MySQL "injection", does it really work?

[elpopper]

Hi all,

I have been searching through the forums for some general sql (mysql information), but I haven't found anything useful.
I am writing some unix shell scripts that use mysql to alter the database directly.
My far-fetched goal is to create an anti-flood shell script, so that i won't need to use tcpquery.

I finished the shortest part of my script, the one that inserts the bans in the ts2_bans table. Here is the code it uses:

$i is an auto-incrementing variable which starts from the biggest index+5
$sor is the server id
$ban holds the ip to be banned
$nev holds the name who created the ban
$tim is created using the date +%d%m%Y%H%M%S with 000 on it's end (here is something i want to ask)
$ido is the time(in minutes) for how long the ban will last.
INSERT INTO ts2.ts2_bans (i_ban_id,i_ban_server_id,s_ban_ip,s_ban_by,dt_ban _created,i_ban_minutes) VALUES('$i','$sor','$ban','$nev','$tim','$ido')

The script works flawlessly, it inserts the required records in the table BUT
here is the problem:
If i add my own ip i can still go on the server. I can't see the ban in the banlist, until i add a ban manually, and still i will be able to join the server with the banned IP.

Here is the line that my manual ban inserts:
0 1 167.231.*.* IP Ban Popper[LoginName: popper] 21052008033642859 0

and here is the one that my script does:
107 53 157.181.184.35 MYSQL 21052008033559000 0

The only main difference is the last three numbers of the time of the ban's creation, which i could not figure out what it stood for (if someone knows please tell)

So, if i "inject" a ban directly into the sql table, than it won't work? Or i have to "force" the server to re-read the sql table ts2_bans? If so than how?

I hope that someone understands my foolish problem and helps me out

[elpopper]

Any ideas and suggestions are welcome Please help.

[ozman]

The TS server needs to rehash when a mysql database change has occured without TeamSpeak actually doing the change.

Let me know if that worked

Good Luck

ps: send me the whole code via pm if you will plz

[elpopper]

By rehash, you meant the tcpquery command rehash, right? Tried that but it did not work. I am quite sure that what i am trying to do is possible, but...

ozman has chosen not to receive private messages or may not be allowed to receive private messages. Therefore you may not send your message to him/her.

I will publish the code here, BUT please everyone keep in mind, that this whole thing is (as for now) EXPERIMENTAL, it does not have error-checking, or any other means of safeguarding, if you want to test it, please do so with a test server and database (as i do), and don't come crying if something goes wrong. Please remember, this script is for educational purpose only. (AN it is a rather quickly written crappy something by me )

If I can get this thing to work, i am willing to put some time and effort into creating the whole system, but for now, i have alot of other things to do.

Code:

#!/bin/sh
if [[ $1 == --help ]]
then
echo -e "This script adds a ban (first parameter) to all virtual servers hosted in the database.\n\nThe second parameter will be the name who adds the ban.If the second parameter is rem , then the ban on the ip will be lifted on all servers.\n\nThe third parameter specifies the time (in minutes) for how long you want the ban to be in effect.\n\nBecause I was lazy, this shell script does not (yet) check if the input is correct, or if the ban is already added in the database, it is for educational purposes, and for my own entertainment :)"
exit
fi

ban=$1
nev=$2
ido=$3
tim=`date +%d%m%Y%H%M%S`
tim=$tim"000"

us=""
pa=""
db=""

mysql -s --user=$us --password=$pa -e "SELECT i_server_id FROM $db.ts2_servers" > sql.tmp
if [[ $3 == "" ]]
then
ido=0
fi

cat sql.tmp|while read sor
do
i=$(( i + 1 ))
if [[ $2 != rem ]]
then
mysql -s --user=$us --password=$pa -e "INSERT INTO $db.ts2_bans (i_ban_server_id,s_ban_ip,s_ban_by,dt_ban_created,i_ban_minutes) VALUES('$sor','$ban','$nev','$tim','$ido')"
fi
done

if [[ $2 == rem ]]
then
mysql -s --user=$us --password=$pa -e "DELETE FROM $db.ts2_bans WHERE s_ban_ip = '$ban'"
fi

rm sql.tmp

exit