Jump to content
MaxCheaters Official Group at Discord
--> Place your ad text here <--

SQL Injection

Lomkevicius
 Share

Recommended Posts

Nightw0lf Experienced

Nightw0lf

Posted
Posted

you will probably get blocked before you end up with results, and even so you have to be more specific on your request

Link to comment
Share on other sites
HugoBoss Newbie

HugoBoss

Posted
Posted
11 hours ago, Lomkevicius said:

Hello All,

 

Does anyone has any SQL Injection for interlude ?

 

If you mean sqli for the game itself, like doing something specific and triggering the exploit that might be pretty hard to find.

 

if you mean sqli for the site of a X private server, like doing something specific on that site and triggering the exploit that should be easier to find but it's per case. Since you are practically attacking the site itself and it's logic then what you find on one site most probably will not work on another. Except if these sites have both been created by the same dev team.

 

In both cases what you would be looking to find is an input that you can manipulate. 

And you would start with something simple like a field taking alphanumeric characters. So if we searched for sqli on the game itself then;

The first thing that comes to mind is the username of your character. But this field has input validation so it doesn't allow special characters. 

Then there is the characters title which i thing accepts special characters?

But even if it did, then very important is how the server executes the query.

Does it take the input blindly and placing it in the middle of the query or does it do some parsing first before executing it?

 

If you had access to the code maybe you could spot more easily if there is a possibility of an sql injection happening or not, because in the end they might have coded it that way so all queries are parsed before execution.

 

I think it would be cool if there was an sql injection present in this game, even after all this time (talking about older chronicles).

 

Link to comment
Share on other sites
Nightw0lf Experienced

Nightw0lf

Posted
Posted

did you try havij?

1 hour ago, HugoBoss said:

 

If you mean sqli for the game itself, like doing something specific and triggering the exploit that might be pretty hard to find.

 

if you mean sqli for the site of a X private server, like doing something specific on that site and triggering the exploit that should be easier to find but it's per case. Since you are practically attacking the site itself and it's logic then what you find on one site most probably will not work on another. Except if these sites have both been created by the same dev team.

 

In both cases what you would be looking to find is an input that you can manipulate. 

And you would start with something simple like a field taking alphanumeric characters. So if we searched for sqli on the game itself then;

The first thing that comes to mind is the username of your character. But this field has input validation so it doesn't allow special characters. 

Then there is the characters title which i thing accepts special characters?

But even if it did, then very important is how the server executes the query.

Does it take the input blindly and placing it in the middle of the query or does it do some parsing first before executing it?

 

If you had access to the code maybe you could spot more easily if there is a possibility of an sql injection happening or not, because in the end they might have coded it that way so all queries are parsed before execution.

 

I think it would be cool if there was an sql injection present in this game, even after all this time (talking about older chronicles).

 

 

Link to comment
Share on other sites
Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted (edited)

Thanks for your answer, just to let you know that I was playing in the server (interlude) and now that server is closed, because someone messed up server database and server settings through the NPC.

 

Admin told me that one guy injected something through the NPC and even server chat colors were blinking and different colour. All NPC showing errors, ALT+B not working, server is offline and they trying to rollback everything

 

So just wanted to ask if this is very hard to do it, or you just need special software and skills

 

He was using fake IP , so he got a ban, but server is messed up

 

Admin using l2jorion server packs

Edited by Lomkevicius
Link to comment
Share on other sites
wongerlt Collaborator

wongerlt

Posted
Posted
59 minutes ago, Lomkevicius said:

Thanks for your answer, just to let you know that I was playing in the server (interlude) and now that server is closed, because someone messed up server database and server settings through the NPC.

 

Admin told me that one guy injected something through the NPC and even server chat colors were blinking and different colour. All NPC showing errors, ALT+B not working, server is offline and they trying to rollback everything

 

So just wanted to ask if this is very hard to do it, or you just need special software and skills

 

He was using fake IP , so he got a ban, but server is messed up

 

Admin using l2jorion server packs

Or just pretext to make wipe :D

Link to comment
Share on other sites
Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted

they don't want to do Wipe, they still trying to fix it , otherwise they would say straight away and we could play right now, but just wanted to ask if this is really complicated to damage server like that ?

Link to comment
Share on other sites
AlmostGood Enthusiast

AlmostGood

Posted
Posted

L2jorion is trash based on frozen, no bigger core reworks/fixes just tons of customs added LUL

Do you have any screen from ingame errors? it could be possible to backtrack that exploit

Link to comment
Share on other sites
Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted (edited)

basically when i clicked on any NPC in the town was something like missing HTML , path and then number like 3030.HTML missing

 

I don't have any screenshots but every npc with HTML error

Edited by Lomkevicius
Link to comment
Share on other sites
HugoBoss Newbie

HugoBoss

Posted
Posted
11 hours ago, Lomkevicius said:

basically when i clicked on any NPC in the town was something like missing HTML , path and then number like 3030.HTML missing

 

I don't have any screenshots but every npc with HTML error

 

HTML missing could be just that, html files missing. If there is a db thing, then taking regular backups should at least provide them a point in time that they could restore it. Worse case should be 1 day back or even 1 hour back. Depending on how often they took backups. If it's a files missing issue / corruption, then DB backup will not do anything. They would need to have the server files backed up somewhere. Server files don't change that often except if you do manual changes to the server code. 

I understand it's a java server so even though i haven't used l2j (yet) i guess you could store all of the code somewhere in the cloud like for example, github. Then this is also your backup for the code.

 

In any case, im sorry this happened to your server and i hope they get this sorted.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing


  • Posts

    • MarGaZeaS
      smurf accounts eune + other servers

      By MarGaZeaS · Posted

      up
    • L2LIVEpro
      Are Lineage 2 Players waiting for the next server listing?

      By L2LIVEpro · Posted

      From my personal experiences 🙂   Few months ago I decided to create my own Essence project. Project needs website, and I do not specialize in frontend development (t.y. i can make web work, but it won't be pretty for eye). So I search and find a guy in Discord, which claims he can make me a good looking HTML website for 30 EUR, prove some screenshots from his previous work. I agree. 1 week later, I get my HTML website, make few changes to contents, update URLs and upload it to FTP. Site looks good, I am happy that this headache is no more.   Few months passes. I randomly crawl through other Essence server websites scouting for good ideas for my own project. Suddenly one of russians project website opens and.. it's the same website as one I have 😉 perfectly absolutely same layout, colours, etc etc etc. I contact my guy to ask what the hell, to get blocked 😉  So I find a weekend worth of my time. Find HTML5 boilerplate generator and ask it to include Bootstrap 5 and some other stuff. Open Bootstrap documentation, drink two energy drinks on instant and start working my backend-inspired HTML black magic... Once I found suiting firefly effect for header, result looked oikay for me: Absolutely no magic or beauty here, but: * Unique (and probably nobody cares to rip it) * Done for free in ~10 hours by non-frontend dev * Most modern browsers friendly * Completely static content, loads instantly. No PHP at all * Sidebar statuses (online, pvp, pk) are pulled from account manager REST API endpoint and is cached for 5 minutes. Account manager runs separately from website frontend and has access to server DB. Where could/will it get better? * Code in Vue instead of HTML - time concerns only, but Vue is superior compared to HTML/PHP for supporting desktop/mobile, easing development by miles. Need to learn how to use it properly. * Way to manage content from backend - in my instance I think account manager is not really meant for that. Vue can help here too - there are components for content building. * Currently default Bootstrap components are used. Would be nice to have custom and more vibrant buttons. Guess what, Vue can help here too.   tl;dr don't buy 30EUR website, it will be ripped or shit. you better make your own website. Be curious. I am backend developer, I obviously have general idea how frontend works. But imho everyone who can make L2 server by editing NPC HTMLs, also can make their own simple website. ChatGPT and other AIs are your friends. Bootstrap. jQuery documentations are your friends. And when you feel good and comfortable with HTML, if you like, you can continue learning Vue, or going backend. Now, as for the top sites. You really need to invest money to make new project work. I mean really, really much money. For this concept to work, top website itself must get visited. But if you can sort that your top site would be popular amongst players, then it's a really very simple concept, as far as current 2004-ish sites goes. I think simple, working concept of this, maybe without proper frontend, but with implemented backend logics (add/edit/disable server, sort by votes count (top list), vote for server with verification, callback to server endpoint - all of that can be done using Symfony in mostly 5 days, with lots of breaks for coffee and a smoke 😉. Experienced mid frontend dev would make a Vue/React frontend for it in another 5 days. it's really really simple concept 🙂  
    • zenenxd
      Design Giran - html - psd

      By zenenxd · Posted

      Thanks for share.
    • UTCHIHAmkt
      ✨FULL VERIFIED AGED DISCORD ACCOUNTS 2015–2024 Start at 0.4$

      By UTCHIHAmkt · Posted

      Need cheap aged discord accounts ? :  https://campsite.bio/utchihaamkt DISCORD USERNAME : utchiha_market TELEGRAM : https://t.me/utchiha_market Discover new products in our exclusive server today : https://discord.gg/hoodservices
    • Bullseye33
      Save ACC on login

      By Bullseye33 · Posted

      i've copyed the files from a server that has it , like all except system folder to another that didn't had the feature and it worked but i can't find any file to resemble save acc or something

  • Topics

×
×
  • Create New...