Self-satisified door (OP)
Joined: Aug 2014
Posts: 3
First of all, this is my first time posting here. I am a new member and for the last month I have been reading and learning mIRC scripting in order to make a very simple bot for my Twitch channel. I have to say I made a lot of progress and I really enjoy it, but then I read about this mSL injection and how to avoid it, and it really scared me a bit, to be honest. So now I am not sure how to make my scripts run safely.
I would appreciate it if you could guide me a bit about what else I might need to take care of, apart from what the link says.

In more detail: in my scripts I don't let anyone run commands except ops (I used isop), but I am thinking of replacing this with the people listed in my mods.txt. Would that be wise, or make my script safer?
Also I have replaced anything that had # or $chan with $sf($chan), where $sf is an alias like this example:

Code:
alias sf return $decode($encode($1-, m) ,m)

on *:text:!test:#: {
  if ($nick isop $sf($chan)) {
    msg $sf($chan) This is a test
  }
}


Is that alias safe enough? Also I can't use this alias in the part "on !*:text:#: {" and replace # with $sf(#). Is that still acceptable? I used $decode instead of the $!decode that appears in the original code inside the link I posted above. Would that be a problem?

I am using the "n" switch in $read and $readini, so I am guessing that's enough for this part. Isn't it?

About $calc: right now nobody in my chat has permission to run anything that contains $calc in it, so is that also safe?

Also nobody has permission to use any command starting with !* except a !raffle command that stores the $nick of every user who typed !raffle in a text file. Might that get me in trouble somehow?

Same with /timer: only me and my ops can run timers and nobody else among the viewers. Does this make /timer safe, or do I have to fix my scripts somehow?

I didn't understand a lot about $nick and how someone can take advantage of it. Can I use the same safe alias for $nick as for $chan to make it safer? Will that work?

Also I would appreciate it if someone could give me more guidance on which parts of mIRC I have to worry about in order to run my bot safely.

Thanks in advance for helping, and I am happy to be here and learning.


Hoopy frood
Joined: Jan 2004
Posts: 1,358
Code:
alias safe return $!decode( $encode($1,m) ,m)


Every character here has a purpose. You can't just remove them. The space you removed had a purpose, the exclamation point you removed had a purpose. The changes you made destroyed the safety of the alias.

What you need to know is that in some circumstances ($read, $readini, $calc, /scon, /scid, and /timer) input is evaluated and you need to sanitize it by using the $safe alias (for $read and $readini use the "n" switch). $chan and $nick are mentioned because you may not think these could be exploited but they can. If you are using $chan or $nick in a place other than these previous 6 listed you don't need to sanitize them.

The alias works by causing the evaluation to be performed on $decode rather than the input text.

It does not matter that you limit access by checking if they're an op. You should sanitize the input in these 6 cases no matter what. It does not need to be sanitized in the example you've given.

Realize that $chan and $nick are not the only things you need to sanitize. You need to sanitize all unknown input; all text that originated from someone other than yourself.

Execute this line in your edit box:
Code:
//tokenize 32 $ $+ pi | .timer 1 0 echo -ag $1 $safe($1)


First $1 is filled with the text "$pi". Next you can see that using just $1 echoes the evaluation of $pi, but $safe($1) echoes the string "$pi". Other identifiers don't just return a value like $pi does though. Other identifiers allow you to execute commands, and if these are evaluated it allows arbitrary code to be run on your computer.
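The following script is an added example and not code from this thread. It uses the $safe alias exactly as given above and shows the same command written twice: once passing viewer text straight into /timer, where the timer's second evaluation would execute any identifier the viewer typed, and once with every piece of outside input wrapped in $safe. It also shows the !raffle pattern the OP described, with $read using the "n" switch so that lines written by viewers are never evaluated. The command names !shout, !shout_unsafe, !draw and the file name raffle.txt are made up for illustration.

```mirc
; Added example, not code from the thread. $safe is the alias from the post above;
; the command names and raffle.txt are invented for illustration.
alias safe return $!decode( $encode($1,m) ,m)

; UNSAFE: when the timer fires, its command line is evaluated a second time, so
; any identifier a viewer typed in $2- would be run at that moment, op check or not.
on *:text:!shout_unsafe *:#: {
  if ($nick isop $chan) {
    .timer 1 2 msg $chan Shoutout to: $2-
  }
}

; SAFE: the same command with every piece of outside input wrapped in $safe.
; $safe returns the literal text "$decode( <base64> ,m)", so the timer's second
; evaluation only decodes it back to the original text instead of executing it.
on *:text:!shout *:#: {
  if ($nick isop $chan) {
    .timer 1 2 msg $safe($chan) Shoutout to: $safe($2-)
  }
}

; !raffle: /write stores $nick as a literal line; nothing here is evaluated twice.
on *:text:!raffle:#: {
  write raffle.txt $nick
}

; !draw: $read with no line number picks a random line; the "n" switch stops that
; line from being evaluated, which matters because its contents came from viewers.
on *:text:!draw:#: {
  if ($nick isop $chan) {
    msg $chan The winner is $read(raffle.txt, n)
  }
}
```

Two things worth knowing when reusing this: the $safe alias reads $1, which is only the first comma-separated parameter, so input that contains a comma is cut at the comma (using $1- instead joins the parts back with spaces, but still does not keep the original commas); and the "n" switch belongs on every $read and $readini that touches a file viewers can write to, not just the ones in this script.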

Self-satisified door (OP)
Joined: Aug 2014
Posts: 3
First of all, thank you very much; your comment really helped me see things from your angle of view. I now understand that any command that has an input and returns /timer, $calc, etc. needs to be sanitized. In the alias I forgot the spaces by mistake, but I removed the ! because it didn't work with it but worked without it. After your comments I now know why.
I'll explain better in the following example, and I would appreciate it if you could let me know whether I did that right.

Code:
alias sf return $!decode( $encode($1-, m) ,m)

on *:text:!raided *:#: {
  if ($nick isop $chan) {
    /timertest 1 3 msg $sf($chan) We have been raided by: $sf($2-) please give a follow to this awesome streamer $sf(twitch.tv/ $+ $2-)
  }
}


It's a simple piece of code that has an input in it, although only me and my ops can trigger it, and I only wrote this to see how decode works. In my version it just sends a message, so I guess this will be safe too, right?

Code:
on *:text:!raided *:#: {
  if ($nick isop $chan) {
    msg $chan We have been raided by: $2- please give a follow to this awesome streamer twitch.tv/ $+ $2-
  }
}


So anywhere there is input from a viewer (even if it is set to isop only) that is returned from $calc, /timer and the other 4, it needs to be sanitized like in my example, right?
$chan and $nick that are posted from a single msg $chan command are safe and only need to be sanitized if they are in the return of $calc, /timer and the rest.

As said before, only me and my ops have access to running commands with inputs, and that's why I got confused.

Only in one case can normal viewers trigger a command: !raffle, to enter the raffle. But still, if someone were to type
Code:
!raffle $(and the exploit code here) 

that wouldn't help him, because !raffle is set to only store his $nick in a text file and randomly return a nick from that file when I ask for it with a different command. Is this right, or am I missing something? In any case, everything that appears as input in $calc, /timer and the rest needs to be sanitized. Please correct me if I have understood this wrong.

Again, thank you very much for your help. I really appreciate you helping me figure this out.

