What is Overproject.cf?
Overproject.cf is an AQW private server hosted in Canada that has some popularity among AQW players in Brazil. The site has been around since 2014 according to their copyright information in the site footer.
What is the problem with Overproject.cf?
Overproject.cf has an SQL Injection vulnerability in their character.php page which led to the leakage of over 4000 user accounts and passwords which were stored in the clear (no hashing, no salting, no protection against an intruder).
You can exploit this vulnerability by adding
Code:
' or '1'='1
at the end of the URL for your character page and it should show you the account name Hefesto with default character design and garments with every single achievement given to the members of Overproject.cf.
What can we do?
If you share any passwords with your Overproject.cf account, I strongly recommend that you stop using that password and start looking into encrypted password containers (keychains or CryptoTE) which allow you to handle complex passwords without too much trouble.
Should we stop playing on Overproject.cf?
The damage is already done, so there's no need to stop playing on Overproject.cf if you enjoy playing on that private server.
If you own Overproject.cf, then get in contact with me and I'll assist in patching this vulnerability and I'll even throw in some bcrypt hashing for your database passwords.
Last edited by kchoman; 03-02-2017 at 09:28 PM.
We already knew this if you looked in the original advertised post; thanks though.
The owner hasn't been here once, just an ambassador that doesn't show up anymore.
Owner got hacked twice, I got banned again and some others got banned as well.
kchoman (03-02-2017)
Since the
Code:
overproject.cf/characters?u=test
page is handling data using the GET method (gathering data from a predefined query), that means you have to insert the SQL injection into the URL, which then gets added to the predefined query.
So in this instance the code could look something like this:
Code:
// The value from the URL is concatenated straight into the SQL string
$query = "SELECT * FROM characters WHERE username='".$_GET['u']."'";
$data = $db->gather($db->connect(),$query);
echo $data;
So the query that's being sent by going to
Code:
?u=test
would be
Code:
SELECT * FROM characters WHERE username='test'
which would return everything if that username is found in the database.
If we're sending the SQL injection like this
Code:
?u=test' or '1'='1
then the query would look like this
Code:
SELECT * FROM characters WHERE username='test' or '1'='1'
Even if there was no user by the username 'test' in the database, the 2nd part of that query would return TRUE since 1 is equal to 1. (It's pretty much asking the database "Is there a user named 'test', otherwise does one equal to one?")
An OR statement doesn't require both outputs to be TRUE unlike an AND statement.
Refer to this chart below for a rather lazy explanation of an AND and an OR statement:
Code:
test AND 0=0 -> TRUE AND TRUE == TRUE
t3st AND 0=0 -> FALSE AND TRUE == FALSE
test AND 0=1 -> TRUE AND FALSE == FALSE
t3st AND 0=1 -> FALSE AND FALSE == FALSE
test OR 0=0 -> TRUE OR TRUE == TRUE
t3st OR 0=0 -> FALSE OR TRUE == TRUE
test OR 0=1 -> TRUE OR FALSE == TRUE
t3st OR 0=1 -> FALSE OR FALSE == FALSE
Volt (03-03-2017)
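The concatenated query from the post above next to a parameterized one, as an added example that is not part of the thread or of Overproject.cf's code. Python with an in-memory SQLite database stands in for the site's PHP and database here; the table contents and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the table and column follow the query in the post.
ROWS = [("Hefesto", 1), ("alice", 2), ("bob", 3)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE characters (username TEXT PRIMARY KEY, id INTEGER)")
    db.executemany("INSERT INTO characters VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, u):
    # Same pattern as the PHP in the post: the input is pasted into the SQL
    # text, so a quote in `u` closes the string literal and whatever follows
    # is parsed as part of the WHERE clause.
    query = "SELECT username FROM characters WHERE username='" + u + "'"
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, u):
    # The value is bound separately from the SQL text, so it is only ever
    # compared as data and cannot change the structure of the query.
    query = "SELECT username FROM characters WHERE username = ?"
    return [row[0] for row in db.execute(query, (u,))]


if __name__ == "__main__":
    db = make_db()
    for u in ("alice", "test", "test' or '1'='1"):
        print(repr(u), lookup_concatenated(db, u), lookup_parameterized(db, u))
```

With the input from the post, the concatenated lookup matches every row in the table, while the parameterized lookup searches for a user literally named `test' or '1'='1` and finds none.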
I am sorry, I can't understand anything on this. But I have a question. How can I message you?
kchoman has chosen not to receive private messages or may not be allowed to receive private messages. Therefore you may not send your message to him/her.
I'll stick for a few days. Pretty useful information, thanks for the heads up!
Question: do you guys know what I need to use to be able to use ID shops for AQW?