Posted on February 26th, 2009
What is Tribal Wars?
For those who don't know, we can look it up on Google: “Tribal Wars is a browserbased online game. Every player controls a small village, striving for power and glory”.
It is played in many countries on a lot of servers.
By altering a parameter you can access the DB. Because the platform / software is the same everywhere, you can gain access on ALL the servers: you can access the DB on each and every server.
Here you have the version, user and name of the DB for server 9, Romania:
Let's see now what we can find in the table ds_player.
Besides username, email and password (crypted, but any pass can be easily decrypted) we can also find the amount of “gold” each player has. Fans of this game will know what I am talking about. You can buy gold or transfer it to another player, and it is one of the most important resources / commodities of the game. First, I concatenated all of these on server 9, Romania:
To show that through the vulnerable parameter you can access any database on any server, here is a screenshot for server 11, Holland.
The vulnerable parameter is already patched, and therefore it is left visible.
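The kind of flaw described above, shown next to its fix, as an added example that is not the game's code or part of the original post. The table layout, the two in-memory "servers", the probe value and the function names are assumptions constructed for illustration; the check at the end is a regression test a defender can run against every deployment of the same code base.

```python
import re
import sqlite3

PROBE = "1 OR 1=1"  # constructed test value: not a number, but valid SQL if pasted into a query

def make_db():
    """In-memory stand-in for one game server's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ds_player (id INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, password TEXT, gold INTEGER)")
    db.executemany("INSERT INTO ds_player VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", "hash-a", 120),
        (2, "bob", "bob@example.test", "hash-b", 5),
    ])
    return db

def profile_unsafe(db, player_id):
    # Weak: the request value is pasted into the SQL text, so it can change
    # the structure of the query instead of only supplying a value.
    sql = "SELECT username, gold FROM ds_player WHERE id = " + player_id
    return db.execute(sql).fetchall()

def profile_safe(db, player_id):
    # Hardened: reject anything that is not a short run of ASCII digits,
    # then pass the value as a bound parameter, never as SQL text.
    if not re.fullmatch(r"[0-9]{1,10}", player_id):
        return []
    sql = "SELECT username, gold FROM ds_player WHERE id = ?"
    return db.execute(sql, (int(player_id),)).fetchall()

def leaky_servers(handler, servers, probe=PROBE):
    """Names of servers where a single-id lookup returns more than one player."""
    return sorted(name for name, db in servers.items()
                  if len(handler(db, probe)) > 1)

if __name__ == "__main__":
    # Same code on every server means the same result on every server.
    servers = {"ro9": make_db(), "nl11": make_db()}
    print("unsafe handler leaks on:", leaky_servers(profile_unsafe, servers))
    print("safe handler leaks on:  ", leaky_servers(profile_safe, servers))
```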
What is Tribal Wars? For those who don't know, we look up the game's definition on Google: “Tribal Wars is a browserbased online game. Every player controls a small village, striving for power and glory”
A game played in many countries, on different servers. A poorly sanitized parameter allows an SQL injection, and therefore access to the databases. Because the software, the platform, is shared, the vulnerable parameter is present on all servers. That is, the databases on each individual server can be accessed. First, let's see the version, user and database name for server 9, Romania:
Now let's see what we find in the ds_player table. Besides username, email and password (encrypted, but any password can be decrypted relatively easily) we also find the amount of gold held. Anyone who plays knows what gold is. Gold can be bought with money, but it can also be transferred to another player, so gold is something very valuable. First, I concatenated all of this for server 9, Romania:
To show that the databases on any server can be accessed through the vulnerable parameter, I took a screenshot for server 11, Holland.
I did not blur the vulnerable parameter, because it is already sanitized, patched.
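The post notes that the stored passwords, although not in plain text, are easy to recover. The added example below (not from the original post or the game's code) shows why a fast unsalted hash such as MD5 falls to a precomputed table, and what per-user salted PBKDF2 storage changes. The player names, passwords, word list and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def md5_hash(password):
    # Weak scheme: fast and unsalted, so equal passwords give equal hashes.
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None):
    # Stronger scheme: random per-user salt plus a deliberately slow derivation.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def pbkdf2_verify(password, salt, expected):
    # Recompute with the stored salt and compare in constant time.
    _, digest = pbkdf2_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def lookup_hits(stored_hashes, table):
    """Count stored hashes that appear in a precomputed hash -> password table."""
    return sum(1 for h in stored_hashes if h in table)

if __name__ == "__main__":
    # Constructed sample accounts; two players share a common password.
    players = {"alice": "dragon", "bob": "dragon", "carol": "S7-gw!x9Lq"}
    # Constructed stand-in for a public hash database built from common words.
    table = {md5_hash(w): w for w in ("123456", "dragon", "password")}

    md5_store = {u: md5_hash(p) for u, p in players.items()}
    print("MD5 records found in table:", lookup_hits(md5_store.values(), table))
    print("alice and bob share an MD5 record:",
          md5_store["alice"] == md5_store["bob"])

    salted = {u: pbkdf2_hash(p) for u, p in players.items()}
    print("alice and bob share a PBKDF2 record:",
          salted["alice"][1] == salted["bob"][1])
    print("login check still works:",
          pbkdf2_verify("dragon", *salted["alice"]))
```

With a salt per account, one table no longer serves every user, and the iteration count makes each guess expensive; weak passwords remain guessable, only more slowly.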




February 26th, 2009 at 8:58 am
Can passwords hashed with md5 or sha1 be recovered in some way other than brute force?
February 26th, 2009 at 10:33 am
Brute force, or you search in one of the existing md5 hash databases.
February 26th, 2009 at 2:58 pm
you're giving the kids ideas again
February 26th, 2009 at 7:14 pm
nice write up..
February 26th, 2009 at 9:59 pm
http://www.evz.ro/articole/detalii-articol/841278/Hacker-roman-angajat-de-procuratura-italiana/ …. The joke is getting serious, be careful, because I like to read something new every day
February 28th, 2009 at 1:59 pm
Does anybody here speak Russian, damn it?
March 2nd, 2009 at 7:13 pm
Nice work, I have a big project which I have informed a few top hackers to work on. I hope you can join us.
July 10th, 2009 at 12:25 pm
but I still didn't understand anything from this
April 24th, 2010 at 11:35 pm
Run away from Triburile, a game with absurd rules that are not written down anywhere, so that you would know what strategy to take. And why? Because, you see, they would take up 100 pages, said the lady from Triburile support.
Bullshit!! If you do start playing, watch out, because just when things are going best for you, you take it on the chin.
How??!! For example: if you have several villages and you send an army (e.g. 2000 axemen) as support from one village to another, and the village you sent the army from is conquered, the army also disappears (so the 2000 axemen simply vanish) from the village it went to support, even though you may still have 2-3 more villages where the 2000 axemen would come in handy, or they could stay in the village they reached, not disappear!
Isn't that a mockery??!!!! What kind of rule is that?
Another example: if you send an army to support one of your own villages or a tribe mate's, and in the meantime the destination village is conquered by an enemy, what do you think happens?! My army marches on like a fool and supports the enemy, “because they're stupid”, they don't know the village was conquered by an enemy.
And if you write to support, they answer: “Don't take it seriously, it's a game!”
Well, screw them, they're not serious!! Plus, what if you also pay some money and struggle to build your army, and 4 months go by, and then you lose everything because of some fools who lack the slightest logic??!!
So RUN AWAY!!! from this game.