• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!

TalkAction [TFS 1.3 / Lua 5.2] Debug LUA scripts with talkaction!

Gesior.pl

Mega Noob&LOL 2012
Senator
Joined
Sep 18, 2007
Messages
2,955
Solutions
98
Reaction score
3,351
Location
Poland
GitHub
gesior
Credits to @Cykotitan, based on TFS 0.x version TalkAction - Debug LUA scripts with talkaction!

It's updated version for LUA 5.2+ (in which they replaced 'loadstring' with 'load')!
For LuaJIT and LUA 5.1 versions use:

TalkAction - [TFS 1.x / LuaJIT] Debug LUA scripts with talkaction! (https://otland.net/threads/tfs-1-x-luajit-debug-lua-scripts-with-talkaction.260910/)

Talkaction that let you find problems with LUA scripts on GOD character.
You can also use it to do some admin actions in game. Fix small map bugs, make new spawns - without server restart.

XML data/talkactions/talkactions.xml:
PHP:
<talkaction words="/lua" separator=" " script="lua_debug.lua" />
<talkaction words="!lua" separator=" " script="lua_debug.lua" />

LUA data/talkactions/scripts/lua_debug.lua:
Lua:
function sendToPlayerLuaCallResult(player, ...)
   local n = select('#', ...)
   local result = setmetatable({ ... }, {
      __len = function()
         return n
      end,
   })

   local t = {}
   for i = 2, #result do
      local v = tostring(result[i])
      if v:len() > 0 then
         table.insert(t, v)
      end
   end

   if #t > 0 then
      player:sendTextMessage(MESSAGE_STATUS_CONSOLE_ORANGE, table.concat(t, ', '))
   end
end

function onSay(player, words, param)
   if not player:getGroup():getAccess() then
      return false
   end

   if player:getAccountType() < ACCOUNT_TYPE_GOD then
      return false
   end

   sendToPlayerLuaCallResult(player, pcall(load(
      'local cid = ' .. player:getId() .. ' ' ..
         'local player = Player(cid) ' ..
         'local pos = player:getPosition() ' ..
         'local position = pos ' ..
         param
   )))

   return false
end

Predefined variables:
cid
- GOD character 'cid'
player - GOD character Player object
pos - position of GOD character
position - position of GOD character

Examples:

1. Get current position of player 'Adsad':

PHP:
!lua p = Player('Adsad'):getPosition() return p.x, p.y, p.z
Result:
Local Chat in Tibia client said:
32368, 32224, 7

You can also split code to few lines:
PHP:
!lua var1 = Player('Adsad')
!lua var2 = var1:getPosition()
!lua return var2.x, var2.y, var2.z

2. Spawn monster Demon next to GOD:
PHP:
!lua Game.createMonster("Demon", pos)

3. Spawn monster Demon 20 times every 5 seconds on position on which is GOD in moment of saying !lua:
PHP:
!lua function spawnDemon(pos, countLeft) if countLeft > 0 then addEvent(spawnDemon, 5000, pos, countLeft - 1) end Game.createMonster("Demon", pos) end spawnDemon(pos, 20)

4. Set GOD storage value with key 123 to 456:
PHP:
!lua player:setStorageValue(123, 456)
Set player 'Adsad' storage value with key 123 to 456:
PHP:
!lua Player('Adsad'):setStorageValue(123, 456)

5. Get GOD storage value with key 123:
PHP:
!lua return player:getStorageValue(123)
Get player 'Adsad' storage value with key 123:
PHP:
!lua return Player('Adsad'):getStorageValue(123)
Result:
Local Chat in Tibia client said:
 
attention! don't not use this on production server (or change talkaction name).

when malicious people get use of it, it can open a security hole. this able to cracker (bad hacker) get sensitive information like database credentials,
password file (/etc/passwd) and execute malicious code using os.capture and os.execute.


-- suggestion
make a blacklist of keywords like mysql, sqlite, sqlPass, os.execute, os.capture...
 
I mean, you're right and all, but it is "DEBUG" purpose to not use it on production server.
Nice to mention it anyways
 
also this code is already executed only by god:

Lua:
if not player:getGroup():getAccess() then
      return false
   end

   if player:getAccountType() < ACCOUNT_TYPE_GOD then
      return false
   end
 
also this code is already executed only by god:

Lua:
if not player:getGroup():getAccess() then
      return false
   end

   if player:getAccountType() < ACCOUNT_TYPE_GOD then
      return false
   end

i know but today is really common to find an insecure website modification... if have the bad guy get access to god account? this should be the first step to get root your server.

I just told to take care of the utilization of this script in production server.
 
i know but today is really common to find an insecure website modification... if have the bad guy get access to god account? this should be the first step to get root your server.

I just told to take care of the utilization of this script in production server.
you are overreacting.
 
Back
Top