite? bam admin access. there are many ways around this simple injection but its a brief example. google it for full explanation.
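
The difference between the concatenated query in the post above and a bound-parameter query, as an added example (not code from this thread). It assumes PHP 7.1+ with the pdo_sqlite extension; the `admins` table, its columns, the sample account and the function names `login_concat` and `login_prepared` are constructed for illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// "password" mirrors the plaintext column in the post; "pass_hash" is what the
// hardened login reads. A real table would keep only the hash.
$db->exec('CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO admins VALUES (?, ?, ?)');
$ins->execute(['root', 'correct horse', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Before: input is pasted into the SQL text, so a quote in it rewrites the query.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM admins WHERE username='$user' AND password='$pass'";
    return (int) $db->query($sql)->fetchColumn() === 1;
}

// After: the username is bound to a placeholder and is never parsed as SQL;
// the password is verified against the stored hash outside the query.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed test inputs: valid login, wrong password, and the OR 1=1 form
// discussed in the post.
$cases = [
    ['root', 'correct horse'],
    ['root', 'wrong'],
    ["hi' OR 1=1--", 'anything'],
];
foreach ($cases as [$u, $p]) {
    printf("%-14s concat=%-5s prepared=%s\n", $u,
        var_export(login_concat($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

Only the third row differs between the two columns: the concatenated query accepts it, the prepared one looks for a user literally named `hi' OR 1=1--` and finds none.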

Posted: Tue Jan 25, 2005 11:28 pm
by hunterhp
Thanks. I googled it and found a very informative website. I tried injecting my shoutbox, but it didn't seem to get.. injected... :twisted:

Posted: Wed Jan 26, 2005 6:43 am
by John Cartwright
its most likely a login form, not a shoutbox :twisted:,

show us your login form and processing script.

Posted: Wed Jan 26, 2005 8:19 pm
by shiznatix
ya injecting into a shout box that doesn't require authentication (ie logging in to type stuff) then ur more looking at XSS (really css but not the style sheets thing) please try posting some code so we can check for flaws ourselves

Posted: Wed Jan 26, 2005 8:41 pm
by hunterhp
My login is at http://www.hypekillers.com/projects/login.php

I give you permission to sql inject it if you can :)

If you're successful, then I'll have to change it :(

Posted: Wed Jan 26, 2005 9:10 pm
by shiznatix
u cant, no matter what it says invalid username and password (unless ur register page is messed up but when i register then try to login it wont let me ) so either A) ur script is broke OR B) uv made it so it will never work

do somtin about it then repost, im not going to hack a broken script because that is impossible

Posted: Wed Jan 26, 2005 9:55 pm
by hunterhp
I don't get it, I can login...