Jump to content
The Best Lineage 2 Mods – Free & Custom
Get Free Banners - Giveaway MaxCheaters.com
We're Rebuilding – Join Our Staff Team

SQL Injection

Lomkevicius
 Share

Recommended Posts

HugoBoss Newbie

HugoBoss

Posted
Posted
11 hours ago, Lomkevicius said:

Hello All,

 

Does anyone has any SQL Injection for interlude ?

 

If you mean sqli for the game itself, like doing something specific and triggering the exploit that might be pretty hard to find.

 

if you mean sqli for the site of a X private server, like doing something specific on that site and triggering the exploit that should be easier to find but it's per case. Since you are practically attacking the site itself and it's logic then what you find on one site most probably will not work on another. Except if these sites have both been created by the same dev team.

 

In both cases what you would be looking to find is an input that you can manipulate. 

And you would start with something simple like a field taking alphanumeric characters. So if we searched for sqli on the game itself then;

The first thing that comes to mind is the username of your character. But this field has input validation so it doesn't allow special characters. 

Then there is the characters title which i thing accepts special characters?

But even if it did, then very important is how the server executes the query.

Does it take the input blindly and placing it in the middle of the query or does it do some parsing first before executing it?

 

If you had access to the code maybe you could spot more easily if there is a possibility of an sql injection happening or not, because in the end they might have coded it that way so all queries are parsed before execution.

 

I think it would be cool if there was an sql injection present in this game, even after all this time (talking about older chronicles).

 

Nightw0lf Mentor

Nightw0lf

Posted
Posted

did you try havij?

1 hour ago, HugoBoss said:

 

If you mean sqli for the game itself, like doing something specific and triggering the exploit that might be pretty hard to find.

 

if you mean sqli for the site of a X private server, like doing something specific on that site and triggering the exploit that should be easier to find but it's per case. Since you are practically attacking the site itself and it's logic then what you find on one site most probably will not work on another. Except if these sites have both been created by the same dev team.

 

In both cases what you would be looking to find is an input that you can manipulate. 

And you would start with something simple like a field taking alphanumeric characters. So if we searched for sqli on the game itself then;

The first thing that comes to mind is the username of your character. But this field has input validation so it doesn't allow special characters. 

Then there is the characters title which i thing accepts special characters?

But even if it did, then very important is how the server executes the query.

Does it take the input blindly and placing it in the middle of the query or does it do some parsing first before executing it?

 

If you had access to the code maybe you could spot more easily if there is a possibility of an sql injection happening or not, because in the end they might have coded it that way so all queries are parsed before execution.

 

I think it would be cool if there was an sql injection present in this game, even after all this time (talking about older chronicles).

 

 

HugoBoss Newbie

HugoBoss

Posted
Posted
8 hours ago, Nightw0lf said:

did you try havij?

 

 

No i haven't. Have you tried it? Did you get any interesting results for lineage2?

 

Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted (edited)

Thanks for your answer, just to let you know that I was playing in the server (interlude) and now that server is closed, because someone messed up server database and server settings through the NPC.

 

Admin told me that one guy injected something through the NPC and even server chat colors were blinking and different colour. All NPC showing errors, ALT+B not working, server is offline and they trying to rollback everything

 

So just wanted to ask if this is very hard to do it, or you just need special software and skills

 

He was using fake IP , so he got a ban, but server is messed up

 

Admin using l2jorion server packs

Edited by Lomkevicius
wongerlt Collaborator

wongerlt

Posted
Posted
59 minutes ago, Lomkevicius said:

Thanks for your answer, just to let you know that I was playing in the server (interlude) and now that server is closed, because someone messed up server database and server settings through the NPC.

 

Admin told me that one guy injected something through the NPC and even server chat colors were blinking and different colour. All NPC showing errors, ALT+B not working, server is offline and they trying to rollback everything

 

So just wanted to ask if this is very hard to do it, or you just need special software and skills

 

He was using fake IP , so he got a ban, but server is messed up

 

Admin using l2jorion server packs

Or just pretext to make wipe :D

Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted

they don't want to do Wipe, they still trying to fix it , otherwise they would say straight away and we could play right now, but just wanted to ask if this is really complicated to damage server like that ?

AlmostGood Enthusiast

AlmostGood

Posted
Posted

L2jorion is trash based on frozen, no bigger core reworks/fixes just tons of customs added LUL

Do you have any screen from ingame errors? it could be possible to backtrack that exploit

Lomkevicius Newbie

Lomkevicius

Posted
  • Author
Posted (edited)

basically when i clicked on any NPC in the town was something like missing HTML , path and then number like 3030.HTML missing

 

I don't have any screenshots but every npc with HTML error

Edited by Lomkevicius
HugoBoss Newbie

HugoBoss

Posted
Posted
11 hours ago, Lomkevicius said:

basically when i clicked on any NPC in the town was something like missing HTML , path and then number like 3030.HTML missing

 

I don't have any screenshots but every npc with HTML error

 

HTML missing could be just that, html files missing. If there is a db thing, then taking regular backups should at least provide them a point in time that they could restore it. Worse case should be 1 day back or even 1 hour back. Depending on how often they took backups. If it's a files missing issue / corruption, then DB backup will not do anything. They would need to have the server files backed up somewhere. Server files don't change that often except if you do manual changes to the server code. 

I understand it's a java server so even though i haven't used l2j (yet) i guess you could store all of the code somewhere in the cloud like for example, github. Then this is also your backup for the code.

 

In any case, im sorry this happened to your server and i hope they get this sorted.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • Posts

    • MarGaZeaS
      L2j Orion help for epic raids stats

      By MarGaZeaS · Posted

      if is pvp server change type to raidboss 🙂 and check stats from xml
    • ak4n1
      L2smr Java 17 Upgrade with Search and Flexible Windows

      By ak4n1 · Posted

      Hello community, I’d like to share an improved version of the L2smr editor for StaticMeshes, focused on solving some workflow issues I found in the original tool. CreditsThis project is based on the original acmi/L2smr repository https://github.com/acmi/L2smr , created by acmi, and I updated it to Java 17 with some additional features. Issues in the original L2smr Too many windows: each StaticMesh opened in a new one → cluttered desktop. No search: navigating through hundreds of StaticMeshActors was slow and tedious. Added improvements Flexible views Single Window Mode: reuse one window instead of opening new ones. Multiple Window Mode: still available for those who prefer having several views open simultaneously. Real-time Search Field Instant filtering as you type. Case-insensitive search. “Reset” button to quickly clear the search.     Installation and Execution: Clone the repository: git clone https://github.com/Jeep12/l2smr.git cd l2smr        2.Build the project:   ./gradlew build        3. Run the application:     ./run.bat      Or simply double-click on run.bat.     The run.bat script automatically extracts JavaFX from the included javafx-17.0.2.zip file in the javafx/ directory, sets up the required libraries, and launches the application. You don’t    need to install JavaFX separately.      Repository: https://github.com/Jeep12/l2smr     Maybe these features already existed in another version or fork, and they might not be very big changes, but since I didn’t know about them and found them necessary, I decided to          implement them myself and wanted to share them.      
    • sandeagle
      Need L2FileEditor for Grand Crusade

      By sandeagle · Posted

      no....Mobius L2Clientdat and L2FileEditor can do that...but still cant works with TaiWanese Grand Crusade ,especially Armorgrp.dat and Armorgrp-Classic.dat
    • ZOUMHS
      (L2OFF) L2GOLD - Halcyon x45 | Classic Interlude

      By ZOUMHS · Posted

      L2GOLD - Halcyon x45 Project Classic Interlude   C6 - Classic Interlude: Protocol 110     Is a complete copy of L2Gold in Classic [110 Protocol] with L2OFF files.   Fully L2Gold Features - Daily Quest - Daily Mining Quest - Ancient Weapons -Refine System  -Rebirth System -Fully configurable everything you want -Gold stats/Gold skills/Gold items working 100% -Zones 100% alike  -Unique donations system (npc or voicedcommand .donate) - On Enchant success announcement ( if +16 for weapon, 8 for armor , 7 for jewel) - Announce of Castle Lord - Announce of Hero  - Olympiad Max A grade - Olympiad Buffs on matches changed to Gold Alike - Working fully Dreadbane   - AI Mods: Static Time for RB   Automated Events: Squash Watermelon RB Event High rate  (those are fully automated)   Server is running a Test Server: Online to anyone can test it.   Game Client: https://www.mediafire.com/file/1d8xe18rvgi04lx/L2_Classic_Interlude_Client_V2.rar/file   Game Patch: https://www.mediafire.com/file/3z4b8ezy93h2z1g/L2Halcyon+Gold+Patch.rar/file   GM Accounts: ID: root pass root [ accounts go from  root1 until root20 ]   Regular Accounts Registrations: http://84.247.164.27/?page=register   Some Screenshots: https://imgur.com/a/o7TxzTN   Contact me here via PM (only serious buyers).    Price of the product: Fully Server Pack + Source ( 250 Euros )
    • VibeSms
      Vibe-sms.net – sms activations. Over 60 countries

      By VibeSms · Posted

      ✨ A Service with Vibes  Vibe SMS ✨   Vibe SMS is not just a platform for working with numbers. We’ve built it to be simple, convenient, and stress-free, so your tasks get done without hassle. We value real communication: we listen to your ideas, provide support, and make sure everyone feels calm and confident. With us, you’re not just a client  you’re part of a space built on trust, support, and a human touch. Vibe SMS is a place where people matter and where we create an atmosphere you’ll want to stay in.   Website link — https://vibe-sms.net/ Our Telegram channel — https://t.me/vibe_sms

  • Topics

×
×
  • Create New...

AdBlock Extension Detected!

Our website is made possible by displaying online advertisements to our members.

Please disable AdBlock browser extension first, to be able to use our community.

I've Disabled AdBlock