[FIX][C++] SQL Injection in Messenger and Guild

Status
Thread closed to further replies.

Paranoimia

Bronze Member
15 November 2014
Hello,

today there were attacks on several servers, all using the same exploit.
I will not explain further the method used to attack these servers.

To fix it, open messenger_manager.cpp:

Search for the function MessengerManager::RemoveFromList

Replace it with this:

Code:
void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)
{
    if (companion.empty())
        return;

    // The companion name comes from the client, so escape it before it is
    // formatted into the statement. Worst case: every byte escaped, plus NUL.
    char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
    DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length());

    DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'",
                                get_table_postfix(), account.c_str(), companionEscaped);

    __RemoveFromList(account, companion);

    sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str());

    // Propagate the removal to the other game cores; the raw name is fine
    // here because it is copied into a fixed packet field, not into SQL.
    TPacketGGMessenger pack;
    pack.bHeader = HEADER_GG_MESSENGER_REMOVE;
    strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount));
    strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion));
    P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger));
}

Also, in guild_manager.cpp, find the function CGuildManager::CreateGuild

Find:

Code:
std::unique_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                                                                   get_table_postfix(), __escape_name));

Or:

Code:
std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), gcp.name));

And above it add:

Code:
// Escape only the name itself, not the NUL padding of the fixed-size array.
char __escape_name[GUILD_NAME_MAX_LEN * 2 + 1];
DBManager::instance().EscapeString(__escape_name, sizeof(__escape_name), static_cast<const char *>(gcp.name), strnlen(gcp.name, sizeof(gcp.name)));

Also replace

Code:
get_table_postfix(), gcp.name

with

Code:
get_table_postfix(), __escape_name

in

Code:
std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), gcp.name));

C++11 -> unique_ptr
Standard Metin2 code -> auto_ptr
Credits go to ricky92 and WoM2
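As an added example (not code from the post, from ricky92/WoM2, or from the Metin2 source), here is a self-contained C++ sketch of what the fix changes. `escape_string` is an assumed stand-in that applies the same escaping rules as mysql_real_escape_string / DBManager::EscapeString; the constant values, the account and companion names, the injection payload and the guild name are all constructed for the example, and the table postfix is dropped. It also shows the pitfall of passing the size of the whole name array to the escaper instead of the length of the string inside it.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Named after the server's own constants; the values are assumed for this example.
static const size_t CHARACTER_NAME_MAX_LEN = 24;
static const size_t GUILD_NAME_MAX_LEN = 12;

// Assumed stand-in for DBManager::EscapeString / mysql_real_escape_string (not
// the server's code): escapes the bytes MySQL treats specially in a quoted
// literal, writes the result NUL-terminated into dst and returns its length,
// or 0 when dst cannot hold the worst case of src_len * 2 + 1 bytes.
size_t escape_string(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size < src_len * 2 + 1)
        return 0;
    size_t n = 0;
    for (size_t i = 0; i < src_len; ++i) {
        char c = src[i];
        switch (c) {
        case '\0':   dst[n++] = '\\'; dst[n++] = '0'; break;
        case '\n':   dst[n++] = '\\'; dst[n++] = 'n'; break;
        case '\r':   dst[n++] = '\\'; dst[n++] = 'r'; break;
        case '\x1a': dst[n++] = '\\'; dst[n++] = 'Z'; break;
        case '\\': case '\'': case '"':
                     dst[n++] = '\\'; dst[n++] = c; break;
        default:     dst[n++] = c; break;
        }
    }
    dst[n] = '\0';
    return n;
}

// The statement as the unfixed RemoveFromList built it: the client-chosen
// companion name is formatted straight into the SQL.
std::string build_delete_unescaped(const std::string &account, const std::string &companion)
{
    char query[512];
    snprintf(query, sizeof(query),
             "DELETE FROM messenger_list WHERE account='%s' AND companion = '%s'",
             account.c_str(), companion.c_str());
    return query;
}

// The statement as the fixed function builds it: the name is escaped into a
// buffer sized for the worst case first. Returns "" when the name is empty or
// too long to escape into the buffer (the real EscapeString logs an error and
// writes nothing in that case).
std::string build_delete_escaped(const std::string &account, const std::string &companion)
{
    if (companion.empty())
        return "";
    char escaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
    if (escape_string(escaped, sizeof(escaped), companion.c_str(), companion.length()) == 0)
        return "";
    char query[512];
    snprintf(query, sizeof(query),
             "DELETE FROM messenger_list WHERE account='%s' AND companion = '%s'",
             account.c_str(), escaped);
    return query;
}

// Guild names arrive in a fixed, NUL-padded array. Escaping sizeof(name) bytes
// feeds the padding to the escaper, which turns every padding byte into a
// literal "\0" in the SQL; escaping only up to the first NUL (what strnlen
// gives) yields the name itself. Returns "" if the buffer cannot hold the result.
std::string escape_guild_name(const char *name, size_t array_size, bool stop_at_nul)
{
    size_t len = array_size;
    if (stop_at_nul) {
        len = 0;
        while (len < array_size && name[len] != '\0')
            ++len;
    }
    char escaped[(GUILD_NAME_MAX_LEN + 1) * 2 + 1];
    if (escape_string(escaped, sizeof(escaped), name, len) == 0 && len > 0)
        return "";
    return escaped;
}

int main()
{
    const std::string payload = "x' OR '1'='1";  // constructed injection payload
    printf("%s\n", build_delete_unescaped("acc", payload).c_str());
    printf("%s\n", build_delete_escaped("acc", payload).c_str());

    char name[GUILD_NAME_MAX_LEN + 1] = "Guild";  // constructed, NUL padded like gcp.name
    printf("%s\n", escape_guild_name(name, sizeof(name), false).c_str());
    printf("%s\n", escape_guild_name(name, sizeof(name), true).c_str());
    return 0;
}
```

The unescaped query ends in `companion = 'x' OR '1'='1'`, which deletes every row of the table; the escaped one ends in `companion = 'x\' OR \'1\'=\'1'`, a single literal that matches nothing. The guild case shows why the length argument matters as much as the escaping itself: with the whole array the literal becomes `'Guild\0\0...'` and no longer equals the name, so the duplicate check compares against the wrong value.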