Gesior acc. maker for TFS

Status
Not open for further replies.
This also doesn't work for me, it just keeps on giving me the loading message, and who is online just tells me there is no one currently playing.

And guys if you find any security leaks then please tell them to Gesior, he is doing an amazing job with the acc maker and we should all be grateful that he is willing to put his time and effort into this for all of us.
Copy the code from TFS 0.2.9 to your login.lua and logout.lua files if you have an older version. Then it should show the online players list. In TFS 0.2.10 and newer you don't have to use LUA code.
--------------------------------------
fenomenoide said:
Don't use these AAC (Automatic Account Creator). It has a lot of vulnerabilities. Check for yourself with SSS (Shadow Security Scanner)...
How can I check a "site" with this program? It checks the computer and shows errors of applications, not scripts.
Maybe Nottinghster knows more about XSS attacks and can explain how I can attack my acc. maker?
 
Copy the code from TFS 0.2.9 to your login.lua and logout.lua files if you have an older version. Then it should show the online players list. In TFS 0.2.10 and newer you don't have to use LUA code.

I am using the latest revision and have this in my server_status.php:
PHP:
<?php
header('Content-Type: text/xml');
echo '<?xml version="1.0" encoding="utf-8" standalone="yes"?>';
$config = parse_ini_file('../../config/config.ini');
$server_config = parse_ini_file($config['server_path'].'config.lua');

$socket = @fsockopen($server_config['ip'], $server_config['port'], $errno, $errstr, 1);
if ($socket)
{
    stream_set_timeout($socket, 1);
    fwrite($socket, chr(6).chr(0).chr(255).chr(255).'info');
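    $data = ''; // was "$data;", which left the variable undefined
    while (!feof($socket))
    {
        $chunk = fread($socket, 128);
        // Stop on a read error or timeout; feof() stays false after a timeout.
        if ($chunk === false || $chunk === '')
            break;
        $data .= $chunk;
    }
    fclose($socket);

    // Report OFF when the reply does not contain the expected players element.
    if (preg_match('/players online="(\d+)" max="(\d+)"/', $data, $matches))
        echo '<response>'.$matches[1].'</response>';
    else
        echo '<response>OFF</response>';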
}
else 
    echo '<response>OFF</response>';
?>
 
lol the last OT I found with this website I fucked up......SQL injection is easy and you can get the MySQL password of their DB with this coding....This website should be fixed bro, like all are paying, it needs POT
 
lol the last OT I found with this website I fucked up......SQL injection is easy and you can get the MySQL password of their DB with this coding....This website should be fixed bro, like all are paying, it needs POT
Eee.. are you sure you are talking about my acc. maker? -.-
This acc. maker has used POT since the first version and I think it's not possible to show the DB password in version 0.2.1
Can you post any code or link to get the DB password or data from the DB with my acc. maker? A few users posted "i found bugs, i can fuck website", but none posted a script to do it or the place where the bug is -.-
A few popular servers (100+ online) use my acc. maker and I want to be sure it's safe.
 
Ye, I'm using Gesior's account maker too, I would like to be sure it's 100% safe. (guilds are still fucked up btw)
 
Yep. I think it allows using SQLite and MySQL :)
 
Ye, I'm using Gesior's account maker too, I would like to be sure it's 100% safe. (guilds are still fucked up btw)
What is wrong with guilds? Post in this thread what is wrong in the guild system and I'll fix it all. If it's the problem "user creates a guild and he is the leader, but isn't on the guild members list", it's a problem with OTS/TFS. With a normal compilation of TFS you can't change ranks of players when they are online. When a player creates a guild it changes his "rank_id" in "players" and creates a new guild with "owner" = id of the player. So the player is the leader of the guild ("guilds" table), but isn't a member of the guild (when he logs out, the server saves his "rank_id" from the time when he logged in).
How to fix it?
1. Open file: iologindata.cpp (TFS engine)
2. Find lines:
Code:
	query << "`guildnick` = '" << Database::escapeString(player->guildNick) << "', ";
	query << "`rank_id` = " << IOGuild::getInstance()->getRankIdByGuildIdAndLevel(player->getGuildId(), player->getGuildLevel()) << " ";
3. Change to:
Code:
	query << "`guildnick` = '" << Database::escapeString(player->guildNick) << "' ";
4. Compile and now you can create a guild/change the rank of an online player without problems. The guild/new rank is updated on the OTS when he relogs.
--------------------------------
Our 1337 h4X0r5 report problems with security, but can't tell me/us how I/we can abuse these bugs or how to fix them -.-
 
Gesior, I will help you later on so there are no vulnerabilities in the web but I'm on vacation right now
 
<?php

function sql_seguro($valor)
{
/*we are replacing < > so it doesn't insert code such as <?php ...attack... ?>*/
$valor = str_replace("<","&lt;",$valor);
$valor = str_replace(">","&gt;",$valor);

/*words that can cause problems*/
$valor = str_replace('INSERT','[INSERT]',$valor);
$valor = str_replace('REPLACE','[REPLACE]',$valor);
$valor = str_replace('UPDATE','[UPDATE]',$valor);
$valor = str_replace('DELETE','[DELETE]',$valor);
$valor = str_replace('SELECT','[SELECT]',$valor);
$valor = str_replace('TRUNCATE','[TRUNCATE]',$valor);
$valor = str_replace('CREATE','[CREATE]',$valor);
$valor = str_replace('DROP','[DROP]',$valor);
$valor = str_replace('SET','[SET]',$valor);
$valor = str_replace(';','[;]',$valor);
$valor = str_replace('"','["]',$valor);
$valor = str_replace("'","[']",$valor);

return $valor;
}

function sql_noseguro($valor)
{
/*words that can make problems*/
$valor = str_replace('[INSERT]','INSERT',$valor);
$valor = str_replace('[REPLACE]','REPLACE',$valor);
$valor = str_replace('[UPDATE]','UPDATE',$valor);
$valor = str_replace('[DELETE]','DELETE',$valor);
$valor = str_replace('[SELECT]','SELECT',$valor);
$valor = str_replace('[TRUNCATE]','TRUNCATE',$valor);
$valor = str_replace('[CREATE]','CREATE',$valor);
$valor = str_replace('[DROP]','DROP',$valor);
$valor = str_replace('[SET]','SET',$valor);
$valor = str_replace('[;]',';',$valor);
$valor = str_replace('["]','"',$valor);
$valor = str_replace("[']","'",$valor);

return $valor;
}

?>
This is an old script of mine, I don't remember much but I'm still reading and creating things, I will send you modified scripts when I finish with them :p


Use mysql_real_escape_string when taking GET/POST data to your database, and htmlentities to print it out.
 
Dumb, he uses POTS ><

Btw.
Gesior, try moving the JavaScript responsible for the newsticker to a separate file, and use it only if needed (like in my version of AAC that I gave you).
 
Dumb, he uses POTS ><

Btw.
Gesior, try moving the JavaScript responsible for the newsticker to a separate file, and use it only if needed (like in my version of AAC that I gave you).
News/tickers will be rewritten to work 100% with other layouts. The script will generate only an array with news and tickers. A script in the layout directory will parse this array into the layout format (layout graphics).
@fenomenoide
about mysql_real_escape_string.. I use POT and the acc. maker is for SQLite and MySQL. Will a string escaped for MySQL always work fine with SQLite?
Before I send data from GET/POST to the database I check every name, guild name, guild rank... On comments/guild descriptions I use "htmlspecialchars".
I think users in this thread report problems with XSS, not SQL injection.
 
Last edited:
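Added example (not part of the thread and not code from the acc. maker): it puts a shortened copy of the keyword filter posted above next to a PDO bound parameter, which behaves the same on SQLite and MySQL, and escapes only at output time with htmlspecialchars. The `players` table, its `comment` column, the sample row and the use of PDO with the pdo_sqlite driver are assumptions made for the demonstration.

```php
<?php
// Added example; table, rows and inputs are constructed for illustration.

// Shortened copy of the posted filter (same case-sensitive str_replace logic).
function sql_seguro_demo(string $valor): string
{
    $valor = str_replace(['<', '>'], ['&lt;', '&gt;'], $valor);
    $valor = str_replace('SELECT', '[SELECT]', $valor);
    return str_replace("'", "[']", $valor);
}

// Weak: filter, then concatenate the value into the SQL text.
function find_concat(PDO $db, string $name): array
{
    $sql = "SELECT id FROM players WHERE name = '" . sql_seguro_demo($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Corrected: the value travels as a bound parameter, never as SQL text.
function find_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:'); // a mysql: DSN takes the same calls
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');
$ins = $db->prepare('INSERT INTO players (name, comment) VALUES (?, ?)');
$ins->execute(["O'Neil", '<b>hi</b> "all"']);

// The filter is case-sensitive and keeps the quote character inside "[']".
var_dump(sql_seguro_demo('select'));
var_dump(sql_seguro_demo("O'Neil"));

try {
    find_concat($db, "O'Neil");
    echo "concat: query ran\n";
} catch (PDOException $e) {
    // The surviving quote ended the string literal early and broke the statement.
    echo "concat: SQL structure changed by input\n";
}

// Bound parameter: the same name is matched as plain data.
var_dump(find_prepared($db, "O'Neil"));

// Escape at output time, for the HTML context, not before storage.
$comment = $db->query('SELECT comment FROM players WHERE id = 1')->fetchColumn();
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'), "\n";
```

A legitimate name containing an apostrophe is enough to break the concatenated query, while the bound parameter finds the row and the stored comment stays unmodified in the database.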
Code:
STEP 4
Add samples to DB:
Added first news ticker.
Added first news.

Fatal error: Call to a member function fetch() on a non-object in D:\Programy\Xampp\htdocs\install.php on line 404

=o

Code:
STEP 4
Add samples to DB:

Fatal error: Call to a member function query() on a non-object in D:\Programy\Xampp\htdocs\install.php on line 390

=oo
 
Code:
STEP 4
Add samples to DB:
Added first news ticker.
Added first news.

Fatal error: Call to a member function fetch() on a non-object in D:\Programy\Xampp\htdocs\install.php on line 404

=o

Code:
STEP 4
Add samples to DB:

Fatal error: Call to a member function query() on a non-object in D:\Programy\Xampp\htdocs\install.php on line 390

=oo
I don't know why, but some players have this error. I have Windows and XAMPP 1.6.5 and I don't have this error in SQLite and MySQL. I'll change the installation a bit in the next version and this error will be invisible.
 
I forgot to edit the above post.

The error stopped showing up when I've added the whole "data" folder to my server location, before I had only the config file, coz I've been too lazy to compile :)
 
add the Gesior ITEM/PACC Shop (PHP+LUA) for TFS to this acc
 
Can anyone help me with the server status problem I am having? (Page 3)
It only works the first time I go to the website, but once I go to another page on the website it just keeps on saying "Loading...".
I am using the latest TFS tags revision.
 
@Agostini

Have you tried changing statusTimeout to 0 in config.lua?
 
Thanks, that worked, the only problem that I have left now is that the "who is online" page won't work correctly.
It only shows like 2 or 3 of the 20 online players.
Also when you look at the profile of a player that is online it will say he is offline.
 