How could someone hack into my admin account?!
#1

Ok, so I have to debate this with you.

Today, somehow a player succeeded in 'entering' an admin account. The weird part is that he didn't delete the database or destroy anything inside the database, so a SQL injection = NEAH.

Another way to 'hack into' it was if he could figure out my 'Pin' number, to reset my password (4 numbers).

So maybe it was a brute forcer...?

Another 'suspicion': maybe a vulnerability in this command?


pawn Code:
if(strcmp(cmd, "/changepass", true) == 0) // by Ellis
    {
        if(IsPlayerConnected(playerid))
        {
            tmp = strtok(cmdtext, idx); // first word after the command = the new password
            if(!strlen(tmp))
            {
                SCM(playerid, COLOR_GRAD1, "USAGE:  /changepass [password]");
                return 1;
            }
            new query[MAX_STRING];
            format(query, MAX_STRING, "UPDATE players SET ");
            // copies the plaintext into pKey, using strlen(cmdtext) rather than strlen(tmp) as the length
            strmid(PlayerInfo[playerid][pKey], tmp, 0, strlen(cmdtext), 255);
            new MyHash[256];

            SHA256_PassHash(tmp, "78sdjs86d2h", MyHash, sizeof(MyHash)); // one fixed salt for every account
            format(PlayerInfo[playerid][pKey], 256, MyHash); // pKey now holds the hash

            format(MyHash, 256, PlayerInfo[playerid][pKey]); // copies the same hash straight back

            MySQLUpdatePlayerStr(query, PlayerInfo[playerid][pMysqlID], "Password", MyHash);
            format(string,sizeof(string),"Parola ta a fost schimbata in [%s] cu succes.", tmp); // echoes the plaintext back to the client
            SCM(playerid, COLOR_GRAD1,string);
        }
        return 1;
    }

forward MySQLUpdatePlayerStr(query[], sqlplayerid, sqlvalname[], sqlupdatestr[]);
public MySQLUpdatePlayerStr(query[], sqlplayerid, sqlvalname[], sqlupdatestr[])
{
    new string[300];
    // plain format(): the value is pasted into the SQL text without escaping
    format(string,sizeof(string), "%s %s = '%s' WHERE id = %d",query, sqlvalname, sqlupdatestr, sqlplayerid);
    mysql_tquery(mysql, string, "", "");
    return 1;
}

So... what could it be? The gamemode is made from scratch by me, so it can't be any 'hidden commands'.

Another suspicion: my login dialog? Maybe something is wrong?

pawn Code:
if(dialogid == DIALOG_LOGIN)
    {
        if (!response) return Kick(playerid);
        if(response)
        {
            if(strlen(inputtext)) // an empty dialog box can arrive as "\1", which strlen() does not treat as empty
            {
                new query[100];
                new MyHash[256];
                SHA256_PassHash(inputtext, "78sdjs86d2h", MyHash, sizeof(MyHash));
                if(!strcmp(MyHash, PlayerInfo[playerid][pKey]))
                {
                    // the name is inserted with %s, i.e. without escaping
                    mysql_format(mysql, query, sizeof(query), "SELECT * FROM `players` WHERE `Name` = '%s' LIMIT 1", GetName(playerid));
                    mysql_tquery( mysql, query, "OnAccountLoad", "i", playerid);
                }
                else
                {
                    new stringx[256];
                    // length argument 456 is larger than the 256-cell buffer
                    format(stringx, 456, "{FF2A1A}[ Parola introdusa de tine in chenar este gresita ]\n{a9c4e4}Acest cont este inregistrat in data de %s\nTe poti autentifica in joc tastand parola mai jos.", PlayerInfo[playerid][pRegisterDate]);
                    ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD,"Account Login", stringx,"Login","Quit");
                }
            }
            else
            {
                new stringx[256];
                // same 456 vs 256 mismatch here
                format(stringx, 456, "Acest cont este inregistrat in data de %s\nTe poti autentifica in joc tastand parola mai jos.", PlayerInfo[playerid][pRegisterDate]);
                ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD,"Account Login", stringx,"Login","Quit");
            }
        }
    }
#2

This is not relevant to this section.
#3

Yes, but I'm seeking help...
#4

Code:

strtok... ?!!
strmid(PlayerInfo[playerid][pKey], tmp, 0, strlen(cmdtext), 255);
new MyHash[256];

SHA256_PassHash(tmp, "78sdjs86d2h", MyHash, sizeof(MyHash));
format(PlayerInfo[playerid][pKey], 256, MyHash);

format(MyHash, 256, PlayerInfo[playerid][pKey]);
Seriously, what the heck? I expected better from you, Metharon.
That /changepass cmd is just some convoluted... I don't know what that is.

What I would do is at least escape the name under the dialog, since you don't escape anything.
Use the "%e" specifier with "mysql_format". Oh, and thanks for sharing your "salt" with us.
Other than that I don't know what the problem is, or where it is. One thing that strikes me, though, is in your dialog: "if (strlen(inputtext)". No, please just no. Use "isnull".

I expect better coding from you in the future, mister.

Edit: oh yeah, also:
Code:
new stringx[256];
format(stringx, 456, ...
I have no idea how "format" works, but ain't that just a plain memory leak or something? Fix that. Always use "sizeof"; it does add more to processing time, adding up to compile time, but it is safer and quicker (in the long run) to use.
#5

A shit password, shitty password hashing, not escaping strings when needed when sending queries, and more could be the cause.
#6

Log more to your console. Log people who have admin logging in and changes being made via that account.

Also check your server's logs regarding remote access to see whether he has box access, or simply has some way of exploiting your gamemode/setup.
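A hardened version of the login dialog from post #1 that applies the points raised in #4 (escape the name with "%e", "isnull" instead of "strlen", "sizeof" instead of a hard-coded length) and the console logging suggested in #6. This is an added example, not code from the thread; it assumes the thread's own globals (PlayerInfo, pKey, pRegisterDate, the mysql handle, DIALOG_LOGIN, OnAccountLoad) and keeps the original salt, while the gLoginFails counter and the three-attempt limit are assumptions made here.

```pawn
// Added example: assumes the thread's globals (PlayerInfo, pKey, pRegisterDate, mysql,
// DIALOG_LOGIN, OnAccountLoad); gLoginFails and MAX_LOGIN_FAILS are assumptions.
#if !defined isnull
    #define isnull(%1) ((!(%1[0])) || (((%1[0]) == '\1') && (!(%1[1]))))
#endif
#define MAX_LOGIN_FAILS 3
new gLoginFails[MAX_PLAYERS]; // reset this in OnPlayerConnect
ShowLoginDialog(playerid, bool:wrong)
{
    new stringx[256];
    // sizeof(stringx), never a hard-coded 456: format() must not be told the buffer is larger than it is
    if(wrong)
        format(stringx, sizeof(stringx), "{FF2A1A}[ Parola introdusa de tine in chenar este gresita ]\n{a9c4e4}Acest cont este inregistrat in data de %s\nTe poti autentifica in joc tastand parola mai jos.", PlayerInfo[playerid][pRegisterDate]);
    else
        format(stringx, sizeof(stringx), "Acest cont este inregistrat in data de %s\nTe poti autentifica in joc tastand parola mai jos.", PlayerInfo[playerid][pRegisterDate]);
    ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "Account Login", stringx, "Login", "Quit");
}

public OnDialogResponse(playerid, dialogid, response, inputtext[], listitem)
{
    if(dialogid != DIALOG_LOGIN) return 0;
    if(!response) return Kick(playerid);
    // isnull() catches both "" and the "\1" an empty dialog box sends; strlen() alone misses the second
    if(isnull(inputtext))
    {
        ShowLoginDialog(playerid, false);
        return 1;
    }
    new name[MAX_PLAYER_NAME], ip[16], MyHash[65]; // 64 hex characters plus the terminator
    GetPlayerName(playerid, name, sizeof(name));
    GetPlayerIp(playerid, ip, sizeof(ip));
    SHA256_PassHash(inputtext, "78sdjs86d2h", MyHash, sizeof(MyHash));
    // Pawn's strcmp() returns 0 for an empty string, so an account with no stored hash would accept any password
    if(!isnull(PlayerInfo[playerid][pKey]) && !strcmp(MyHash, PlayerInfo[playerid][pKey]))
    {
        new query[128];
        // %e makes mysql_format() escape the value; %s would paste the name into the query verbatim
        mysql_format(mysql, query, sizeof(query), "SELECT * FROM `players` WHERE `Name` = '%e' LIMIT 1", name);
        mysql_tquery(mysql, query, "OnAccountLoad", "i", playerid);
        gLoginFails[playerid] = 0;
        return 1;
    }
    // wrong password: count and log it so a guessing run is visible in the console, then cut it short
    gLoginFails[playerid]++;
    printf("[auth] wrong password for %s (id %d, ip %s), attempt %d/%d", name, playerid, ip, gLoginFails[playerid], MAX_LOGIN_FAILS);
    if(gLoginFails[playerid] >= MAX_LOGIN_FAILS) return Kick(playerid);
    ShowLoginDialog(playerid, true);
    return 1;
}
```

The same attempt counter is what the 4-digit PIN reset mentioned in post #1 needs, since a four-digit code falls to unlimited retries no matter how the password itself is hashed.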