RevCMS PlusEmu SSO issue
<blockquote data-quote="AssLikeThat" data-source="post: 428088" data-attributes="member: 27476"><p>Hi,</p><p></p><p>So basically I had the hotel working fine, no problems whatsoever, then all of a sudden it started preventing me from entering and disconnecting me while loading. I looked into it a bit and saw that the exploit with the SSO tickets wasn't patched on the version of RevCMS I had; it seemed to be nulling the SSO ticket when loading the client...</p><p></p><p>Did these fixes:</p><p><a href="https://devbest.com/threads/revcms-plusemu-extra-security.78678/" target="_blank">https://devbest.com/threads/revcms-plusemu-extra-security.78678/</a></p><p><a href="https://devbest.com/threads/plusemu-revision-6070-sso-exploit-urgent-help-needed.81152/#post-394851" target="_blank">https://devbest.com/threads/plusemu-revision-6070-sso-exploit-urgent-help-needed.81152/#post-394851</a></p><p></p><p>The assigning of the SSO ticket seems fine; however, I am now unable to enter the hotel: it loads to 76% then disconnects. 
I've researched all the possible reasons behind this but still can't seem to come up with a solution, been trying to sort this for a few hours now and am wits end with it.</p><p></p><p>I've double checked all the obvious stuff such as IP's, links, variables etc.</p><p></p><p>Would anybody be able to advise?</p><p></p><p>EDIT: Using PRODUCTION-201701242205-837386173</p><p>Haboon Edit</p><p></p><p>[SPOILER="UserDataFactory.cs"]</p><p> using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())</p><p> {</p><p> dbClient.SetQuery(</p><p> "SELECT users.id,users.username,users.rank,users.motto,users.look,users.gender,users.last_online,users.credits,users.activity_points,users.home_room,users.block_newfriends,users.hide_online,users.hide_inroom,users.vip,users.account_created,users.vip_points,users.machine_id,users.volume,users.chat_preference,users.focus_preference,users.pets_muted,users.bots_muted,users.advertising_report_blocked,users.last_change,users.gotw_points,users.ignore_invites,users.time_muted,users.allow_gifts,users.friend_bar_state,users.disable_forced_effects,users.allow_mimic,users.rank_vip " +</p><p> "FROM users " +</p><p> "JOIN user_auth_ticket " +</p><p> "ON users.id = user_auth_ticket.user_id " +</p><p> "WHERE user_auth_ticket.auth_ticket = @sso " +</p><p> "LIMIT 1"</p><p> );</p><p>dbClient.AddParameter("sso", SessionTicket);</p><p> dUserInfo = dbClient.getRow();</p><p></p><p> if (dUserInfo == null)</p><p> {</p><p> errorCode = 1;</p><p> return null;</p><p> }</p><p></p><p> UserId = Convert.ToInt32(dUserInfo["id"]);</p><p> if (PlusEnvironment.GetGame().GetClientManager().GetClientByUserID(UserId) != null)</p><p> {</p><p> errorCode = 2;</p><p> PlusEnvironment.GetGame().GetClientManager().GetClientByUserID(UserId).Disconnect();</p><p> return null;</p><p> }</p><p></p><p> dbClient.SetQuery("SELECT `group`,`level`,`progress` FROM `user_achievements` WHERE `userid` = '" + UserId + "'");</p><p> dAchievements = 
dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT room_id FROM user_favorites WHERE `user_id` = '" + UserId + "'");</p><p> dFavouriteRooms = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT ignore_id FROM user_ignores WHERE `user_id` = '" + UserId + "'");</p><p> dIgnores = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT `badge_id`,`badge_slot` FROM user_badges WHERE `user_id` = '" + UserId + "'");</p><p> dBadges = dbClient.getTable();</p><p></p><p> dbClient.SetQuery(</p><p> "SELECT users.id,users.username,users.motto,users.look,users.last_online,users.hide_inroom,users.hide_online " +</p><p> "FROM users " +</p><p> "JOIN messenger_friendships " +</p><p> "ON users.id = messenger_friendships.user_one_id " +</p><p> "WHERE messenger_friendships.user_two_id = " + UserId + " " +</p><p> "UNION ALL " +</p><p> "SELECT users.id,users.username,users.motto,users.look,users.last_online,users.hide_inroom,users.hide_online " +</p><p> "FROM users " +</p><p> "JOIN messenger_friendships " +</p><p> "ON users.id = messenger_friendships.user_two_id " +</p><p> "WHERE messenger_friendships.user_one_id = " + UserId);</p><p> dFriends = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT messenger_requests.from_id,messenger_requests.to_id,users.username FROM users JOIN messenger_requests ON users.id = messenger_requests.from_id WHERE messenger_requests.to_id = " + UserId);</p><p> dRequests = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT * FROM rooms WHERE `owner` = '" + UserId + "' LIMIT 150");</p><p> dRooms = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT `quest_id`,`progress` FROM user_quests WHERE `user_id` = '" + UserId + "'");</p><p> dQuests = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT `id`,`user_id`,`target`,`type` FROM `user_relationships` WHERE `user_id` = '" + UserId + "'");</p><p> dRelations = dbClient.getTable();</p><p></p><p> dbClient.SetQuery("SELECT * FROM `user_info` WHERE `user_id` = 
'" + UserId + "' LIMIT 1");</p><p> UserInfo = dbClient.getRow();</p><p> if (UserInfo == null)</p><p> {</p><p> dbClient.RunQuery("INSERT INTO `user_info` (`user_id`) VALUES ('" + UserId + "')");</p><p></p><p> dbClient.SetQuery("SELECT * FROM `user_info` WHERE `user_id` = '" + UserId + "' LIMIT 1");</p><p> UserInfo = dbClient.getRow();</p><p> }</p><p> dbClient.RunQuery("UPDATE `users` SET `online` = '1' WHERE `id` = '" + UserId + "' LIMIT 1");</p><p> dbClient.RunQuery("DELETE FROM `user_auth_ticket` WHERE `user_id` = '" + UserId + "' LIMIT 1");</p><p> }</p><p>[/SPOILER]</p><p></p><p>[SPOILER="PlusEnvironment.cs"]</p><p> public static void PerformShutDown()</p><p> {</p><p> Console.Clear();</p><p> log.Info("Server shutting down...");</p><p> Console.Title = "PLUS EMULATOR: SHUTTING DOWN!";</p><p></p><p> PlusEnvironment.GetGame().GetClientManager().SendMessage(new BroadcastMessageAlertComposer(PlusEnvironment.GetGame().GetLanguageLocale().TryGetValue("shutdown_alert")));</p><p> GetGame().StopGameLoop();</p><p> Thread.Sleep(2500);</p><p> GetConnectionManager().Destroy();//Stop listening.</p><p> GetGame().GetPacketManager().UnregisterAll();//Unregister the packets.</p><p> GetGame().GetPacketManager().WaitForAllToComplete();</p><p> GetGame().GetClientManager().CloseAll();//Close all connections</p><p> GetGame().GetRoomManager().Dispose();//Stop the game loop.</p><p></p><p> using (IQueryAdapter dbClient = _manager.GetQueryReactor())</p><p> {</p><p> dbClient.RunQuery("TRUNCATE `catalog_marketplace_data`");</p><p> dbClient.RunQuery("TRUNCATE `user_auth_ticket`");</p><p> dbClient.RunQuery("UPDATE `users` SET online = '0'");</p><p> dbClient.RunQuery("UPDATE `rooms` SET `users_now` = '0' WHERE `users_now` > '0'");</p><p> dbClient.RunQuery("UPDATE `server_status` SET `users_online` = '0', `loaded_rooms` = '0'");</p><p> }</p><p></p><p> log.Info("Plus Emulator has successfully shutdown.");</p><p></p><p> Thread.Sleep(1000);</p><p> Environment.Exit(0);</p><p> 
}</p><p>[/SPOILER]</p><p></p><p>[SPOILER="class.users.php"]</p><p> /*-------------------------------Create SSO auth_ticket-------------------------------------*/</p><p> </p><p> final public function createSSO($k)</p><p> {</p><p> global $engine;</p><p> $sessionKey = 'RevCMS-' . rand(9, 9999999).'/'.substr(sha1(time()).'/'.rand(9,9999999).'/'.rand(9,9999999).'/'.rand(9,9999999),0,33);</p><p> </p><p> if($engine->num_rows("SELECT * FROM user_auth_ticket WHERE user_id = '" . $k . "' LIMIT 1") > 0) {</p><p> $engine->query("UPDATE user_auth_ticket SET auth_ticket = '" . $sessionKey . "' WHERE user_id = '" . $k . "'");</p><p> } else {</p><p> $engine->query("INSERT INTO user_auth_ticket (user_id, auth_ticket) VALUES ('" . $k . "', '" . $sessionKey ."')");</p><p> }</p><p> return $sessionKey;</p><p> unset($sessionKey);</p><p> } </p><p>[/SPOILER]</p><p></p><p>[SPOILER="class.core.php"]</p><p> case "client":</p><p> $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);</p><p> $template->setParams('sso', $users->createSSO($_SESSION['user']['id']));</p><p> break;</p><p>[/SPOILER]</p><p></p><p>[SPOILER="SSOTicketEvent.cs"]</p><p>using System;</p><p></p><p>using Plus.Communication.Packets.Incoming;</p><p>using Plus.HabboHotel.GameClients;</p><p>using Plus.Communication.Packets.Outgoing.Handshake;</p><p></p><p>namespace Plus.Communication.Packets.Incoming.Handshake</p><p>{</p><p> public class SSOTicketEvent : IPacketEvent</p><p> {</p><p> public void Parse(GameClient Session, ClientPacket Packet)</p><p> {</p><p> if (Session == null || Session.RC4Client == null || Session.GetHabbo() != null)</p><p> return;</p><p></p><p> string SSO = Packet.PopString();</p><p> if (string.IsNullOrEmpty(SSO) || SSO.Length < 15)</p><p> return;</p><p></p><p> Session.TryAuthenticate(SSO);</p><p> }</p><p> }</p><p>}</p><p>[/SPOILER]</p><p></p><p>If you need any more info please let me know</p><p></p><p>Thanks</p></blockquote><p></p>
[QUOTE="AssLikeThat, post: 428088, member: 27476"]
Hi,

So basically I had the hotel working fine, no problem whatsoever, all of a sudden it starts preventing me from entering and disconnecting when loading, looked into it a bit and I saw that the exploit with the SSO tickets wasn't patched on the version of RevCMS I had, it seemed to be nulling the SSO ticket when loading the client...

Did these fixes:
[URL]https://devbest.com/threads/revcms-plusemu-extra-security.78678/[/URL]
[URL]https://devbest.com/threads/plusemu-revision-6070-sso-exploit-urgent-help-needed.81152/#post-394851[/URL]

The assigning of the SSO Ticket seems fine; however I now am unable to enter the hotel, loads to 76% then disconnects..
I've researched all the possible reasons behind this but still can't seem to come up with a solution, been trying to sort this for a few hours now and am wits end with it.

I've double checked all the obvious stuff such as IP's, links, variables etc.

Would anybody be able to advise?

EDIT: Using PRODUCTION-201701242205-837386173
Haboon Edit

[SPOILER="UserDataFactory.cs"]
// Excerpt from the emulator's login data loader; the enclosing method signature is not shown.
// It resolves an SSO ticket to a user row, loads that user's related tables, then consumes the ticket.
using (IQueryAdapter dbClient = PlusEnvironment.GetDatabaseManager().GetQueryReactor())
{
    // The ticket is the only client-supplied value in this excerpt and it is bound
    // through the @sso parameter instead of being concatenated into the SQL text.
    dbClient.SetQuery(
        "SELECT users.id,users.username,users.rank,users.motto,users.look,users.gender,users.last_online,users.credits,users.activity_points,users.home_room,users.block_newfriends,users.hide_online,users.hide_inroom,users.vip,users.account_created,users.vip_points,users.machine_id,users.volume,users.chat_preference,users.focus_preference,users.pets_muted,users.bots_muted,users.advertising_report_blocked,users.last_change,users.gotw_points,users.ignore_invites,users.time_muted,users.allow_gifts,users.friend_bar_state,users.disable_forced_effects,users.allow_mimic,users.rank_vip " +
        "FROM users " +
        "JOIN user_auth_ticket " +
        "ON users.id = user_auth_ticket.user_id " +
        "WHERE user_auth_ticket.auth_ticket = @sso " +
        "LIMIT 1"
    );
    dbClient.AddParameter("sso", SessionTicket);
    dUserInfo = dbClient.getRow();

    // errorCode 1: no user_auth_ticket row matches the ticket the client sent.
    if (dUserInfo == null)
    {
        errorCode = 1;
        return null;
    }

    UserId = Convert.ToInt32(dUserInfo["id"]);
    // errorCode 2: a client for this user is already registered. The existing client is
    // disconnected and this attempt is rejected as well. This return happens before the
    // DELETE at the end of the block, so the ticket row is not removed on this path.
    if (PlusEnvironment.GetGame().GetClientManager().GetClientByUserID(UserId) != null)
    {
        errorCode = 2;
        PlusEnvironment.GetGame().GetClientManager().GetClientByUserID(UserId).Disconnect();
        return null;
    }

    // The queries below concatenate UserId into the SQL text. UserId comes from
    // Convert.ToInt32 on the row fetched above, so it is an integer here.
    // NOTE(review): binding it with AddParameter, as the ticket query does, would keep the
    // file consistent and stay safe if the source of UserId ever changes.
    dbClient.SetQuery("SELECT `group`,`level`,`progress` FROM `user_achievements` WHERE `userid` = '" + UserId + "'");
    dAchievements = dbClient.getTable();

    dbClient.SetQuery("SELECT room_id FROM user_favorites WHERE `user_id` = '" + UserId + "'");
    dFavouriteRooms = dbClient.getTable();

    dbClient.SetQuery("SELECT ignore_id FROM user_ignores WHERE `user_id` = '" + UserId + "'");
    dIgnores = dbClient.getTable();

    dbClient.SetQuery("SELECT `badge_id`,`badge_slot` FROM user_badges WHERE `user_id` = '" + UserId + "'");
    dBadges = dbClient.getTable();

    // Friendships are stored once per pair, so both directions are selected and merged.
    dbClient.SetQuery(
        "SELECT users.id,users.username,users.motto,users.look,users.last_online,users.hide_inroom,users.hide_online " +
        "FROM users " +
        "JOIN messenger_friendships " +
        "ON users.id = messenger_friendships.user_one_id " +
        "WHERE messenger_friendships.user_two_id = " + UserId + " " +
        "UNION ALL " +
        "SELECT users.id,users.username,users.motto,users.look,users.last_online,users.hide_inroom,users.hide_online " +
        "FROM users " +
        "JOIN messenger_friendships " +
        "ON users.id = messenger_friendships.user_two_id " +
        "WHERE messenger_friendships.user_one_id = " + UserId);
    dFriends = dbClient.getTable();

    dbClient.SetQuery("SELECT messenger_requests.from_id,messenger_requests.to_id,users.username FROM users JOIN messenger_requests ON users.id = messenger_requests.from_id WHERE messenger_requests.to_id = " + UserId);
    dRequests = dbClient.getTable();

    dbClient.SetQuery("SELECT * FROM rooms WHERE `owner` = '" + UserId + "' LIMIT 150");
    dRooms = dbClient.getTable();

    dbClient.SetQuery("SELECT `quest_id`,`progress` FROM user_quests WHERE `user_id` = '" + UserId + "'");
    dQuests = dbClient.getTable();

    dbClient.SetQuery("SELECT `id`,`user_id`,`target`,`type` FROM `user_relationships` WHERE `user_id` = '" + UserId + "'");
    dRelations = dbClient.getTable();

    // Create the user_info row on first login, then read it back.
    dbClient.SetQuery("SELECT * FROM `user_info` WHERE `user_id` = '" + UserId + "' LIMIT 1");
    UserInfo = dbClient.getRow();
    if (UserInfo == null)
    {
        dbClient.RunQuery("INSERT INTO `user_info` (`user_id`) VALUES ('" + UserId + "')");

        dbClient.SetQuery("SELECT * FROM `user_info` WHERE `user_id` = '" + UserId + "' LIMIT 1");
        UserInfo = dbClient.getRow();
    }
    dbClient.RunQuery("UPDATE `users` SET `online` = '1' WHERE `id` = '" + UserId + "' LIMIT 1");
    // The ticket row is deleted once the data has loaded, which makes a ticket single-use:
    // presenting the same ticket again ends in the errorCode 1 branch above.
    dbClient.RunQuery("DELETE FROM `user_auth_ticket` WHERE `user_id` = '" + UserId + "' LIMIT 1");
}
[/SPOILER]

[SPOILER="PlusEnvironment.cs"]
/// <summary>
/// Shuts the emulator down: announces the shutdown to connected clients, stops the game loop,
/// tears down networking and packet handling, resets online state in the database and exits
/// the process with code 0.
/// </summary>
public static void PerformShutDown()
{
    Console.Clear();
    log.Info("Server shutting down...");
    Console.Title = "PLUS EMULATOR: SHUTTING DOWN!";

    PlusEnvironment.GetGame().GetClientManager().SendMessage(new BroadcastMessageAlertComposer(PlusEnvironment.GetGame().GetLanguageLocale().TryGetValue("shutdown_alert")));
    GetGame().StopGameLoop();
    Thread.Sleep(2500);
    GetConnectionManager().Destroy();//Stop listening.
    GetGame().GetPacketManager().UnregisterAll();//Unregister the packets.
    GetGame().GetPacketManager().WaitForAllToComplete();
    GetGame().GetClientManager().CloseAll();//Close all connections
    GetGame().GetRoomManager().Dispose();//Stop the game loop.

    using (IQueryAdapter dbClient = _manager.GetQueryReactor())
    {
        dbClient.RunQuery("TRUNCATE `catalog_marketplace_data`");
        // Every outstanding SSO ticket is wiped here, so tickets issued before a restart
        // cannot be used against the next server process.
        dbClient.RunQuery("TRUNCATE `user_auth_ticket`");
        dbClient.RunQuery("UPDATE `users` SET online = '0'");
        dbClient.RunQuery("UPDATE `rooms` SET `users_now` = '0' WHERE `users_now` > '0'");
        dbClient.RunQuery("UPDATE `server_status` SET `users_online` = '0', `loaded_rooms` = '0'");
    }

    log.Info("Plus Emulator has successfully shutdown.");

    Thread.Sleep(1000);
    Environment.Exit(0);
}
[/SPOILER]

[SPOILER="class.users.php"]
/*-------------------------------Create SSO auth_ticket-------------------------------------*/

// Issues a new SSO ticket for user id $k, stores it in user_auth_ticket (updating the
// existing row for that user or inserting one) and returns the ticket string.
final public function createSSO($k)
{
    global $engine;
    // The ticket is 'RevCMS-', one rand() value, '/', then the first 33 characters of the
    // concatenated string. sha1() returns 40 hex characters, so the substr() keeps only part
    // of sha1(time()) and the three trailing rand() values are cut off entirely.
    // NOTE(review): the ticket is a bearer credential for the game login, and rand() and
    // time() are not cryptographically secure sources. Prefer a CSPRNG, for example
    // bin2hex(random_bytes(16)) on PHP 7+, and check the result still fits the auth_ticket
    // column and the 15-character minimum enforced in SSOTicketEvent.
    $sessionKey = 'RevCMS-' . rand(9, 9999999).'/'.substr(sha1(time()).'/'.rand(9,9999999).'/'.rand(9,9999999).'/'.rand(9,9999999),0,33);

    // NOTE(review): $k is concatenated into the SQL text. The caller shown below passes
    // $_SESSION['user']['id']; casting it to int, or using parameter binding if $engine
    // offers it, would remove the dependence on every caller passing a clean value.
    if($engine->num_rows("SELECT * FROM user_auth_ticket WHERE user_id = '" . $k . "' LIMIT 1") > 0) {
        $engine->query("UPDATE user_auth_ticket SET auth_ticket = '" . $sessionKey . "' WHERE user_id = '" . $k . "'");
    } else {
        $engine->query("INSERT INTO user_auth_ticket (user_id, auth_ticket) VALUES ('" . $k . "', '" . $sessionKey ."')");
    }
    return $sessionKey;
    // Unreachable: the function has already returned.
    unset($sessionKey);
}
[/SPOILER]

[SPOILER="class.core.php"]
// Rendering the "client" page records the visitor's address as ip_last and issues a fresh
// ticket into the 'sso' template parameter. createSSO overwrites the user's stored ticket,
// so each render of this page replaces the ticket handed out by the previous render.
case "client":
    $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
    $template->setParams('sso', $users->createSSO($_SESSION['user']['id']));
    break;
[/SPOILER]

[SPOILER="SSOTicketEvent.cs"]
using System;

using Plus.Communication.Packets.Incoming;
using Plus.HabboHotel.GameClients;
using Plus.Communication.Packets.Outgoing.Handshake;

namespace Plus.Communication.Packets.Incoming.Handshake
{
    /// <summary>
    /// Handles the handshake packet that carries the client's SSO ticket.
    /// </summary>
    public class SSOTicketEvent : IPacketEvent
    {
        /// <summary>
        /// Reads the ticket from the packet and passes it to the session for authentication.
        /// </summary>
        /// <param name="Session">Client session that sent the packet.</param>
        /// <param name="Packet">Incoming packet; the ticket is read from it as a string.</param>
        public void Parse(GameClient Session, ClientPacket Packet)
        {
            // Ignore the packet when there is no session, when Session.RC4Client is null,
            // or when the session already has a Habbo attached.
            if (Session == null || Session.RC4Client == null || Session.GetHabbo() != null)
                return;

            // Empty tickets and tickets shorter than 15 characters are dropped.
            // NOTE(review): both guards return without logging or replying, so a ticket
            // rejected here leaves no trace on the server; a log line would make failed
            // logins easier to diagnose and to monitor.
            string SSO = Packet.PopString();
            if (string.IsNullOrEmpty(SSO) || SSO.Length < 15)
                return;

            Session.TryAuthenticate(SSO);
        }
    }
}
[/SPOILER]

If you need any more info please let me know

Thanks
[/QUOTE]