Posts Tagged ‘CodeIgniter bug’

How the browser MMO and CodeIgniter Hacked

Written by AbiusX on . Posted in Security

This one is intended to be an educational/tutorial post on how I hacked an MMORPG web browser Persian game known as Removed From Text and along with it, the well known PHP framework CodeIgniter used for developing it. Reading this might help you learn a thing or two about information security.

First of all, you're not encouraged at all to do anything against Removed From or any other CodeIgniter powered website using this technique or any equivalent technique. I am a world-class professional hacker and it's practically impossible to track my actions in the Internet, I use well implemented anonymity/privacy networks and BOTNETs to perform my tasks and infiltrate systems in a way that's very hard to detect.

Defacing any website - for any purpose - and/or stealing its private data it's a felony in international treaties and therefore is condemned highly. The intent of this article is only educational.

* * *

Finding the vulnerability

A few days ago, I visited Removed From Text to play an online web-based browser game which is purely Persian. I was well aware of the game and it's developers, since I was the coordinator for their participation in 3rd Digital Media Fair of Tehran. I played for a while, and started thinking this might take a long time, so I decided to cheat.

Probing the site and its features for a while, I figured a SQL Injection vulnerability in it's "Forgot Password" feature. It's worthy of note that SQL Injection vulnerabilities are usually found in the least attended, most obsolete sections of a website. Like a small polling dialog, or a forgot password dialog.

The vulnerability which can be seen at http://Removed From by entering foo as username and 1' morgh as the password, brings up the following dialog at http://uc.Removed From :

A Database Error Occurred

Error Number: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'morgh'' at line 1 SELECT `uid` FROM uc_users WHERE username='foo' and email='1' morgh' Filename: /var/www/universalcommander/models/forgetmodel.php Line Number: 17