[Database] Tables are deleted?

cp1337 · September 23, 2021, 8:06pm

Hey everyone

it happened for the second time now while my server was online the complete table “users” was deleted from my database. I have no idea how something like this can happen.

Here is the log where the disaster started.

e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `inventories` WHERE `owner` = 'Char'; DROP TABLE `twitter_accounts` #:11000014a7ae97c' : []": ER_ROW_IS_REFERENCED_2: Cannot delete or update a parent row: a foreign key constraint fails
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `inventories` WHERE `owner` = 'Char'; DROP TABLE `user_inventory` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.user_inventory'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `twitter_likes` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_likes'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `phone_app_chat` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.phone_app_chat'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `twitter_tweets` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_tweets'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `user_accounts` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.user_accounts'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `users` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.users'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `user_inventory` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.user_inventory'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `twitter_accounts` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_accounts'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `twitter_likes` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_likes'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `twitter_tweets` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_tweets'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `characters` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.characters'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `users` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.users'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `billing` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.billing'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `playerhousing` WHERE `owner` = 'Char'; DROP TABLE `twitter_likes` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_likes'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `phone_users_contacts` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.phone_users_contacts'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `society_moneywash` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.society_moneywash'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `phone_app_chat` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.phone_app_chat'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `playerhousing` WHERE `owner` = 'Char'; DROP TABLE `twitter_accounts` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.twitter_accounts'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `datastores` WHERE `owner` = 'Char'; DROP TABLE `user_accounts` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.user_accounts'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `vehicles` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.vehicles'
e[38;5;159m[  script:mysql-async] [MariaDB:10.3.29-MariaDB-0+deb10u1] [ERROR] [esx_kashacters] An error happens for query "DELETE FROM `accounts` WHERE `owner` = 'Char'; DROP TABLE `weashops` #:11000014a7ae97c' : []": ER_BAD_TABLE_ERROR: Unknown table 'zap352014-2.weashops'

CritteR · September 23, 2021, 8:14pm

Can you show us how you insert stuff in the database?

cp1337 · September 23, 2021, 8:38pm

via commands, i use the sql file which comes with the scripts

INSERT INTO `licenses` (`type`, `label`) VALUES
	('aircraft', 'Fluglizenz')
;

CREATE TABLE `aircraft_categories` (
	`name` varchar(60) NOT NULL,
	`label` varchar(60) NOT NULL,

	PRIMARY KEY (`name`)
);

INSERT INTO `aircraft_categories` (name, label) VALUES
	('plane','Flugzeuge'),
	('heli','Helikopter')
;

CREATE TABLE `aircrafts` (
	`name` varchar(60) NOT NULL,
	`model` varchar(60) NOT NULL,
	`price` int(11) NOT NULL,
	`category` varchar(60) DEFAULT NULL,

	PRIMARY KEY (`model`)
);

ShahZaM · September 23, 2021, 11:28pm

Yeah bro either someone got access to your DB, you have some backdoor resource in your server or you got a big exploit there.

nta · September 24, 2021, 5:39am

This ‘kashacters’ resource has a known SQL injection bug the author is refusing to fix or take their resource down for.

cp1337 · September 24, 2021, 8:07am

Wow wtf… are there any alternativs?
And ty for the reply btw…

ShahZaM · September 24, 2021, 3:14pm

There is a kashacters fixed, just search for it

notsiege · September 25, 2021, 1:54am

esx-multicharacter by Linden - it does work best with ESX Legacy, and it’s included in the repo.

Linden · September 25, 2021, 4:33am

[esx_kashacters] An error happens for query "DELETE FROM `inventories` WHERE `owner` = 'Char'; DROP TABLE `twitter_accounts` #:11000014a7ae97c' : []"

I’ve mentioned this issue several times to people, on kashacters and on other resources that had similar issues.

function DeleteCharacter(identifier, charid)
    for _, itable in pairs(IdentifierTables) do
        MySQLAsyncExecute("DELETE FROM `"..itable.table.."` WHERE `"..itable.column.."` = 'Char"..charid..GetIdentifierWithoutSteam(identifier).."'")
    end
end

The server receives client-input and executes a query without any sort of protection or preparation, instead opting for string concatenation. The “expected” value of charid is a single integer, but instead of receiving 2 it gets ; DROP TABLE twitter_accounts #. Here’s my favourite comic on the subject.

Unfortunately there are too many kashacter resources posted out there; I can reach out to onno and see if he wants to hide, archive, or patch the oldest repo. Siege mentioned my multicharacter, however it’s for ESX Legacy and you are likely using 1.1 (you really shouldn’t be).