
WickedLasers hacked!

Joined
Jan 7, 2007
Messages
6,309
Points
83
IWSMIKE --
Sorry --- I have been "Mike" here for so long, it looked like something for me. I deleted the post.

Mike ---- Hemlock Mike

There are now so many Mikes here, I'll try to remember to sign as HMike in the future to prevent problems like this.

Trevor

0
Joined
Jul 17, 2009
Messages
4,386
Points
113
come on guys, we've been through this already, let him rest :)

My bad for not reading the thread all the way through. Forgive me while I threadjack:

For those of you unfamiliar with SQL injection, it's the act of placing SQL statements in an online form such that when the query is executed, it will cause damage to a database - or otherwise give the injecting individual power over its contents. On the other hand, it will not allow the injector implicit access into It can be done by typing straight SQL into a text box or using browser plugins (like TamperData for Firefox - there's also another one out there that turns all inputs into textboxes). It works because sometimes a programmer will forget to validate input before it is plugged straight into a query and executed on the database. Take this poorly written query (this is PHP syntax) for example:

PHP:
$query = "UPDATE customers SET firstname = '".$fname."' WHERE uid = ".$_SESSION['uid'].";";

If you know sort of what's in the query, you can manipulate this lack of validation to your advantage by inputting:

Code:
James' WHERE uid = 76; DROP TABLE orders; DROP TABLE customers; --

This finishes out the first query with BS data, adds in a second and third one to cause damage, and comments out the rest of the original - essentially yielding:

Code:
UPDATE customers SET firstname = 'James' WHERE uid = 76;
DROP TABLE orders;
DROP TABLE customers; --' WHERE uid = 8523;

Any PHP programmer worth his or her salt would use a function (ctype_alnum(), for example) to check to make sure that input is alphanumeric, or one can also escape unwanted characters (like quotation marks and other things used in SQL syntax) to prevent this from happening.

Trevor

Moptsp

0
Joined
Sep 23, 2009
Messages
429
Points
0
Yeah I know all about this. I've been programming in the web area for a few years.

To add to what twhite said -
The easiest and probably best way to secure dynamic/non-static parts of a query in PHP is to use the mysql function "mysql_real_escape_string()" or, though not as secure, "mysql_escape_string()".
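The thread's example is PHP/MySQL; as an added example (not code from the thread or either poster), here is the same scenario transposed to Python's sqlite3 so it runs offline: the string-built UPDATE run against the payload quoted above, a ctype_alnum()-style whitelist check, and a parameterized query, which is the driver-level alternative to the mysql_real_escape_string() approach. The table layout, sample rows and the session uid 8523 are constructed sample data.

```python
import sqlite3

# Constructed sample data: the thread's payload and the uid from $_SESSION['uid'].
PAYLOAD = "James' WHERE uid = 76; DROP TABLE orders; DROP TABLE customers; --"
SESSION_UID = 8523


def fresh_db():
    """In-memory stand-in for the shop database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (uid INTEGER PRIMARY KEY, firstname TEXT);
        CREATE TABLE orders (oid INTEGER PRIMARY KEY, uid INTEGER);
        INSERT INTO customers VALUES (76, 'Alice'), (8523, 'Bob');
        INSERT INTO orders VALUES (1, 76);
    """)
    return db


def tables(db):
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def firstname(db, uid):
    return db.execute("SELECT firstname FROM customers WHERE uid = ?", (uid,)).fetchone()[0]


def update_unsafe(db, fname, uid):
    # Same string-built query as the thread's PHP. executescript() runs the
    # stacked statements, as a multi-statement-capable MySQL driver would.
    query = "UPDATE customers SET firstname = '" + fname + "' WHERE uid = " + str(uid) + ";"
    db.executescript(query)


def is_alnum(value):
    # ctype_alnum() equivalent: non-empty and ASCII letters/digits only.
    return value.isascii() and value.isalnum()


def update_validated(db, fname, uid):
    """Whitelist validation: returns False and touches nothing if input is rejected."""
    if not is_alnum(fname):
        return False
    update_unsafe(db, fname, uid)  # safe only because validation ran first
    return True


def update_parameterized(db, fname, uid):
    # The driver sends the value separately from the SQL text, so it is stored
    # as data and never parsed as SQL; no escaping is needed.
    db.execute("UPDATE customers SET firstname = ? WHERE uid = ?", (fname, uid))
    db.commit()
```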

Trevor

0
Joined
Jul 17, 2009
Messages
4,386
Points
113
Yeah I know all about this. I've been programming in the web area for a few years.

To add to what twhite said -
The easiest and probably best way to secure dynamic/non-static parts of a query in PHP is to use the mysql function "mysql_real_escape_string()" or, though not as secure, "mysql_escape_string()".

Thanks for the addendum; I'll have to check that out next time I'm working on a script. :thanks:

I've only ever had the occasion to use ctype_alnum(); based on the nature of what I do.

Trevor
Joined
Sep 27, 2009
Messages
5
Points
0
I tried to create an account in their lasercommunity forum, but it is still hacked. Can anyone confirm? This hacker is amazing.

Jaseth

0
Joined
Jan 30, 2009
Messages
1,630
Points
0
Whoever he is, he has certainly got his revenge, if that was what he wanted. He must have cost WL many many days of work already, and LC is still down. Also, even though they have restored the WL site more or less completely, nobody is going to buy anything until they can be sure that he no longer has access.. jwc is very right, he has probably installed a back door so he can get in easily the moment someone sends their credit card info for their next purchase.
The fact that a guy with such bad grammar can even get access to their site is already worrying, and for me it is enough of a reason never to buy anything from there. Not that I was going to anyway with those prices but.. still.

Seb

jwc

0
Joined
Oct 20, 2008
Messages
337
Points
0
Thanks for the addendum; I'll have to check that out next time I'm working on a script. :thanks:

I've only ever had the occasion to use ctype_alnum(); based on the nature of what I do.

Trevor

I've always used mysql_escape_string() because I've never used weird character sets. I see that it's now deprecated, so I suppose I should go ahead and switch all those instances over to mysql_real_escape_string().

SQL injections are a classic case of insecurity by sloppy coding. I would venture to guess that Wicked uses a standard shopping cart system, so I highly doubt there would be any exploits unless they are using an outdated version of the software.

It's more likely that the hacker got in through a poor password choice or something like that. He clearly has access to an SSH or FTP account because he is editing files, not database information. That's usually how these things work.
D

Deleted member 8382

Guest
@jaseth, that he doesn't have good grammar could mean that he is an idiot or that he is not an English speaker; are you going to blame him for that?

Nowadays I almost don't make mistakes when using English, but some years ago I couldn't make a single correct sentence, and on every forum I tried to participate in everyone laughed at me, calling me "noob" or "idiot" for not knowing their language. At that moment I could speak Catalan and Spanish perfectly, and English fluently. This, from my point of view, shows that the only idiots there were those who knew English as their native language and nothing else, and thought everyone else was just ignorant.

Not saying that you are an idiot, but you might reconsider this:

The fact that a guy with such bad grammar can even get access to their site is already worrying

What if he knows Chinese, Japanese, Korean but not English? Is he still an idiot?

Again, there's not any intention of offending anyone eh ;)

Yours,
Albert

Trevor

0
Joined
Jul 17, 2009
Messages
4,386
Points
113
SQL injections are a classic case of insecurity by sloppy coding. I would venture to guess that Wicked uses a standard shopping cart system, so I highly doubt there would be any exploits unless they are using an outdated version of the software.

I agree - for some reason I really highly doubt that there's vulnerability of this nature.

It's more likely that the hacker got in through a poor password choice or something like that. He clearly has access to an SSH or FTP account because he is editing files, not database information. That's usually how these things work.

Which makes me wonder - is it a current or former employee, or did they update their webserver to a new version that has a security flaw in it (a friend of mine had an issue with this on a forum)?

Trevor

Things

0
Joined
May 1, 2007
Messages
7,517
Points
0
yes legal age is 18!! 4 more months CHEERING!!



Sure it is!!!

Only nerds would think it's porn :p :p :D

untitled.PNG


:p

Things

0
Joined
May 1, 2007
Messages
7,517
Points
0
It's a gamemode for my Grand Theft Auto San Andreas multiplayer server. Funnily enough, the language is called "pawn" :p

Things

0
Joined
May 1, 2007
Messages
7,517
Points
0
It's in Pawn, for SA-MP (Grand Theft Auto San Andreas Multiplayer) ...

Pawn is sort of a variation of C++/C#

And no, the server is not open source, however what it does pretty much relies on what you script it to do ...

That part of the script I posted was the main gamemode, which is sort of the main script of the game, and then there are addon filterscripts, which are also in pawn.

Code:
//DO NOT REMOVE THE CREDITS FROM ANY PART OF THIS SCRIPT!
//BlueFusion and I put a lot of work and time into this FS
//I don't like scripts that advertise themselves when people join, so I didn't add them
//But you MUST keep the credits in ALL parts to continue using this script!
//Thanks to a few members on the sa-mp forum that helped me with a few errors in this script ;)
//**************************************************************************************
//**************************************************************************************
//The car spawned by this script is invincible, and will set ALL vehicles that come near it on fire
//A command to destroy the deathcar was added, since there is no other way to get rid of it quickly.
//If you find any bugs/errors in this script, please email me at lpfthings@gmail.com and let me know the problem
//You may modify this script's functions, but the credits are NOT to be removed. If you want a credit-free version, please email me.
// YOU CAN ONLY HAVE 1 DEATHCAR ON THE SERVER AT ONCE, UNTIL THE FIRST DEATHCAR WAS DESTROYED USING /destroydeathcar, it's just the nature of the script.
// Enjoy the script!


#include <a_samp>

#define COLOR_LIGHTBLUE 0x33CCFFAA

new God[MAX_PLAYERS];      // vehicle id of each player's deathcar (INVALID_VEHICLE_ID when none)
new GodTimer[MAX_PLAYERS]; // id of the heal/burn timer, so it can be killed on /destroydeathcar
forward GodCar(playerid);

stock GetDistanceBetweenVehicles(vehicleid, vehicleid2) // Adds the function to get the distance between vehicles
{
	new Float:x1, Float:y1, Float:z1, Float:x2, Float:y2, Float:z2;
	new Float:tmpdis;
	GetVehiclePos(vehicleid, x1, y1, z1);
	GetVehiclePos(vehicleid2, x2, y2, z2);
	tmpdis = floatsqroot(floatpower(floatsub(x2, x1), 2) + floatpower(floatsub(y2, y1), 2) + floatpower(floatsub(z2, z1), 2));
	return floatround(tmpdis);
}

public OnFilterScriptInit()
{
	print("******************************************"); // Prints this in your server window, DO NOT REMOVE!!
	print("**_-_-_-_ Death Car Filterscript_-_-_-_-**"); // prints this in your server window, DO NOT REMOVE!!
	print("**_Created by Thingszors and BlueFusion_**"); // prints this in your server window, DO NOT REMOVE!!
	print("***************V 1.0**********************"); // prints this in your server window, DO NOT REMOVE!!
	for(new i = 0; i < MAX_PLAYERS; i++) // nobody has a deathcar or a running timer yet
	{
		God[i] = INVALID_VEHICLE_ID;
		GodTimer[i] = -1;
	}
	return 1;
}

public OnFilterScriptExit()
{
	return 1;
}

public OnPlayerCommandText(playerid, cmdtext[]) // Just that!
{
	if(strcmp(cmdtext, "/deathcar", true) == 0) // Here you can configure the command to spawn the death car.
	{
		if(God[playerid] != INVALID_VEHICLE_ID) // only one deathcar per player until it has been destroyed
		{
			SendClientMessage(playerid, COLOR_LIGHTBLUE, "*** You already have a deathcar, type /destroydeathcar first!");
			return 1;
		}
		SendClientMessage(playerid, COLOR_LIGHTBLUE, "*** Death car spawned!"); // prints that when people use the command.
		SendClientMessage(playerid, COLOR_LIGHTBLUE, "*** Make sure you type /destroydeathcar before you hop out of the vehicle!"); // Same as above
		new Float:x, Float:y, Float:z, Float:a; // creates new floats for the positions below
		SendClientMessage(playerid, COLOR_LIGHTBLUE, "*** Deathcar script created by Thingszors and BlueFusion"); // DO NOT REMOVE! Doing so will corrupt this script!
		GetPlayerPos(playerid, x, y, z); // writes the player position to floats x, y and z
		GetPlayerFacingAngle(playerid, a); // writes the angle to float a
		God[playerid] = CreateVehicle(411, x + 2, y, z + 1, a, 3, 3, 99999999); // 411 is the model ID of the Infernus, you may change this to another vehicle, the other numbers do not need to be changed!
		PutPlayerInVehicle(playerid, God[playerid], 0); // Puts you in the deathcar once it's spawned.
		GodTimer[playerid] = SetTimerEx("GodCar", 100, true, "i", playerid); // Starts a timer for use below. This is where you can change the time rate. Do not set it too high, otherwise the deathcar might not work properly
		return 1;
	}
	if(strcmp(cmdtext, "/destroydeathcar", true) == 0) // The command that will destroy the car. Since it's invincible, it's a good idea to use this command when you leave the vehicle
	{
		if(GodTimer[playerid] != -1) // stop the timer first, otherwise it keeps running on a destroyed vehicle id
		{
			KillTimer(GodTimer[playerid]);
			GodTimer[playerid] = -1;
		}
		if(God[playerid] != INVALID_VEHICLE_ID)
		{
			DestroyVehicle(God[playerid]); // Destroys the deathcar
			God[playerid] = INVALID_VEHICLE_ID;
		}
		SendClientMessage(playerid, COLOR_LIGHTBLUE, "*** Death car destroyed!"); // prints to player when command is used
		return 1;
	}

	return 0;
}

public GodCar(playerid) // When the timer activates every 100ms
{
	for(new v = 1; v < MAX_VEHICLES; v++) // Checks the distance between the death car and ALL the other vehicles.
	{
		if(God[playerid] != v) // skip the deathcar itself
		{
			if(GetDistanceBetweenVehicles(God[playerid], v) < 10) // If there is a vehicle within 10 units of the deathcar...
			{
				SetVehicleHealth(v, 10.0); // sets the health of the vehicle in range to 10, catches fire instantly.
			}
		}
	}
	SetVehicleHealth(God[playerid], 1000.0); // sets the health of the deathcar to full.
	return 1;
} // This above bit of script repeats every 100ms! The deathcar heals every 100ms, and it checks the distance between vehicles every 100ms
// If you notice people crashing excessively, you may want to change the "100" to a higher number in the timer noted above


//DO NOT REMOVE THE CREDITS FROM ANY PART OF THIS SCRIPT!
//BlueFusion and I put a lot of work and time into this FS
//I don't like scripts that advertise themselves when people join, so I didn't add them
//But you MUST keep the credits in ALL parts to continue using this script!
// Enjoy the script!

This is a script BlueFusion and I made a while ago, it has lots of comments :)