  1. #1
    kchoman's Avatar
    Join Date
    Jan 2013
    Gender
    male
    Posts
    20
    Reputation
    10
    Thanks
    6

    Beware of fantasy-kings.gq

    What is fantasy-kings.gq?
    fantasy-kings.gq is another Adventure Quest Worlds private server that's vulnerable to an SQL injection.

    You can exploit this vulnerability by adding
    Code:
    ' or '1'='1
    at the end of the char.php page (I tried this with char.php?id=kirito and it worked fine)

    The site attempts to authenticate user traffic using PHP sessions, but somehow forgets to extend that session authentication to the char.php page which allows for the SQL injection to take place. (Seriously guys?)

    What can we do?
    Well for starters you can start by grabbing a password keychain or an encrypted text container (like CryptoTE) and stop sharing the same password(s) among different sites if you're doing that. (I used to do that, but nowadays I keep seeing databases getting leaked by the minute)

    Should we stop playing on fantasy-kings.gq?
    Again, the damage is already done by now and the database has been breached. So just make sure you don't share any passwords with the one you have on fantasy-kings.gq and you should be fine. (Unless you like to keep your in-game efforts intact, which I can't say whether those are in jeopardy or not)

    If you own fantasy-kings.gq, then get in contact with me and I'll assist in patching this vulnerability, I'll get your sessions to function on every page of the site so that future attempts can be halted before they can begin, and I'll even throw in some bcrypt for your password hashes.

    STOP STORING PASSWORDS IN THE CLEAR IF YOU OPERATE AN AQW PRIVATE SERVER!

    [EDIT]

    This was far worse than I'd imagined at first; so let's start from the beginning:

    1. The server is running on an Amazon AWS EC2 instance running Windows Server and XAMPP
    2. There are no rules set up to prevent remote access to the /server-info and /server-status pages
    3. The /server-status pages show public IPs and requests as they're being processed


    I don't know what I can say to this, I've never seen a server in such a dismal state of security.
    Last edited by kchoman; 03-10-2017 at 09:56 PM.
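
Added example (not part of kchoman's post and not the server's actual code): the concatenated lookup the post describes next to a prepared-statement version, run against the string from the post, with passwords stored as bcrypt hashes. The table, column names, sample accounts and the `user_id` session key are constructed for illustration; it assumes PHP with the PDO SQLite driver.

```php
<?php
// Constructed in-memory database standing in for the game's user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, level INTEGER, pass_hash TEXT)');

// Passwords are stored as bcrypt hashes, never in the clear.
$ins = $db->prepare('INSERT INTO users (name, level, pass_hash) VALUES (?, ?, ?)');
foreach ([['kirito', 40, 'constructed-pass-1'], ['asuna', 55, 'constructed-pass-2']] as [$n, $l, $p]) {
    $ins->execute([$n, $l, password_hash($p, PASSWORD_BCRYPT)]);
}

// Vulnerable pattern: the id parameter is concatenated into the SQL text,
// so a quote in the input changes the structure of the query.
function lookup_concat(PDO $db, string $id): array {
    $sql = "SELECT name, level FROM users WHERE name = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the id is a bound parameter and is only ever treated as data.
function lookup_prepared(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT name, level FROM users WHERE name = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Session gate to run at the top of every page, char.php included.
// The 'user_id' key is an assumption; a real page would pass $_SESSION.
function require_login(array $session): bool {
    return isset($session['user_id']);
}

$input = "kirito' or '1'='1";   // the string from the post, appended to the id
printf("concatenated query rows: %d\n", count(lookup_concat($db, $input)));
printf("prepared query rows:     %d\n", count(lookup_prepared($db, $input)));
printf("anonymous request allowed: %s\n", var_export(require_login([]), true));

// Login check against the stored hash; the plaintext is never stored or compared.
$hash = $db->query("SELECT pass_hash FROM users WHERE name = 'kirito'")->fetchColumn();
printf("stored value prefix: %s\n", substr($hash, 0, 4));
printf("password verifies: %s\n", var_export(password_verify('constructed-pass-1', $hash), true));
```

The session gate limits who can reach the page, but the prepared statement is what removes the injection; both are needed.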

  2. #2
    Krunix's Avatar
    Join Date
    Dec 2015
    Gender
    male
    Posts
    164
    Reputation
    10
    Thanks
    220
    How can they contact you when you can't even get messages?

  3. #3
    Trash's Avatar
    Join Date
    Mar 2016
    Gender
    male
    Posts
    2,797
    Reputation
    441
    Thanks
    1,271
    Lol, this practically means all "new" servers are vulnerable because they don't know wtf they're doing before release.
    Past Name(s):
    ImThrowingMyLifeAway

  4. #4
    Hugo Boss's Avatar
    Join Date
    Oct 2011
    Gender
    male
    Posts
    28,752
    Reputation
    4790
    Thanks
    5,902
    My Mood
    Angelic
    Simply have a different & complex password for each account you register regardless of what it is for.

     

  5. #5
    kchoman's Avatar
    Quote Originally Posted by Krunix View Post
    How can they contact you when you can't even get messages?
    You're in contact with me right now as you're posting in the thread; even without private messages there are still means of contacting me.

    - - - Updated - - -

    Quote Originally Posted by ImThrowingMyLifeAway View Post
    Lol, this practically means all "new" servers are vulnerable because they don't know wtf they're doing before release.
    These guys are probably using an older version of CoreAQ and DeltaWorlds as the base of their private servers which have SQL vulnerabilities in them. Overproject and fantasy-kings both have these SQL vulnerabilities in the character ranks area.

    There are some larger AQW private servers out there that aren't vulnerable in this sense.

    I'm currently working on an AQW private server package; patching out all SQL injections, XSS exploits, and other forms of vulnerabilities that I may come across.

    - - - Updated - - -

    Quote Originally Posted by Hugo Boss View Post
    Simply have a different & complex password for each account you register regardless of what it is for.
    That's why I recommend an encrypted key container or an encrypted document editor such as CryptoTE since it's nearly impossible to keep up with a different secure password for every site we use.

  6. #6
    Krunix's Avatar
    I told one of their moderators to contact you, and sent them this thread. They won't even believe it and even called me a rank-digger smh. They are saying that I'm lying and just want a promotion (???) lmao. Should you give it a hit?

  7. #7
    kchoman's Avatar
    Quote Originally Posted by Krunix View Post
    I told one of their moderators to contact you, and sent them this thread. They won't even believe it and even called me a rank-digger smh. They are saying that I'm lying and just want a promotion (???) lmao. Should you give it a hit?
    Sounds like they're not interested in having these problems fixed.

    Plus what do you mean by "give it a hit"?

  8. #8
    Trash's Avatar
    Quote Originally Posted by kchoman View Post
    Sounds like they're not interested in having these problems fixed.

    Plus what do you mean by "give it a hit"?
    @Krunix if you mean what I think you do, maybe don't recommend a private server database raid, that's not exactly allowed I think...

  9. #9
    Krunix's Avatar
    I had a conversation with one of the so-called "owners" and he doesn't know anything about this for fuck's sake. This is our conversation:
    Owner: wtf is that?

    Me: soo.. you don't know what it is
    let me contact the owner then
    e.e

    Owner: why?
    -_-
    lwel
    *lewl

    Me: so you guys made a private server
    and don't know anything about security

    Owner: lol
    sure
    tell the owner
    -_-
    bye.

    Owner: bro i am owner
    tell me what's the problem
    i'll try to fix it

    Me: THE PROBLEM IS ON THE THREAD

    Owner: and there is nothing wrong with my db
    -_-

    Owner: bro

    Me: YOU KNOW SQL INJECTION?

    Owner: nope
    -_-
    lol

    Me: then you can't fix this
    that's why i need ashley

    Owner: okay sure

    Me: give me her fb

    Owner: i don't care whatever happens
    Last edited by Krunix; 03-11-2017 at 12:11 AM.

  10. #10
    kchoman's Avatar
    Quote Originally Posted by Krunix View Post
    I had a conversation with one of the so-called "owners" and he doesn't know anything about this for fuck's sake. This is our conversation:
    I suppose it's time for me to make a small guide about securing private servers from various methods of attack; otherwise, this is just going to keep happening.

  11. #11
    Krunix's Avatar
    yo bro any updates for its new site? it's https://galaxyworlds.ga/game.html

  12. #12
    kchoman's Avatar
    Quote Originally Posted by Krunix View Post
    yo bro any updates for its new site? it's https://galaxyworlds.ga/game.html
    So here's a list of things that I noticed about that site:

    1. It was mirrored using WinHTTrack so there are no PHP files on there at the moment. (Just HTML and Flash as far as I can determine)
    2. I couldn't find any directories that weren't protected from being viewed, unlike the old server.
    3. I couldn't access the /server-status page but it's still there, which means it's still operated using XAMPP on an Amazon AWS EC2 instance.
    4. There's no top-100 page; if one gets added later on, I'll try to test that out to see if the owner got it right this time around.

    So far it seems a bit more secure, but lacking as it's still brand new. I'll give it about a month to develop before going back on and running some tests.
