[OpenSource] 2019 ModTools for Plus

ItsMeRomian

Member
Oct 3, 2015
190
22
Hi,

I'm releasing my moderation tools for PlusEMU 3.4.3 database. ModTools is not connected to your CMS so you can deploy it anywhere you want.

Simply put the ModTools folder in your /www or /htdocs folder and configure the modtoolsconfig.php file.
Screenshots: Home, Users, Rooms.

Current features:
Users
  • See user info.
  • Edit user info.
  • Ban users.
  • Make users UOTW.
  • See where user currently is.
  • See all rooms of users.
Rooms
  • See room info.
  • Edit room info.
  • Make room private.
  • Change room name.
  • See room chat.
Guilds/Clans
  • See guild info.
  • Change guild info.
Sollies
  • Works with the DynaHotel theme, but can be configured to work with your theme as well.
  • Deny, accept solicitations to your admin team.
  • See who responded to a solicitation (called sollies in ModTools).
  • Easily compare multiple job applications with each other.
Owners can see which admin changed what in ModTools.
  • Specific welcome messages to admins.
  • Nice to read logs. (coming soon)
You can get it at
Feel free to report any bugs or tell me which features I should add.
 

M8than

yes
Mar 16, 2012
463
102
Legit tho if you use this, any of your mods will be able to completely fuck ur shit up. There's probably exploits without having to login too so your own funeral I guess.
 

Damien

Don't need glasses if you can C#
Feb 26, 2012
434
647
> Legit tho if you use this, any of your mods will be able to completely fuck ur shit up. There's probably exploits without having to login too so your own funeral I guess.

Anyone actually, as long as they know where the housekeeping is.
 

LeChris

https://habbo.codes/
Sep 30, 2013
2,786
1,395
> Anyone actually, as long as they know where the housekeeping is.

Are you 100% it doesn’t require a cookie (which would indicate it at least went through rank auth)?
There’s a SQLi that shouldn’t ever be used on a hotel, but I’d be wary of false accusations if you haven’t checked yet
 

Damien

Don't need glasses if you can C#
Feb 26, 2012
434
647
> Are you 100% it doesn’t require a cookie (which would indicate it at least went through rank auth)?
> There’s a SQLi that shouldn’t ever be used on a hotel, but I’d be wary of false accusations if you haven’t checked yet

The source can be found here:
Code:
https://github.com/ItsMeRomian/ModTools

Check out the query.php file for yourself.
 

ItsMeRomian

Member
Oct 3, 2015
190
22
Yeah, I guess you can say this was not coded with security in mind, but that can and will be added later.
 

LeChris

https://habbo.codes/
Sep 30, 2013
2,786
1,395
> Yeah, I guess you can say this was not coded with security in mind, but that can and will be added later.

It's an admin panel. It's the one thing that is used to manage, secure and protect your users.

I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used

> The source can be found here:
> Code:
> https://github.com/ItsMeRomian/ModTools
>
> Check out the query.php file for yourself.

Have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)
 

M8than

yes
Mar 16, 2012
463
102
> It's an admin panel. It's the one thing that is used to manage, secure and protect your users.
>
> I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used
>
> Have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)

100% it's sqli able just by sending a get request to query.php

Even if it wasn't there's still no authentication on query.php
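
As an added illustration of the two problems raised in this post (SQL built from request variables, and a script with no authentication of its own), here is one hardened shape for such a helper script. It is not code from the ModTools repository; the session keys, `MIN_RANK`, the DSN, the `MODTOOLS_DB_PASS` variable and the table and column names are assumptions.

```php
<?php
// Added example, not ModTools code. Session keys, MIN_RANK, the DSN,
// MODTOOLS_DB_PASS and the table/column names are assumptions.
declare(strict_types=1);
session_start();
const MIN_RANK = 5; // assumed minimum staff rank

function deny(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authorize inside the script itself, so a direct request that
//    bypasses the panel pages is still rejected.
if ((int)($_SESSION['staff_rank'] ?? 0) < MIN_RANK) {
    deny(403, 'not authorized');
}

// 2. State changes are POST-only and carry a per-session CSRF token.
$expected = (string)($_SESSION['csrf'] ?? '');
$token = $_POST['csrf'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $expected === ''
    || !is_string($token) || !hash_equals($expected, $token)) {
    deny(403, 'bad request');
}

// 3. Column names come from a fixed map, never from the request.
$columns = ['motto' => 'motto', 'mail' => 'mail'];
$field = $_POST['field'] ?? '';
$column = is_string($field) ? ($columns[$field] ?? null) : null;
$userId = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
$value = $_POST['value'] ?? null;
if ($column === null || !is_int($userId) || !is_string($value)) {
    deny(400, 'invalid input');
}

// 4. Values reach the database only as bound parameters.
$pdo = new PDO(
    'mysql:host=localhost;dbname=hotel;charset=utf8mb4',
    'modtools',
    (string)getenv('MODTOOLS_DB_PASS'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare("UPDATE users SET `$column` = :value WHERE id = :id");
$stmt->execute([':value' => $value, ':id' => $userId]);
echo json_encode(['updated' => $stmt->rowCount()]);
```

A URL-rewrite or web-server deny rule can sit in front of this as a second layer, but the in-script check is what still holds when the file is requested directly.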
 

Damien

Don't need glasses if you can C#
Feb 26, 2012
434
647
> It's an admin panel. It's the one thing that is used to manage, secure and protect your users.
>
> I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used
>
> Have you tried running a SQLi yourself without being authenticated? Just because a SQLi is present in code, doesn't mean it's accessible for everyone. It still sucks. (Sorry for spam questions, I can't set this up and verify on my own due to work)

I can't set it up either but from reading the code it can be executed from anywhere.

On a more positive note it's very promising and the features and styles used are nice. It's good to see people are still creating new things and learning to code, hopefully with more iterations, both you and your code will improve over time.
 

ItsMeRomian

Member
Oct 3, 2015
190
22
> It's an admin panel. It's the one thing that is used to manage, secure and protect your users.
>
> I love that you tried, but not every release should go public and you should be cautious when releasing malicious code (even if not your intent). I would suggest adding to the README saying this is exploitable and shouldn't be used

Thanks for your feedback, I will do that.
 

LeChris

https://habbo.codes/
Sep 30, 2013
2,786
1,395
> 100% it's sqli able just by sending a get request to query.php
>
> Even if it wasn't there's still no authentication on query.php

Yea, I wasn't aware if there's any steps to get to query.php. ie: Just because a file exists doesn't mean you can just openly access it directly, especially with URL Rewrite
 

ItsMeRomian

Member
Oct 3, 2015
190
22
> I can't set it up either but from reading the code it can be executed from anywhere.
>
> On a more positive note it's very promising and the features and styles used are nice. It's good to see people are still creating new things and learning to code, hopefully with more iterations, both you and your code will improve over time.

Thank you
 

M8than

yes
Mar 16, 2012
463
102
> Yea, I wasn't aware if there's any steps to get to query.php. ie: Just because a file exists doesn't mean you can just openly access it directly, especially with URL Rewrite

well it's pretty dumb if you can't access it directly, it literally takes a get request
 

LeChris

https://habbo.codes/
Sep 30, 2013
2,786
1,395
> well it's pretty dumb if you can't access it directly, it literally takes a get request

You sure bud? I doubt you understand how URL Rewrite works, CHMOD, etc. I’m not saying he has set it up to not be directly accessible, but just because this is PHP doesn’t make it directly accessible.

Set it up, run a GET and show the pics. The accuser can show us the proof of SQLi without auth
 

M8than

yes
Mar 16, 2012
463
102
> You sure bud? I doubt you understand how URL Rewrite works, CHMOD, etc. I’m not saying he has set it up to not be directly accessible, but just because this is PHP doesn’t make it directly accessible.
>
> Set it up, run a GET and show the pics. The accuser can show us the proof of SQLi without auth

"yOu SuRe BuD? i DoUbT yOu UnDeRsTaNd HoW uRl ReWrItE wOrKs" ur such an ignorant condescending asshole you know?

The query.php file directly references get variables. I seriously doubt he's denying access to that script and just including it in "safe places".

In fact click this
 

LeChris

https://habbo.codes/
Sep 30, 2013
2,786
1,395
> "yOu SuRe BuD? i DoUbT yOu UnDeRsTaNd HoW uRl ReWrItE wOrKs" ur such an ignorant condescending asshole you know?
>
> The query.php file directly references get variables. I seriously doubt he's denying access to that script and just including it in "safe places".
>
> In fact click this

If URL rewrite or any rules are configured, then yes he stops access to it directly.
You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet
 

M8than

yes
Mar 16, 2012
463
102
> If URL rewrite or any rules are configured, then yes he stops access to it directly.
> You can use GET anywhere even not directly accessed. I see you haven’t passed COMP Sci 101 yet

Look at the source, does it look like there's any auth for that file anywhere? Nope. You're wrong end of story.
 
