From b2ce6be543734595a74a40a2e8937414b720a38b Mon Sep 17 00:00:00 2001 From: SilicaAndPina Date: Wed, 19 May 2021 12:17:16 +1200 Subject: [PATCH] More web stuff --- WebInterface/game-site/config.php | 2 +- WebInterface/game-site/setupaccount.php | 40 ------- .../game-site/web/admin/administrate.php | 10 +- WebInterface/game-site/web/admin/index.php | 4 +- WebInterface/game-site/web/admin/login.php | 8 +- WebInterface/master-site/account.php | 68 +++++++---- WebInterface/master-site/common.php | 101 +++++++++++++--- WebInterface/master-site/crosserver.php | 113 ++++++++++++++++++ WebInterface/master-site/index.php | 25 ++-- WebInterface/master-site/joinserver.php | 47 ++++++++ WebInterface/master-site/servers.php | 3 +- WebInterface/master-site/web/header.php | 20 +--- 12 files changed, 323 insertions(+), 118 deletions(-) delete mode 100644 WebInterface/game-site/setupaccount.php create mode 100644 WebInterface/master-site/joinserver.php diff --git a/WebInterface/game-site/config.php b/WebInterface/game-site/config.php index 0327be9..cbbd1ab 100755 --- a/WebInterface/game-site/config.php +++ b/WebInterface/game-site/config.php @@ -11,7 +11,7 @@ $dbhost = '127.0.0.1'; # Should be set to the same value on all game sites and the master site. # NOTE: if someone knows this secret they can create accounts with ADMIN privledges! $hmac_secret = "!!NOTSET!!"; - +$master_site = "http://server.islehorse.com"; # Password for /web/admin $admin_portal_password = "!!NOTSET!!"; ?> diff --git a/WebInterface/game-site/setupaccount.php b/WebInterface/game-site/setupaccount.php deleted file mode 100644 index 6139e0d..0000000 --- a/WebInterface/game-site/setupaccount.php +++ /dev/null 
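Review bot: The NOTE above `$hmac_secret` is stale after this commit: setupaccount.php, the endpoint that let a holder of the secret create admin accounts, is deleted here, and the secret's remaining use is the `CrossSiteLogin` HMAC that master-site/account.php puts in the `C=` query parameter, so anyone who knows it can presumably forge a login token for any player id (the verifying side in game-site/account.php is not in this patch). Suggest rewording to `# NOTE: anyone who knows this secret can forge cross-site login tokens (account.php?SLID=...&C=...) for ANY player id, including admins!`. `$master_site` is also a plain `http://` URL; if it is used to build redirects that carry that token, the token travels in cleartext, so prefer https.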
@@ -1,40 +0,0 @@ -Change it from the default and then try again!"); - exit(); -} - -if(isset($_POST["ID"], $_POST["USERNAME"], $_POST["USERNAME"], $_POST["PASSHASH"], $_POST["PASSSALT"], $_POST["SEX"], $_POST["MODERATOR"], $_POST["ADMIN"], $_POST["CODE"])) -{ - $id = $_POST["ID"]; - $username = $_POST["USERNAME"]; - $passhash = $_POST["PASSHASH"]; - $passsalt = $_POST["PASSSALT"]; - $sex = $_POST["SEX"]; - $moderator = $_POST["MODERATOR"]; - $admin = $_POST["ADMIN"]; - $code = $_POST["CODE"]; - - #Verify Input - $hmac = hash_hmac('sha256', (string)$id.$username.$passhash.$passsalt.$sex.$moderator.$admin, $hmac_secret."HOIL4321")); - - if (hash_equals($code, $hmac)) - { - # Create Account. - $stmt = $connect->prepare("INSERT INTO Users VALUES(?,?,?,?,?,?,?)"); - $stmt->bind_param("issssss", $id, $username, $passhash, $passsalt, $sex, $admin, $moderator); - $stmt->execute(); - echo("OK"); - } - else - { - header("HTTP/1.1 403 Forbidden"); - echo("Invalid HMAC! Please ensure that all game-site's have the same HMAC as the master-site! - } -} - -?> \ No newline at end of file diff --git a/WebInterface/game-site/web/admin/administrate.php b/WebInterface/game-site/web/admin/administrate.php index 25e85f9..7a55e64 100644 --- a/WebInterface/game-site/web/admin/administrate.php +++ b/WebInterface/game-site/web/admin/administrate.php @@ -9,9 +9,9 @@ include("../header.php");
execute(); } echo("
Permissions updated successfully.
"); - echo("Go back"); + echo("Go back"); include("../footer.php"); exit(); } @@ -77,7 +77,7 @@ include("../header.php"); ?>
HISP - Admin Portal

Player Operations
-
+
Username:
@@ -93,7 +93,7 @@ include("../header.php");


- Logout from admin portal
+ Logout from admin portal

diff --git a/WebInterface/game-site/web/admin/index.php b/WebInterface/game-site/web/admin/index.php index b04c904..2d5b9a6 100644 --- a/WebInterface/game-site/web/admin/index.php +++ b/WebInterface/game-site/web/admin/index.php @@ -2,7 +2,7 @@ include("../../config.php"); session_start(['cookie_lifetime' => 86400]); -$_SESSION["logged_in"] = false; +$_SESSION["A_LOGGED_IN"] = "NO"; include("../header.php"); ?> @@ -11,7 +11,7 @@ include("../header.php");
HISP - Super Admin Login

This page requires a password, please enter it below:
-
+
diff --git a/WebInterface/game-site/web/admin/login.php b/WebInterface/game-site/web/admin/login.php index d83e7fc..e81bdcc 100644 --- a/WebInterface/game-site/web/admin/login.php +++ b/WebInterface/game-site/web/admin/login.php @@ -20,19 +20,19 @@ include("../header.php"); exit; } - $_SESSION["logged_in"] = true; - header("Location: administrate.php"); + $_SESSION["A_LOGGED_IN"] = "YES"; + header("Location: /web/admin/administrate.php"); } else { echo("
The password you entered was NOT correct.
"); - echo("Try Again..."); + echo("Try Again..."); } } else { echo("
You didnt enter a password.
"); - echo("Try Again..."); + echo("Try Again..."); } ?> diff --git a/WebInterface/master-site/account.php b/WebInterface/master-site/account.php index ed8eeb7..0288388 100755 --- a/WebInterface/master-site/account.php +++ b/WebInterface/master-site/account.php @@ -1,7 +1,9 @@ Username or Password is not valid or your account has timed out. Please Log in again.

"); - $_SESSION['LOGGED_IN'] = "NO"; - include("web/footer.php"); - exit(); - pass: + include("web/header.php"); + echo(" + Username or Password is not valid or your account has timed out. Please Log in again.

"); + $_SESSION['LOGGED_IN'] = "NO"; + include("web/footer.php"); + exit(); } -else + +if(isset($_GET['CONNECT'])) { - goto error; + $server = getServerById($_GET['CONNECT']); + + if($server !== null) + { + $playerId = $_SESSION['PLAYER_ID']; + + $hmac = hash_hmac('sha256', (string)$playerId, $hmac_secret."CrossSiteLogin"); + $redirectUrl = $server['site']; + + if(!endsWith($redirectUrl, '/')) + $redirectUrl .= '/'; + + $redirectUrl .= 'account.php?SLID='.(string)$playerId.'&C='.base64_encode(hex2bin($hmac)); + + header("Location: ".$redirectUrl); + exit(); + } } include("web/header.php"); ?> You were on this server last time:
SERVER: PINTO.HORSEISLE.COM


Not Subscribed
Quest Points: 75pts
Times Online: 3
Last On: 0.84 days ago
17
players
online
now
[LOG IN]
?> [June 23, 2020 Latest Horse Isle News] Horse Isle 1 Compromise:
Unfortunately, some troublemakers made a mess of HI1.
We have reverted to a backup from 4am PST and taken some precautions. So, anything you "did" this morning was reverted.
We have also given all subs +12hrs to cover the down time.

Because passwords for accounts were likely compromised, we setup a system to verify and unlock for players' protection. When you try to login you will be prompted to reset your password. We can automatically unlock most players' accounts, but some will require manual support via email. Just follow the directions and please be patient with us.

Sorry about the trouble. HI1 was never designed to survive so long into this new mean digital world. ;)

P.S. The XSS alert was a simple javascript alert, just meaningless and harmless.

Thanks!
?>
We have a Beginner Guide online to help new players learn how to play.

Horse Isle Server List
Each server is completely independent and has identical game content. Money/horses/subscriptions are all tied to a particular server. Normally you will only play on one server. Playing on any server uses up playtime on all servers, so you do not gain any free time. Reasons for playing on more than one include joining a friend, or in case your normal server is down. -Multiple servers are required since there is a max capacity of around 150 players online per server.
Please note, a profile on any individual server will be permanently deleted after 183 days (6 months) of not logging into the game on that specific server or your subscription expiring, whichever is later.Please note, a profile on any individual server will be permanently deleted after 183 days (6 months) of not logging into the game on that specific server or your subscription expiring, whichever is later.
GAME SERVERS (all identical please only join 1 or 2)PROFILE (not current)ONLINELOGIN

+'); + $domain = parse_url($url, PHP_URL_HOST); + $join = ''; + if(!userid_exists($server['database'], $_SESSION['PLAYER_ID'])) + $join = '[JOIN]'; + else + $join = '[LOG IN]'; + + echo(''); } ?> diff --git a/WebInterface/master-site/common.php b/WebInterface/master-site/common.php index 78e91e3..c056715 100755 --- a/WebInterface/master-site/common.php +++ b/WebInterface/master-site/common.php @@ -13,12 +13,23 @@ function hash_salt(string $input, string $salt) return hash('sha512',$xor_hash,false); } +function is_logged_in() +{ + if(session_status() !== PHP_SESSION_ACTIVE) + return false; + + if(isset($_SESSION["LOGGED_IN"])) + if($_SESSION["LOGGED_IN"] === "YES") + return true; + return false; +} + function user_exists(string $username) { include('dbconfig.php'); $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); - $stmt = $connect->prepare("SELECT COUNT(1) FROM Users WHERE Username=?"); - $stmt->bind_param("s", $username); + $stmt = $connect->prepare("SELECT COUNT(1) FROM Users WHERE UPPER(Username)=?"); + $stmt->bind_param("s", strtoupper($username)); $stmt->execute(); $result = $stmt->get_result(); $count = intval($result->fetch_row()[0]); 
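Review bot: The cross-site login token built in the `CONNECT` branch, `hash_hmac('sha256', (string)$playerId, $hmac_secret."CrossSiteLogin")`, signs only the player id, so it never expires, is identical for every game server and is not tied to the session that requested it: once observed it is a permanent impersonation credential for that player, and it is exposed in the URL (`account.php?SLID=...&C=...`), i.e. in browser history, Referer headers and the game site's access logs, over the plain `http://` addresses servers.php now lists. Sign a payload that includes the target and an issue time, e.g. `$ts = time(); $hmac = hash_hmac('sha256', $playerId.'|'.$server['id'].'|'.$ts, $hmac_secret."CrossSiteLogin");` and append `'&T='.$ts` so the receiving side (game-site/account.php, not in this patch) can reject stale tokens. `base64_encode()` output is not URL-safe (`+`, `/`, `=`), so wrap it in `rawurlencode()` or pass the hex digest directly.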
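Review bot: The case-insensitive lookup in `user_exists`/`get_userid` folds on two different rules: PHP's `strtoupper()` is byte-wise ASCII (locale-dependent before 8.2) while MySQL's `UPPER()` follows the column collation, so a username containing non-ASCII letters can fail to match its own row, and wrapping `Username` in `UPPER()` stops any index on the column from being used. If usernames are meant to be case-insensitive, prefer `WHERE Username = ?` with a case-insensitive collation on the column (or an explicit `COLLATE` clause in the query) and drop the PHP-side fold, or at least use `mb_strtoupper()` on both sides consistently.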
@@ -30,31 +41,80 @@ function get_userid(string $username) include('dbconfig.php'); $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); - $stmt = $connect->prepare("SELECT Id FROM Users WHERE Username=?"); - $stmt->bind_param("s", $username); + $stmt = $connect->prepare("SELECT Id FROM Users WHERE UPPER(Username)=?"); + $stmt->bind_param("s", strtoupper($username)); $stmt->execute(); $result = $stmt->get_result(); $id = intval($result->fetch_row()[0]); return $id; } -function check_password(int $userId, string $password) +function get_sex(int $userid) { include('dbconfig.php'); $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); - $stmt = $connect->prepare("SELECT PassHash FROM Users WHERE Id=?"); - $stmt->bind_param("i", $userId); + $stmt = $connect->prepare("SELECT Gender FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); $stmt->execute(); $result = $stmt->get_result(); - $passhash = $result->fetch_row()[0]; + return $result->fetch_row()[0]; - $stmt = $connect->prepare("SELECT Salt FROM Users WHERE Id=?"); - $stmt->bind_param("i", $userId); +} + +function get_admin(int $userid) +{ + include('dbconfig.php'); + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + + $stmt = $connect->prepare("SELECT Admin FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); $stmt->execute(); $result = $stmt->get_result(); - $passsalt = $result->fetch_row()[0]; - $passsalt = hex2bin($passsalt); + return $result->fetch_row()[0]; + +} + +function get_mod(int $userid) +{ + include('dbconfig.php'); + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + + $stmt = $connect->prepare("SELECT Moderator FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); + $stmt->execute(); + $result = $stmt->get_result(); + return $result->fetch_row()[0]; + +} + +function 
get_password_hash(int $userid) +{ + include('dbconfig.php'); + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $stmt = $connect->prepare("SELECT PassHash FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); + $stmt->execute(); + $result = $stmt->get_result(); + return $result->fetch_row()[0]; + +} + +function get_salt(int $userid) +{ + include('dbconfig.php'); + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $stmt = $connect->prepare("SELECT Salt FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); + $stmt->execute(); + $result = $stmt->get_result(); + return $result->fetch_row()[0]; +} + +function check_password(int $userId, string $password) +{ + $passhash = get_password_hash($userId); + $passsalt = hex2bin(get_salt($userId)); $acturalhash = hash_salt($password, $passsalt); if($acturalhash === $passhash) @@ -65,11 +125,24 @@ function check_password(int $userId, string $password) function populate_db() { - include('dbconfig.php'); $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); mysqli_query($connect, "CREATE TABLE IF NOT EXISTS Users(Id INT, Username TEXT(16),Email TEXT(128),Country TEXT(128),SecurityQuestion Text(128),SecurityAnswerHash TEXT(128),Age INT,PassHash TEXT(128), Salt TEXT(128),Gender TEXT(16), Admin TEXT(3), Moderator TEXT(3))"); - mysqli_query($connect, "CREATE TABLE IF NOT EXISTS OnlineUsers(playerId INT, Admin TEXT(3), Moderator TEXT(3), Subscribed TEXT(3))"); } + +function startsWith( $haystack, $needle ) { + $length = strlen( $needle ); + return substr( $haystack, 0, $length ) === $needle; +} + +function endsWith( $haystack, $needle ) { + $length = strlen( $needle ); + if( !$length ) { + return true; + } + return substr( $haystack, -$length ) === $needle; +} + + ?> \ No newline at end of file 
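Review bot: `populate_db()` loses its `include('dbconfig.php');` line but still calls `mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)`, so inside the function those variables are undefined, the connect runs with nulls (php.ini defaults) and the `or die(...)` fires; restore `include('dbconfig.php');` as the first statement, as every other helper in this file does. Separately, the new `get_sex`/`get_admin`/`get_mod`/`get_password_hash`/`get_salt` return `$result->fetch_row()[0]` without checking that a row exists, so `check_password()` on an unknown id ends up calling `hex2bin(null)` and comparing against null; guard with `$row = $result->fetch_row(); return $row === null ? null : $row[0];` and have `check_password` return false when either the hash or the salt is null.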
diff --git a/WebInterface/master-site/crosserver.php b/WebInterface/master-site/crosserver.php index e69de29..e816ff8 100644 --- a/WebInterface/master-site/crosserver.php +++ b/WebInterface/master-site/crosserver.php 
@@ -0,0 +1,113 @@ +fetch_row()[0]; +} + +function getNoSubbedPlayersOnlineInServer($database) +{ + include('dbconfig.php'); + $dbname = $database; + + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $onlineSubscribers = mysqli_query($connect, "SELECT COUNT(1) FROM OnlineUsers WHERE Subscribed = 'YES'"); + return $onlineSubscribers->fetch_row()[0]; +} + +function getNoModPlayersOnlineInServer($database) +{ + include('dbconfig.php'); + $dbname = $database; + + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $onlineModerators = mysqli_query($connect, "SELECT COUNT(1) FROM OnlineUsers WHERE Moderator = 'YES' OR Admin='YES'"); + return $onlineModerators->fetch_row()[0]; +} + +function getServerById(string $id) +{ + include('servers.php'); + for($i = 0; $i < count($server_list); $i++) + { + if($server_list[$i]['id'] == $id) + return $server_list[$i]; + } + return null; +} + + +function userid_exists(string $database, string $userid) +{ + include('dbconfig.php'); + $dbname = $database; + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $stmt = $connect->prepare("SELECT COUNT(1) FROM Users WHERE Id=?"); + $stmt->bind_param("i", $userid); + $stmt->execute(); + $result = $stmt->get_result(); + $count = intval($result->fetch_row()[0]); + return $count>0; +} + +function createAccountOnServer(string $database) +{ + include('dbconfig.php'); + $dbname = $database; + + $id = intval($_SESSION['PLAYER_ID']); + $username = $_SESSION['USERNAME']; + $sex = $_SESSION['SEX']; + $admin = $_SESSION['ADMIN']; + $mod = $_SESSION['MOD']; + $passhash = $_SESSION['PASSWORD_HASH']; + $salt = $_SESSION['SALT']; + + + $connect = mysqli_connect($dbhost, $dbuser, $dbpass,$dbname) or die("Unable to connect to '$dbhost'"); + $stmt = $connect->prepare("INSERT INTO Users VALUES(?,?,?,?,?,?,?)"); + $stmt->bind_param("issssss", $id, 
$username, $passhash, $salt, $sex, $admin, $mod); + $stmt->execute(); +} + +# Global Functions +function getNoPlayersOnlineGlobal() +{ + include('servers.php'); + $playersOn = 0; + for($i = 0; $i < count($server_list); $i++) + { + $playersOn += getNoPlayersOnlineInServer($server_list[$i]['database']); + } + return $playersOn; +} + +function getNoSubbedPlayersOnlineGlobal() +{ + include('servers.php'); + $playersOn = 0; + for($i = 0; $i < count($server_list); $i++) + { + $playersOn += getNoSubbedPlayersOnlineInServer($server_list[$i]['database']); + } + return $playersOn; +} + +function getNoModPlayersOnlineGlobal() +{ + include('servers.php'); + $playersOn = 0; + for($i = 0; $i < count($server_list); $i++) + { + $playersOn += getNoModPlayersOnlineInServer($server_list[$i]['database']); + } + return $playersOn; +} + + +?> \ No newline at end of file diff --git a/WebInterface/master-site/index.php b/WebInterface/master-site/index.php index 7305dcd..4ce3382 100755 --- a/WebInterface/master-site/index.php +++ b/WebInterface/master-site/index.php @@ -1,12 +1,14 @@ Parent's Guide
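Review bot: `createAccountOnServer()` ignores the results of `prepare()` and `execute()`, so a failed INSERT (duplicate id, schema mismatch, unreachable database) is silent and the caller in joinserver.php cannot tell success from failure; return the outcome, `return $stmt !== false && $stmt->execute();`, and let the caller branch on it. `userid_exists()` declares `$userid` as `string` but binds it with `"i"`, so take `int $userid` instead, and `getServerById()` compares `$_GET['CONNECT']` with `==` where `===` is the safer choice for string ids. The function also copies `PASSWORD_HASH` and `SALT` out of `$_SESSION` into the target database, which implies the login handler keeps password material in the session store; looking them up from the master Users table by id at join time (`get_password_hash()`/`get_salt()` in common.php already do this) would avoid that.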
CURRENTLY:
fetch_row()[0]; if($hasIntl) -echo numfmt_format($fmt, $onlineUsersCount); +echo numfmt_format($fmt, $onlineUsers); else -echo $onlineUserCount; +echo $onlineUser; ?> Players Online Now
fetch_row()[0]; if($hasIntl) -echo numfmt_format($fmt, $onlineSubscribersCount); +echo numfmt_format($fmt, $onlineSubscribers); else -echo $onlineSubscribersCount; +echo $onlineSubscribers; ?> Subscribers Online Now
fetch_row()[0]; if($hasIntl) -echo numfmt_format($fmt, $onlineModeratorsCount ); +echo numfmt_format($fmt, $onlineModerators); else -echo $onlineModeratorsCount; +echo $onlineModerators; ?> Moderators Online Now
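Review bot: The non-intl fallback in the players-online cell, `echo $onlineUser;`, names a variable the intl branch does not (`echo numfmt_format($fmt, $onlineUsers);`), so on a build without ext-intl that cell prints nothing and raises an undefined-variable warning; the rename in this commit carried the old `$onlineUsersCount`/`$onlineUserCount` mismatch forward. Change it to `echo $onlineUsers;`, assuming that is the variable assigned above the hunk as the numfmt branch suggests. The subscriber and moderator cells below already use the same variable in both branches.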
ERROR: Account is already setup on this server. /
If you already have an account on server, try logging in direct: '.$server['site'].''); + } + } + else + { + echo('[Account]Joining the Server Failed. Please try a different server, or Try re-logging into the website. If you continue to have troubles, you may need to enable Cookies in your browser. Another possibility ONLY if you already have an account is logging directly into the server via: '.$server['site'].'/
ERROR: Account Setup Failed. Please be sure you are logged in. /
If you already have an account on server, try logging in direct: '.$server['site'].''); + } + } + else + { + echo('[]Joining the Server Failed. Please try a different server, or Try re-logging into the website. If you continue to have troubles, you may need to enable Cookies in your browser. Another possibility ONLY if you already have an account is logging directly into the server via:
ERROR: / The requested URL returned error: 404 Not Found
If you already have an account on server, try logging in direct: '); + } +} +?> \ No newline at end of file diff --git a/WebInterface/master-site/servers.php b/WebInterface/master-site/servers.php index f17ff97..6efded3 100644 --- a/WebInterface/master-site/servers.php +++ b/WebInterface/master-site/servers.php @@ -1,8 +1,7 @@ 'beta.gif', 'database' => 'beta', 'site' => 'beta.islehorse.com', 'desc' => ' '], - ['icon' => 'black.gif', 'database' => 'example', 'site' => 'example.islehorse.com', 'desc' => 'Example HISP Server!'], + ['id' => 'game', 'icon' => 'beta.gif', 'database' => 'beta', 'site' => 'http://game.islehorse.com', 'desc' => ' '], ]; // black: 1/3 interest rate, final new server as of July 2012 for those who want to start classic horseisle anew! diff --git a/WebInterface/master-site/web/header.php b/WebInterface/master-site/web/header.php index 4ec230b..1bc77a6 100644 --- a/WebInterface/master-site/web/header.php +++ b/WebInterface/master-site/web/header.php @@ -1,6 +1,9 @@ HORSE ISLE - Online Multiplayer Horse Game @@ -101,24 +104,13 @@ color: #440000;
GAME SERVERS (all identical please only join 1 or 2)PROFILE (not current)ONLINELOGIN

SERVER: '.strtoupper($url).'
'.$desc.'
no existing profile0
players
online
now
[JOIN]

SERVER: '.strtoupper($domain).'
'.$desc.'
no existing profile0
players
online
now
'.$join.'

Logged in as: '.$username.'






'); - } - else - { - goto not_loggedin; - } + $username = $_SESSION['USERNAME']; + echo('
Logged in as: '.$username.'






'); } else { -not_loggedin: echo('
USER:
PASS: