(becoming god by Jacka18l)
This is the Holy Tutorial on how I, Jacka18l, became God for a day.
I refer to the "player id number" as "pid" in this guide, both for shortening reasons and for PHP reasons (it is the name of the URL parameter).
First, log in as normal on KOL with your user/pass.
Do whatever you want to do on KOL,
**but you MUST have looked at at least one player's info and have it stored in your history.**
I was looking over all of your site and was "relentlessly jabbing at security".
A few things I found with the site were:
1 - It used SQL; I got lots of errors from it (I was attempting to modify things,
inject, and so on and so forth).
2 - It used a system to check if the page was in frames (clever, well done whoever thought of this).
3 - Your info was stored in a session cookie. Now, I know from experience that these are hard to break, if not impossible: they only last for a certain time, have a secure ID, and are just a bitch for exploiters.
4 - From account 1 to about 4000 (I forget the exact amount) there is no data stored for them. (Peculiar?)
5 - Many more things that are small and insignificant.
So I needed to find a way of changing my cookie to yours without leaving the
window, or I would be logged out. Hmm, perplexing.
I am a person who likes looking for holes in things that are used a lot (Invision and IPS are two).
In this instance it was PayPal: "Make payments with PayPal - it's fast, free and secure!" as they claim. Yes, maybe secure for them, but PayPal was the key to your site; not secure for you, eh? But it sure is fun finding exploits in stuff... oh, and it's free, so I guess I will give them 2 out of 3.
I looked at the PayPal code and saw afterdonate.php, and it recognised me?
Now, if a page that doesn't need frames can see me, then this should be my target.
I modified the ?whatever=whatever&pid=60852&... URL to this:
http://email@example.com&item_name=The Kingdom of Loathing&return=http://18.104.22.168/afterdonate.php?pid=60852&no_note=1&currency_code=USD&tax=0
for a full URL, and noticed it still recognised me. So I changed my pid in the URL to 1 to get:
http://firstname.lastname@example.org&item_name=The Kingdom of Loathing&return=http://22.214.171.124/afterdonate.php?pid=1&no_note=1&currency_code=USD&tax=0
Now it just screwed up. I was on my way to exploiting; I will admit that at this point I was hoping to do something to the site (note: I am not a malicious person, so I hoped it would not do something bad, just something to wake people up a little bit).
At this point I came off the computer and thought, "hmm, if I can change that there so quickly, then there might be a way I can use that link to change my pid on the site."
An hour or three later I came back online and logged in as per usual.
I knew that in your history, when a page in a frame gets saved, it gets saved with the frames attached. So what I did was go to anyone's account (let's use boozerbears for reference),
and there it stored the whole page in history.
So go to the donate page, do the URL change thingy and change your pid.
From here I simply opened up history with my account open, and clicked on the stored page
in my history, and you get a page with lots of SQL errors, and I mean a lot, about 20, and on every page you go to you get about 3-30 errors.
And look at that, that account doesn't look like mine!
WOW!! I had done it: gotten access to any account in the kingdom.
I was Jacka18l; now I was GOD.
1 - Log in normally.
2 - Go to anyone's account info.
3 - Go to the donate page.
4 - Change the URL with the corresponding PHP info and pid.
5 - Go back to the site and visit history to go to the player's account.
6 - You are in another player's account.
NOTE: This HAS been fixed and doesn't work anymore.
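The flaw behind the steps above is that afterdonate.php trusted a player id arriving in the PayPal return URL and rebound the logged-in session to it, so editing pid in that URL was an account takeover. The write-up never shows the server side, so the following Python model is an added example, not code from the page or from KOL: the vulnerable handler is a reconstruction of the behaviour described (whatever pid comes back is accepted), and the hardened handler shows the fix a practitioner would expect. The function names, the session dict, the HMAC-signed return URL and the secret are assumptions for illustration; only afterdonate.php and the pid parameter come from the page.

```python
"""Model of the afterdonate.php pid flaw described above, plus a hardened version.

Added example, not the site's own code. The server side is never shown on the
page, so vulnerable_afterdonate() reconstructs the reported behaviour; the
session dict, handler names, signing scheme and secret are assumptions.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret used to sign the return URL (constructed for this example).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _sign(pid: int, secret: bytes = SERVER_SECRET) -> str:
    """HMAC over the pid so the server can detect a hand-edited return URL."""
    return hmac.new(secret, f"pid={pid}".encode(), hashlib.sha256).hexdigest()


def _query(url: str) -> dict:
    """Flatten the query string to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_return_url(session: dict, host: str = "example.invalid") -> str:
    """Return URL the site would hand to PayPal, bound to the current login.

    The host is a placeholder; the page's real return host is not reproduced.
    """
    pid = session["pid"]
    return f"http://{host}/afterdonate.php?{urlencode({'pid': pid, 'sig': _sign(pid)})}"


def tamper_pid(url: str, new_pid: int) -> str:
    """What the write-up did: edit pid in the return URL by hand."""
    parts = urlparse(url)
    q = _query(url)
    q["pid"] = str(new_pid)
    return parts._replace(query=urlencode(q)).geturl()


def vulnerable_afterdonate(session: dict, url: str) -> dict:
    """Reconstructed flaw: trust pid from the URL and rebind the session to it."""
    session["pid"] = int(_query(url)["pid"])  # attacker controls this value
    return session


def hardened_afterdonate(session: dict, url: str) -> dict:
    """Identity comes from the session only; the URL is verified, never trusted."""
    q = _query(url)
    try:
        pid = int(q.get("pid", ""))
    except ValueError:
        raise PermissionError("malformed pid")
    # Constant-time compare of the HMAC: catches any edit to pid in the URL.
    if not hmac.compare_digest(_sign(pid), q.get("sig", "")):
        raise PermissionError("return URL signature mismatch")
    # Even a validly signed pid must belong to the browser's own session.
    if pid != session.get("pid"):
        raise PermissionError("pid does not match the logged-in session")
    return session


def rejects(handler, session: dict, url: str) -> bool:
    """True if the handler refuses the URL (used to check the hardened path)."""
    try:
        handler(session, url)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    me = {"pid": 60852}
    legit = build_return_url(me)
    evil = tamper_pid(legit, 1)
    print("vulnerable:", vulnerable_afterdonate({"pid": 60852}, evil))  # now pid 1
    print("hardened rejects tampered URL:", rejects(hardened_afterdonate, {"pid": 60852}, evil))
    print("hardened accepts own URL:", hardened_afterdonate({"pid": 60852}, legit))
```

The signature alone is not enough: a signed URL for pid 1 could still be replayed from another browser, which is why the hardened handler also cross-checks the pid against the session that is already logged in. In the real fix the session id, not anything in the return URL, should decide who the donating player is.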