LOBSTER
December 31, 2014, 04:25:46 PM
I can check out the blackjack script and see if any of jonny's work is in there. The newbie verifications in this thread don't instill a lot of confidence here. Scripts have been long posted here that led to thefts and backdoors, so downloaders beware.
Well, that didn't take long. At least for the blackjack, this is a pirate copy of johny1976's coinjack.
Install from the OP:
    if (isset($_GET['checkCons'])) {
      if (@!mysql_connect($_POST['db_host'],$_POST['db_user'],$_POST['db_pass']) || @!mysql_select_db($_POST['db_name'])) {
        header('Location: ./?step=3&db');
        exit();
      }
      $included_=true;
      include __DIR__.'/db_data.php';
      $db_file=fopen('../inc/db-conf.php','wb');
      fwrite($db_file,"<?php \n");
      fwrite($db_file,'$conf_c=true;'."\n");
      fwrite($db_file,'mysql_connect(\''.$_POST['db_host'].'\',\''.$_POST['db_user'].'\',\''.$_POST['db_pass'].'\');'."\n");
      fwrite($db_file,'mysql_select_db(\''.$_POST['db_name'].'\');'."\n");
      fwrite($db_file,'mysql_query("SET NAMES utf8");'."\n");
      fwrite($db_file,"?>");
      ?><?php
      fclose($db_file);
Install from official Coinjack:
    if (isset($_GET['checkCons'])) {
      if (@!mysql_connect($_POST['db_host'],$_POST['db_user'],$_POST['db_pass']) || @!mysql_select_db($_POST['db_name'])) {
        header('Location: ./?step=3&db');
        exit();
      }
      $included_=true;
      include __DIR__.'/db_data.php';
      $db_file=fopen('../inc/db-conf.php','wb');
      fwrite($db_file,"<?php \n");
      fwrite($db_file,'$conf_c=true;'."\n");
      fwrite($db_file,'mysql_connect(\''.$_POST['db_host'].'\',\''.$_POST['db_user'].'\',\''.$_POST['db_pass'].'\');'."\n");
      fwrite($db_file,'mysql_select_db(\''.$_POST['db_name'].'\');'."\n");
      fwrite($db_file,'mysql_query("SET NAMES utf8");'."\n");
      fwrite($db_file,"?>");
      ?><?php
      fclose($db_file);
As I said...but he meant that he fixed some bugs.
elm
Legendary
Offline
Activity: 1050
Merit: 1000
December 31, 2014, 04:29:27 PM
I can check out the blackjack script and see if any of jonny's work is in there. The newbie verifications in this thread don't instill a lot of confidence here. Scripts have been long posted here that led to thefts and backdoors, so downloaders beware.
Are there many open source gambling scripts with backdoors on GitHub?
johny1976
Legendary
Offline
Activity: 1135
Merit: 1002
Developer
December 31, 2014, 04:31:24 PM
due to me giving this away for free there have been some "authenticity issues", I can assure you this is authentic and working and can only suggest you get someone with PHP skills to read through if you are unsure. - I cannot emphasise this enough.
And it's also copyrighted. Please stop sharing our scripts for free.
SCAMMER
I recommend everyone not to download these backdoored versions of our software. These are not even the latest versions and contain security bugs. If you buy full license from us, you'll get free lifetime support + updates. See my signature.
elm
Legendary
Offline
Activity: 1050
Merit: 1000
December 31, 2014, 04:36:05 PM
Confused now...where are the backdoors? Who is honest here? What is going on here? I can't code so I can't check. Whom can I trust?
LOBSTER
December 31, 2014, 04:37:25 PM
Confused now...where are the backdoors? Who is honest here? What is going on here? I can't code so I can't check. Whom can I trust?
So true...best option: develop your own script!
cloverme
Legendary
Offline
Activity: 1512
Merit: 1057
SpacePirate.io
December 31, 2014, 04:38:13 PM
As I said...but he meant that he fixed some bugs.
Sorry, I missed your post on it too. I went through some of the code, but not all of it. Since it's a pirate copy, who knows if it has any exploits in there or not, my advice is to avoid the pirate copy and just buy the script from johny if you want it.
LOBSTER
December 31, 2014, 04:39:42 PM
As I said...but he meant that he fixed some bugs.
Sorry, I missed your post on it too. I went through some of the code, but not all of it. Since it's a pirate copy, who knows if it has any exploits in there or not.
At first he should tell us which bugs are in the script and how he fixed it. That would help to trust and retrace.
elm
Legendary
Offline
Activity: 1050
Merit: 1000
December 31, 2014, 04:43:10 PM
Confused now...where are the backdoors? Who is honest here? What is going on here? I can't code so I can't check. Whom can I trust?
So true...best option: develop your own script!
I can't code ( so what should I do?
cloverme
Legendary
Offline
Activity: 1512
Merit: 1057
SpacePirate.io
December 31, 2014, 04:44:24 PM
Everybody should remove this ASAP. You don't know what else could be hidden in here.
I am unsure what MD5 password this ("6d2aff483952d904179ca0c8c536a2c7") hash is, maybe someone with more experience in cracking passwords would know.
cloverme, I am assuming you have the original game? What line is meant to be in login.php?
I do have the licensed game yes, none of that code is in there, so it looks like you found the exploit in the scammer's attempt.
cloverme
Legendary
Offline
Activity: 1512
Merit: 1057
SpacePirate.io
December 31, 2014, 04:47:24 PM
Confused now...where are the backdoors? Who is honest here? What is going on here? I can't code so I can't check. Whom can I trust?
Just compare his modified admin login script with our original:
(original) https://i.imgur.com/NjX9IW5.png
(backdoored) https://i.imgur.com/NjX9IW5.png
This should help you guys make clear who is the scammer here. :-)
You posted the same image by accident.
johny1976
Legendary
Offline
Activity: 1135
Merit: 1002
Developer
December 31, 2014, 04:47:43 PM
Confused now...where are the backdoors? Who is honest here? What is going on here? I can't code so I can't check. Whom can I trust?
Just compare his modified admin login script with our original:
(original) https://i.imgur.com/NjX9IW5.png
(backdoored) https://i.imgur.com/NjX9IW5.png
This should help you guys make clear who is the scammer here. :-)
You posted the same image by accident.
Thank you, corrected.
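The comparison suggested in the posts above (a licensed copy against the downloaded one, plus the hard-coded hash reported in login.php) can be run over whole directory trees. This is an added example, not code from any poster or from the script; the file names, contents and the 32-hex value below are constructed samples, and POSIX-style paths are assumed.

```php
<?php
// Added example. Returns relative path => SHA-256 for every file under $root.
function hashTree(string $root): array
{
    $root = rtrim($root, '/');
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if ($f->isFile()) {
            $rel = substr($f->getPathname(), strlen($root) + 1);
            $out[$rel] = hash_file('sha256', $f->getPathname());
        }
    }
    return $out;
}

// Compare a copy under review ($suspect) against a trusted reference copy.
function compareTrees(string $reference, string $suspect): array
{
    $ref = hashTree($reference);
    $report = ['added' => [], 'changed' => [], 'missing' => [], 'hash_literals' => []];
    foreach (hashTree($suspect) as $rel => $digest) {
        $known = isset($ref[$rel]);
        $same  = $known && $ref[$rel] === $digest;
        unset($ref[$rel]);
        if ($same) {
            continue; // byte-identical to the reference
        }
        $report[$known ? 'changed' : 'added'][] = $rel;
        // Quoted 32-hex strings (MD5-sized) in a new or changed file need a manual read.
        $src = file_get_contents(rtrim($suspect, '/') . '/' . $rel);
        if (preg_match_all('/["\']([0-9a-f]{32})["\']/i', $src, $m)) {
            $report['hash_literals'][$rel] = array_values(array_unique($m[1]));
        }
    }
    $report['missing'] = array_keys($ref); // in the reference, absent from the suspect copy
    return $report;
}

// Constructed sample trees (not the real script's files).
$base = sys_get_temp_dir() . '/treecmp_' . bin2hex(random_bytes(4));
mkdir("$base/ref/admin", 0700, true);
mkdir("$base/sus/admin", 0700, true);
file_put_contents("$base/ref/index.php", "<?php echo 'home';\n");
file_put_contents("$base/sus/index.php", "<?php echo 'home';\n");
file_put_contents("$base/ref/admin/login.php", "<?php // reference login\n");
file_put_contents("$base/sus/admin/login.php",
    "<?php // reference login\n\$k = '00112233445566778899aabbccddeeff';\n");
print_r(compareTrees("$base/ref", "$base/sus"));
```

A clean report only shows that the two trees match; it says nothing about whether the reference copy itself is safe.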
redsn0w
Legendary
Offline
Activity: 1778
Merit: 1043
#Free market
December 31, 2014, 04:56:06 PM
Scam accusation against you: https://bitcointalk.org/index.php?topic=909282.0 Please try to resolve it (I've left you a negative trust for only a question of security, when you will resolve this situation I will remove it). Thanks for the attention, have a great day.
redsn0w
Legendary
Offline
Activity: 1778
Merit: 1043
#Free market
December 31, 2014, 05:00:08 PM
Thanks, I've seen it. Now I suggest to leave a negative trust to the OP (for a security reason, it will be removed when all the situation will be clarified).
johny1976
Legendary
Offline
Activity: 1135
Merit: 1002
Developer
December 31, 2014, 05:02:01 PM
TechnoBibble
Member
Offline
Activity: 179
Merit: 10
December 31, 2014, 05:06:03 PM
lol, did not see in your sig, I tend to ignore them added to post.
LilGhost
Member
Offline
Activity: 72
Merit: 10
December 31, 2014, 06:07:56 PM
Last edit: December 31, 2014, 08:06:23 PM by LilGhost
The admin login page is vulnerable to SQL injection.
    mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('".$_SESSION['username']."','".$_SERVER['REMOTE_ADDR']."','".$_SERVER['HTTP_USER_AGENT']."')");
This line is vulnerable to SQL injection if an attacker sends a custom user agent.
Edit: This is a recurring issue throughout the script. Frequently the script records the user-agent without sanitizing it first.
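The logging pattern from the post above, set beside a parameterized form. This is an added example, not code from the script or from any poster; the in-memory SQLite table stands in for the MySQL `admin_logs` table, and the request values and function names are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the script's MySQL database
// (assumption, so the demo runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin_logs (admin_username TEXT, ip TEXT, browser TEXT)');

// Constructed request values. The User-Agent header is fully client-controlled.
$username  = 'admin';
$ip        = '203.0.113.7';
$userAgent = "Mozilla/5.0 (X11; Linux) O'Reilly-Reader/1.0";

// Pattern from the post: values concatenated into the SQL text.
// One quote character in the header already changes how the statement parses.
function logConcatenated(PDO $pdo, string $user, string $ip, string $ua): string
{
    $sql = "INSERT INTO admin_logs (admin_username, ip, browser) VALUES ('"
         . $user . "','" . $ip . "','" . $ua . "')";
    try {
        $pdo->exec($sql);
        return 'stored';
    } catch (PDOException $e) {
        return 'statement altered by header content: ' . $e->getMessage();
    }
}

// Hardened form: the SQL text is fixed and the values travel as bound parameters.
function logPrepared(PDO $pdo, string $user, string $ip, string $ua): string
{
    $stmt = $pdo->prepare(
        'INSERT INTO admin_logs (admin_username, ip, browser) VALUES (?, ?, ?)'
    );
    // Cap the length too: a log column does not need an unbounded header.
    $stmt->execute([$user, $ip, substr($ua, 0, 255)]);
    return 'stored';
}

echo logConcatenated($pdo, $username, $ip, $userAgent), PHP_EOL;
echo logPrepared($pdo, $username, $ip, $userAgent), PHP_EOL;

// The bound value comes back byte for byte, quote included.
$stored = $pdo->query('SELECT browser FROM admin_logs')->fetchColumn();
var_dump($stored === $userAgent);
```

The `mysql_*` functions used by the script have no parameter binding; PDO or mysqli prepared statements against MySQL follow the same prepare/execute shape.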