hello this time I ask for help with admin level function? you do here? poque put the system / admin cmds player and does not leave anyone? I need help with that security and where I stand that I am admin. ???
Dude, you are posting in wrong section of the forum for help!!! And Did you visit http://wiki.vc-mp.org. There are plenty of examples for these functions!!!
And P.S stop making more than one topics for a single subject!!!
Explain a little better ???
Edit
I had also told you before to make hidden cmds if you can't fix!
Also I can't help you if i don't know what kind of system you are using(query etc), i suggest uploading one admin cmd to show how the administration system works. you register function login and i doubt you are even returning admin commands as false, return 0 for non admins!
If you can't fix it i would suggest uploading majority of your script Unfortunately, as your entire script for admin system has to be entirely re written!
It's really not that hard. I wrote mine in two minutes took 3 minutes of trying every exploit that i could think of.
#I'm on my phone so expect errors
if (cmd == "ban")
{
if ([Account] < 1) {
AdminCommand(player);
return true;
}
Players should never receive levels only admins. Instead of using levels use there password to authorize there account( this is how i achieved it fastly)
You will need to do stroger account management? Took me a while to ensure you can't re register an existing account etc, You will need to delete accounts as passwords are encrypted and would cause possible issues ( or do you encrypt passwords??)
First the class
class PlayerClass
{
Level = 0
}Then(Note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );Finally(to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{
plr = FindPlayer( player.ID );
if ((plr) && ( stats[player.ID].Level = 3))
{
Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
}
else Message("No Admins Online");
}
}Its tested and it works.
I can guarantee you that the above code doesn't work.
Quote from: {ultimatejugo] on Apr 04, 2016, 09:52 AMFirst the class
class PlayerClass
{
Level = 0
}Then(Note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );Finally(to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{
plr = FindPlayer( player.ID );
if ((plr) && ( stats[player.ID].Level = 3))
{
Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
}
else Message("No Admins Online");
}
}Its tested and it works.
it looks horrible to me.
class Something{
Level = 0;
}
const MIN_ADMIN_LEVEL = 2;
g_stats <- array( GetMaxPlayers() );
function onPlayerJoin( CPlayer ){
g_stats[ CPlayer.ID ] = Something();
}
function onPlayerCommand( player, cmd, text ){
if( cmd == "admins" ){
local c_MaxPlayers = GetMaxPlayers(), c_AdminList = "";
for( local I = 0; I < c_MaxPlayers; I++ ) if( g_stats[ I ].Level >= ADMIN_MIN_LEVEL ) c_AdminList += FindPlayer( I ).Name + ", ";
Message( c_AdminList );
}
}Don't have time to mess with other things. Untested code anyways.
if i show u a ss of it working wot will u do doom?
Quote from: {ultimatejugo] on Apr 04, 2016, 03:05 PMif i show u a ss of it working wot will u do doom?
Your SS should show the EXACT same code you posted in a blank server and show me its working.
Quote from: {ultimatejugo] on Apr 04, 2016, 03:05 PMif i show u a ss of it working wot will u do doom?
Why not try it in a Blank script then ? and where This
sqliteDBeven exist? Just copy pasters dude! Add this
stats <- array(GetMaxPlayers(), null);Change
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB ); to
stats[ player.ID ] = PlayerClass(); and, so many!
Quote from: MaTaDeToR on Apr 04, 2016, 04:03 PMQuote from: {ultimatejugo] on Apr 04, 2016, 03:05 PMif i show u a ss of it working wot will u do doom?
Why not try it in a Blank script then ? and where This sqliteDBeven exist? Just copy pasters dude!
What about the 'stats' array?
And what about this master-piece:-
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{There are many errors in the code.
Quote from: KAKAN on Apr 04, 2016, 04:05 PMQuote from: MaTaDeToR on Apr 04, 2016, 04:03 PMQuote from: {ultimatejugo] on Apr 04, 2016, 03:05 PMif i show u a ss of it working wot will u do doom?
Why not try it in a Blank script then ? and where This sqliteDBeven exist? Just copy pasters dude!
What about the 'stats' array?
And what about this master-piece:-
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{There are many errors in the code.
I do mention it above my post, sorry it was edited, i guess you didn't recognize..... anyway i won't waste my time anymore....
You better try this :P
else if(cmd == "your command")
{
{
if (player == "admin1" || player == "admin2" || player == "admin3" )
//Do things here
{
{ Hope i helped you :D
if else.
:P fixed
If you can't be arsed to test your snippets I'd rather if you don't post them. There's clearly syntax errors, still, so you probably didn't test it.
Quote from: {ultimatejugo] on Apr 04, 2016, 09:52 AMFirst the class
class PlayerClass
{
Level = 0
}Then(Note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );Finally(to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{
plr = FindPlayer( player.ID );
if ((plr) && ( stats[player.ID].Level = 3))
{
Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
}
else Message("No Admins Online");
}
}Its tested and it works.
For those that use this method its EXTREMELY EXPLOITABLE, Why are you sharing the same level system with the players and admins? You need to set in the class a different level system that only is used for admin's. and if they are not admins keep it null in the database. Let alone the databases usually converts the name to lower case so I or anyone could exploit this in 2 minutes, Please update your systems as this is bad practice,
I am not hear to hack peoples systems. I only know this from players attempting to break my system in the past.
Quote from: Mr_Motley on Apr 13, 2016, 07:04 PMQuote from: {ultimatejugo] on Apr 04, 2016, 09:52 AMFirst the class
class PlayerClass
{
Level = 0
}Then(Note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );Finally(to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
local plr = GetPlayers();
{
plr = FindPlayer( player.ID );
if ((plr) && ( stats[player.ID].Level = 3))
{
Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
}
else Message("No Admins Online");
}
}Its tested and it works.
For those that use this method its EXTREMELY EXPLOITABLE, Why are you sharing the same level system with the players and admins? You need to set in the class a different level system that only is used for admin's. and if they are not admins keep it null in the database. Let alone the databases usually converts the name to lower case so I or anyone could exploit this in 2 minutes, Please update your systems as this is bad practice,
I am not hear to hack peoples systems. I only know this from players attempting to break my system in the past.
If using this system is exploitable, you're not doing it right. I don't see any problem in using a level system to see what privileges a player has.
With every system you'd have to make it right though. For example, using the code from @{ultimatejugo is going to be fun, since you'd make everyone a level 3 admin. Good stuff! (Hint: You forgot a =)
Whether you're having a column in your database that tells if you're an admin or not (true/false, or null/privileges), or a level (0 reg player, 1+ mod/admin) makes not difference at all. Once someone finds an exploit in your code, you're still fucked when people can change those values.
Having lowercase doesn't matter either, since (if you'd make it right) you would check with a lowercase nick and only allow admin commands when they're logged in.
Please, feel free to explain how your system (whatever that might be, not clear from your post) is better practice, and the level system is more exploitable.
I forgot one main piece that will 99% allow it, that is if you only use Name Lower, Lets say I use Motley. And I create a bug called MOTLEY majority of the times if i join the server the same time as the original name I can exploit the admin system and begin banning other players (sometimes the original name on the server at the same time is not needed but would be recommended it helps trick the database), as well I could take and do this and create and legit account and give that legit account admin and leave before noticed. Then i can ban players.
It is a weird bug and does not always work, It takes a lot of trying sometime,
When I joined VC:MP I had this issue once again not only LU (Stress testing the admin system) so I had to do stronger authorizations that only relate to a modified account rather than a level system, only admins where given levels, Players where authorized by password existence, not levels. So if password returns true tell them to login, else they need to register.
This is a weird exploit, Like you said if you do the system correctly you would not need to worry about this issue.
BUT Ever since i learned this i refuse to allow other players to have levels OR at-least share the same level system. Because there is that what if it actually happened. It takes a lot of patience to make the exploit happen, or poor systems it takes seconds..
So with this knowledge is why I recommend not to use levels. authorize the players with passwords not levels. with the admin level system create and array as well for that admin setting. you can still use interesting levels.
Quote from: Mr_Motley on Apr 13, 2016, 09:20 PMI forgot one main piece that will 99% allow it, that is if you only use Name Lower, Lets say I use Motley. And I create a bug called MOTLEY majority of the times if i join the server the same time as the original name I can exploit the admin system and begin banning other players (sometimes the original name on the server at the same time is not needed but would be recommended it helps trick the database), as well I could take and do this and create and legit account and give that legit account admin and leave before noticed. Then i can ban players.
Some points you need to answer:
1. The database stores the name as 'motley', so if you join using 'MOTLEY' it would ask you to login instead of register.
2. You can't ban someone unless you're logged in, isn't' it?
If you can do that, then your script is f*ed up.
It does not ask you to login it wants a register that's where you have to do some tricks... Technically in this mater of admins names should never be lowered,
Tested on ADM script to ensure its not just my scripting meh, It works( Took a freaking long time {1hr}).
It is not just my part,. It's any server. Anyone could get this to work with the right patience. The correct admin would know to ban this player, unless its two late(if you added "Cant ban, kick, etc to admins(then your really fucked)".
The best fix is to not use levels but only for admins, Players should never share the same level system as admins,
Honestly if you think about it what other logical explanation is there to explain?
This is incorrect server building .
I would prefer to not show "videos etc" As I am not hear to teach as this is something terrible to know I was lucky and was thought how they exploited my system,. I am only hear to help others with the issues I have had to deal with.
This is just as bad as using player.Cash all over your server as well. As you are opening money hacks.
Please just trust me. If not just remember what someone may do one day, There are crappy players online looking to screw server owners.
Well, then the /register command is bugged
else if ( ( cmd == "admin" ) || ( cmd == "ADMIN" ) )
{
local plr, b;
for( local i = 0; i <= GetMaxPlayers(); i++ )
{
plr = FindPlayer( i );
if ( ( plr ) && ( pstats[ plr.ID ].Level >= 2 ) )
{
if ( b ) b = b + ", " + plr.Name + " (Level: " + pstats[ plr.ID ].Level + ")"
else b = plr.Name + " Level: " + pstats[ plr.ID ].Level + ")"
}
}
if ( b ) Message( "[#00FFFF]**[#00FF00] Admins Online[#FFFFFF]: [ " + b + " ]" );
else Message( "[#00FFFF]**[#00FF00] No Admins Online." );
}
Wow! That's a very good work, mate!
What's wrong with it?