It's possible to execute an SQL injection attack using the player polls functionality. This can be done by abusing Topic() and HREFs.
On the live server we have poll ID 28 for "Should clockcult be removed from rotation?"; I'll be using this poll as an example.
Performing the exploit
Get your Mob ID by shift+ctrl clicking "Setup Character"; this will open Internet Explorer with a URL containing your Mob ID.
Clear the chat box and enter this message: byond:///?src=[];pollidshow=1 OR id=28
You should see a new window open with the poll results.
How it works
The raw input from the pollidshow field is passed straight into the SQL query with no input validation.
How to fix
Add an is_num check to the pollidshow field before it's inserted into the query.
This is just a small example, where you could open any poll you like; it could be expanded upon, though, to allow an attacker to drop tables or give themselves permissions.
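The following is an added illustration, not code from the game's codebase: it puts the vulnerable pattern the issue describes (the raw pollidshow value concatenated into the SQL text) next to the proposed fix (reject anything that is not a number, then bind the value as a parameter). It uses an in-memory SQLite table with constructed rows, and the table name, column names and query shape are assumptions; the is_num helper stands in for the isnum()/text2num() check that would be used in DM.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the server's poll table.
    # Schema and contents are assumptions for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE poll_question (id INTEGER PRIMARY KEY, question TEXT)"
    )
    conn.executemany(
        "INSERT INTO poll_question VALUES (?, ?)",
        [
            (1, "Constructed poll 1"),
            (28, "Should clockcult be removed from rotation?"),
            (29, "Constructed poll 29"),
        ],
    )
    return conn


def show_poll_vulnerable(conn, pollidshow):
    # Mirrors the flaw in the issue: the href parameter goes straight into
    # the SQL string, so "1 OR id=28" rewrites the WHERE clause.
    sql = (
        "SELECT id, question FROM poll_question WHERE id="
        + pollidshow
        + " ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def is_num(value):
    # Accept only a string that is entirely a base-10 integer; anything
    # else (spaces, keywords, operators, empty string) is rejected.
    return re.fullmatch(r"[0-9]+", value) is not None


def show_poll_fixed(conn, pollidshow):
    # The fix proposed in the issue: validate before the value reaches the
    # query, and additionally bind it as a parameter rather than pasting it
    # into the SQL text.
    if not is_num(pollidshow):
        return None
    sql = "SELECT id, question FROM poll_question WHERE id=? ORDER BY id"
    return conn.execute(sql, (int(pollidshow),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", show_poll_vulnerable(db, "1 OR id=28"))
    print("fixed:", show_poll_fixed(db, "1 OR id=28"))
    print("fixed, legitimate:", show_poll_fixed(db, "28"))
```

The vulnerable function returns both poll 1 and poll 28 for the payload from the issue, showing that the caller controls the WHERE clause; the fixed function returns None for the same input and only answers when the value is a plain integer.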