Joshua
Everything posted by Joshua
-
As I'm fairly literate I'll get started on a Strategy Guide and How-To ^_- Daddy wants this mod :o
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
I'll look em up and post em when I'm not sleepy >,<
I know full well that the "common" place for those exploits is on $_GET = url blah blah. However, this is "my" include globals bit that I like to use, sorta like a signature ^_- And you can't tell me that somewhere there isn't "some" elite hacker that could use that "include globals.php" bit to include his own file. I'm sure it can be done; with my way it can't.
-
[code]
if(file_exists($globals)) { include_once($globals); }
else { echo "globals file is missing"; exit; }
[/code]
ISO RFI/LFI? :P Just a little extra, not really "needed", but it's how I code so shh.. As for the SELECT *, I didn't want to mess with finding each column the viewuser was calling too, I'm tired :P
-
I'm half asleep and tired. No doubt there will be critics as some of the things I added aren't "necessary" but it's the way I code. Plus I'm sleepy and wanted to work on something before I head off to bed. Shrugz. It works, and as far as I know there isn't a vulnerable spot on that script now; if there is I'd love for the critic to point it out as I want to try it ^_- Best to run a BBcode engine with a profile sig though. htmlentities will strip a lot of <img <http tags from the sig w/o it. With it you would use [img tags.
-
Ok so I did this in about 10 minutes, it can always be MORE secure. But this is a lot more secure than you had it.
[code]
<?php
// NOTE: several array keys below appear as $r['] or $r[] because they were
// lost when the post was rendered; they are left exactly as posted.
$globals = DIRNAME(__FILE__) . '/globals.php';
if(file_exists($globals)) { include_once($globals); }
else { echo "globals file is missing"; exit; }

// cast the requested user id to a non-negative integer before it reaches SQL
$_GET['u'] = isset($_GET['u']) ? abs(@intval(trim($_GET['u']))) : '0';
if(!$_GET['u'])
{
    print "Invalid use of file";
    $h->endpage();
    exit;
}
else
{
    $q = $db->query("SELECT u.*,us.*,c.*,h.*,g.*,f.* FROM users u
        LEFT JOIN userstats us ON u.userid=us.userid
        LEFT JOIN cities c ON u.location=c.cityid
        LEFT JOIN houses h ON u.maxwill=h.hWILL
        LEFT JOIN gangs g ON g.gangID=u.gang
        LEFT JOIN fedjail f ON f.fed_userid=u.userid
        WHERE u.userid={$_GET['u']}");
    if($db->num_rows($q) == 0)
    {
        print "Sorry, we could not find a user with that ID, check your source.";
        $h->endpage();
        exit;
    }
    else
    {
        $r = $db->fetch_row($q);
        if($r['user_level'] == 1) { $userl="Mobster"; }
        else if($r['userid'] == 1) { $userl="Owner"; }
        else if($r['userid'] == 3) { $userl="Owner"; }
        else if($r['user_level'] == 2) { $userl="Admin"; }
        else if($r['user_level'] == 0) { $userl="NPC"; }
        else { $userl="Moderator"; }

        if($r['fedjail']) { $ustat="[url='fedjail']Federal Jail[/url]"; }
        else if($r['hospital']) { $ustat="[url='hospital.php']Hospital[/url]"; }
        else if($r['jail']) { $ustat="[url='jail.php']Jail[/url]"; }
        else { $ustat="-"; }

        $lon = ($r['laston'] > 0) ? date('F j',$r['laston']) : "Never";
        $sup = date('j F',$r['signedup']);
        $ts = $r['strength']+$r['agility']+$r['guard']+$r['labour']+$r['IQ'];
        $d = "";

        // "last active" as a rough seconds/minutes/hours/days figure
        if($r['laston'] > 0)
        {
            $la = time()-$r['laston'];
            $unit = "seconds";
            if($la >= 60) { $la = (int) ($la/60); $unit = "minutes"; }
            if($la >= 60)
            {
                $la = (int) ($la/60); $unit = "hours";
                if($la >= 24) { $la = (int) ($la/24); $unit = "days"; }
            }
            $str = "$la $unit ago";
        }
        else { $str = "--"; }

        if($r['last_login'] > 0)
        {
            $ll = time()-$r['last_login'];
            $unit2 = "seconds";
            if($ll >= 60) { $ll = (int) ($ll/60); $unit2 = "minutes"; }
            if($ll >= 60)
            {
                $ll = (int) ($ll/60); $unit2 = "hours";
                if($ll >= 24) { $ll = (int) ($ll/24); $unit2 = "days"; }
            }
            $str2 = "$ll $unit2 ago";
        }
        else { $str2 = "--"; }

        if($r['user_level'] > 1)
        {
            $r['username'] = "<font color=red>".stripslashes($r['username'])."</font>";
        }
        elseif($r['donatordays'])
        {
            $r['username'] = "<font color=blue>".stripslashes($r['username'])."</font>";
            $d = "[img=donator.gif]";
        }
        if($r['laston'] >= time()-15*60) { $on="<font color=green>[b]Online[/b]</font>"; }
        else { $on="<font color=red>[b]Offline[/b]</font>"; }

        print "
<div class='content'>
<h3>Profile: {$r['username']} [{$r['userid']}] $d</h3>
<table width='100%'>
<tr>
<td colspan='4'>
<table width='100%'>
<tr>
<td width='100' align='center'>";
        if($r['display_pic'])
        {
            // the rest of this expression was cut off in the original post
            print "<center>[img=".stripslashes(htmlentities($r[] </center>";
        }
        else
        {
            print "<center>[img=http://i38.tinypic.com/29bh8d5.jpg]</center> ";
        }
        print "
</td>
<td style='font-size:30px;' align='center'>
<span style='font-weight:bold;'>".stripslashes($r['username'])." [".number_format($r['userid'])."] $d</span>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width='18%'><h4>Name:</h4></td>
<td width='32'>[url='viewuser.php?u=".number_format($r[']".stripslashes($r['username'])."[/url]</td>
<td width='18%'><h4>Type:</h4></td>
<td width='32%'>".stripslashes(htmlentities($userl))."</td>
</tr>
<tr>
<td><h4>Level:</h4></td>
<td>".number_format($r['level'])."</td>
<td><h4>Money:</h4></td>
<td>\$".number_format($r['money'])."</td>
</tr>
<tr>
<td><h4>Age:</h4></td>
<td>".number_format($r['daysold'])." Days</td>
<td><h4>Last Active:</h4></td>
<td>$str</td>
</tr>
<tr>
<td><h4>HP:</h4></td>
<td>".number_format($r['hp'])."/".number_format($r['maxhp'])."</td>
<td><h4>Gang:</h4></td>
<td>";
        if($r['gang'])
        {
            print "[url='gangs.php?action=view&ID=".number_format($r[']".stripslashes(htmlentities($r['gangNAME']))."[/url]";
        }
        else
        {
            print "None";
        }
        print "</td>
</tr>
<tr>
<td><h4>Location:</h4></td>
<td>".stripslashes(htmlentities($r['cityname']))."</td>
<td><h4>House:</h4></td>
<td>[url='estate.php']".stripslashes(htmlentities($r['hNAME']))."[/url]</td>
</tr>
<tr>
<td><h4>Status:</h4></td>
<td>$ustat</td>
<td><h4>Online:</h4></td>
<td>$on</td>
</tr>
<tr>
<td><h4>Status Message:</h4></td>
<td>".stripslashes(htmlentities($r['sm']))."</td>
<td><h4>Race:</h4></td>
<td>{$r['race']}</td>
</tr>
<tr>
<td><h4>Gender:</h4></td>
<td>{$r['gender']}</td>
<td><h4>Warnings:</h4></td>
<td>";
        $w = $db->query("SELECT * FROM warnings WHERE user={$r['userid']}",$c);
        echo " ".$db->num_rows($w)." ";
        if($ir['user_level'] > 1)
        {
            echo "|| <a href=warnings.php?action=index&user=".number_format($r['userid']).">Manage</a>";
        }
        echo "</td>
</tr>
</table>
<h3>Actions</h3>
<table width='100%'>
<tr>
<td width='25%' align='center'>[url='mailbox.php?action=compose&ID=".number_format($r[']Message[/url]</td>
<td width='25%' align='center'>[url='attack.php?ID=".number_format($r[']Attack[/url]</td>
<td width='25%' align='center'>[url='mug.php?ID=".number_format($r[']Mug[/url]</td>
<td width='25%' align='center'>[url='spy.php?ID=".number_format($r[']Spy[/url]</td>
</tr>
<tr>
<td align='center'>[url='sendcash.php?ID=".number_format($r[']Send Money[/url]</td>
<td align='center'>[url='sendcrsy.php?ID=".number_format($r[']Send Crystals[/url]</td>
<td align='center'>[url='contactlist.php?action=add&ID=".number_format($r[']Add Contact[/url]</td>
<td align='center'>[url='???????']Ignore[/url]</td>
</tr>
</table>
<h3>Profile</h3></div>
<div style='text-align: center;'>
<table cellspacing=1 class='table' width='95%'>
<tr style='background:gray'>
<td>".stripslashes(htmlentities($r['profileSIG']))."</td>
</tr>
</table>
</div>";
    }
}
$h->endpage();
?>
[/code]
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Again Zero, it depends on how the query looks. As it didn't want to quote in my preferences, kept bugging. Then changed to the first and it worked. Reg/Auth however I had to quote it. Beats me ><
As broke as I am I'm so buying this :p
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Figures ><
Richards Business Mod--Fixed With a few Things added.
Joshua replied to Joshua's topic in Free Modifications
Seems like I had this prob too and I can't remember how I fixed it. Lemme scroll back through the topic and see if I said how to fix >,<
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
You can try it a few diff ways, it varies on the game set up and server:
[code]
userpass=$salted_hash
userpass={$salted_hash}
`userpass` = '{$salted_hash}'
[/code]
I had to do the last one on my staff change password for users bit.
2 Things. One--Don't showcase your game with STOLEN layouts. ;) Two--Secure your game before you showcase it, Made myself Admin in less than 20 seconds :| De-Staff ----Helloyou is character name.
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Sure, soon as I can get it back from the wife >< grr damn marriages, they eat all the food, spend all the money, and when it comes to "sexors" they have a headache ! lol.
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Np, I brought popcorn ^_-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Popcorn anyone? This WAS a freebie addition thread :P It's been hijacked >,<
Gj, if I wasn't tied up with somethin else I'd give it a run >,<
-
Simple really Pay someone else to ^_^
-
Yer, I figured that bit out a while back >,<
-
I like my way :p
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
Oops yea, forgot to mention that last bit Zeggy. I personally went with something along the lines of this for my salt: &#JJFKK993KKD337r98LFKSDJF#@$#*()@&kdkfajdj$&)*(#%(*)#&$%Klk shrugz :P
Ok, fairly simple mod here. This was Redex's idea, I just slapped it together, all credit goes to him. This mod basically gives users a "stall" where they can try once per day at a random chance of success or fail. Success brings money, fail loses money. The money goes into a stall vault where users can withdraw at their leisure. It's limited to one time per day. Shrugz, nothing special :P

SQLs:
[code]
ALTER TABLE `users` ADD `stallopen` INT( 11 ) NOT NULL DEFAULT '0';
CREATE TABLE IF NOT EXISTS `stalls` (
  `userid` int(11) NOT NULL,
  `stallvault` int(11) NOT NULL default '-1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
[/code]

stalls.php:
[code]
<?php
$globals = DIRNAME(__FILE__) . '/globals.php';
if(file_exists($globals)) { include_once($globals); }
else { echo "globals file is missing"; exit; }

// once-per-day flag lives on the users row
if($ir['stallopen'] == 1)
{
    echo "You can only use the stalls once per day";
    $h->endpage();
    exit;
}
echo "<h3>Welcome to the Stalls</h3>";
$stallers = $db->query(sprintf("SELECT * FROM `stalls` WHERE `userid`='%d'", $userid));
if($db->num_rows($stallers))
{
    switch(isset($_GET['stall']) ? $_GET['stall'] : '')
    {
        case 'stallvault': stallvault(); break;
        case 'stallclick': stallclick(); break;
        default: index(); break;
    }
}
else
{
    $staller = $db->query(sprintf("SELECT * FROM `stalls` WHERE `userid`='%d'", $userid));
    if(!$db->num_rows($staller))
    {
        if(isset($_GET['buy']))
        {
            print "Congratulations, you have started a free stall vault, good luck! [url='stalls.php']Start using your Stalls[/url]";
            $db->query("INSERT INTO stalls VALUES($userid, 3000)");
        }
        else
        {
            print "Start a free Stall Vault Today! [url='stalls.php?buy']> Yes, sign me up![/url]";
        }
    }
}

function index()
{
    global $ir,$userid,$db;
    $rr = $db->query(sprintf("SELECT * FROM `stalls` WHERE `userid`='%d'", $userid));
    $r = $db->fetch_row($rr);
    echo sprintf("<p>Good day %s. For surviving another day in a land of the unknown, you have been given the opportunity to try your luck in the stalls.</p>", htmlspecialchars($ir['username']));
    echo "[url='?stall=stallclick']Try Stalls[/url]
<form action='?stall=stallvault' method='post'>
[b]Withdraw From Stall:[/b] \$".number_format($r['stallvault'])."
Cash amount: <input type='text' name='cash' />
<input type='submit' value='Withdraw'>
</form>";
}

function stallvault()
{
    global $ir,$userid,$db,$h;
    // withdrawal amount is forced to a non-negative integer before use
    $_POST['cash'] = abs(@intval($_POST['cash']));
    $stall = $db->query(sprintf("SELECT * FROM `stalls` WHERE `userid`=%d", $userid));
    $ss = $db->fetch_row($stall);
    if($_POST['cash'] > 0)
    {
        if($_POST['cash'] > $ss['stallvault'])
        {
            print 'You do not have enough cash to withdraw this much from your stall.';
            $h->endpage();
            exit;
        }
        else if($ss['stallvault'] < 1100)
        {
            print 'You need to keep at least 1100 cash in your vault';
            $h->endpage();
            exit;
        }
        else
        {
            $db->query(sprintf("UPDATE `users` SET `money` = `money` + '%d' WHERE `userid` = '%u'", $_POST['cash'], $ir['userid']));
            $db->query(sprintf("UPDATE `stalls` SET `stallvault` = `stallvault` - '%d' WHERE `userid` = '%u'", $_POST['cash'], $userid));
            echo 'You have withdrawn '.number_format($_POST['cash']).' from your stall.';
        }
    }
    else
    {
        echo 'You missed one or more of the required fields.';
    }
}

function stallclick()
{
    global $ir,$userid,$db,$h;
    $stallz = mt_rand(1,2);
    if($stallz == 1)
    {
        $cash = 2000;
        echo "Luck must be with you today! Your stalls have earned you \$".number_format($cash)." and been directly deposited into your stall account!";
        $db->query(sprintf("UPDATE `stalls` SET `stallvault`=`stallvault`+'%u' WHERE `userid`='%d'", $cash, $userid));
        $db->query(sprintf("UPDATE `users` SET `stallopen`='1' WHERE `userid`='%d'", $userid));
    }
    else if($stallz == 2)
    {
        $deduct = 1100;
        echo "Luck is not on your side! Your stalls have lost \$".number_format($deduct).".";
        $db->query(sprintf("UPDATE `stalls` SET `stallvault`=`stallvault`-'%u' WHERE `userid`='%d'", $deduct, $userid));
        $db->query(sprintf("UPDATE `users` SET `stallopen`='1' WHERE `userid`='%d'", $userid));
    }
}
$h->endpage();
?>
[/code]
There is a chance for the stalls to go into the negatives. You have 2 options here. Let them ^_- or add a cron into the minute cron:
[code]
$db->query("DELETE FROM stalls WHERE stallvault < 0");
[/code]
Again, nothing special, any ideas on this I'm willing to expand.
-
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
I wouldn't suggest it and here is why. The users that aren't logged in and don't get the announcement won't be able to log in. You stand a chance at losing a lot of users as not all of them will think to use the password reset. You "could", but meh.
NEW GAMES ONLY--SUPER Secure your Password System, Stop using Md5.
Joshua replied to Joshua's topic in Free Modifications
I'm not "that" good yet T ;) This is just something for everyone to increase their security a little bit. You can't say sha1 salted is easy to decrypt :P
Sudo Update And All that I know--Regarding Issue with McFarlin
Joshua replied to Joshua's topic in General Discussion
Well I'd hope I've helped you enough in the past, as well as others, for people to know better regardless of how it appears. I mean, we were just discussing not long ago how you were debating on paying me to secure your site. I'd be an idiot to hack someone who was offering me money :P I do have a baby girl to feed >,< Just the same, I am sorry this happened to you as you are one of the better people here on MWG and have a lot of promise. Good luck in your gaming endeavors and remember I'm always on msn if you need assistance. --thug
Ok, I'd like to reiterate to everyone here you CANNOT CANNOT install this on an existing game. The simple reason is, you are most likely all using an Md5 encryption; moving to a salted sha1 will make ALL of your users' passwords invalid and to go through and manually change all of these would take a decade. So, with that being said, this is for NEW GAMES only who can reset their database if need be. This is 10x better to use than md5 as Salted and Sha1 is MUCH harder to decrypt than md5 is. Here we go.

Open up Register.php. Find this:
[code]
$db->query("INSERT INTO users (username, login_name, userpass
[/code]
Above that, add this:
[code]
$salt = 'CHANGETOWHATEVERPASSYOUWANTHERETOMIXWITHSHA1';
$password = $_POST['password'];
$salted_hash = hash("sha512", ($salt . $password));
[/code]
Again look in this query:
[code]
$db->query("INSERT INTO users (username, login_name, userpass
[/code]
Find the '{$_POST['password']}' bit. Overwrite '{$_POST['password']}' with '{$salted_hash}'. Save/close.

Open up Authenticate.php. Find
[code]
$uq=$db->query
[/code]
ABOVE add
[code]
$salt = 'USE IDENTICAL PASSWORD YOU SET IN REGISTER';
$password = $_POST['password'];
$salted_hash = hash("sha512", ($salt . $password));
[/code]
Next go back to $uq=$db->query. Find '{$_POST['password']}'; if you have this sprintf'd just look for $_POST['password']. Replace the password bit with $salted_hash; you may need to add { } around it: {$salted_hash}. Close and Save.

Next open up Preferences.php. This is my Password Change function. This will vary on which preferences you use and how you have it laid out:
[code]
// Password Change Function
function PassChange()
{
    global $ir, $db, $c;
    // current password, hashed with the same salt used in Register/Authenticate
    $salt = 'YOUR REGISTER/AUTHENTICATE CODE HERE';
    $password = isset($_POST['OldPass']) ? $_POST['OldPass'] : '';
    $salted_hash = hash("sha512", ($salt . $password));
    // new password, hashed with that same salt
    $salt2 = 'KEEP SAME PASSWORD FROM REG/AUTH';
    $password2 = isset($_POST['NewPass1']) ? $_POST['NewPass1'] : '';
    $salted_hash2 = hash("sha512", ($salt2 . $password2));
    $Info = $db->fetch_row($db->query(sprintf("SELECT `userid`, `userpass`, `login_name` FROM `users` WHERE `userid`='%d'", $ir['userid'])));
    if (isset($_POST['OldPass'], $_POST['NewPass1']))
    {
        if ($_POST['NewPass1'] == '')
        {
            echo 'Error! You Entered No Password ';
        }
        else if ($salted_hash != $Info['userpass'])
        {
            echo 'Error! The Current Password Is Incorrect! ';
        }
        else
        {
            $db->query(sprintf("UPDATE `users` SET `userpass`='%s' WHERE `userid`='%d'", $salted_hash2, $ir['userid']));
            echo 'Your Password Has Been Updated! Your New Password Is: [i]'.$_POST['NewPass1'].'[/i] Keep This Password Safe And Don\'t Tell Anyone It. > [url="index.php"]Home[/url]';
        }
    }
    else
    {
        echo '<h3 style="text-decoration: underline;">Password Change</h3>
<form action="preferences.php?act=PassChange" method="post">
Current Password: <input type="password" name="OldPass" />
New Password: <input type="password" name="NewPass1" />
<input type="submit" value="Change Password!" />
</form>';
    }
}
[/code]
And that is it. For those that would like me to post up my preferences to keep it easy just ask. This in my opinion is far better than md5 and much harder to hack as there aren't that many rainbow tables that can decrypt salted sha1 passwords.
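The same register / authenticate / password-change flow, as an added example that is not Joshua's code or the game's own: it uses PHP's password_hash() and password_verify(), which generate and store a random per-user salt instead of one salt string shared by every account, and it goes beyond the post by showing an on-login migration of an existing md5 user base (assumed to be unsalted md5), the case the post says cannot be upgraded in place. The PDO handle and prepared statements are assumptions; the users columns userid, login_name and userpass are the ones named in this thread.

```php
<?php
// Added example (not Joshua's or the game's code): per-user salted hashing
// with password_hash(), plus on-login migration of (assumed unsalted) md5 rows.
// Assumes a PDO handle and the users columns userid, login_name, userpass.
function registerUser(PDO $pdo, string $loginName, string $password): void
{
    // password_hash() draws a fresh random salt per user and stores it inside
    // the result, so no shared secret salt has to live in register/auth code.
    $st = $pdo->prepare('INSERT INTO users (login_name, userpass) VALUES (?, ?)');
    $st->execute([$loginName, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the userid on success, null on failure. A legacy row (32 hex chars of
// unsalted md5) is checked with md5() and rewritten with password_hash() on
// the spot, so existing players keep logging in while md5 disappears over time.
function authenticate(PDO $pdo, string $loginName, string $password): ?int
{
    $st = $pdo->prepare('SELECT userid, userpass FROM users WHERE login_name = ?');
    $st->execute([$loginName]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $row['userpass'])) {
        if (!hash_equals($row['userpass'], md5($password))) {
            return null;
        }
        $rehash = true;
    } else {
        if (!password_verify($password, $row['userpass'])) {
            return null;
        }
        // also rehash when the default algorithm or cost has moved on
        $rehash = password_needs_rehash($row['userpass'], PASSWORD_DEFAULT);
    }
    if ($rehash) {
        $up = $pdo->prepare('UPDATE users SET userpass = ? WHERE userid = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $row['userid']]);
    }
    return (int) $row['userid'];
}

// Password change: the current password must verify before a new hash is stored.
function changePassword(PDO $pdo, int $userid, string $old, string $new): bool
{
    $st = $pdo->prepare('SELECT userpass FROM users WHERE userid = ?');
    $st->execute([$userid]);
    $stored = $st->fetchColumn();
    if ($stored === false || !password_verify($old, $stored)) {
        return false;
    }
    $up = $pdo->prepare('UPDATE users SET userpass = ? WHERE userid = ?');
    return $up->execute([password_hash($new, PASSWORD_DEFAULT), $userid]);
}
```

Because the salt is embedded in each stored hash, no salt constant has to be kept identical across Register.php, Authenticate.php and Preferences.php, and changing it later never invalidates existing accounts.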