In the previous GitHub gist we went over multiple ways `DataStoreService` could be abused to roll back data. This time we will take a more hands-on approach: you, the reader, will try to figure out how to roll back data in a playground created specifically to teach it.
This time nothing you do will be pseudo-code. Everything you abuse, fire and interact with will be real. Nothing is emulated in the playground, and your data is actually rolled back because the datastore threw an error. All datastore requests use `SetAsync`, and if a datastore request fails, `UpdateAsync` is used to pull your old data and include a notice, shown when you rejoin, that you have successfully rolled back your data.
You will need:
- A working exploit
  - You can use the testing menu for firing remotes
- A remote spy
  - Remotes and their arguments are printed to the console
- A brain
You can tell whether you rolled back your data by playing with the shopping system: buy a few items and leave so your data saves. Then, when you rejoin, buy or sell some of the items you have, try to roll back your data, and see if your items are restored.
When you are tasked with finding a solution, try reading the previous gist and inserting your newly found knowledge into the playground rather than looking at the solutions instantly.
Our first target is the chat system with Bob. It's a simple chat system without any filtering: Bob will respond to any message we send with Bob. If we now try sending Bob a message with invalid UTF-8 (128 -> 255 byte range), we'll be able to roll back data.
Try doing this yourself by sending Bob a message and editing the remote's arguments with a string datastores won't accept.
Solution 1
Code: https://paste.sh/VFNI-fiG#x9EIFbHeEs27L_WUqcJG9q9Z
Solution 1 works because datastores can't accept bytes larger than 127. This is because those bytes are commonly used to start UTF-8 characters.
Solution 2
Code: https://paste.sh/CAg48_hc#gj0iY51nEFY0FOzcYadjBQVN
Solution 2 works because datastores can't accept strings longer than 65536 characters.
Our second target is a vulnerable settings system. The simple settings we have to work with are `Nametags` and `Bloom`. If we press either of them, it fires a remote with the setting name and a boolean indicating whether the setting is enabled. We can do multiple things here, such as firing a different setting name and replacing the value of the setting. There are multiple solutions here.
Solution 1
Code: https://paste.sh/noiPYnHv#vIqtuMtNOTeRI91IL1r2mZLx
Solution 1 works because datastores can't serialise instances.
Other solutions
The previous 2 solutions from the other problem will also work here because the setting name is not protected.
Our last target is the gifting system. It intentionally has a vulnerable analytic included in its remote to provide one final example. Using all of the methods you learned from the previous gist and this gist, you'll be able to roll back your data on your own, in your own way.
All previous solutions will work.
Please consider learning from what I write rather than hoping someone else will dumb it down for you because you aren't willing to put in the time to figure something out. Asking for help is OK, but only when you're struggling with a specific part rather than the entire topic. We're not a school; we're a public forum for developers and skids, but my posts are meant for developers.
If you are a skid, consider taking up programming as a hobby. There is a lot to learn relating to it, but it is much more rewarding and meaningful to spend time developing your own tooling rather than copy-pasting code which could be getting you detected, banned or even IP-logging you.
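For developers on the defending side, every solution above depends on a remote argument reaching saved data unchecked, so the server should validate arguments before storing them. The Luau module below is an added example, not code from the playground or from the original post; the function names are hypothetical, and the limits mirror the three failure causes the post names (invalid UTF-8, strings over 65536 characters, instances).

```lua
-- Added example (Luau, server-side ModuleScript); all names are hypothetical.
local MAX_STRING_LENGTH = 65536 -- datastore string limit quoted in the post
local ALLOWED_SETTINGS = { Nametags = true, Bloom = true }

-- Valid UTF-8 and within the length cap (# counts bytes).
local function isSafeString(value, maxLength)
	if typeof(value) ~= "string" or #value > (maxLength or MAX_STRING_LENGTH) then
		return false
	end
	-- utf8.len returns nil (and the offending position) for invalid UTF-8.
	return utf8.len(value) ~= nil
end

-- Allow only booleans, numbers, safe strings and tables built from them.
-- Instances and every other type fall through to false.
local function isStorable(value, depth)
	depth = depth or 0
	local kind = typeof(value)
	if kind == "boolean" or kind == "number" then
		return true
	elseif kind == "string" then
		return isSafeString(value)
	elseif kind == "table" and depth < 8 then
		for key, item in pairs(value) do
			local keyOk = typeof(key) == "number" or isSafeString(key)
			if not keyOk or not isStorable(item, depth + 1) then
				return false
			end
		end
		return true
	end
	return false
end

-- Settings remote: the name must be allow-listed and the value a boolean.
local function applySetting(sessionData, settingName, enabled)
	if typeof(settingName) ~= "string" or not ALLOWED_SETTINGS[settingName] then
		return false
	end
	if typeof(enabled) ~= "boolean" then
		return false
	end
	sessionData.Settings[settingName] = enabled
	return true
end

return { isSafeString = isSafeString, isStorable = isStorable, applySetting = applySetting }
```

Call `applySetting` from the settings remote handler, and run `isStorable` on the whole session table as a last gate before `SetAsync`, so a rejected value is dropped instead of turning into a failed save.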
I've read the article about JSON injection in your previous gist; however, how would I use that to roll back data?