Protection against blasts and SQL injection

Blasts (server file manipulation)
The server files are very good, but some of them do not have a good level of security.
- Dataservers
Dataservers are used to connect the ODBC source to the GameServer, but there is no IP restriction here (except in the newer versions, where the IP is configured in the allowableiplist.txt file), and basically the dataserver can be connected to from any host pretending to be a persistent GameServer. So, through web pages, they can blast the server and edit stats and items, or manipulate your server.
SOLUTION: Block the dataservers with a firewall (Sygate or ZoneAlarm) and keep them from having Internet access. Only allow traffic to the host or the remote server.
- MSSQL Server 2000
SQL Server 2000 is used to store all the information about the players and your server. It connects to the ODBC. However, there are exploits, hacks and other programs that can manipulate the server.
SOLUTION: The same applies as for the dataservers: install a firewall and allow traffic only for the same PC, and for your remote MuEditor if you have one configured, or simply just the MuOnline server PC.
Web code manipulations

- SQL injections in PHP
How does it work? Let's suppose we have a page containing the registration form; the server-side code is:
PHP Code:
<?php
mssql_connect(..);
mssql_select_db(..);
$account = $_POST['acc'];   // account field
$password = $_POST['pass']; // password field
// other vars bla bla..
// Now here is the base query
// First we check if this acc exists
$query = mssql_query("select count(*) from [memb_info] where [memb___id]='$account'"); // This is where the 'hacker' (lame kiddie) will hit you
// other code does not matter
?>
Let's change $account; the code becomes:
PHP Code:
<?php
mssql_connect(..);
mssql_select_db(..);
$account = $_POST['acc'];   // account field
$password = $_POST['pass']; // password field
// other vars bla bla..
// Now here is the base query
// First we check if this acc exists
$query = mssql_query("select count(*) from [memb_info] where [memb___id]=''; shutdown; --'"); // This is where the 'hacker' (lame kiddie) will hit you
// other code does not matter
?>
Defining ';shutdown; --:
' - ends the definition of the acc name
; - ends the current query line
shutdown - our new query (shuts down the MSSQL server)
; -- - completes our new query (in case there is further code after the memb___id check)
This way everyone can inject whatever query he likes into your database.
Really easy. Most people think that by limiting their fields to maxlength=10 they will avoid anything - nah, totally wrong... the only thing that our NEWB hacker must do is create the same form in his own HTML file and remove the maxlength... and KABOOOM, you get fucked up again.
Solution: A way to avoid this without disabling any symbols?
PHP Code:
<?php
mssql_connect(..);
mssql_select_db(..);
$account = addslashes($_POST['acc']);   // account field
$password = addslashes($_POST['pass']); // password field
// other vars bla bla..
// Now here is the base query
// First we check if this acc exists
$query = mssql_query("select count(*) from [memb_info] where [memb___id]='$account'"); // This is where the 'hacker' (lame kiddie) will hit you
// other code does not matter
?>
Effective and easy. Injections can be done in $_POST, $_GET or $_REQUEST, $_COOKIE or any value that the user has access to, so I suggest you addslashes() all of them (addslashes changes ' to \' and " to \" - this way the user cannot end your current query).
XSS web vulnerability

What is XSS? - Cross-Site Scripting
Usable for: stealing user passwords (cookie or session issues). It ends an HTML code and may execute JS on the client side (retrieving cookies).
PHP - Solution: htmlspecialchars() on every variable that is entered by the user and DISPLAYED in the server page.
Basically that's most of the stuff you need to do to stay alive .... :)
But NOTHING online is secured enough, you know ^^
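One caveat on the addslashes() fix above: it produces backslash escapes, and T-SQL does not treat a backslash as an escape character (SQL Server string literals are escaped by doubling the quote), so the reliable fix for the account check is a prepared statement, and the reliable fix for the XSS section is escaping on output. Both are shown below as an added example that is not from the original post; the DSN, credentials and the function names are assumptions, while the [memb_info] table and [memb___id] column are the ones used in the post.

```php
<?php
// Added example, not from the original post: the registration-page account
// check with a bound parameter instead of string building, plus HTML escaping
// for anything that gets displayed. Connection details are placeholders.
declare(strict_types=1);

// ASSUMPTION: pdo_sqlsrv DSN and credentials; replace with your own.
$dsn = 'sqlsrv:Server=127.0.0.1;Database=MuOnline';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Returns true if the account already exists. The account name travels as a
// bound parameter, so input like  '; shutdown; --  is compared as a literal
// string and never becomes part of the SQL text. No symbols need disabling.
function accountExists(PDO $pdo, string $account): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM [memb_info] WHERE [memb___id] = :acc'
    );
    $stmt->execute([':acc' => $account]);
    return (int) $stmt->fetchColumn() > 0;
}

// Server-side length check: maxlength on the HTML form is not a control,
// because the client can post any form it likes, as the post explains.
function validAccountLength(string $account): bool
{
    $len = mb_strlen($account);
    return $len >= 1 && $len <= 10;
}

// Escape for HTML output (XSS section): every user-supplied value that is
// displayed goes through htmlspecialchars(); ENT_QUOTES also covers single
// quotes, so a value cannot close an attribute and start a <script> tag.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$account = (string) ($_POST['acc'] ?? '');

if (!validAccountLength($account)) {
    echo 'Invalid account name: ' . h($account);
} elseif (accountExists($pdo, $account)) {
    echo 'Account ' . h($account) . ' is already taken';
} else {
    echo 'Account ' . h($account) . ' is available';
}
```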
Credits: [CzF] Savoy