[OpenSource] 2019 ModTools for Plus

ItsMeRomian

ItsMeRomian

Member
Oct 3, 2015
190
22
Hi,

Im releasing my moderation tools for PlusEMU 3.4.3 database. ModTools is not connected to your CMS so you can deploy it anywhere you want.

Simply put the ModTools folder in your /www of /htdocs folder and configure the modtoolsconfig.php file.
Screenshots:

Home:
gB7ApCS.png

Users:
You must be registered for see images attach

Rooms:
You must be registered for see images attach
Current features:
Users
  • See user info.
  • Edit user info.
  • Ban users.
  • Make users UOTW.
  • See where user corrently is.
  • See all rooms of users.
Rooms
  • See room info.
  • Edit room info.
  • Make room private.
  • Change room name.
  • See room chat.
Guilds/Clans
  • See guild info.
  • Change guild info.
Sollies
  • works with the DynaHotel theme, but can be configured to work with your theme aswel.
  • Deny, accept solicitations to your admin team.
  • see who responded to a solicitation (called sollies in ModTools).
  • Easly compare multiple job applications with eachother.
Owners can see which admin changed what in ModTools.
  • Specific welcome messages to admins.
  • Nice to read logs. (comming soon)
You can get it at
You must be registered for see links

Feel free to report any bugs or tell me which features i should add.
 
M8than

M8than

yes
Mar 16, 2012
463
102
Legit tho if you use this, any of your mods will be able to completely fuck ur shit up. Theres probably exploits without having to login too so your own funeral i guess.
 
Damien

Damien

Don't need glasses if you can C#
Feb 26, 2012
426
642
Muffinss said:
Legit tho if you use this, any of your mods will be able to completely fuck ur shit up. Theres probably exploits without having to login too so your own funeral i guess.
Click to expand...
Anyone actually, aslong as they know where the housekeeping is.
 
LeChris

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,736
1,319
Damien said:
Anyone actually, aslong as they know where the housekeeping is.
Click to expand...
Are you 100% it doesn’t require a cookie (which would indicate it at least went through rank auth)?
There’s a SQLi that shouldn’t ever be used on a hotel, but I’d be wary of false accusations if you haven’t checked yet
 
Damien

Damien

Don't need glasses if you can C#
Feb 26, 2012
426
642
LeChris said:
Are you 100% it doesn’t require a cookie (which would indicate it at least went through rank auth)?
There’s a SQLi that shouldn’t ever be used on a hotel, but I’d be wary of false accusations if you haven’t checked yet
Click to expand...
The source is can be found here:
Code: 
https://github.com/ItsMeRomian/ModTools

Check out the query.php file for yourself.
 
ItsMeRomian

ItsMeRomian

Member
Oct 3, 2015
190
22
Yeah, i guess you can say this was not coded with security in mind, but that can and will be added later.
 
LeChris

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,736
1,319
ItsMeRomian said:
Yeah, i guess you can say this was not coded with security in mind, but that can and will be added later.
Click to expand...
It's an admin panel. It's the one thing that is used to manage, secure and protect your users.

I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used
Damien said:
The source is can be found here:
Code: 
https://github.com/ItsMeRomian/ModTools

Check out the query.php file for yourself.
Click to expand...
have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)
 
M8than

M8than

yes
Mar 16, 2012
463
102
LeChris said:
It's an admin panel. It's the one thing that is used to manage, secure and protect your users.

I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used

have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)
Click to expand...
100% it's sqli able just by sending a get request to query.php
Post automatically merged:

Even if it wasn't there's still no authentication on query.php
 
Damien

Damien

Don't need glasses if you can C#
Feb 26, 2012
426
642
LeChris said:
It's an admin panel. It's the one thing that is used to manage, secure and protect your users.

I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used

have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)
Click to expand...
I can't set it up either but from reading the code it can be executed from anywhere.

On a more positive note it's very promising and the features and styles used are nice. It's good to see people are still creating new things and learning to code, hopefully with more iterations, both you and your code will improve over time.
 
ItsMeRomian

ItsMeRomian

Member
Oct 3, 2015
190
22
LeChris said:
It's an admin panel. It's the one thing that is used to manage, secure and protect your users.

I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used
Click to expand...

Thanks for your feedback, i will do that.
 
LeChris

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,736
1,319
Muffinss said:
100% it's sqli able just by sending a get request to query.php
Post automatically merged:

Even if it wasn't there's still no authentication on query.php
Click to expand...
Yea, I wasn't aware if there's any steps to get to query.php. ie: Just because a file exists doesn't mean you can just openly access it directly, especially with URL Rewrite
 
ItsMeRomian

ItsMeRomian

Member
Oct 3, 2015
190
22
Damien said:
I can't set it up either but from reading the code it can be executed from anywhere.

On a more positive note it's very promising and the features and styles used are nice. It's good to see people are still creating new things and learning to code, hopefully with more iterations, both you and your code will improve over time.
Click to expand...
Thanks you
 
M8than

M8than

yes
Mar 16, 2012
463
102
LeChris said:
Yea, I wasn't aware if there's any steps to get to query.php. ie: Just because a file exists doesn't mean you can just openly access it directly, especially with URL Rewrite
Click to expand...
well its pretty dumb if you cant access it directly, it literally takes a get request
 
LeChris

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,736
1,319
Muffinss said:
well its pretty dumb if you cant access it directly, it literally takes a get request
Click to expand...
You sure bud? I doubt you understand how URL Rewrite works, CHMOD, etc. I’m not saying he has set it up to not be directly accessible, but just because this is PHP doesn’t make it directly accessible.

Set it up, run a GET and show the pics. The accuser can show us the proof of SQLi without auth
 
M8than

M8than

yes
Mar 16, 2012
463
102
LeChris said:
You sure bud? I doubt you understand how URL Rewrite works, CHMOD, etc. I’m not saying he has set it up to not be directly accessible, but just because this is PHP doesn’t make it directly accessible.

Set it up, run a GET and show the pics. The accuser can show us the proof of SQLi without auth
Click to expand...

"yOu SuRe BuD? i DoUbT yOu UnDeRsTaNd HoW uRl ReWrItE wOrKs" ur such an ignorant condescending asshole you know?

The query.php file directly references get variables. I seriously doubt he's denying access to that script and just including it in "safe places".

In fact click this
You must be registered for see links
 
Last edited:
LeChris

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,736
1,319
Muffinss said:
"yOu SuRe BuD? i DoUbT yOu UnDeRsTaNd HoW uRl ReWrItE wOrKs" ur such an ignorant condescending asshole you know?

The query.php file directly references get variables. I seriously doubt he's denying access to that script and just including it in "safe places".

In fact click this
You must be registered for see links
Click to expand...
If URL rewrite or any rules are configured, then yes he stops access to it directly.
You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet
 
M8than

M8than

yes
Mar 16, 2012
463
102
LeChris said:
If URL rewrite or any rules are configured, then yes he stops access to it directly.
You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet
Click to expand...
Look at the source, does it look like theres any auth for that file anywhere? Nope. You're wrong end of story.
 

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)
☀️  Switch to Light Theme

Latest posts

Top