system know who your admin

Started by kennedyarz, Mar 21, 2016, 01:54 AM


Thijn

If you can't be arsed to test your snippets, I'd rather you didn't post them. There are clearly syntax errors, still, so you probably didn't test it.

Mötley

Quote from: {ultimatejugo] on Apr 04, 2016, 09:52 AM
First the class
class PlayerClass
{
    Level = 0
}
Then (note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );
Finally (to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
    local plr = GetPlayers();
    {
        plr = FindPlayer( player.ID );
        if ((plr) && ( stats[player.ID].Level = 3))
        {
            Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
        }
        else Message("No Admins Online");
    }
}
It's tested and it works.

For those that use this method, it's EXTREMELY EXPLOITABLE. Why are you sharing the same level system with the players and admins? You need to set in the class a different level system that is only used for admins, and if they are not admins keep it null in the database. Let alone the databases usually convert the name to lower case, so I or anyone could exploit this in 2 minutes. Please update your systems as this is bad practice.

I am not here to hack people's systems. I only know this from players attempting to break my system in the past.

Thijn

Quote from: Mr_Motley on Apr 13, 2016, 07:04 PM
Quote from: {ultimatejugo] on Apr 04, 2016, 09:52 AM
First the class
class PlayerClass
{
    Level = 0
}
Then (note this is to be pasted on onplayerjoin):
stats[ player.ID ] = PlayerClass( player.Name, sqliteDB );
Finally (to be pasted on onplayercommand):
else if (cmd == "admins" || cmd == "admin")
{
    local plr = GetPlayers();
    {
        plr = FindPlayer( player.ID );
        if ((plr) && ( stats[player.ID].Level = 3))
        {
            Message("Admins: " + plr.Name + " [" + stats[player.ID].Level + "]");
        }
        else Message("No Admins Online");
    }
}
It's tested and it works.

For those that use this method, it's EXTREMELY EXPLOITABLE. Why are you sharing the same level system with the players and admins? You need to set in the class a different level system that is only used for admins, and if they are not admins keep it null in the database. Let alone the databases usually convert the name to lower case, so I or anyone could exploit this in 2 minutes. Please update your systems as this is bad practice.

I am not here to hack people's systems. I only know this from players attempting to break my system in the past.

If using this system is exploitable, you're not doing it right. I don't see any problem in using a level system to see what privileges a player has.
With every system you'd have to make it right though. For example, using the code from @{ultimatejugo is going to be fun, since you'd make everyone a level 3 admin. Good stuff! (Hint: You forgot a =)

Whether you're having a column in your database that tells if you're an admin or not (true/false, or null/privileges), or a level (0 reg player, 1+ mod/admin) makes no difference at all. Once someone finds an exploit in your code, you're still fucked when people can change those values.

Having lowercase doesn't matter either, since (if you'd make it right) you would check with a lowercase nick and only allow admin commands when they're logged in.

Please, feel free to explain how your system (whatever that might be, not clear from your post) is better practice, and the level system is more exploitable.

Mötley

I forgot one main piece that will 99% allow it, that is, if you only use Name Lower. Let's say I use Motley, and I create a bug called MOTLEY. The majority of the time, if I join the server at the same time as the original name, I can exploit the admin system and begin banning other players (sometimes the original name on the server at the same time is not needed, but it would be recommended as it helps trick the database). As well, I could do this and create a legit account and give that legit account admin and leave before being noticed. Then I can ban players.

It is a weird bug and does not always work. It takes a lot of trying sometimes.

When I joined VC:MP I had this issue once again, not only in LU (stress testing the admin system), so I had to do stronger authorizations that only relate to a modified account rather than a level system. Only admins were given levels; players were authorized by password existence, not levels. So if password returns true, tell them to login, else they need to register.

This is a weird exploit. Like you said, if you do the system correctly you would not need to worry about this issue.

BUT ever since I learned this I refuse to allow other players to have levels OR at least share the same level system, because there is that what-if it actually happened. It takes a lot of patience to make the exploit happen, or on poor systems it takes seconds.

So this knowledge is why I recommend not to use levels. Authorize the players with passwords, not levels. With the admin level system, create an array as well for that admin setting. You can still use interesting levels.

 

KAKAN

Quote from: Mr_Motley on Apr 13, 2016, 09:20 PM
I forgot one main piece that will 99% allow it, that is, if you only use Name Lower. Let's say I use Motley, and I create a bug called MOTLEY. The majority of the time, if I join the server at the same time as the original name, I can exploit the admin system and begin banning other players (sometimes the original name on the server at the same time is not needed, but it would be recommended as it helps trick the database). As well, I could do this and create a legit account and give that legit account admin and leave before being noticed. Then I can ban players.

Some points you need to answer:
1. The database stores the name as 'motley', so if you join using 'MOTLEY' it would ask you to login instead of register.
2. You can't ban someone unless you're logged in, isn't it?

If you can do that, then your script is f*ed up.
oh no
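
An added example, not part of any post in this thread and not any server's own code: one way to implement what Thijn and KAKAN describe (a single lowercase account key shared by register, login and lookup, and admin commands gated on a logged-in session), with an admin level that stays null for ordinary players as Mötley suggests. The tables and every function name are hypothetical, an in-memory table stands in for the database, and the caller is assumed to pass an already hashed password.

```squirrel
// Added example. accounts, sessions and all function names are hypothetical.
accounts <- {};   // normalized name -> { pass = <hash>, adminLevel = null or integer }
sessions <- {};   // player ID -> normalized name, present only after a login

// The ONE place names are normalized. Register, login and lookup all go
// through it, so "Motley" and "MOTLEY" always resolve to the same account.
function AccountKey( name ) { return name.tolower(); }

function Register( name, passHash )
{
    local key = AccountKey( name );
    if ( key in accounts ) return false;      // key taken: this player must log in
    accounts[ key ] <- { pass = passHash, adminLevel = null };
    return true;
}

function Login( playerID, name, passHash )
{
    local key = AccountKey( name );
    if ( !( key in accounts ) ) return false;
    if ( accounts[ key ].pass != passHash ) return false;
    sessions[ playerID ] <- key;
    return true;
}

// Call from the disconnect handler so a reused player ID starts logged out.
function Logout( playerID )
{
    if ( playerID in sessions ) delete sessions[ playerID ];
}

// Privilege check: requires a login session, reads the level from the account
// (not from the nick) and compares with >= rather than assigning with =.
function IsAdmin( playerID, minLevel )
{
    if ( !( playerID in sessions ) ) return false;
    local level = accounts[ sessions[ playerID ] ].adminLevel;
    return level != null && level >= minLevel;
}

// Constructed walk-through with made-up values
Register( "Motley", "constructed-hash" );
accounts[ AccountKey( "Motley" ) ].adminLevel = 3;      // granted by the owner
print( Register( "MOTLEY", "other-hash" ) + "\n" );     // same key as "Motley"
print( IsAdmin( 7, 3 ) + "\n" );                        // player ID 7, no session yet
Login( 7, "MOTLEY", "constructed-hash" );
print( IsAdmin( 7, 3 ) + "\n" );                        // same check after login
```
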

Mötley

It does not ask you to login, it wants a register; that's where you have to do some tricks... Technically, in this matter of admins, names should never be lowered.

Tested on ADM script to ensure it's not just my scripting, meh. It works (took a freaking long time {1hr}).
It is not just my part. It's any server. Anyone could get this to work with the right patience. The correct admin would know to ban this player, unless it's too late (if you added "Can't ban, kick, etc. to admins", then you're really fucked).

The best fix is to not use levels but only for admins. Players should never share the same level system as admins.

Honestly, if you think about it, what other logical explanation is there to explain?

This is incorrect server building.

I would prefer to not show "videos etc.", as I am not here to teach, as this is something terrible to know. I was lucky and was taught how they exploited my system. I am only here to help others with the issues I have had to deal with.

This is just as bad as using player.Cash all over your server as well, as you are opening money hacks.
Please just trust me. If not, just remember what someone may do one day. There are crappy players online looking to screw server owners.

KAKAN

Well, then the /register command is bugged
oh no

kennedyarz

else if ( ( cmd == "admin" ) || ( cmd == "ADMIN" ) )
{
    local plr, b;
    // Walk every player slot and collect the online players with Level >= 2
    for( local i = 0; i <= GetMaxPlayers(); i++ )
    {
        plr = FindPlayer( i );
        if ( ( plr ) && ( pstats[ plr.ID ].Level >= 2 ) )
        {
            // Same "(Level: n)" format for the first entry and the following ones
            if ( b ) b = b + ", " + plr.Name + " (Level: " + pstats[ plr.ID ].Level + ")";
            else b = plr.Name + " (Level: " + pstats[ plr.ID ].Level + ")";
        }
    }
    if ( b ) Message( "[#00FFFF]**[#00FF00] Admins Online[#FFFFFF]: [ " + b + " ]" );
    else Message( "[#00FFFF]**[#00FF00] No Admins Online." );
}

KAKAN

Wow! That's a very good work, mate!
What's wrong with it?
oh no