Ragnarok Europe – Security Audit

by Vincent Thibault, posted Dec 18, 2012 in Works (1 Comment)

The MMORPG Ragnarok Online (Europe server) got a completely new website some months ago. I decided to check its security. I was filled…


In the past they got hacked multiple times because of their poor developers; now I understand why, as the website's security was in keeping with their reputation.
I found at least:

  • Some full path disclosures
  • 4 local file inclusions
  • 1 XSS
  • 3 blind SQL injections
  • 1 SQL injection
  • Some CSRF

The funniest thing was that they were running the SQL database as "root".
So it was possible to:

  • Modify the price of some services before buying them
  • Get full access to the SQL database of the site
  • Change the passwords of other accounts
  • Get full access to the host by creating a file on
  • Get access to the mailbox support@gravityeu.com (the ID and password were in one file)
  • Get access to some PSD files (artwork)
  • And the best one: full access to the game DB on another host, with the possibility to add items, premium accounts, levels, whatever you need…
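Most of the consequences above follow from the web application talking to the database as "root": one injection then carries the privileges of the server itself, including writing files on the host. The usual fix is a dedicated, least-privilege account for the site. The statements below are an added example, not anything from the audited site or its developers; they assume a MySQL/MariaDB server and a web schema named `roeu_web`, both of which are assumptions.

```sql
-- Added example (not from the audited site): a least-privilege account for the web application.
-- Assumes MySQL/MariaDB and a schema named `roeu_web` used only by the website.
CREATE USER 'roeu_web'@'localhost' IDENTIFIED BY 'replace-with-a-generated-secret';

-- Only the row-level operations the site needs, and only on its own schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON roeu_web.* TO 'roeu_web'@'localhost';

-- Deliberately absent: FILE (so no SELECT ... INTO OUTFILE / LOAD_FILE()), SUPER,
-- and any grant on other schemas, so an injection in the site cannot reach
-- a game database, the mail credentials, or the filesystem.

-- Verify what the account can actually do before pointing the application at it.
SHOW GRANTS FOR 'roeu_web'@'localhost';
```

With the application connecting as this user instead of root, an injection in the site is limited to the site's own tables, and the "create a file on the host" and cross-host game-DB paths are closed at the database layer; the injections themselves still need fixing in the code with parameterised queries.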

Note: all these issues were fixed some months ago, after I reported them.

1 Comment

  • Awesome bro
