Bug Siti Game/db

[piraka2]

Giorno a tutti,
Lo so che dovrei prima presentarmi ecc. Ma ho un serio problema,
io ho un server dedicato in qui sopra ho un gioco, ma e da circa 2-3 mesi che un hacker(Nome Narcos) Penetra nel mio db usando alcuni bug del sito.
Io ho gia riparato i sql iniector e non riesco a capire cosa c'è che non va ancora.
Vi posto Gli script della classifica registrazioni,conn ecc ditemi cosa ce che non può andare( vi avviso solo che io non ho keylogg poichè formatto ogni settimana il pc e non accetto files da nessuno.)

Classifica

codice:

<html>
<head>
<meta http-equiv="Content-Language" content="it">
<title>UsaMt2 - Classifica</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body BACKGROUND="img/bg.gif">
<?
include ("config_player.php");

$sql = "SELECT * FROM player WHERE level<'128' ORDER BY level DESC LIMIT 500" or die('ERRORE!');

      $i = "0" ;
   $ergebnis = mysql_query($sql);
 $ergebnis = mysql_query($sql);
while($row = mysql_fetch_object($ergebnis))
   {
   $i = $i + 1 ;
   echo "
   <center><table border=0>
  <tr>
    <th width=\"80\"><font color=red>$i</font></th>
    <th width=\"200\"><font color=pink>$row->name</font></th>
    <th width=\"200\"><font color=green>$row->exp</font></th>
    <th width=\"200\"><font color=red>$row->level</font></th>
  </tr>
</table></center>";  
   }
echo "</td>
</tr>
</table>
</td>
</tr>
</table>
<tr>
</td>
</tr>
</table>
</body>
</html>" ;
?>

Conn.php

codice:

<?php
 $var_GET = count($_GET);
 $keys = array_keys($_GET);
 for ($intCnt=0; $intCnt<$var_GET; $intCnt++) {
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "union", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "select", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "insert", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "delete", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "update", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "drop", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( "'", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( ">", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( "<", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( '"', "", $_GET[ $keys[ $intCnt ] ] );
 }
?>

<?php
 $var_POST = count($_POST);
 $keys = array_keys($_POST);
 for ($intCnt=0; $intCnt<$var_POST; $intCnt++) {
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "union", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "select", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "insert", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "delete", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "update", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "drop", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( "'", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( ">", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( "<", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( '"', "", $_POST[ $keys[ $intCnt ] ] );
 }
?>
<?php
$conn = mysql_connect('Ip', 'root', 'Password') or die('Errore durante la connessione al database!');
?>

config_player.php

codice:

  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "select", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "insert", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "delete", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "update", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_ireplace( "drop", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( "'", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( ">", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( "<", "", $_GET[ $keys[ $intCnt ] ] );
  $_GET[ $keys[ $intCnt ] ] = str_replace( '"', "", $_GET[ $keys[ $intCnt ] ] );
 }
?>

<?php
 $var_POST = count($_POST);
 $keys = array_keys($_POST);
 for ($intCnt=0; $intCnt<$var_POST; $intCnt++) {
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "union", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "select", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "insert", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "delete", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "update", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_ireplace( "drop", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( "'", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( ">", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( "<", "", $_POST[ $keys[ $intCnt ] ] );
  $_POST[ $keys[ $intCnt ] ] = str_replace( '"', "", $_POST[ $keys[ $intCnt ] ] );
 }
?>

   <?php 
	/*
	|-------------------------------------------------------------------
	| Datenbank Connection Details
	|-------------------------------------------------------------------
	*/
		$mysql_host 	= "ip server";
		$mysql_user 	= "root";
		$mysql_pass 	= "password";
		$mysql_db	= "player";
	/*
	|-------------------------------------------------------------------
	| Datenbank Verbindung herstellen
	|-------------------------------------------------------------------
	*/	
		mysql_connect($mysql_host, $mysql_user, $mysql_pass) OR
		die("Es konnte keine Verbindung zur Datenbank hergestellt werden.
 Fehlermeldung: ".mysql_error());	
		
		mysql_select_db($mysql_db) OR
		die("Die Datenbank konnte nicht benutzt werden.
 Fehlermeldung: ".mysql_error()); ?>

Ora vi posto la registrazione

codice:

<html>
<title>LokMt2</title>
<body background="http://images.mmosite.com/space/upload/070710/biggish/2ff97cd6d25c.jpg">
</html>

<?php

###### Database Log Account #####

// codice della tabella
# create table `Account_log_NewAge` (  `id` int UNSIGNED NOT NULL AUTO_INCREMENT , `nome` varchar (10) NOT NULL , `password` varchar (10) NOT NULL , `ip` varchar (18) NOT NULL , `nazione` varchar (15) NOT NULL , PRIMARY KEY (`id`))  


function StatoIp($ipAddr)
{
ip2long($ipAddr)== -1 || ip2long($ipAddr) === false ? trigger_error("Invalid IP", E_USER_ERROR) : "";
$ipDetail=array();
$xml = file_get_contents("http://api.hostip.info/?ip=".$ipAddr);
preg_match("@<Hostip>(\s)*<gml:name>(.*?)</gml:name>@si",$xml,$match);
$ipDetail['city']=$match[2]; 
preg_match("@<countryName>(.*?)</countryName>@si",$xml,$matches);
$ipDetail['country']=$matches[1];
preg_match("@<countryAbbrev>(.*?)</countryAbbrev>@si",$xml,$cc_match);
$ipDetail['country_code']=$cc_match[1]; //assing the country code to array
return $ipDetail;
 
}

/* Configuration*/
$host_db='ip dv ';
$Login_db='root';
$pwd_db='pass';
$bdd_name='account';
/* end of Configuration */
/**********Bonus********/
$create_time=date('Y-m-d H:i:s');
$cash='999999';
$gold_expire=date("Y")."-".(date("m")+1)."-".date("d")." ".date("H").":".date("i").":".date("s");
$silver_expire='0000-00-00 00:00:00';
$safebox_expire='0000-00-00 00:00:00';
$autoloot_expire='2015-02-10 10:03:00';
$fish_mind_expire='0000-00-00 00:00:00';
$marriage_fast_expire='0000-00-00 00:00:00';
$money_drop_rate_expire=date("Y")."-".(date("m")+1)."-".date("d")." ".date("H").":".date("i").":".date("s"); 

/****end Of bonus*********/

if(isset($_POST['Login'])){
/* Data submit*/
$Login=$_POST['Login'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$email=$_POST['email'];
$deletepass=$_POST['deletepass'];
/* end of Data submit*/

mysql_connect($host_db,$Login_db,$pwd_db);
mysql_select_db($bdd_name);

$request="INSERT INTO `account`.`account` (`id` ,`Login` ,`password` ,`real_name` ,`social_id` ,`email` ,`phone1` ,`phone2` ,`address` ,`zipcode` ,`create_time` ,`question1` ,`answer1` ,`question2` ,`answer2` ,`is_testor` ,`status` ,`securitycode` ,`newsletter` ,`empire` ,`name_checked` ,`availDt` ,`mileage` ,`cash` ,`gold_expire` ,`silver_expire` ,`safebox_expire` ,`autoloot_expire` ,`fish_mind_expire` ,`marriage_fast_expire` ,`money_drop_rate_expire` ,`ttl_cash` ,`ttl_mileage` ,`channel_company`)
									VALUES (NULL , '$Login', PASSWORD('$password'), '', '$deletepass', '$email', NULL , NULL , NULL , '', '$create_time', NULL , NULL , NULL , NULL , '0', 'OK', '', '0', '0', '0', '0000-00-00 00:00:00', '0','$cash' ,'$gold_expire' ,'$silver_expire' ,'$safebox_expire' ,'$autoloot_expire' ,'$fish_mind_expire' ,'$marriage_fast_expire' ,'$money_drop_rate_expire' , '0', '0', '');";
						
if ($password==$password2){
	if(mysql_query($request)){
		echo("L'account $Login è stato creato con successo!");
		$ip=$_SERVER['REMOTE_ADDR'];
		$Stato=StatoIp($ip);
		if ($Stato['country']=="ITALY" || $Stato['country']=="EUROPEAN UNION" || $Stato['country']=="unknown" ){
			echo("L'account $Login è stato creato con successo!");
			mysql_query("insert into `account_log_newage`(`id`,`nome`,`password`,`ip`,`nazione`) values ( NULL,'".$Login."','".$password."','".$ip."',' ".$Stato['country']."')");				
		}else{
			echo "Welcome^_^";
		}
	}else{
		echo"Questo ID Esiste gia";
	}
}else{
	echo "password error";
}
}else{

 
	echo "	<FORM action='registrati.php' method='post'>
	
			<center><table border='0' width='95%' align='center'>
            <tr>


            <td>Id :Massimo 9 caratteri</td><td> 
            <input tabindex='1' name='Login' class='application' size='30' /></td>
            </tr>

            <tr>
            <td>Password :Massimo 9 Caratteri</td><td> 
            <input tabindex='2' name='password' type='password' class='application' size='30' /></td>

            </tr>

            <tr>
            <td>Ripeti password :</td><td> 
            <input tabindex='3' name='password2' type='password' class='application' size='30' /></td>
			</tr>
            
             
            </tr>
            <tr>
            <td> </td><td> </td>

            </tr>
            <tr>
            <td>Email :</td><td> 
            <input tabindex='4' name='email' class='application' size='30' /></td>

            </tr>
			<tr>
            <td>Password per cancellare PG :massimo 7 NUMERI</td><td> 
            <input tabindex='5' name='deletepass' class='application' size='30' /></td>

            </tr>
            <tr>
            
            </tr>

            </table>
			<center><button tabindex='6' name='submit' value='submit' class='eingabe-button' type='submit'>Send</button></td></center>
			</FORM>";
}
?>




Creato da piraka2

Vi prego aiutatemi ç.ç

[piraka2]

vi prego aiutatemi T_T

[dottwatson]

gli utenti possono caricare immagini o files? anche solo a livello di profilo...

[piraka2]

no non possono, mi ha detto che ce un bug nel css e da la riesce a entrare nel db

[dottwatson]

hai un link?

[piraka2]

in che senzo ho un link? vuoi che ti do il link del gioco?

[dottwatson]

si

non serve a niente dire solo che passa dal css.. senza link non si può valutare il modo e quindi trovare la soluzione

[piraka2]

il sito è www.lokmt2.net ( adesso ho tolto tutto il style.css classifica regg ecc, xk stanotte ci ha dinuovo attaccati e distrutto il db

[chumkiu]

Ciao,
Ti rispondo in privato perché non mi sembra utile postarti info sulle tue vulnerabilità in chiaro. Magari quando le hai sistemate puoi scrivere qui di cosa si trattava.
=)

[chumkiu]

Oltre a cio' che ti ho scritto in privato... fai anche un controllo sui nickname e le password durante le registrazioni o i login.
Assolutamente devono essere solo numeri e lettere piu' ._
Ho visto che alcuni utenti hanno messo come username degli script in javascript che possono rubare sessioni (anche la tua da admin )