Author Topic: vulnerable or not?  (Read 5830 times)


misiusiak
vulnerable or not?
« on: August 02, 2012, 09:37:17 pm »
Hey guys. I have a World of Warcraft server and I just found a new programmer who is also good at security things. It's very important for me to make my site 100% safe from hacking. Actually I have some backups so it doesn't matter but I won't have it for all the time. So, I said to the developer (with security skills) to make the site, the server and especially database safe. He did some work and he said that it is very safe right now and there is no way to get passwords to db etc. Can you check if it really is?
I made some scripts which connect to realmd database which I am worried about most (of course I don't give you password or login yet :) )
I wonder what you can do :)
Please DO NOT destroy the site or the server completely.
Please let me know when you change something. Sometimes it's hard to guess it and my database can get messy.
Show your skills and give me some clues what can I do to make the site safer. (of course if it's not safe already)

If it's a wrong section, please move the topic.
Of course the site: www.tinkertown-gaming.net

bubzuru
Re: vulnerable or not?
« Reply #1 on: August 02, 2012, 09:44:04 pm »
« Last Edit: August 02, 2012, 09:45:22 pm by bubzuru »
Damm it feels good to be gangsta
http://bubzuru.comule.com

bubzuru
Re: vulnerable or not?
« Reply #2 on: August 02, 2012, 09:49:31 pm »
yup http://www.tinkertown-gaming.net/?page=realm&id=%27OR%20%271%27=%271

will select all ids from the db, your passwords are not safe

tell the 'developer (with security skills)' you don't need the db password because the script he was supposed to secure lets users execute sql commands on the server (while it's connected to the db) silly billy

also remove the CORE footer, if someone really wanted to get in they could just look at the source (that's not very secure) and find an exploit
« Last Edit: August 02, 2012, 10:00:47 pm by bubzuru »

misiusiak
Re: vulnerable or not?
« Reply #3 on: August 02, 2012, 10:04:38 pm »
well honestly i am not a hacker and i dont get it exactly.
what does the link u gave do?
« Last Edit: August 02, 2012, 10:11:10 pm by misiusiak »

bubzuru
Re: vulnerable or not?
« Reply #4 on: August 02, 2012, 10:10:37 pm »
just imagine i have your database password

i can execute sql commands on your db. plus it's open source so i don't even need to figure out where the passwords are stored, i just look at the source

just tell the developer to check id and make sure it's sql safe

misiusiak
Re: vulnerable or not?
« Reply #5 on: August 02, 2012, 10:27:31 pm »
well i think you cant cuz there is an info Invalid Realm Id.

bubzuru
Re: vulnerable or not?
« Reply #6 on: August 02, 2012, 10:34:47 pm »
what do you mean
http://www.tinkertown-gaming.net/?page=realm&id=%27%20OR%20bubzuru%20LIKE%20%27%What%20?%

i've not got the time to look at the source and make an injection but i'm sure someone will

Phage
Re: vulnerable or not?
« Reply #7 on: August 03, 2012, 12:24:18 am »
> well i think you cant cuz there is an info Invalid Realm Id.

Well we can SQL inject your site if you don't believe us (I'm not saying I would)? Otherwise just tell your "It security guy" that there is a SQLi vuln and he should know how to deal with it.

Though I must say, that it is kind of weird that I can't find the IP of the website.
« Last Edit: August 03, 2012, 12:29:51 am by Phage »
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

bubzuru
Re: vulnerable or not?
« Reply #8 on: August 03, 2012, 12:39:58 am »
> Well we can SQL inject your site if you don't believe us (I'm not saying I would)? Otherwise just tell your "It security guy" that there is a SQLi vuln and he should know how to deal with it.
>
> Though I must say, that it is kind of weird that I can't find the IP of the website.

that's because the website is on Cloudflare

misiusiak
Re: vulnerable or not?
« Reply #9 on: August 03, 2012, 09:01:10 am »
Thanks guys for the clues. I will definitely tell him :)
SQL injection is so easy on my website? jesus

Phage
Re: vulnerable or not?
« Reply #10 on: August 03, 2012, 10:33:17 am »
> that's because the website is on Cloudflare

Yes, but shouldn't I just get another IP address instead? I'm not getting any IP address.

misiusiak
Re: vulnerable or not?
« Reply #11 on: August 03, 2012, 12:33:33 pm »
hmm he said that he knows what sql injection is and that it is not possible to do that cuz you can't see online players list code because it's php. Also there is something like realm=1 and i sent him links you gave. He said that you can't get any information cuz you will be getting "invalid realm id" error all the time. Also you can't get database information cuz there is no information_schema (whatever it is)

bubzuru
Re: vulnerable or not?
« Reply #12 on: August 03, 2012, 02:08:25 pm »
> hmm he said that he knows what sql injection is and that it is not possible to do that cuz you can't see online players list code because it's php. Also there is something like realm=1 and i sent him links you gave. He said that you can't get any information cuz you will be getting "invalid realm id" error all the time. Also you can't get database information cuz there is no information_schema (whatever it is)

well your sql server is vuln to time based injection, so i'm sure we can.
do we really need to prove it to your it guy by taking over the server?
if there is a vuln there someone will exploit it, sooner or later, security by obscurity is not a good idea
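The disagreement in Replies #11 and #12, and the advice in Reply #4 to check `id`, as an added example that is not part of any post in this thread and is not the site's code. SQLite stands in for the site's database; the `realmlist` table, its rows and both handler functions are constructed for illustration. The second value each handler returns is the number of rows the database matched, which shows that a page printing "Invalid Realm Id" can still have run the altered query.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions,
    # not the schema of the site discussed in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE realmlist (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO realmlist VALUES (?, ?)",
                   [(1, "Realm One"), (2, "Realm Two"), (3, "Test Realm")])
    return db

def realm_page_concat(db, realm_id):
    """'Before' form: the raw request parameter is pasted into the SQL text."""
    sql = "SELECT id, name FROM realmlist WHERE id = '" + realm_id + "'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return "Invalid Realm Id", 0
    # The page renders only when exactly one row matches; every other
    # outcome shows the same generic error to the visitor.
    message = rows[0][1] if len(rows) == 1 else "Invalid Realm Id"
    return message, len(rows)

def realm_page_safe(db, realm_id):
    """Hardened form: allow-list the value as a short integer, then bind it."""
    if not (realm_id.isascii() and realm_id.isdigit() and len(realm_id) <= 9):
        return "Invalid Realm Id", 0          # rejected before any SQL runs
    rows = db.execute("SELECT id, name FROM realmlist WHERE id = ?",
                      (int(realm_id),)).fetchall()
    message = rows[0][1] if len(rows) == 1 else "Invalid Realm Id"
    return message, len(rows)

if __name__ == "__main__":
    db = make_db()
    quoted = "' OR '1'='1"   # the id value from the link in Reply #2, URL-decoded
    for handler in (realm_page_concat, realm_page_safe):
        for value in ("1", quoted):
            print(handler.__name__, repr(value), handler(db, value))
```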

misiusiak
Re: vulnerable or not?
« Reply #13 on: August 03, 2012, 02:13:51 pm »
if he won't do it cuz he is sure it is safe already, proof would be a good idea. Of course if it's not so time consuming for you. I will do site backup anyway.

bubzuru
Re: vulnerable or not?
« Reply #14 on: August 03, 2012, 02:49:53 pm »
will someone please just download the source and prove to him that it's vuln
http://www.ac-web.org/forums/showthread.php?t=119288

i would do it if i had time and i suck at SQLi