How they can contact you when you cant even get messages?..
What is fantasy-kings.gq?
fantasy-kings.gq is another Adventure Quest Worlds private server that's vulnerable to an SQL injection.
You can exploit this vulnerability by adding
at the end of the char.php page (I tried this with char.php?id=kirito and it worked fine)Code:' or '1'='1
The site attempts to authenticate user traffic using PHP sessions, but somehow forgets to extend that session authentication to the char.php page which allows for the SQL injection to take place. (Seriously guys?)
What can we do?
Well for starters you can start by grabbing a password keychain or an encrypted text container (like CryptoTE) and stop sharing the same password(s) among different sites if you're doing that. (I used to do that, but nowadays I keep seeing databases getting leaked by the minute)
Should we stop playing on fantasy-kings.gq?
Again, the damage is already done by now and the database has been breached. So just make sure you don't share any passwords with the one you have on fantasy-kings.gq and you should be fine. (Unless you like to keep your in-game efforts intact, which I can't say whether those are in jeopardy or not)
If you own fantasy-kings.gq, then get in contact with me and I'll assist in patching this vulnerability, I'll get your sessions to function on every page of the site so that future attempts can be halted before they can begin, and I'll even throw in some bcrypt for your password hashes.
STOP STORING PASSWORDS IN THE CLEAR IF YOU OPERATE AN AQW PRIVATE SERVER!
[EDIT]
This was far worse than I'd imagined at first; so let's start from the beginning:
- The server is running on an Amazonaws EC2 instance running Windows Server and XAMPP
- There's no rules set up to prevent remote access to the /server-info and /server-status pages
- The /server-status pages show public IPs and requests as they're being processed
I don't know what I can say to this, I've never seen a server in such a dismal state of security.
Last edited by kchoman; 03-10-2017 at 09:56 PM.
How they can contact you when you cant even get messages?..
Lol, this practically means all "new" servers are vulnerable because they don't know wtf they're doing before release.
Past Name(s):
ImThrowingMyLifeAway
Simply have a different & complex password for each account you register regardless of what it is for.
You're in contact with me right now as you're posting in the thread, even without private messages there's still means of contacting me.
- - - Updated - - -
These guys are probably using an older version of CoreAQ and DeltaWorlds as the base of their private servers which have SQL vulnerabilities in them. Overproject and fantasy-kings both have these SQL vulnerabilities in the character ranks area.
There are some larger AQW private servers out there that aren't vulnerable in this sense.
I'm currently working on an AQW private server package; patching out all SQL injections, XSS exploits, and other forms of vulnerabilities that I may come across.
- - - Updated - - -
That's why I recommend an encrypted key container or an encrypted document editor such as CryptoTE since it's nearly impossible to keep up with a different secure password for every site we use.
I told one of their moderators to contact you, and sent them this thread. They wont even believe and even called me a rank-digger smh. They are saying that I'm lying and just wants a promotion (???) lmao. Should you give it a hit?
@Krunix if you mean what I think you do, maybe don't recommend a private server database raid, that's not exactly allowed I think...
Past Name(s):
ImThrowingMyLifeAway
I had a conversation with one of the so called "owners" and he doesnt know anything about this for fuck sake. This is our conversation:
Owner: wtf is that?
Me:soo.. you dont know what is it
let me contact the owner then
e.e
Owner :why?
-_-
lwel
*lewl
Me:so you guys made a private server
and doesnt know anything about security
Owner:lol
sure
tell the owner
-_-
bye.
Owner: bro i am owner
tell me wahts the problem
ill try to fix it
Me:THE PROBLEM IS ON THE THREAD
Owner:and there is nothing wrong with my db
-_-
Owner:bro
Me: YOU KNOW SQL INJECTION?
Owner:nope
-_-
lol
Me:then you cant fix this
thats why i need ashley
Ownerkay sure
Me:give me her fb
Owner:i dont care whatever happens
Last edited by Krunix; 03-11-2017 at 12:11 AM.
yo bro any updates for its new site? its https://galaxyworlds.ga/game.html
So here's a list of things that I noticed about that site:
1. It was mirrored using WinHTTrack so there's no PHP files on there at the moment. (Just HTML and Flash as far as I can determine)
2. I couldn't find any directories that weren't protected from being viewed unlike the old server.
3. I couldn't access the /server-status page but it's still there which means it's still operated using XAMPP on an AmazonAWS EC2 Instance.
4. There's no top-100 page which if one gets added later on, then I'll try to test that out to see if the owner got it right this time around.
So far it seems a bit more secure, but lacking as it's still brand new. I'll give it about a month to develop before going back on and running some tests.