Could someone please tell me how to protect my habbo hotel from SQL injection attacks?

[ManuWasabi]

Could someone tell me how to protect my habbo hotel from SQL injection attacks? There's a hacker who this fucking game experience using Tanji in my hotel .... I would like to fix it but can not find any emulator (with download link) have protection ....

 

[Morohara]

SQL injection isn't normally EMU side. (there are other attacks that used to involve attacking an emu directly but the majority of these have already been fixed in updated emus.)

There are different type of injection attacks you have the standard injection method where you query yourself or you have the one this program used (If you have a source I can outline it better on how it works this can be done via cms but majority have this patched so this is useless.)
Majority of the programs you download work by querying repeated requests till they get a reaction like a list, apps like Cloudflare block these aswell as coming with SQL injection protection. Which is outlined below on how it works.

This can be done in a multitude of ways eg; Entering data into a field on a website. Like a post request. How it works is when you input a query into a field on a retro (normally cms) its stored and the database will run the query. posting the data requested. (this can be fixed by filtering out the queries.)

The one you have is probably are dealing with is eg;

You must be registered for see links

1 or 1=;-- (this is an example) This is basically a user asking for this data related to table user where it equals the id = 1. The program it self will bombard requests which depending on your server (IIS) you can see what kind of requests hes executing. The number with the program will go up and up so he'll ask for id 1,2,3,4,5 to get the relevant information.

In my honest opinion if you have no development background I wouldn't try to go in depth and try to do a complex resolution try getting cloudflare as this will help with the program associated, as cloudflare blocks requests after x amount has been queried.

 

[ManuWasabi]

La inyección de SQL normalmente no es del lado de la EMU. (Hay otros ataques que solían implicar atacar a un emú directamente, pero la mayoría de estos ya se han solucionado en los emús actualizados).

Hay diferentes tipos de ataques de inyección, tiene el método de inyección estándar en el que se consulta a sí mismo o tiene el que usó este programa (si tiene una fuente, puedo describirlo mejor sobre cómo funciona, esto se puede hacer a través de cms , pero la mayoría tiene esto parcheado por lo que esto es inútil.)
La mayoría de los programas que descargan utilizan solicitudes repetidas hasta que obtienen una reacción como una lista, las aplicaciones como Cloudflare los que vienen con protección de inyección SQL. Que se describe a continuación sobre cómo funciona.

Esto se puede hacer de muchas formas, por ejemplo; Ingresar datos en un campo en un sitio web. Como una solicitud de publicación. Cómo funciona es cuando ingresa una consulta en un campo en un retro (normalmente cms) se almacena y la base de datos ejecutará la consulta. publicando los datos solicitados. (esto se puede solucionar filtrando las consultas).

El que probablemente está tratando es, por ejemplo;

You must be registered for see links

1 o 1 =; - (este es un ejemplo) Este es básicamente un usuario que solicita datos relacionados con el usuario de la tabla donde es igual al id = 1. El programa en sí mismo bombardeará las solicitudes que dependen de su servidor (IIS) puede ver qué tipo de solicitudes está ejecutando. El número con el programa aumentará y aumentará, por lo que pedirá id 1,2,3,4,5 para obtener la información relevante.

En mi opinión honesta, si no tiene experiencia en desarrollo, no trataría de profundizar y tratar de hacer una resolución compleja, intente obtener cloudflare, ya que esto ayudará con el programa asociado, ya que cloudflare cierra las solicitudes después de que se haya consultado x cantidad.

I use the PLUS emulator, is it one of those "updated emu" ?????

 

[Daltron]

SQL Injections most likely are being ran through your CMS through an exploit where they are directly able to modify the database due to this exploit.

Most SQL Injections happen through INSERT query's inside your CMS there are many ways to protect yourself against those types of injections just ask if you need more info about that.

This person can "claim" he is using Tanji to scare you but if you are using PlusEMU r2 or r1 then Tanji is basically useless as it doesn't do much of anything besides modifying packets which habbo themselves couldn't even stop back when flash was prominent.

I'm not sure there is a way to disable Tanji to be completely honest, Darkstar and the other Tanji Developers developed Tanji so it would work in some form or fashion in any circumstance.

First I would check your INSERT queries such as CMS comments, Housekeeping, and Reset password scripts. Most CMS Comments that you find released have back doors so I would suggest either coding your own or fix the code that you get from those CMS's.

We can give you a more definitive answer if you give us more information about what the hacker is doing such as modifying rank or something of that nature, like how does the hacker disrupt the game?

 

[ManuWasabi]

Lo más probable es que las inyecciones de SQL se estén ejecutando a través de su CMS a través de un exploit en el que pueden modificar directamente la base de datos debido a este exploit.

La mayoría de las inyecciones de SQL ocurren a través de la consulta INSERT dentro de su CMS. Hay muchas formas de protegerse contra ese tipo de inyecciones, solo pregunte si necesita más información al respecto.

Esta persona puede "afirmar" que está usando Tanji para asustarte, pero si estás usando PlusEMU r2 o r1, entonces Tanji es básicamente inútil, ya que no hace mucho más que modificar paquetes que los propios habbo ni siquiera podían detener cuando parpadeaban. fue prominente.

No estoy seguro de que haya una manera de desactivar Tanji para ser completamente honesto, Darkstar y los otros desarrolladores de Tanji desarrollaron Tanji para que funcione de alguna forma o moda en cualquier circunstancia.

Primero verificaría sus consultas INSERT, como los comentarios de CMS, el mantenimiento y los scripts de restablecimiento de contraseña. La mayoría de los comentarios de CMS que encuentra publicados tienen puertas traseras, por lo que sugeriría codificar el suyo propio o corregir el código que obtiene de esos CMS.

Podemos darte una respuesta más definitiva si nos das más información sobre lo que está haciendo el hacker, como modificar el rango o algo por el estilo, como ¿cómo interrumpe el juego el hacker?

Hello, thank you very much for your answer ^^ I am using PLUS (neither plus r1 nor r2 since I can't find any download link ...) I imagine it will be an old version .... The hacker uses tanji to put diamonds, duplicate items, put MOD TOOLS, also to test if my configurations solved the vulnerability problems I downloaded tanji to hack my own hotel. I put cloudflare, I put the maximum protection, I have even paid for the PRO version but I have not managed to make my hotel protected from Tanji, I myself continue using it and it continues to work ...

 

[airilxx]

Hello, thank you very much for your answer ^^ I am using PLUS (neither plus r1 nor r2 since I can't find any download link ...) I imagine it will be an old version .... The hacker uses tanji to put diamonds, duplicate items, put MOD TOOLS, also to test if my configurations solved the vulnerability problems I downloaded tanji to hack my own hotel. I put cloudflare, I put the maximum protection, I have even paid for the PRO version but I have not managed to make my hotel protected from Tanji, I myself continue using it and it continues to work ...

As of my understanding, Tanji only took effect on client <--> server side. I would recommend using PlusEMU R2 as it likely have less vulnerability on Tanji. You can also try spoofing/changing client revision to minimize attacks (Only do this if you know what you're doing).

As for SQL injections, make sure to sanitize all critical requests, and disable SQL error output especially if you're running website in Production mode.

 

[Daltron]

You must be registered for see links

Visit that website for Plus EMU r1, r2, and r3 that is currently being worked on by the owner of retrofiles. If you don't trust r3 then use r2.

Cloudflare cannot protect you against Tanji in the lightest bit cloudflare is merely there to stop DDoS attacks. Your emulator has a few backdoors of such making it easy for the hacker to change the packets around and give him things he wants. Change your emulator to PlusEMU r2 or better yet scrap Plus if you want stability with zero edits then use Arcturus Morningstar as its literally plug and play.

 

[F099999]

i really recommend to use arcturus morningstar. we can say plus emulator is outdated...

 

[Weasel]

This is not the answer you'll want but I'm going to state a hard truth. If you do not know what an SQL Injection is, have no clue how to protect against them (like there's some magic bullet stopping all hackers) and the fact you're using some free emulator means you should not administer data/own a hotel that's open to the public. And this is not just for you.

This should be a general rule of thumb in gaming communities. If you cannot reasonably guarantee a level of safety of the data of your users, you should not own a publicly available service.

Take your time to learn. Open it up for friends and family. Dig into safety and code. Take a course or self-teach. Use this time to have fun and learn. And once you're ready, go for it.