L2J Server

L2J Revision Number: 4422

I have a specific username and password exclusive for LoginServer. This username have privileges only localhost.

My LoginServer config:
URL = jdbc:mysql://localhost/l2jdb-login
# Database user info (default is "root" but it's not recommended)
Login = L2j_Login_cRaZyLL

The username L2j_Login_cRaZyLL have access only localhost on mysql. External access is blocked.

Username on mysql (can only SELECT, INSERT, DELETE, UPDATE): L2j_Login_cRaZyLL@localhost

When I ban a specific player, this banned player can disban the account every time. See the MySQL log:

75238 Connect L2j_Login_cRaZyLL@localhost on
75238 Init DB l2jdb-login
75238 Query SET NAMES 'utf8'
75238 Query UPDATE `accounts` SET `accessLevel`='0' WHERE (`login`='johny') AND (`accessLevel`='-100')

How this player can run this sql query with user L2j_Login_cRaZyLL@localhost? There are a new L2 Hack for this????

HELP!

anyone?

do you have a web interface for account management? or any other web page script that accesses the database and uses that db user?

Yes, I have a web interface, but the web have another exclusive username and I use two Anti SQL Injection on fileds POST and GET:

function anti_sql_injection($var) {
$filter = array("null", "NULL", "update", "UPDATE", "select", "SELECT", "insert", "INSERT", "delete", "DELETE", "like", "LIKE", "!", "#", "$", "%", "¨", "&", "*", "(", ")", "+", "-", "=", "§", "`", "´", "{", "[", "}", "]", "<", ">", ":", "?", ";", "/", "|", "*", "-");
$filter_sql_injection = array("' or 1=1 or ''='", "' or 1=1--", "' or 1=1#", "' or 1=1/*", "') or '1'='1--", "') or ('1'='1--", " or 1=1--", "or 1=1--");

$Text = $var;
$s = $Text;
$s = ereg_replace("[áàâãª]","a",$s);
$s = ereg_replace("[ÁÀÂÃ]","A",$s);
$s = ereg_replace("[éèê]","e",$s);
$s = ereg_replace("[ÉÈÊ]","E",$s);
$s = ereg_replace("[óòôõº]","o",$s);
$s = ereg_replace("[ÓÒÔÕ]","O",$s);
$s = ereg_replace("[úùû]","u",$s);
$s = ereg_replace("[ÚÙÛ]","U",$s);
$s = str_replace("ç","c",$s);
$s = str_replace("Ç","C",$s);
$s = ereg_replace(" ","",$s);
$Text = $s;
$Text = str_replace($filter, "", $Text);
$Text = str_replace($filter_sql_injection, "", $Text);

return $Text;
}

function anti_sql_injection2($var) {
$filter = array("%20", "NULL");
$filter_sql_injection = array("' or 1=1 or ''='", "' or 1=1--", "' or 1=1#", "' or 1=1/*", "') or '1'='1--", "') or ('1'='1--", " or 1=1--", "or 1=1--");

$Text = $var;
$Text = str_replace($filter, "", $Text);
$Text = str_replace($filter_sql_injection, "", $Text);

return $Text;
}

if he install own script on your host, your 'anti_sql_injection' are uselles.

you can enable httpd logs and watch what files are accessed.

you can search if some new file was added even if name looks corect. they sometimes use I l exchange in name so on first look you cannot see difference.

also you can search for all files for 'mysql_connect', 'mysql_query' strings. or even 'base64_decode' they sometimes use that method to inject own code in php files. just check if all files looks correctly

mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement

http://php.net/manual/en/function.mysql ... string.php

THANK YOU JANIII!!!
THANK YOU GNACIK!!!

I'm your fan!

The problem was a "new file" insered by banned player. This file can run sql commands.