Back-End OT Administration Tool

xanitex

Hello all!

I've been quite busy with work lately, which has left my counterpart in a bad situation trying to manage the OT we run by himself. Unfortunately, his skills with the Linux command line and database management are fairly limited. To help mitigate this issue, I wrote a back-end admin system that can be used for managing and working with integral portions of the OpenTibia database back-end.

Current Features:
* Edit player (Level [sets experience to beginning of that level, i.e. level 8, exp is set to 4200], magic level, skills, player name, group level [player, tutor, senior tutor, cm, gm, god], game world they're on)
* Edit account (Account name, password, premium points, and page_access permissions)
* View talkaction logs in a modal popup (to check up on your people who are using commands that are logged)
* Crash viewer (leverages a python script I wrote that uses pexpect to get core dump information and drops it into the dumps/ directory which is then parsed and displays data)
* Status page that will show current health of services based on TCP socket connectivity (uses fsockopen)

You can use this page to submit feature requests if you'd like. This project is currently available on Github at the link below:

GitHub OTAdmin Download Link

There's a live demo here (Feel free to tweak the values. If you are unable to login, the username and password for the accounts should be reset within 5 minutes).

Code:
Demo Accounts:
    Admin -
        Username: demo_admin
        Password: demodemo
    Readonly -
        Username: demo
        Password: demodemo
 

Approved
Due to the fact that there is no direct download link, I cannot check the file, use at your own discretion
 
All the files are available on GitHub. I am releasing this under the GPL license, so it can be taken and modified. The copy on GitHub is the only official copy of this back-end tool. I just pushed an update that fixed a bug that allowed negative values to be posted for certain values.
 
Thanks! If you have suggestions, ideas, critiques, or any other feedback, please feel free to share. I'm finally starting to get some time to contribute more to the OpenTibia community. I'm going to write up a tutorial on installation and use soon. All variables that you should need to edit are in the config.php file.

Code:
<?php
    // MySQL Configuration Information
    $host = "localhost";
    $un = "demo";
    $pw = "demo_password";
    $db = "tfstest";

    // Arrays that contain vocation information based on promotion
    $vocation_name[0] = array(0 => 'None', 1 => 'Sorcerer', 2 => 'Druid', 3 => 'Paladin', 4 => 'Knight', 5 => 'Barbarian', 6 => 'Assassin');
    $vocation_name[1] = array(1 => 'Master Sorcerer', 2 => 'Elder Druid', 3 => 'Royal Paladin', 4 => 'Elite Knight', 5 => 'Savage Barbarian', 6=> 'Dark Assassin'); // id => 'name' , $vocation_name[1] - promotion level 1,
    $vocation_name[2] = array(1 => 'Unholy Sorcerer', 2 => 'Unholy Druid', 3 => 'Unholy Paladin', 4 => 'Unholy Knight', 5 => 'Unholy Barbarian', 6 => 'Unholy Assassin');
    $vocation_name[3] = array(1 => 'Templar Sorcerer', 2 => 'Templar Druid', 3 => 'Templar Paladin', 4 => 'Templar Knight', 5 => 'Templar Barbarian', 6 => 'Templar Assassin');

    // Promotion Names
    $promotion_name = array(0 => 'None', 1 => 'First', 2 => 'Unholy', 3 => 'Templar');

    // Group List based off the data/XML/groups.xml
    $group_list = array(1 => "Player", 2 => "Tutor", 3 => "Senior Tutor", 4 => "Gamemaster", 5 => "Higher Gamemaster", 6 => "God");

    // List of game servers
    $world_list = array(0 => 'Live Server', 1 => 'Test Server');

    // Path to root of OT installation (folder above data)
    $ot_root = "/devOT";

    // Services for the dashboard
    $services = array();
    $services[] = array(
        'short_name' => 'ot',
        'proper_name' => 'Open Tibia',
        'host' => '127.0.0.1',
        'port' => '7171'
    );
    $services[] = array(
        'short_name' => 'vent',
        'proper_name' => 'Ventrilo',
        'host' => '127.0.0.1',
        'port' => '3784'
    );
    $services[] = array(
        'short_name' => 'fail',
        'proper_name' => 'Failed Service',
        'host' => '127.0.0.1',
        'port' => '1'
    );
    // Menu items
    $menu_auth = array(
        "Dashboard" => "dashboard.php",
        "Account Management" => "account_management.php",
        "Player Management" => "player_management.php",
        "Admin Logs" => "admin_logs.php",
        "Crash Logs" => "crash_dump.php",
        "Log Out" => "logout.php"
    );
?>

I believe the config.php file is fairly self-explanatory. Please let me know if you have questions!
 
Welcome to the ultimate in sexy administration tools.

It is indeed sexy ;) I may use it after giving it a closer look.
Looks awesome dude, rep for sure.

Red
 
I'm glad you guys like it. If you guys have any feedback, feel free to share it. :) The delete player button doesn't function right now (mainly because I'm too lazy to change my "fix" script to re-import the database instead of running two update queries).
 
After a quick look, there are some major vulnerabilities in your application.

Even in 'read only' mode, you're able to get access to a lot more files than you should.
http://demo.tntopentibia.com/ajax_file.php?name=/devOT/config.lua
http://demo.tntopentibia.com/ajax_file.php?name=/devOT/data/talkactions/talkactions.xml
http://demo.tntopentibia.com/ajax_file.php?name=/devOT/data/talkactions/scripts/fly/flyup.lua

With an exposed MySQL password, it doesn't really matter if they can't edit the fields most of the time.

You also expose your real server path on your server.
https://www.tntopentibia.com/config/config.ini
 
Hello devianceone,

Thank you for pointing that out! I'm working on fixing those issues now.

- - - Updated - - -

This bug has been fixed and pushed to GitHub. Thank you again devianceone. Please keep the bug reports coming! I'd love for this to become a nifty tool for other OT admins to use.
 
Your script is still not secure.

demo.tntopentibia.com/ajax_file.php?name=/OT/data/creaturescripts/scripts/login.lua%00/devOT/data/logs/
 
Thank you devianceone. I fixed that bug as well. Please let me know if you find a way to exploit that again.

I have not tested this on Windows, so I am not sure if it will work in a Windows environment.
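
Added example, not part of the thread or of OTAdmin: one way for a file-viewing endpoint such as ajax_file.php to refuse the requests reported above, by rejecting NUL bytes and comparing the canonical path against an allowlist. The function name, the allowlisted data/logs directory and the sample tree are assumptions; the page does not show ajax_file.php itself.

```php
<?php
// Added example, not OTAdmin code: canonicalise a requested file name and
// serve it only if it lies inside an allowlisted directory.
function resolve_allowed_path(string $requested, array $allowedRoots): ?string
{
    // Refuse NUL bytes outright: a check on the raw string can pass while an
    // old PHP file function opens only the part before the NUL.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and fails on missing files.
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        // Trailing separator so ".../logs" does not also match ".../logs_old".
        $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed sample tree standing in for an OT root (paths are assumptions).
$otRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'otadmin_example_' . getmypid();
mkdir("$otRoot/data/logs", 0700, true);
file_put_contents("$otRoot/config.lua", "-- constructed placeholder\n");
file_put_contents("$otRoot/data/logs/talkactions.log", "constructed log line\n");

$allowed = array("$otRoot/data/logs");
$requests = array(
    "$otRoot/data/logs/talkactions.log",       // inside the allowlist
    "$otRoot/config.lua",                      // outside the allowlist
    "$otRoot/data/logs/../../config.lua",      // ".." back out of the allowlist
    "$otRoot/config.lua\0$otRoot/data/logs/",  // NUL byte followed by an allowed path
);
foreach ($requests as $r) {
    $verdict = resolve_allowed_path($r, $allowed) === null ? 'DENY ' : 'ALLOW';
    echo $verdict, ' ', str_replace("\0", '\\0', $r), "\n";
}
```

The same check belongs on the server side of every request regardless of the account's read-only or admin role, since the reports above were made from the read-only demo account.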
 
I tested it and I can change player names etc., but I can't get info like admin logs and crash logs, and this error comes up when I log in (Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\server\modernpanel\header.php on line 42). Everything else works; only admin logs and crash logs are not working. But it looks cool :) Great work, gz
 
That's an odd error for the admin and crash logs. Did you put the correct path for the OT root in config.php? Please make sure that you're using the latest version from GitHub as there were some security vulnerabilities with ajax_file.php.
 
OK, is this right?
// Path to root of OT installation (folder above data)
$dir = "C:\Users\janusz\Desktop\Flammingvets\data";

- - - Updated - - -

This error comes up now and I can't use the panel
(Parse error: syntax error, unexpected ']', expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\htdocs\server\modernpanel\config.php on line 28)

and my line 28

// Services for the dashboard
$services = array();
$services[] = array(
'short_name' => 'ModernOts 8.6',
'proper_name' => 'Modernots 8.6',
'host' => 'modernots.hopto.org',
'port' => '7171'
);

- - - Updated - - -

I got it.
I had $dir = "C:\Users\janusz\Desktop\Flammingvets\data\";
and I changed it to
$dir = "C:\Users\janusz\Desktop\Flammingvets\data";
and there is no error, but it's still not working

- - - Updated - - -

Only this error:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\server\modernpanel\header.php on line 42
sorry for spam ;p
 
It has something to do with mysql_fetch_assoc().
Post the header.php,
the whole script.
 
OK, here is header.php

Code:
<?php
    /*
    Copyright (C) 2013 - God Xanitex

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    */
?>
<?php
    session_start();
    include "config.php";
    if (strstr($_SERVER['PHP_SELF'],'logout.php'))
    {
        $_SESSION['authed'] = 'false';
        session_destroy();
        header('Location: index.php');
    }
    if ($_POST['account_number'])
    {
        mysql_connect($host,$un,$pw) or die("Cannot connect to database.");
        mysql_select_db($db);
        $an = mysql_real_escape_string($_POST['account_number']);
        $pass = mysql_real_escape_string($_POST['password']);
        $account = mysql_query('SELECT * FROM `accounts` WHERE `name` = "'.$an.'" AND `password` = sha1("'.$pass.'") AND `page_access` >= 3;');
        if (mysql_num_rows($account) == 1)
        {
            while ($row = mysql_fetch_assoc($account))
            {
                $_SESSION['id'] = $row['id'];
                $_SESSION['an'] = $row['name'];
                $char_query = mysql_query('SELECT `name` FROM `players` WHERE `account_id` = "'.$row['id'].' AND `group` > 3 ORDER BY GROUP DESC LIMIT 0,1');
                while ($char_row = mysql_fetch_assoc($char_query))
                    $_SESSION['char'] = $char_row['name'];
                $_SESSION['authed'] = true;
                $_SESSION['access'] = $row['page_access'];
            }
        }
        mysql_close();
    }
    session_write_close();
    $menu_auth = array(
        //"Home" => "index.php",
        "Dashboard" => "dashboard.php",
        "Account Management" => "account_management.php",
        "Player Management" => "player_management.php",
        "Admin Logs" => "admin_logs.php",
        "Crash Logs" => "crash_dump.php",
        "Log Out" => "logout.php"
    );
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>OTAdmin</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="">

    <!-- Le styles -->
    <link href="css/bootstrap.css" rel="stylesheet">
    <style>
      body {
        padding-top: 60px; /* 60px to make the container go all the way to the bottom of the topbar */
      }
    </style>
    <link href="css/bootstrap-responsive.css" rel="stylesheet">

    <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
      <script src="js/html5shiv.js"></script>
    <![endif]-->

    <!-- Fav and touch icons -->
    <link rel="apple-touch-icon-precomposed" sizes="144x144" href="ico/apple-touch-icon-144-precomposed.png">
    <link rel="apple-touch-icon-precomposed" sizes="114x114" href="ico/apple-touch-icon-114-precomposed.png">
      <link rel="apple-touch-icon-precomposed" sizes="72x72" href="ico/apple-touch-icon-72-precomposed.png">
                    <link rel="apple-touch-icon-precomposed" href="ico/apple-touch-icon-57-precomposed.png">
                                   <link rel="shortcut icon" href="ico/favicon.png">
    <script src="js/jquery.js"></script>
    <script src="js/bootstrap.min.js"></script>
  </head>

  <body>

    <div class="navbar navbar-inverse navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container">
          <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="brand" href="index.php" <?php if (strstr($_SERVER['PHP_SELF'],'index.php')) echo 'style="color: #FFF"'; ?>>OTAdmin</a>
          <div class="nav-collapse collapse">
            <ul class="nav">
            <?php
                if (isset($_SESSION['authed']) AND $_SESSION['authed'] == true)
                {
                    foreach ($menu_auth as $name => $link)
                    {
                        if (!is_array($link))
                        {
                            echo '<li';
                            if (strstr($_SERVER['PHP_SELF'], $link))
                                echo ' class="active"';
                            echo '><a href="'.$link.'">'.$name.'</a></li>';
                        }
                        else
                        {
                            echo '<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">'.$name.' <b class="caret"></b></a><ul class="dropdown-menu">';
                            foreach ($link as $sub_name => $sub_link)
                            {
                                echo '<li';
                                    if (strstr($_SERVER['PHP_SELF'], $sub_link))
                                        echo ' class="active"';
                                echo '><a href="'.$sub_link.'">'.$sub_name.'</a></li>';
                            }
                            echo '</ul></li>';
                        }
                    }
                }
              ?>
            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="container">
        <?php
            if (!isset($_SESSION['authed']) OR $_SESSION['authed'] == false)
            {
                include "login.php";
                include "footer.php";
                die();
            }
        ?>
 
Hmm, God Batonik, did you change the variable to be $dir instead of $ot_root? If so, that's probably your issue. Try setting it like below:

$ot_root = "C:\Users\janusz\Desktop\Flammingvets\data";

As far as the error you are getting on line 42 of header.php, that's a check to store the name of a GM char:

Code:
                $char_query = mysql_query('SELECT `name` FROM `players` WHERE `account_id` = "'.$row['id'].' AND `group` > 3 ORDER BY GROUP DESC LIMIT 0,1');
                while ($char_row = mysql_fetch_assoc($char_query))
                    $_SESSION['char'] = $char_row['name'];

This is currently not being used at all, but I figured it would be fun in the future to add a "Hello, [insert player name here]!" The fact that you are getting this error just means that there were no MySQL results on the account that have a group higher than 3.
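
Added example, not part of the thread or of OTAdmin: the query quoted above opens a double quote before the account id and never closes it, and leaves GROUP unquoted in ORDER BY, so the database rejects the statement and mysql_query() returns false rather than an empty result. The code below contrasts that with a parameterised version; it uses PDO with in-memory SQLite in place of MySQL so it runs offline (assumes the pdo_sqlite extension), and the function names and sample rows are constructed.

```php
<?php
// Added example, not OTAdmin code. SQLite in memory stands in for MySQL;
// table and column names follow the query quoted in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (name TEXT, account_id INTEGER, `group` INTEGER)');
// Constructed rows: account 1 has a staff character, account 2 has none.
$pdo->exec("INSERT INTO players VALUES ('Constructed GM', 1, 5), ('Constructed Player', 2, 1)");

/** Name of the highest-group staff character on the account, or null. */
function staff_character(PDO $pdo, int $accountId): ?string
{
    // A placeholder replaces string concatenation, so there is no quote to
    // balance; `group` is a reserved word and is quoted in ORDER BY as well.
    $stmt = $pdo->prepare(
        'SELECT name FROM players WHERE account_id = ? AND `group` > 3
         ORDER BY `group` DESC LIMIT 1'
    );
    $stmt->execute(array($accountId));
    $name = $stmt->fetchColumn();   // false when no row matches
    return $name === false ? null : $name;
}

/** True if the database accepts the statement, false on a syntax error. */
function query_parses(PDO $pdo, string $sql): bool
{
    try {
        $pdo->query($sql);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// The statement as header.php builds it for account id 1 (quote left open).
$asPosted = 'SELECT `name` FROM `players` WHERE `account_id` = "1'
          . ' AND `group` > 3 ORDER BY GROUP DESC LIMIT 0,1';

var_dump(query_parses($pdo, $asPosted));  // the statement from the thread
var_dump(staff_character($pdo, 1));       // account with a staff character
var_dump(staff_character($pdo, 2));       // account without one
```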
 
I already changed it to $dir but it's not working
$dir = "C:\Users\janusz\Desktop\Flammingvets\data";

- - - Updated - - -

I meant $ot_root = "C:\Users\janusz\Desktop\Flammingvets\data"; is not working. I tried changing it to $ but got the same error

- - - Updated - - -

$dir
 