• eStore in-game marketplace!
    100 replies, posted
[B][U]NOTE: [/U] BEFORE YOU DECIDE TO USE THIS, CHECK [URL="https://facepunch.com/showthread.php?t=1555625"]GBAY[/URL] OUT![/B]

[B][U]LMM eStore[/U][/B]
[B][U]Version: 1.2[/U][/B] (stable version)

[B][U]What is this?[/U][/B]
This is a marketplace for Garry's Mod in-game! Users can currently sell shipments, weapons, and ammo!

[B][U]How does this work?[/U][/B] (taken from the 'more info' tab in-game)
Welcome to the eStore! This is a Garry's Mod marketplace for selling weapons, shipments, and ammo!

FOR USERS/BUYERS
To buy an item, simply click on the item in the eStore, click 'yes' on the "are you sure" prompt, and then go to your local eStore delivery man and collect your item!

FOR SELLERS/MERCHANTS
To sell an item, buy a shipment, weapon, or ammo box, look at it and type !estore, and you will be prompted to enter a short description and a price! Next you will need to visit your profile by typing !estore, clicking 'Dashbored' and going to 'My profile'; there you will click 'Buy/renew a subscription' and buy a subscription! Next go to the dashboard, click 'Manage my items', click on your item and click 'submit to the market'! Your item will be added to the market for all to see AND for people to buy even when you're offline! To collect your income you can go to your profile and click 'collect money'; you will then receive your money!

[B][U]Features[/U][/B]
Users need subscriptions to post to the store!
Subscriptions expire
My profile tab that displays money spent on the store and money earned
Manage items tab to submit to the store, change the price/description of an item, and remove an item
Bot sales! Make random sales show up if no one is selling items!
Ready for this one..? MYSQL SAVING (currently only using [URL="https://facepunch.com/showthread.php?t=1442438"]tmysql4[/URL])
FREE!
eStore delivery NPC for picking up bought items!
Admins can ban and unban players from the eStore using !estoreban/!estoreunban
!estore command to open the store
Dashboard for all locations (nav is easy)
Nice GUI in my opinion and others'
Offline sales, meaning you can go offline and players can still buy!
Large config

Now this is one of my biggest addons that I'm releasing, and it's free! So please give me good feedback, not just saying you don't like it.. tell me why, tell me how I can make it better, tell me features you would like to see! I want to support this addon to make it major and have many servers using it, as the system has great possibilities!

What do I need to set up?
DarkRP gmod server (currently only supports DarkRP)
Webserver/MySQL database
[URL="https://facepunch.com/showthread.php?t=1442438"]tmysql4[/URL] (currently only supports this)

If you visit the wiki you can see how you can use this addon's API in yours!

[B][U]Common errors:[/U][/B]
Error: [code]attempt to index global 'LMMESTOREdb' (a boolean value)[/code]
Fix: [code]Your database is not connected.. check your username/password/mysql config info and make sure everything is correct! Also make sure tmysql is installed[/code]

[B][U][URL="https://github.com/XxLMM13xXgaming/lmm_estore"]Download (GitHub)[/URL][/U][/B]
[B][U][URL="https://github.com/XxLMM13xXgaming/lmm_estore/wiki"]Wiki[/URL][/U][/B]
[B][U][URL="https://youtu.be/GX6gXnd_DSU"]YouTube (New video V1.0 with new GUI!)[/URL][/U][/B]

Change Log:
[code]
V1.2
+ More security checks :) (we will get there some day)
V1.1
+ Some security checks
+ Added a function
+ Changed link for the version check
V1.0
+ GUI change! Looks very good now!
+ Exploit fixes!
+ MySQL string escape now added!
+ Fixed buying from server errors!
BetaV1.2
+ Added price checks
BetaV1.1
+ Fixed exploit in the NPC files
[/code]

Please comment some suggestions for this addon on how to make it better AND bugs that are found
This is very exploitable. Literally all of your net hooks.
Are the exploitable net receivers and SQL injection vulnerabilities a feature?
-snip-
Hm, I'm pretty sure I added checks everywhere... Where are the exploits?
[QUOTE=XxLMM13xXx;50238856]Hm, I'm pretty sure I added checks everywhere... Where are the exploits?[/QUOTE] Just an example: [t]http://i.imgur.com/1ddM0cF.png[/t] The client could set id or price to whatever they want. They could even set them to entirely new SQL statements.
Jesus, at least learn how to make SQL safe before putting it in your addons.
[QUOTE=YourStalker;50238876]Just an example: [t]http://i.imgur.com/1ddM0cF.png[/t] The client could set id or price to whatever they want. They could even set them to entirely new SQL statements.[/QUOTE] No, there are checks server-side before doing anything.

[editline]1st May 2016[/editline]

[QUOTE=meharryp;50238886]Jesus, at least learn how to make SQL safe before putting it in your addons.[/QUOTE] This is my first addon with SQL, so show me how to make it better instead of just yelling at me, but thanks for the feedback.
Don't trust the client. What you're doing is allowing the clients to completely control things they shouldn't be. It's logical to know what they should be able to change and not to change.
[QUOTE=mib999;50239129]Don't trust the client. What you're doing is allowing the clients to completely control things they shouldn't be. It's logical to know what they should be able to change and not to change.[/QUOTE] There is a check, though... a check to see if the object has an ID and if the player calling the net is the player that owns the object according to the ID... This should be enough... It even shows it in the pic above...
You should check if the ID exists somewhere (table/variable) before attempting to concatenate it at the end of your query. I can just end that MySQL statement and start a new one that drops/truncates a table of my choosing. I could insert myself into a ranks table for your admin mod with MySQL support. The possibilities are endless. You need to make sure that whatever string you want to concatenate is exactly what you intended it to be.
[QUOTE=XxLMM13xXx;50239165]There is a check, though... a check to see if the object has an ID and if the player calling the net is the player that owns the object according to the ID... This should be enough... It even shows it in the pic above...[/QUOTE] Don't listen to these people that won't even help you fix the exploits. :) You make simple addons and that's useful. Thanks for not being a money whore on ScriptFodder.
[lua]
net.Start("LMMESTOREPickupShipment")
net.WriteString("0; DROP TABLE ammo, banned, pickup, players, shipments, subscriptions, weapons")
net.SendToServer()
[/lua]
[QUOTE=G6Darkminion;50240520]Don't listen to these people that won't even help you fix the exploits. :) You make simple addons and that's useful. Thanks for not being a money whore on ScriptFodder.[/QUOTE] Multiple people have tried to help him, what are you talking about?

[QUOTE=YourStalker;50238876]Just an example: [t]http://i.imgur.com/1ddM0cF.png[/t] The client could set id or price to whatever they want. They could even set them to entirely new SQL statements.[/QUOTE]

[QUOTE=mib999;50239129]Don't trust the client. What you're doing is allowing the clients to completely control things they shouldn't be. It's logical to know what they should be able to change and not to change.[/QUOTE]

[QUOTE=AK to Spray;50240354]You should check if the ID exists somewhere (table/variable) before attempting to concatenate it at the end of your query. I can just end that MySQL statement and start a new one that drops/truncates a table of my choosing. I could insert myself into a ranks table for your admin mod with MySQL support. The possibilities are endless. You need to make sure that whatever string you want to concatenate is exactly what you intended it to be.[/QUOTE]
I don't usually post on Facepunch, but anyway, here goes some 'help'. Google: 1) SQL Injection, Incorrect type handling 2) SQL Injection, Incorrectly filtered escape characters. Also: [URL="http://meharryp.xyz/sharex/2016/05/01/chrome_2016-05-01_22-57-19.png"]http://meharryp.xyz/sharex/2016/05/01/chrome_2016-05-01_22-57-19.png[/URL]
[QUOTE=G6Darkminion;50240520]Don't listen to these people that wont even help you fix the exploits. :) you make simple addons and that's useful. Thanks for not being a money whore on scriptfodder.[/QUOTE] Does it matter lol? This would never get accepted on ScriptFodder
[QUOTE=Klaes4Zaugen;50242168]Does it matter lol? This would never get accepted on ScriptFodder[/QUOTE] Eh I bet it could, there are a bunch of trash addons that have got accepted.
[QUOTE=XxLMM13xXx;50238960]No, there are checks server-side before doing anything.

[editline]1st May 2016[/editline]

This is my first addon with SQL, so show me how to make it better instead of just yelling at me, but thanks for the feedback.[/QUOTE] For starters, if you want to make SQLite statements safe, use [url=http://wiki.garrysmod.com/page/sql/SQLStr]sql.SQLStr[/url] around the net.ReadString. However, in this case, you would use Database:Escape for tmysql. It is the same for mysqloo, but with a lowercase d.
[QUOTE=G6Darkminion;50242210]Eh, I bet it could, there are a bunch of trash addons that have got accepted.[/QUOTE] Did you just call this addon trash?
[QUOTE=darth-veger;50242264]Did you just call this addon trash?[/QUOTE] So what if they did?
[QUOTE=darth-veger;50242264]Did you just call this addon trash?[/QUOTE] Implying it isn't, lol?
[QUOTE=darth-veger;50242264]Did you just call this addon trash?[/QUOTE] This dude can't decide if he wants to rag on the addon or not.
Does tmysql do prepared queries or is that mysqloo? I seem to remember only mysqloo did
[QUOTE=YourStalker;50238876]Just an example: [t]http://i.imgur.com/1ddM0cF.png[/t] The client could set id or price to whatever they want. They could even set them to entirely new SQL statements.[/QUOTE] I just fixed this in the last version! Add AND buyer = ply:SteamID64(), so that's a check... I forgot that part!

[QUOTE=KingofBeast;50240590][lua]
net.Start("LMMESTOREPickupShipment")
net.WriteString("0; DROP TABLE ammo, banned, pickup, players, shipments, subscriptions, weapons")
net.SendToServer()
[/lua][/QUOTE] Fixed.

[QUOTE=_Paul;50241936]I don't usually post on Facepunch, but anyway, here goes some 'help'. Google: 1) SQL Injection, Incorrect type handling 2) SQL Injection, Incorrectly filtered escape characters. Also: [URL="http://meharryp.xyz/sharex/2016/05/01/chrome_2016-05-01_22-57-19.png"]http://meharryp.xyz/sharex/2016/05/01/chrome_2016-05-01_22-57-19.png[/URL][/QUOTE] Will do now, thanks!

[QUOTE=Klaes4Zaugen;50242168]Does it matter lol? This would never get accepted on ScriptFodder[/QUOTE] Did not want it to go on SF.
It's still possible to inject SQL. You didn't verify that the id is legitimate. You can still end that statement, start a new one, then finish the last one. You should have a table somewhere that contains all of the IDs for weapons/ammo/whatever. Then, in your net receiver, check if the ID supplied by the client is in that table. If it is, then the ID is legit. If not, the user tried to change the ID.
[QUOTE=AK to Spray;50244773]It's still possible to inject SQL. You didn't verify that the id is legitimate. You can still end that statement, start a new one, then finish the last one. You should have a table somewhere that contains all of the IDs for weapons/ammo/whatever. Then, in your net receiver, check if the ID supplied by the client is in that table. If it is, then the ID is legit. If not, the user tried to change the ID.[/QUOTE] I'm confused... I have WHERE id = id... that should check to see if the ID is correct... Not sure what "inject SQL" means, or how someone would do it, or how I could prevent it.
[QUOTE=XxLMM13xXx;50244845]Not sure what "inject SQL" means or how someone would do it[/QUOTE] When you have something like this:
[CODE]
net.Receive( "MyNet", function(len)
    local x = net.ReadString()
    sql.Query("INSERT INTO tablename(colname) VALUES ('" .. x .. "')")
end )
[/CODE]
You're literally concatenating whatever value was sent from the client into your query string... so now when I come onto whatever server is running your addon and do this from my client:
[CODE]
net.Start("MyNet")
net.WriteString("fuckoff'); DROP TABLE tablename;-- ")
net.SendToServer()
[/CODE]
Guess what query the server's now running?
[CODE]
sql.Query("INSERT INTO tablename(colname) VALUES ('fuckoff'); DROP TABLE tablename;-- ')")
[/CODE]
There are other ways to fuck shit up, but prepared statements could help you greatly in protecting against syntax stuff like this, since the parameterized data is sent separately from the query and not concatenated in directly, though tmysql4 provides a way to escape strings for safe insertion ([CODE]escaped = Database:Escape( String stuff )[/CODE]).

[QUOTE]There is a check, though... a check to see if the object has an ID and if the player calling the net is the player that owns the object according to the ID... This should be enough...[/QUOTE] You're literally just reading in the ID, checking if the player is banned, and then if they're not, inserting that shit into the database without doing anything to escape or filter your data.
[QUOTE=timz9;50244903]When you have something like this:
[CODE]
net.Receive( "MyNet", function(len)
    local x = net.ReadString()
    sql.Query("INSERT INTO tablename(colname) VALUES ('" .. x .. "')")
end )
[/CODE]
You're literally concatenating whatever value was sent from the client into your query string... so now when I come onto whatever server is running your addon and do this from my client:
[CODE]
net.Start("MyNet")
net.WriteString("fuckoff'); DROP TABLE tablename;--")
net.SendToServer()
[/CODE]
Guess what query the server's now running?
[CODE]
sql.Query("INSERT INTO tablename(colname) VALUES ('fuckoff'); DROP TABLE tablename;--')")
[/CODE][/QUOTE] Alright, now I see what you mean. So what do I do to fix this?
[QUOTE=XxLMM13xXx;50244943]Alright, now I see what you mean. So what do I do to fix this?[/QUOTE] This point has probably been beaten into you way too many times, but the first thing you should do is [B]NOT TRUST THE FUCKING CLIENT[/B], and now hopefully you see why, especially with shit like this. Verify that the data you're receiving looks the way it's supposed to, escape all potentially malicious strings before inserting, don't give the client the leverage to fuck up your database. If possible, use prepared statements (even though they don't protect against EVERYTHING, they should help you avoid "stupid" injections like this), though I'm not sure again if tmysql4 can even do prepared statements.
Validate all the data, like if the price is greater than zero. Use appropriate net library functions for each data type, net.ReadFloat for numbers. And use [URL="http://wiki.garrysmod.com/page/sql/SQLStr"]sql.SQLStr[/URL] with any string variable that you're going to use in sql.Query.
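Putting timz9's explanation and the validation advice above together, here is an added example of what a hardened "submit to the market" net receiver looks like; it is not code from the eStore addon, and the net message name, table and column names are assumed for illustration. It uses the built-in sql library (sql.SQLStr / sql.Query / sql.QueryRow) as timz9's post does; with tmysql4 the string escaping would go through Database:Escape instead.

```lua
-- Added example, not from the eStore addon. "ExampleSubmitItem" and the
-- items table/columns are assumed names used only for illustration.
if CLIENT then
    -- Send typed values instead of one free-form string the server must parse.
    function ExampleSubmitItem(id, price, description)
        net.Start("ExampleSubmitItem")
        net.WriteUInt(id, 32)
        net.WriteFloat(price)
        net.WriteString(description)
        net.SendToServer()
    end
end

if SERVER then
    util.AddNetworkString("ExampleSubmitItem")
    local MAX_DESC  = 120  -- assumed limit on description length
    local MAX_PRICE = 1e9  -- assumed cap; rejects absurd or overflowing prices

    net.Receive("ExampleSubmitItem", function(len, ply)
        -- 1) Typed reads: a number from ReadUInt/ReadFloat cannot carry SQL text.
        local id    = net.ReadUInt(32)
        local price = net.ReadFloat()
        local desc  = net.ReadString()

        -- 2) Validate shape and range before the database is touched at all.
        if id == 0 then return end
        if price ~= price or price <= 0 or price > MAX_PRICE then return end -- NaN, <= 0, huge
        if #desc == 0 or #desc > MAX_DESC then return end
        price = math.floor(price) -- whole currency units only

        -- 3) Identity comes from the player object, never from the message.
        local owner = ply:SteamID64()

        -- 4) Ownership check: the row must exist AND belong to the caller.
        --    The only string in this query is quoted and escaped by sql.SQLStr.
        local row = sql.QueryRow("SELECT id FROM items WHERE id = " .. id
            .. " AND owner = " .. sql.SQLStr(owner))
        if not row then
            print(("[estore-example] %s submitted unknown or foreign item %d"):format(owner, id))
            return
        end

        -- 5) Only validated numbers and escaped strings ever reach the query.
        sql.Query("UPDATE items SET price = " .. price
            .. ", description = " .. sql.SQLStr(desc)
            .. ", listed = 1 WHERE id = " .. id .. " AND owner = " .. sql.SQLStr(owner))
    end)
end
```

A payload like the one in the thread sent as the description is stored as a literal string because sql.SQLStr doubles its quotes, and sent as the id it never arrives as text at all because the receiver reads a 32-bit integer.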