[$1] Can you discover this plugin backdoor/exploit? (Easy)

[Harry]

Thread Title
[$1] Can you discover this plugin backdoor/exploit? (Easy)

Prize name
$1 PP

Requirements and other relevant information
Thought it would be fun to create a backdoor/exploit within a plugin, and see who can discover it first.

You’ll need to fully explain the exploit, including all classes and methods involved. You’ll then also need to describe/show how the exploit can then be used to win the prize (as an example, kick all players in the server). The prize is only awarded to the first person obviously.

This one is pretty easy and should be discoverable by any person moderately comfortable with Java, and this is why the prize is only $1 PP.

Download: https://majored.me/download/Lockdown.jar

End date
Jan 2, 2019

If award date is different from contest end date, please specify.
Jan 2, 2019

 

[warfox]

Logs players names and kicks them?

 

[Ambrosia]

i think i know what it's doing but I'm so lazy I can't be bothered to type it all out.

 

[Harry]

Logs players names and kicks them?

Uhh, no. You might want to decompile the plugin first and look facepalm

i think i know what it's doing but I'm so lazy I can't be bothered to type it all out.

No worries, maybe just show how it can be used to kick all players then, and that'll be fine?

 

[YosemiteOG]

stops you from doing /reload if enabled

kicks everyone with the message ""&cThis server is currently in lockdown mode." (has a bypass in the config.yml)

cba saying all the java talk stuff y'know, hf to whoever actually does it

 

[Ambrosia]

Uhh, no. You might want to decompile the plugin first and look facepalm


No worries, maybe just show how it can be used to kick all players then, and that'll be fine?

sure gimme a sec

 

[warfox]

Uhh, no. You might want to decompile the plugin first and look facepalm


No worries, maybe just show how it can be used to kick all players then, and that'll be fine?

eh too lazy lmao

 

[Harry]

View attachment 176362

stops you from doing /reload if enabled

kicks everyone with the message ""&cThis server is currently in lockdown mode." (has a bypass in the config.yml)

cba saying all the java talk stuff y'know, hf to whoever actually does it

Nope, that's just the normal plugin, not the actual exploit.

I tried to make it look like a normal plugin, so the 'Lockdown' feature is normal. You're looking in the right area though.

 

[YosemiteOG]

Nope, that's just the normal plugin, not the actual exploit.

I tried to make it look like a normal plugin, so the 'Lockdown' feature is normal. You're looking in the right area though.

ah my bad, didn't read it right; I'm good at java so I'll just skip out

 

[Ambrosia]

I managed to break the plugin somehow.

 

[Harry]

I managed to break the plugin somehow.

Rip, how? If you're on about errors, don't worry about it. Just look at the code, and it should be pretty obvious.

 

[Ambrosia]

Rip, how? If you're on about errors, don't worry about it. Just look at the code, and it should be pretty obvious.

Does it do something related to logging player names/uuids?

 

[Harry]

Does it do something related to logging player names/uuids?

Uhh, no :/[DOUBLEPOST=1546389138][/DOUBLEPOST]Let's see if Notifyz can discover it within 10 minutes?

 

[Harry]

I am on phone, could you hastebin all classes for me please?

Not easily since there are eight classes. Probably a lot easier to decompile it when you have time/back on your PC, but I'll try to upload them to hastebin now.

 

[Harry]

Alright well I am on phone right now since it's 2AM for me so yeah tomorrow I can look up the code

I've uploaded the source to my site, since I thought it would be a lot easier; Just no syntax highlighting :/

https://majored.me/download/lockdown-source/

 

[Spenser]

I am no dev.

I took a shot in the dark

https://gyazo.com/403b3164e2c09421ca82fa5cf62b3c4d