Plus Emulator Security Fixes

  1. #1 Chapo (True Member, joined Jul 2010, 928 posts)

    Plus Emulator Security Fixes

    Hi,

    When I was checking Plus I found an exploit which makes it possible to send queries, drop tables, whatever you like. I noticed that someone finally found out the exploit and I decided to release the fix because these guys just want to fuck some shit up.

    Open the source and follow me.

    1). HabboHotel\Items\Wired\Boxes\Effects\BotChangesClothesBox.cs

    Find:
    Code:
    using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())
    {
        dbClient.RunQuery("UPDATE `bots` SET `look` = '" + User.BotData.Look + "', `gender` = '" + User.BotData.Gender + "' WHERE `id` = '" + User.BotData.Id + "' LIMIT 1");
    }
    Replace:
    Code:
    using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())
    {
        dbClient.SetQuery("UPDATE `bots` SET `look` = @look, `gender` = '" + User.BotData.Gender + "' WHERE `id` = '" + User.BotData.Id + "' LIMIT 1");
        dbClient.AddParameter("look", User.BotData.Look);
        dbClient.RunQuery();
    }
    And to be sure:

    2). Communication\Packets\Incoming\Rooms\AI\Bots\SaveBotActionEvent.cs

    Find:
    Code:
    using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())
    {
        dbClient.RunQuery("UPDATE `bots` SET `look` = '" + Session.GetHabbo().Look + "', `gender` = '" + Session.GetHabbo().Gender + "' WHERE `id` = '" + Bot.BotData.Id + "' LIMIT 1");
    }
    Replace:
    Code:
    using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())
    {
        dbClient.SetQuery("UPDATE `bots` SET `look` = @look, `gender` = '" + Session.GetHabbo().Gender + "' WHERE `id` = '" + Bot.BotData.Id + "' LIMIT 1");
        dbClient.AddParameter("look", Session.GetHabbo().Look);
        dbClient.RunQuery();
    }
    Replace the stuff as seen above in your source and recompile. I'm not going to explain how to execute the exploit because no one has this fixed yet.

    More fixes

    1). Communication\Packets\Incoming\Rooms\Furni\Wired\SaveWiredConfigEvent.cs

    Find:
    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;
    Replace:
    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (!Room.CheckRights(Session, false) && !Room.CheckRights(Session, true))
        return;
    There is a way to change someone else's Wired settings, so the code above is the fix.

    2). Communication\Packets\Incoming\Catalog\CheckGnomeNameEvent.cs (Thanks to @Damien Jolly & thanks to @Shorty for sending me)

    Find:
    Code:
    if (Item == null || Item.Data == null)
        return;
    Replace:
    Code:
    if (Item == null || Item.Data == null || Item.UserID != Session.GetHabbo().Id || Item.Data.InteractionType != InteractionType.GNOME_BOX)
        return;
    The code above will fix the furni which change into Gnomes & duplicate furni in the db.

    3). HabboHotel\Users\UserData\UserDataFactory.cs (Thanks to @Damien Jolly)

    Find:
    Code:
    dbClient.SetQuery("SELECT `id`,`username`,`rank`,`motto`,`look`,`gender`,`last_online`,`credits`,`activity_points`,`home_room`,`block_newfriends`,`hide_online`,`hide_inroom`,`vip`,`account_created`,`vip_points`,`machine_id`,`volume`,`chat_preference`,`focus_preference`, `pets_muted`,`bots_muted`,`advertising_report_blocked`,`last_change`,`gotw_points`,`ignore_invites`,`time_muted`,`allow_gifts`,`friend_bar_state`,`disable_forced_effects`,`allow_mimic`,`rank_vip` FROM `users` WHERE `auth_ticket` = @sso LIMIT 1");
    Replace:
    Code:
    dbClient.SetQuery("SELECT users.id,users.username,users.rank,users.motto,users.look,users.gender,users.last_online,users.credits,users.activity_points,users.home_room,users.block_newfriends,users.hide_online,users.hide_inroom,users.vip,users.account_created,users.vip_points,users.machine_id,users.volume,users.chat_preference,users.focus_preference,users.pets_muted,users.bots_muted,users.advertising_report_blocked,users.last_change,users.gotw_points,users.ignore_invites,users.time_muted,users.allow_gifts,users.friend_bar_state,users.disable_forced_effects,users.allow_mimic,users.rank_vip " +
        "FROM users " +
        "JOIN user_auth_ticket " +
        "ON users.id = user_auth_ticket.user_id " +
        "WHERE user_auth_ticket.auth_ticket = @sso " +
        "LIMIT 1");

    Find:
    Code:
    dbClient.RunQuery("UPDATE `users` SET `online` = '1', `auth_ticket` = '' WHERE `id` = '" + UserId + "' LIMIT 1");
    Replace:
    Code:
    dbClient.RunQuery("UPDATE `users` SET `online` = '1' WHERE `id` = '" + UserId + "' LIMIT 1");
    dbClient.RunQuery("DELETE FROM `user_auth_ticket` WHERE `user_id` = '" + UserId + "' LIMIT 1");

    PlusEnvironment.cs

    Find:
    Code:
    dbClient.RunQuery("UPDATE `users` SET online = '0', `auth_ticket` = NULL");
    Replace:
    Code:
    dbClient.RunQuery("TRUNCATE `user_auth_ticket`");
    dbClient.RunQuery("UPDATE `users` SET online = '0'");

    Finally run this database query:

    Code:
    -- ----------------------------
    -- Table structure for `user_auth_ticket`
    -- ----------------------------
    DROP TABLE IF EXISTS `user_auth_ticket`;
    CREATE TABLE `user_auth_ticket` (
      `user_id` int(11) NOT NULL,
      `auth_ticket` varchar(60) NOT NULL,
      PRIMARY KEY (`user_id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    The code above will fix logging in to someone else's account without a password.

    There's more, and I will release more fixes later. If you have trouble with someone who is fucking some shit up, send me a PM.

    Last edited by Taiga; 28-12-16 at 08:00 PM. Reason: No propaganda
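The difference between the "Find" and "Replace" blocks for the bot `look` update, shown in Python on an in-memory sqlite table as an added example (not Plus Emulator code). It goes one step further than the posted fix by binding `gender` and `id` as parameters too; the `bots` schema is reduced to three columns and MySQL's `LIMIT 1` is dropped because sqlite does not support it on UPDATE.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the emulator's `bots` table (two sample bots)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bots (id INTEGER PRIMARY KEY, look TEXT, gender TEXT)")
    db.executemany("INSERT INTO bots VALUES (?, ?, ?)",
                   [(1, "hd-180-1", "M"), (2, "hd-600-1", "F")])
    return db


def update_look_concat(db, bot_id, look, gender):
    """The 'Find' pattern: the look string is spliced into the SQL text, so a
    quote character inside it is read by the SQL parser, not stored as data."""
    sql = ("UPDATE bots SET look = '" + look + "', gender = '" + gender
           + "' WHERE id = '" + str(bot_id) + "'")
    db.execute(sql)


def update_look_param(db, bot_id, look, gender):
    """The 'Replace' pattern, extended to every value: the driver ships the
    values separately from the statement, so they can never alter its shape."""
    db.execute("UPDATE bots SET look = ?, gender = ? WHERE id = ?",
               (look, gender, bot_id))


def demo(look):
    """Run both variants on fresh tables.
    Returns (concat_statement_parsed, look_stored_by_param_variant, untouched_row)."""
    db = make_db()
    try:
        update_look_concat(db, 1, look, "M")
        concat_ok = True
    except sqlite3.Error:          # stray quote: the statement no longer parses
        concat_ok = False
    db = make_db()
    update_look_param(db, 1, look, "M")
    stored = db.execute("SELECT look FROM bots WHERE id = 1").fetchone()[0]
    other = db.execute("SELECT look FROM bots WHERE id = 2").fetchone()[0]
    return concat_ok, stored, other


if __name__ == "__main__":
    print(demo("hd-180-1.ch-210-66"))   # both variants fine on a normal figure string
    print(demo("hd-180-1'ch-210"))      # concat breaks; parameterised stores it verbatim
```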


  2. #2 Gaby (V.I.P, joined Apr 2013, The Netherlands, 1,486 posts)

    Re: Plus Emulator Security Fixes

    IMO More fixes > 1 should be

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.CheckRights(Session, false))
        return;
    and not

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.OwnerId != Session.GetHabbo().Id && Room.CheckRights(Session, false))
        return;
    Otherwise you only allow the actual room owner to make changes to the wired, while everybody with rights should have this ability. Thanks for releasing these fixes, you've done a great job for the Plus-using community!


  3. #3 Chapo (True Member, joined Jul 2010, 928 posts)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by Gaby
    IMO More fixes > 1 should be

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.CheckRights(Session, false))
        return;
    and not

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.OwnerId != Session.GetHabbo().Id && Room.CheckRights(Session, false))
        return;
    Otherwise you only allow the actual room owner to make changes to the wired, while everybody with rights should have this ability. Thanks for releasing these fixes, you've done a great job for the Plus-using community!
    Yep! You're right, updated the thread. Thank you.

  4. #4 Damien Jolly (Member, joined Apr 2014, 93 posts)

    Re: Plus Emulator Security Fixes

    Number 2 is the exact fix I posted a while back on another forum, yet you credited Shorty? hmm ;)

    Either way, I doubt this is the last of these exploits, they seem to be popping up out of nowhere all of a sudden. Thank you for the bot fixes, it's a shame people have been abusing it and some hotels have suffered from it.

    +1 from me.

  5. #5 Chapo (True Member, joined Jul 2010, 928 posts)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by Damien Jolly
    Number 2 is the exact fix I posted a while back on another forum, yet you credited Shorty? hmm ;)

    Either way, I doubt this is the last of these exploits, they seem to be popping up out of nowhere all of a sudden. Thank you for the bot fixes, it's a shame people have been abusing it and some hotels have suffered from it.

    +1 from me.
    Oops! My bad, buddy. Shorty told me the fix but had no name mentioned. Excusez-moi.
    Thread updated.
    Last edited by Chapo; 28-05-16 at 10:22 PM.

  6. #6 Damien Jolly (Member, joined Apr 2014, 93 posts)

    Re: Plus Emulator Security Fixes

    Here's another exploit while we're at it.

    In PurchaseFromCatalogEvent.cs

    Change:
    Code:
    if (Amount < 1 || Amount > 100)
    To:
    Code:
    if (Amount < 1 || Amount > 100 || !Item.HaveOffer)
    To stop people scripting unlimited credits.

  7. #7 MattSantos (Member, joined May 2016, 94 posts)

    Re: Plus Emulator Security Fixes

    How to fix the delay at the time of purchase?

  8. #8 Chapo (True Member, joined Jul 2010, 928 posts)

    Re: Plus Emulator Security Fixes

    Oh, for the ones who keep getting stuck at 76% after adding the fixes, you have to change your SSO ticket in client.php(?) to something like:

    PHP Code:
    $ticket = time().sha1(rand(10000,99999));

    $sql = DB::query('SELECT null FROM `user_auth_ticket` WHERE `user_id` = %i LIMIT 1', (int)$user->Id);

    if(DB::count() > 0) {
        DB::query('UPDATE `user_auth_ticket` SET `auth_ticket` = %s WHERE `user_id` = %i', $ticket, (int)$user->Id);
    }else{
        DB::insert('user_auth_ticket', array (
            'user_id' => $user['id'],
            'auth_ticket' => $ticket
        ));
    }
    or normal mysql:

    PHP Code:
    $ticket = time().sha1(rand(10000,99999));

    $sql = mysql_query("SELECT `user_id` FROM `user_auth_ticket` WHERE `user_id` = '".$user['id']."'");
    if(mysql_num_rows($sql) > 0){
        mysql_query("UPDATE `user_auth_ticket` SET `auth_ticket` = '".$ticket."' WHERE `user_id` = '".$user['id']."'");
    }else{
        mysql_query("INSERT INTO `user_auth_ticket` (`user_id`, `auth_ticket`) VALUES ('".$user['id']."', '".$ticket."');");
    }
    Last edited by Chapo; 28-05-16 at 11:28 PM.
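The whole ticket lifecycle from post #1 (look the ticket up through the `user_auth_ticket` join, delete it on login, clear the table at emulator start-up) together with the CMS-side upsert from this post, modelled in Python on sqlite as an added example; this is not CMS or emulator code. Assumptions: the `users` table is reduced to three columns, `INSERT OR REPLACE` stands in for the select-then-update/insert, `os.urandom` stands in for `rand()` and `DELETE` for MySQL's `TRUNCATE`.

```python
import hashlib
import os
import sqlite3
import time


def make_db():
    """Constructed stand-in for `users` plus the thread's `user_auth_ticket` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
               " online INTEGER NOT NULL DEFAULT 0)")
    db.execute("CREATE TABLE user_auth_ticket (user_id INTEGER PRIMARY KEY,"
               " auth_ticket TEXT NOT NULL)")
    db.executemany("INSERT INTO users (id, username) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob")])
    return db


def issue_ticket(db, user_id):
    """CMS side: mint a fresh ticket and keep exactly one row per user.
    Assumption: time prefix + sha1 of random bytes instead of the post's rand()."""
    ticket = str(int(time.time())) + hashlib.sha1(os.urandom(16)).hexdigest()
    db.execute("INSERT OR REPLACE INTO user_auth_ticket (user_id, auth_ticket)"
               " VALUES (?, ?)", (user_id, ticket))
    return ticket


def consume_ticket(db, sso):
    """Emulator side (UserDataFactory.cs after the fix): resolve the ticket via the
    join, mark the user online, then delete the row so the ticket is single-use.
    Returns the user id, or None when no pending ticket matches."""
    row = db.execute("SELECT users.id FROM users JOIN user_auth_ticket"
                     " ON users.id = user_auth_ticket.user_id"
                     " WHERE user_auth_ticket.auth_ticket = ? LIMIT 1", (sso,)).fetchone()
    if row is None:
        return None
    user_id = row[0]
    db.execute("UPDATE users SET online = 1 WHERE id = ?", (user_id,))
    db.execute("DELETE FROM user_auth_ticket WHERE user_id = ?", (user_id,))
    return user_id


def clear_all_tickets(db):
    """Emulator start-up (PlusEnvironment.cs after the fix): no ticket survives a restart."""
    db.execute("DELETE FROM user_auth_ticket")
    db.execute("UPDATE users SET online = 0")


def pending_tickets(db):
    return db.execute("SELECT COUNT(*) FROM user_auth_ticket").fetchone()[0]
```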

  9. #9 trantium (Hardcore Member, joined Jun 2007, 102 posts)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by MattSantos
    How to fix the delay at the time of purchase?
    That's the way Plusemu is coded. You should try to find how to insert a bulk transaction instead of one by one.

  10. #10 xHosts.uk Robot (True Member, joined Apr 2015, England, 728 posts)

    Re: Plus Emulator Security Fixes

    A lot of people have had their db dropped using Plus Emulator; madness to think it's possible, but ay. These fixes will surely help people out that are using this emulator.

    xHosts - Support Staff - Visit us today @ xhosts.uk

  11. #11 Eduardo Adkins (Newbie, joined May 2016, Veracruz, Mexico, 1 post)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by TehMud
    Oh, for the ones who keep getting stuck at 76% after adding the fixes, you have to change your SSO ticket in client.php(?) to something like:

    or normal mysql:
    Okay, I don't exactly know what to do.
    Please help me, this is my client:
    PHP Code:
    <?php
    require_once ('heliocms/core.php');
    if (isset($_SESSION['id'])) {
    if (isset($_GET['hash'])) {
    $client_a = mysql_query("SELECT * FROM heliocms_hotel");
    $client_q = mysql_fetch_assoc($client_a);
    mysql_query("UPDATE users SET auth_ticket = '', auth_ticket = '".GenerateTicket()."', ip_last = '', ip_last = '".$ip."' WHERE id = '".$user_q['id']."'");
    $ticketsql = mysql_query("SELECT * FROM users WHERE id = '".$user_q['id']."'");
    $ticketrow = mysql_fetch_assoc($ticketsql);
    ?>
    <!DOCTYPE HTML>
    <html>
    <head>
        <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
        <link rel="stylesheet" href="<?php echo $aka?>/habbo-web/america/pt/app.css">
        <link rel="stylesheet" type="text/css" href="<?php echo $aka?>/game-data-server-static//./hotel.css">
        <script type="text/javascript" src="<?php echo $aka?>/game-data-server-static//./habboapi.js"></script>
    </head>
    <script type="text/javascript">
        var flashvars = {
            "external.texts.txt": "<?php echo $client_q['external_flash_texts']; ?>",
            "connection.info.port": "<?php echo $client_q['port']; ?>",
            "furnidata.load.url": "<?php echo $client_q['furnidata']; ?>",
            "external.variables.txt": "<?php echo $client_q['external_variables']; ?>",
            "client.allow.cross.domain": "1",
            "url.prefix": "<?php echo $site?>",
            "external.override.texts.txt": "<?php echo $client_q['external_flash_override_texts']; ?>",
            "supersonic_custom_css": "<?php echo $aka?>\/game-data-server-static\/\/.\/hotel.css",
            "external.figurepartlist.txt": "<?php echo $client_q['figuredata']; ?>",
            "flash.client.origin": "popup",
            "client.starting": "Por favor aguarde! O <?php echo $sitename?> est\u00E1 carregando...",
            "processlog.enabled": "1",
            "has.identity": "1",
            "productdata.load.url": "<?php echo $client_q['productdata']; ?>",
            "client.starting.revolving": "Cuando menos te lo esperes... terminará de cargar...\/Cargando mensaje divertido! Por favor espera.\/¿Quieres papas fritas para acompañar?\/Siga al pato amarillo.\/El tiempo \u00E9 es una ilus\u00E3ón.\/J\u00E1 chegamos?!\/Me gusta tu camiseta\/Mira para un lado, mira para el otro... parpadea dos veces. Listo\/No eres tú... soy yo\/Shhh! Estoy intentando pensar aquí\/Cargando universo de pixeles...",
            "external.override.variables.txt": "<?php echo $client_q['external_override_variables']; ?>",
            "spaweb": "1",
            "supersonic_application_key": "2c63c535",
            "connection.info.host": "<?php echo $client_q['host']; ?>",
            "sso.ticket": "<?php echo $ticketrow['auth_ticket']; ?>",
            "client.notify.cross.domain": "0",
            "account_id": "<?php echo $user_q['id']; ?>",
            "flash.client.url": "<?php echo $client_q['base']; ?>",
            "unique_habbo_id": "<?php echo $w?>",
        };
    </script>
    <script>
        var params = {
            "base": "<?php echo $client_q['base']; ?>",
            "allowScriptAccess": "always",
            "menu": "false",
            "wmode": "opaque"
        };
        swfobject.embedSWF('<?php echo $client_q['habbo_swf']; ?>', 'flash-container', '100%', '100%', '11.1.0', '//habboo-a.akamaihd.net/habboweb/63_1d5d8853040f30be0cc82355679bba7c/3630/web-gallery/flash/expressInstall.swf', flashvars, params, null, null);
        if (!(HabbletLoader.needsFlashKbWorkaround())) {
            params["wmode"] = "opaque";
        }
        FlashExternalInterface.signoutUrl = "<?php echo $site?>/logout";
    </script>
    <body id="client" class="flashclient">
      <div id="overlay"></div>
      <div id="client-ui" >
        <div id="flash-wrapper">
        <div id="flash-container">
        <div ng-if="isOpen &amp;&amp; !flashEnabled" class="client-error">
        <div class="client-error__text">
            <h1 class="client-error__title" translate="CLIENT_ERROR_TITLE">Ops, sem Flash, sem <?php echo $sitename?>!</h1>
            <p translate="CLIENT_ERROR_FLASH">Se você está utilizando um PC, você precisa <a href="http://www.adobe.com/go/getflashplayer" target="_blank">atualizar ou instalar o Flash player</a>.</p>
            <div class="client-error__downloads">
                <a href="http://www.adobe.com/go/getflashplayer" ng-href="http://www.adobe.com/go/getflashplayer" target="_blank" class="client-error__flash"></a>
            </div>
            <p translate="CLIENT_ERROR_MOBILE">Se você está utilizando um iPad, iPhone ou um dispositivo Android você deve baixar o <a href="https://itunes.apple.com/app/id794866182" target="_blank"><?php echo $sitename?> para iOS</a> na App Store ou <a href="https://play.google.com/store/apps/details?id=air.com.sulake.habboair" target="_blank"><?php echo $sitename?> para Android</a> na Google PlayStore.</p>
            <div class="client-error__downloads">
                <a href="https://itunes.apple.com/app/id794866182" ng-href="https://itunes.apple.com/app/id794866182" target="_blank" class="client-error__appstore"></a>
                <a href="https://play.google.com/store/apps/details?id=air.com.sulake.habboair" ng-href="https://play.google.com/store/apps/details?id=air.com.sulake.habboair" target="_blank" class="client-error__googleplay"></a>
            </div>
        </div>
        </div>
        </div>
        </div>
      </div>
    </body>
    </html>
    <?php }} ?>

  12. #12 Yonas (Registered, joined Apr 2016, The Netherlands, 13 posts)

    Re: Plus Emulator Security Fixes

    Good job! Sure that many people will appreciate it :)

    However, I'm not using Plus Emulator atm, but yeah, I'm planning to use it soon.

  13. #13 Brought (True Member, joined Aug 2013, 477 posts)

    Re: Plus Emulator Security Fixes

    This is a very beneficial thread for the community, especially because a majority of the community is now using the Plus Emulator that Sledmore released. Kudos to you for providing the community with this information rather than causing havoc. Not something a lot of people in the community would do.


  14. #14 Chapo (True Member, joined Jul 2010, 928 posts)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by Brought
    This is a very beneficial thread for the community, especially because a majority of the community is now using the Plus Emulator that Sledmore released. Kudos to you for providing the community with this information rather than causing havoc. Not something a lot of people in the community would do.
    Unfortunately, there is still much more, and perhaps even harmful. That's why I recommend Comet Server.

    Regards,
    Ryan

  15. #15 Damien Jolly (Member, joined Apr 2014, 93 posts)

    Re: Plus Emulator Security Fixes

    Quote Originally Posted by Gaby
    IMO More fixes > 1 should be

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.CheckRights(Session, false))
        return;
    and not

    Code:
    Room Room = Session.GetHabbo().CurrentRoom;
    if (Room == null)
        return;

    if (Room.OwnerId != Session.GetHabbo().Id && Room.CheckRights(Session, false))
        return;
    Otherwise you only allow the actual room owner to make changes to the wired, while everybody with rights should have this ability. Thanks for releasing these fixes, you've done a great job for the Plus-using community!
    Isn't it supposed to be..
    Code:
    if (!Room.CheckRights(Session, false))
        return;
    Otherwise you're allowing everyone BUT users with rights to use and save wired.



