  1. #1
    kchoman

    Beware of Overproject.cf

    What is Overproject.cf?
    Overproject.cf is an AQW private server hosted in Canada that has some popularity among AQW players in Brazil. The site has been around since 2014 according to their copyright information in the site footer.

    What is the problem with Overproject.cf?
    Overproject.cf has an SQL Injection vulnerability in their character.php page which led to the leakage of over 4000 user accounts and passwords which were stored in the clear (no hashing, no salting, no protection against an intruder).

    You can exploit this vulnerability by adding
    Code:
    ' or '1'='1
    at the end of the URL for your character page and it should show you the account name Hefesto with default character design and garments with every single achievement given to the members of Overproject.cf.

    What can we do?
    If you share any passwords with your Overproject.cf account, I strongly recommend that you stop using that password and start looking into encrypted password containers (keychains or CryptoTE), which allow you to handle complex passwords without too much trouble.

    Should we stop playing on Overproject.cf?
    The damage is already done, so there's no need to stop playing on Overproject.cf if you enjoy playing on that private server.

    If you own Overproject.cf, then get in contact with me and I'll assist in patching this vulnerability and I'll even throw in some bcrypt hashing for your database passwords.
    Last edited by kchoman; 03-02-2017 at 09:28 PM.

  2. The Following 3 Users Say Thank You to kchoman For This Useful Post:

    Hunter (03-02-2017),Silent (03-02-2017),Volt (03-02-2017)

  3. #2
    Trash
    We already knew this if you looked in the original advertised post; thanks though.
    The owner hasn't been here once, just an ambassador that doesn't show up anymore.
    Past Name(s):
    ImThrowingMyLifeAway

  4. #3
    Volt
    Owner got hacked twice, I got banned again and some others got banned as well.

  5. #4
    Krunix
    Quote Originally Posted by kchoman View Post
    You can exploit this vulnerability by adding
    Code:
    ' or '1'='1
    at the end of the URL for your character page and it should show you the account name Hefesto with default character design and garments with every single achievement given to the members of Overproject.cf.
    what do you mean by these?
    I have contact with the owner, I sent him these and told him to message you asap.
    Last edited by Krunix; 03-02-2017 at 09:11 PM.

  6. The Following User Says Thank You to Krunix For This Useful Post:

    kchoman (03-02-2017)

  7. #5
    kchoman
    Quote Originally Posted by Krunix View Post
    what do you mean by these?
    I have contact with the owner, I sent him these and told him to message you asap.
    Since the
    Code:
    overproject.cf/characters?u=test
    page is handling data using the GET method (gathering data from a predefined query) that means you have to insert the SQL injection into the URL which then gets added to the predefined query.

    So in this instance the code could look something like this:
    Code:
    $query = "SELECT * FROM characters WHERE username='".$_GET['u']."'";
    $data = $db->gather($db->connect(),$query);
    echo $data;
    So the query that's being sent by going to
    Code:
    ?u=test
    would be
    Code:
    SELECT * FROM characters WHERE username='test'
    which would return everything if that username is found in the database.

    If we're sending the SQL injection like this
    Code:
    ?u=test' or '1'='1
    then the query would look like this
    Code:
    SELECT * FROM characters WHERE username='test' or '1'='1'
    Even if there was no user by the username 'test' in the database, the 2nd part of that query would return TRUE since 1 is equal to 1. (It's pretty much asking the database "Is there a user named 'test', otherwise does one equal one?")

    An OR statement doesn't require both outputs to be TRUE unlike an AND statement.

    Refer to this chart below for a rather lazy explanation of an AND and an OR statement:
    Code:
    test AND 0=0 -> TRUE AND TRUE == TRUE
    t3st AND 0=0 -> FALSE AND TRUE == FALSE
    test AND 0=1 -> TRUE AND FALSE == FALSE
    t3st AND 0=1 -> FALSE AND FALSE == FALSE
    test OR 0=0 -> TRUE OR TRUE == TRUE
    t3st OR 0=0 -> FALSE OR TRUE == TRUE
    test OR 0=1 -> TRUE OR FALSE == TRUE
    t3st OR 0=1 -> FALSE OR FALSE == FALSE

  8. The Following User Says Thank You to kchoman For This Useful Post:

    Volt (03-03-2017)
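
Added example, not part of the thread or any poster's code: the concatenated lookup described in post #5 beside a parameterized version, together with the bcrypt password storage mentioned in post #1, using PHP's PDO against an in-memory SQLite table. The table layout, sample rows, passwords and function names are constructed for illustration.

```php
<?php
// Constructed demo data in an in-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE characters (username TEXT PRIMARY KEY, password_hash TEXT)');

// Store bcrypt hashes instead of clear-text passwords.
$insert = $db->prepare('INSERT INTO characters (username, password_hash) VALUES (?, ?)');
foreach (['alice' => 'constructed-pw-1', 'bob' => 'constructed-pw-2'] as $name => $pw) {
    $insert->execute([$name, password_hash($pw, PASSWORD_BCRYPT)]);
}

// Vulnerable pattern from the post: the input becomes part of the SQL text,
// so a quote character in it changes the structure of the WHERE clause.
function lookupConcatenated(PDO $db, string $u): array {
    $query = "SELECT username FROM characters WHERE username='" . $u . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value is bound as a parameter and is only ever
// compared against the username column, never parsed as SQL.
function lookupPrepared(PDO $db, string $u): array {
    $stmt = $db->prepare('SELECT username FROM characters WHERE username = ?');
    $stmt->execute([$u]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Login check that compares a submitted password with the stored bcrypt hash.
function checkLogin(PDO $db, string $u, string $pw): bool {
    $stmt = $db->prepare('SELECT password_hash FROM characters WHERE username = ?');
    $stmt->execute([$u]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pw, $hash);
}

$input = "test' or '1'='1"; // the value quoted in the thread

// The concatenated lookup matches rows that were never asked for;
// the prepared lookup treats the whole string as one (non-existent) username.
echo 'concatenated: ', json_encode(lookupConcatenated($db, $input)), PHP_EOL;
echo 'prepared:     ', json_encode(lookupPrepared($db, $input)), PHP_EOL;

var_dump(checkLogin($db, 'alice', 'constructed-pw-1'));
var_dump(checkLogin($db, 'alice', $input));
```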

  9. #6
    Krunix
    I am sorry, I can't understand anything on this. But I have a question. How can I message you?

  10. #7
    kchoman
    Quote Originally Posted by Krunix View Post
    I am sorry, I can't understand anything on this. But I have a question. How can I message you?
    Through a PM on this site.

  11. #8
    Krunix
    kchoman has chosen not to receive private messages or may not be allowed to receive private messages. Therefore you may not send your message to him/her.

  12. #9
    Trash
    Quote Originally Posted by kchoman View Post
    Through a PM on this site.
    Reach 10 posts before trying to PM around here, would expect it from a 2013 but idk.

  13. #10
    kchoman
    Quote Originally Posted by ImThrowingMyLifeAway View Post
    Reach 10 posts before trying to PM around here, would expect it from a 2013 but idk.
    Well it looks like I gotta make a few more posts.

  14. #11
    Krunix
    do you have skype? fb? twitter?

  15. #12
    Silent
    I'll stick for a few days, Pretty useful information, Thanks for the heads up!

  16. #13
    Bryansuper
    question do you guys know what i need to use to be able to use ID shops for AQW
