
Linux Urgent - cloning kk

Skazi

A new player (about lvl 20) started to distribute a LOT of kk's in my server's dp.

I've already checked his IP, and there's no other char that matches the same lastip.

My Account Manager is disabled. I've tried everything I know that can make this happen.

Please, help!

PS: There's no way a player can get this amount of kk's "legally".

!createguild disabled
Server's not crashing.

Distro: TFS 0.3.7
 
It could be your guild system. When people leave/enter guilds they can manipulate it afaik (from past experience) - try removing guild commands in game and make guilds via website only.
 
Depending on your talkaction scripts for the guild commands they may leave you vulnerable to SQL injection.
If you are building your SQL query directly from the input provided from the command it could easily be manipulated.

For example say the intended use of your talkaction is:
Code:
!createguild HaxMenz
then the script creates a query as so:
Code:
function onSay(cid, words, param)
  -- Deliberately vulnerable: param is concatenated into the query unescaped
  if(param ~= '') then
    db.executeQuery("INSERT INTO `guilds` (`player_id`, `date`, `name`) VALUES ('".. getPlayerGUID(cid) .."', '".. os.time() .."', '".. param .."');")
  end
  return true
end
Seems all fine and dandy right? (Forget checking to make sure the guild doesn't already exist for the sake of this example) Well just imagine if someone with a little knowledge of the structure of TFS databases and creative enough would type this:
Code:
 !createguild HaxMenz'); DROP TABLE `players`; INSERT INTO `w/e` (`w/e`, `w/e`) VALUES ('w/e', 'w/e
The "w/e" fields make no difference as long as they are valid tables and columns, just notice how it doesn't end in the expected ); because the script inserts it for them.
You now have lost your entire player table. If that makes you scared, well, it damn well should. An easy solution to that problem would be to just make a check to make sure no quotations or escape characters can be included in the param. Switching to a website registration won't make you any less vulnerable to making the same mistake but SQL Injection is a very well known hacker exploit and most AAC's out for OT's have protection against it (I know an old version of Gesiors didn't, that was catastrophic).
 
He clearly said:
!createguild disabled
And most of the advice involves this problem.
I think the main idea of the guys who wrote before me is to open config.lua and turn off InGameGuildManager, or whatever it is called, but for sure it begins with Ingame, so it's easy to find. I don't know if your enemy is experienced or not, but if not that should be enough. =)
Don't forget to delete/ban this rich account :p
 
I was told a while ago by a friend that there were a few bugs that most people don't know about, one of which was with the bank system. Do you use bank NPC's? He didn't disclose the specifics of the bug, but he told me the NPC was a part of the exploit. Most servers use the same bank NPC script, so, the issue exists on many servers.
 
Any script using SQL queries is potentially vulnerable. To be clear, any script using "db.executeQuery" is potentially vulnerable to SQL injection which would let the attacker do whatever he damn well pleases... Not sure if the bank script you are referring to has that in there but if it does then that's most likely the issue. Post it here if it does. You need to make sure not to allow escape characters in ANY variable being used to generate a query based on some input. I also realize that over 90% of you probably don't know what the f*ck I'm talking about and won't even bother googling it so just post your broken shit here for some free labor.
 
I'd like to learn and know more about this. Could you please explain more? Sounds interesting =)
 
Well you need some basic SQL knowledge to understand I guess but it is a very well-known issue. It's most common in the PHP world but when working with any language that communicates with a SQL database you should be aware of this.
SQL Injection - Explains it perfectly.


When you can, reject input that contains the following characters:

Input character    Meaning in Transact-SQL
;                  Query delimiter.
'                  Character data string delimiter.
--                 Comment delimiter.
/* ... */          Comment delimiters. Text between /* and */ is not evaluated by the server.
xp_                Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.


(I realize this is for Transact-SQL but it's relevant for all forms, ignore the last line)
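
Added example (not code from any poster in this thread): the quote check suggested earlier for the `!createguild` script and the rejected-character table above, combined into an allow-list validator that runs in a plain Lua interpreter. `isValidGuildName`, `buildGuildInsert`, the 3-20 character limit and the sample inputs are assumptions made for illustration; `getPlayerGUID` and `db.executeQuery` are the calls used in the thread's script.

```lua
-- Allow-list check: ASCII letters separated by single spaces, nothing else.
-- Everything in the rejected-character table (; ' -- /* */ xp_) fails it.
local function isValidGuildName(name)
  if type(name) ~= "string" or #name < 3 or #name > 20 then -- assumed limits
    return false
  end
  if not name:match("^[A-Za-z][A-Za-z ]*[A-Za-z]$") then
    return false
  end
  return not name:find("  ", 1, true) -- no runs of spaces
end

-- Returns the query string, or nil when the name is rejected.
local function buildGuildInsert(playerGuid, now, param)
  if not isValidGuildName(param) then
    return nil
  end
  -- %d forces both numeric fields to integers; the name can no longer
  -- contain a quote, so it cannot close the string literal.
  return string.format(
    "INSERT INTO `guilds` (`player_id`, `date`, `name`) VALUES (%d, %d, '%s');",
    playerGuid, now, param)
end

-- Talkaction entry point; only the game server calls this.
function onSay(cid, words, param)
  local query = buildGuildInsert(getPlayerGUID(cid), os.time(), param)
  if query then
    db.executeQuery(query)
  end
  return true
end

-- Constructed sample inputs: the payload quoted in the thread plus one
-- input per row of the rejected-character table.
local samples = {
  "HaxMenz",
  "Red Rose",
  "HaxMenz'); DROP TABLE `players`; INSERT INTO `w/e` (`w/e`, `w/e`) VALUES ('w/e', 'w/e",
  "Knights; --",
  "Red /* x */ Rose",
  "xp_cmdshell",
}
for _, s in ipairs(samples) do
  print(buildGuildInsert(1234, 1700000000, s) or "REJECTED: " .. s)
end
```

The same validation has to be applied to every parameter that reaches a query, not only guild names.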
 