In game sql injection menu

  1. #1
    mmhelm, Member

    In game sql injection

    Turn on the equipment manager; the equipment name field is subject to injection at the moment. Soon to be fixed, so take advantage of it fast.

    (Brief because most people don't know SQL, and if they do they will know how to take advantage of this.)

    Tested on ArcEmu btw. Might be other emulators with this exploit open too.
    Last edited by mmhelm; 10-21-2010 at 10:56 PM.

  2. #2
    stoneharry, Moderator
    How do you do an SQL injection from in game? Are you just tampering with the data sent and received when it queries the database upon opening the equipment manager, or is there actually a way to SQL inject from inside the game?

    Edit: Looks like it's about to be fixed anyway:

    Code:
    Index: src/arcemu-world/EquipmentSetMgr.cpp
    ===================================================================
    --- src/arcemu-world/EquipmentSetMgr.cpp        (revision 3738)
    +++ src/arcemu-world/EquipmentSetMgr.cpp        (working copy)
    @@ -128,7 +128,7 @@
                            ss << ownerGUID << "','";
                            ss << set->SetGUID << "','";
                            ss << set->SetID << "','";
    -                       ss << set->SetName << "','";
    +                       ss << CharacterDatabase.EscapeString(string(set->SetName)) << "','";
                            ss << set->IconName << "'";
     
                            for( uint32 j = 0; j < set->ItemGUID.size(); ++j ){
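    Review bot: The hunk escapes set->SetName but leaves set->IconName, the next quoted string value in the same statement (`ss << set->IconName << "'";`), unescaped; apply `CharacterDatabase.EscapeString(string(set->IconName))` there as well, or better, move the whole insert to a prepared statement so that no quoted value depends on escaping at all.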
    Last edited by stoneharry; 10-22-2010 at 02:09 AM.
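    An added example, not ArcEmu's own code, of what the escaping in that hunk buys and why it has to cover every string value: a builder for the equipment-set INSERT that escapes both the set name and the icon name, plus a check that counts unescaped quotes in the generated statement. The names escape_sql, build_equipment_set_insert and count_unescaped_quotes and the table name equipmentsets are assumptions, not from the thread or the project.

```cpp
// Added example, not ArcEmu's code: builds the equipment-set INSERT the way the
// patched EquipmentSetMgr.cpp does, but escapes every quoted string value.
// escape_sql() is a hypothetical stand-in for CharacterDatabase.EscapeString()
// and the table name "equipmentsets" is a placeholder, not from the thread.
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>
// Backslash-escape the characters that can end or alter a single-quoted
// MySQL literal, the set a MySQL-style escape routine handles.
std::string escape_sql(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\'': out += "\\'";  break;
            case '\\': out += "\\\\"; break;
            case '"':  out += "\\\""; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\0': out += "\\0";  break;
            default:   out += c;
        }
    }
    return out;
}

// escape=false reproduces the pre-fix concatenation so the outputs compare;
// numeric GUIDs and IDs are integers here and need no escaping.
std::string build_equipment_set_insert(uint64_t ownerGUID, uint32_t setGUID,
        uint32_t setID, const std::string& setName, const std::string& iconName,
        const std::vector<uint32_t>& itemGUIDs, bool escape) {
    std::stringstream ss;
    ss << "INSERT INTO equipmentsets VALUES('" << ownerGUID << "','";
    ss << setGUID << "','" << setID << "','";
    ss << (escape ? escape_sql(setName) : setName) << "','";
    ss << (escape ? escape_sql(iconName) : iconName) << "'";
    for (uint32_t guid : itemGUIDs) ss << ",'" << guid << "'";
    ss << ")";
    return ss.str();
}
// Defender-side check: quotes not preceded by a backslash must number exactly
// 2 * (quoted values); a player-supplied apostrophe that slipped through adds one.
int count_unescaped_quotes(const std::string& sql) {
    int n = 0;
    for (size_t i = 0; i < sql.size(); ++i) {
        if (sql[i] == '\\') { ++i; continue; }  // skip the escaped character
        if (sql[i] == '\'') ++n;
    }
    return n;
}
```

    Prepared statements with bound parameters remove the need for escaping entirely and are the stronger fix wherever the database layer supports them.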

  3. #3
    mmhelm, Member
    Indeed, that's why I figured I would post since it's being fixed soonish, great havoc for the time being :P


    You run the sql from inside of the equipment name field, as I said above. Basically, it allows you to run a query in that box on the database. Probably something like

    Code:
    ; REPLACE INTO
    It tampers with nothing, just a mistake while coding. Basically it's an unsecured input to the DB that's run on equipment save; you would have to probably terminate that code you posted above and then input it, see the rough example ^

    http://www.partyvan.info/index.php?t...on&redirect=no <- rough examples and explanations

    Meh, could probably add an SQL user with it to the top private servers if they are dumb enough to use root access or something similar.

    /sigh fixed with http://cia.vc/stats/project/ArcEmu/.message/56fad2
    It'll still be up on servers reluctant to update to the latest rev.
    Last edited by mmhelm; 10-22-2010 at 04:53 PM.

  4. #4
    hamcakee, Corporal
    A long time ago I tried for hours to do this on my own server without the escape string. It is pretty tricky with the very short character limit in that field in the UI. You can however overcome this with a macro:

    Code:
    /script SaveEquipmentSet("name", iconIndex)
    It does let you create equipment sets up to a significantly higher character limit; however, I still couldn't ever inject anything. Hopefully this helps and someone figures out how to do this.

  5. #5
    Johnny Zoo, Sergeant
    Originally Posted by hamcakee View Post
    A long time ago I tried for hours to do this on my own server without the escape string. It is pretty tricky with the very short character limit in that field in the UI. You can however overcome this with a macro:

    Code:
    /script SaveEquipmentSet("name", iconIndex)
    It does let you create equipment sets up to a significantly higher character limit; however, I still couldn't ever inject anything. Hopefully this helps and someone figures out how to do this.
    That command has a limit of 30 characters =/ So is any useful query short enough?

  6. #6
    bobtehnerd, Active Member
    Well, you could remove an item or an object with 30 characters.

  7. #7
    Rebex, Member
    Can I create an in-game injection to unban an account on a Trinity server?

  8. #8
    l0l1dk, Elite User
    Originally Posted by Rebex View Post
    Can I create an in-game injection to unban an account on a Trinity server?
    I don't know very much about SQL, but I think you could.

  9. #9
    thebigman, Contributor, Reliable Trader, CoreCoins Purchaser
    Originally Posted by Rebex View Post
    Can I create an in-game injection to unban an account on a Trinity server?
    The answer is yes, as long as it's a short amount of characters.

  10. #10
    Facerolling, Contributor
    The answer is actually no, this was not even an issue for TrinityCore, it was for ArcEmu, and it was fixed in 3738, over 300 revisions ago.
    Let this thread die, the exploit is fixed.
    hey ervyone whats up gamboys
