VB.NET: check if a user is in a group
#11
Note that the above code should escape the username before using it in an SQL query. It is currently wide open to SQL injection.
#12
(2015-08-15, 08:24 AM)Euan T Wrote: Note that the above code should escape the username before using it in an SQL query. It is currently wide open to SQL injection.

How can I fix it?
I need that script and I don't know PHP; I'm a Java programmer.
#13
This should be a little better:

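<?php
/**
 * Usergroup lookup endpoint for MyBB.
 *
 * Input : request parameter "username".
 * Output: <user><usergroup>GID</usergroup></user> as XML, or MyBB's
 *         error("invalid user") page when the name is missing or unknown.
 *
 * Changes against the earlier listing:
 *  - the username is checked before any query is issued;
 *  - only the columns that are used are selected, so password hash, salt
 *    and login key are never loaded into this script;
 *  - the thread-count and who's-online lookups were dropped: their results
 *    were never written to the XML, so they were only extra database work
 *    on an endpoint anyone can call.
 *
 * NOTE(security): this endpoint performs no authentication. Anyone who can
 * reach it can test whether a username exists and read its primary group.
 * Restrict access (logged-in session, shared secret, or IP allow-list) if
 * that disclosure matters for your board.
 */
header ("Content-Type:text/xml"); 
define("IN_MYBB", 1);
require_once "./global.php";
require_once "./inc/functions_time.php";

// Accept only a non-empty string; an array-valued parameter (username[]=x)
// must not reach escape_string().
$username = '';
if(isset($mybb->input['username']) && is_string($mybb->input['username']))
{
   $username = $mybb->input['username'];
}

$user = null;
if($username !== '')
{
   // escape_string() keeps the value inside the quoted SQL literal.
   $query = $db->simple_select("users", "uid,usergroup", "username='".$db->escape_string($username)."'", array('limit' => 1));
   $user = $db->fetch_array($query);
}

if($user)
{
   $usergroupcache = $cache->read("usergroups");

   // Emit the gid only when the cached group exists; otherwise an empty node.
   $gid = '';
   if(isset($usergroupcache[$user['usergroup']]['gid']))
   {
      $gid = (string) $usergroupcache[$user['usergroup']]['gid'];
   }

   $doc = new DOMDocument();
   $doc->formatOutput = true;

   $u = $doc->createElement("user");
   $doc->appendChild($u);

   // createTextNode() escapes XML metacharacters in the value.
   $usergroup = $doc->createElement("usergroup");
   $usergroup->appendChild($doc->createTextNode($gid));
   $u->appendChild($usergroup);

   echo $doc->saveXML();
}
else
{
   error("invalid user");
}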

#14
(2017-06-26, 01:40 PM)Euan T Wrote: This should be a little better:

<?php
// Quoted copy of the usergroup lookup script: returns the primary group id
// of the requested username as XML.
// NOTE(review): no authentication is performed anywhere in this script, so
// any caller can probe usernames and read their group.
header ("Content-Type:text/xml"); 
define("IN_MYBB", 1);
require_once "./global.php";
require_once "./inc/functions_time.php";

// The username is escaped before being placed in the quoted SQL literal.
// The query runs even when no username was supplied; the emptiness check
// only happens on the next statement.
$user = $db->simple_select("users", "*", "username='".$db->escape_string($mybb->input['username'])."'");

if($mybb->input['username'] && $db->num_rows($user) != 0)
{
   $user = $db->fetch_array($user);
   $usergroupcache = $cache->read("usergroups");
   
   $doc = new DOMDocument();
   $doc->formatOutput = true;

   $u = $doc->createElement("user");
   $doc->appendChild($u);

   // createTextNode() escapes the value for XML.
   $usergroup = $doc->createElement("usergroup");
   $usergroup->appendChild($doc->createTextNode($usergroupcache[$user['usergroup']]['gid']));
   
   // uid comes from the database row and is concatenated without an (int)
   // cast here, unlike the sessions query below. $numthreads is never
   // written to the XML.
   $numthreads = $db->simple_select("threads", "COUNT(tid) as count", "uid = ".$user['uid']);
   $numthreads = $db->fetch_field($numthreads, "count");
  
   // Most recent session inside the who's-online cutoff window.
   $timesearch = TIME_NOW - $mybb->settings['wolcutoffmins']*60;
   $query = $db->simple_select("sessions", "location,nopermission", "uid='".((int) $user['uid'])."' AND time>'".$timesearch."'", array('order_by' => 'time', 'order_dir' => 'DESC', 'limit' => 1));
   $session = $db->fetch_array($query);
   
   // $onlinestatustext is computed in both branches but never output.
   if ($db->num_rows($query) == 0)
   {
       $onlinestatustext = "Offline";
   }
   else
   {
       require_once MYBB_ROOT."inc/functions_online.php";
       $lang->load("online");
       $location = fetch_wol_activity($session['location'], $session['nopermission']);
       $location = build_friendly_wol_location($location);
       $onlinestatustext = "Online - ".strip_tags($location);
   }
   
   $u->appendChild($usergroup);

   echo $doc->saveXML();
}
else
{
   error("invalid user");
}


Thanks. So this script doesn't contain any vulnerabilities?
#15
I don't think so, but I haven't tested it. The obvious issues are fixed in it.
#16
(2017-06-26, 09:01 PM)Euan T Wrote: I don't think so, but I haven't tested it. The obvious issues are fixed in it.

Thanks very much.
Sorry to ask, but will you be able to test the script later?
#17
This user has been denied support. This user has been denied support.
better vb.net mybb_login_system_with_HWID_lock

What's needed:

2 buttons
7 labels
2 textboxes
2 timers
1 textbox named txtHWID
WebBrowser1
WebBrowser2
WebBrowser3


Imports System.IO
Imports System.Net
Imports System.Threading
Imports System.Management
Imports System.Security
Imports System.Security.Policy

Public Class Form1

   Dim login As Integer
   Dim confirm As Integer
   Dim runlogin As Integer
   Dim updateneeded As Integer
   Dim firstlaunch As Integer
   Dim confirmhwid As Integer
   Dim updatecolor As Integer

   Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load


   


       WebBrowser1.Navigate("/forum/member.php?action=login")
       WebBrowser2.Navigate("/forum/usercheck.php")
       WebBrowser3.Navigate("/forum/hwid.php")

       'Loads user settings
       If My.Settings.check = True Then
           TextBox1.Text = My.Settings.username
           TextBox2.Text = My.Settings.password
           CheckBox1.Checked = My.Settings.check
       Else
           'Do nothing
       End If

       'Check connection to website
       Try
      '     My.Computer.Network.Ping("your web server ipaddress")
       Catch
           MsgBox("Error: Unable to connect to the website", vbCritical)
           Application.Exit()
       End Try

       'Generate HWID
       Dim hw As New clsComputerInfo

       Dim cpu As String
       Dim mb As String
       Dim mac As String
       Dim hwid As String

       cpu = hw.GetProcessorId()
       mb = hw.GetMotherboardID()
       mac = hw.GetMACAddress()
       hwid = cpu + mb + mac

       Dim hwidEncrypted As String = Strings.UCase(hw.getMD5Hash(cpu & mb & mac))

       txtHWID.Text = hwidEncrypted
       'HWID Generated

       Timer1.Start()
       Timer2.Start()

       'Local Version
       Dim currentVerison As String
       currentVerison = "1.0.0.0"

       'Web Version
       Dim address As String = "/forum/version.txt"
       Dim client As WebClient = New WebClient()
       Dim reader As StreamReader = New StreamReader(client.OpenRead(address))
       Label4.Text = reader.ReadToEnd
       Label4.ForeColor = Color.Transparent
       Label4.Location = New Point(1000, 2000)

       If (currentVerison < Label4.Text) Then
           updateneeded = 1
       ElseIf (currentVerison > Label4.Text) Then
           updateneeded = 1
       Else
           updateneeded = 0
       End If

       Label6.Text = "Current Status: Waiting for input"

       If My.Computer.FileSystem.FileExists("C:\temp\Nova\Nova.Hook") Then
       Else
           firstlaunch = 1
           System.IO.Directory.CreateDirectory("C:\temp\Nova\")
           My.Computer.FileSystem.WriteAllText("c:\temp\nova\Nova.Hook", "", False)
           Dim ToHideDir As New System.IO.DirectoryInfo("C:\temp\Nova\")
           ToHideDir.Attributes = IO.FileAttributes.Hidden
       End If


       'Dim pName As String = "Steam"
       'Dim psList() As Process
       'Try
       'psList = Process.GetProcesses()
       'For Each p As Process In psList
       'If (pName = p.ProcessName) Then
       'MsgBox("Steam is currently running! Please close steam before using the loader", MsgBoxStyle.Exclamation)
       'Me.Close()
       'End If
       'Next p

       'Catch ex As Exception
       'MsgBox(ex.Message)
       'End Try

       'Dim appPath As String = My.Application.Info.DirectoryPath
       'If appPath.Contains("C:\") Then
       'MsgBox("The loader must be run from a USB! Please move the loader's .exe onto a USB then execute!")
       'Me.Close()
       'End If
   End Sub
   ' Confirm HWID
   Private Class clsComputerInfo
       'Get processor ID
       Friend Function GetProcessorId() As String
           Dim strProcessorID As String = String.Empty
           Dim query As New SelectQuery("Win32_processor")
           Dim search As New ManagementObjectSearcher(query)
           Dim info As ManagementObject
           For Each info In search.Get()
               strProcessorID = info("processorID").ToString()
           Next
           Return strProcessorID
       End Function
       ' Get MAC Address
       Friend Function GetMACAddress() As String
           Dim mc As ManagementClass = New ManagementClass("Win32_NetworkAdapterConfiguration")
           Dim moc As ManagementObjectCollection = mc.GetInstances()
           Dim MacAddress As String = String.Empty
           For Each mo As ManagementObject In moc
               If (MacAddress.Equals(String.Empty)) Then
                   If CBool(mo("IPEnabled")) Then MacAddress = mo("MacAddress").ToString()
                   mo.Dispose()
               End If
               MacAddress = MacAddress.Replace(":", String.Empty)
           Next
           Return MacAddress
       End Function
       ' Get Motherboard ID
       Friend Function GetMotherboardID() As String
           Dim strMotherboardID As String = String.Empty
           Dim query As New SelectQuery("Win32_BaseBoard")
           Dim search As New ManagementObjectSearcher(query)
           Dim info As ManagementObject
           For Each info In search.Get()
               strMotherboardID = info("product").ToString()
           Next
           Return strMotherboardID
       End Function
       ' Encrypt HWID
       Friend Function getMD5Hash(ByVal strToHash As String) As String
           Dim md5Obj As New System.Security.Cryptography.MD5CryptoServiceProvider
           Dim bytesToHash() As Byte = System.Text.Encoding.ASCII.GetBytes(strToHash)
           bytesToHash = md5Obj.ComputeHash(bytesToHash)
           Dim strResult As String = ""
           For Each b As Byte In bytesToHash
               strResult += b.ToString("x2")
           Next
           Return strResult
       End Function
   End Class
   ' Timer start
   Private Sub Timer1_Tick(sender As Object, e As EventArgs) Handles Timer1.Tick
       If (firstlaunch = 1) Then
           Form6.Show()
           Timer1.Stop()
       Else
           Timer1.Stop()
       End If
   End Sub
   ' Login button
   ''' <summary>
   ''' Starts a login attempt: fills the login, usercheck and HWID forms that
   ''' were pre-loaded in the three embedded browsers and submits each one.
   ''' The results are evaluated in the DocumentCompleted handlers.
   ''' </summary>
   Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
       ' Disabled until a handler re-enables it; if all three Try blocks
       ' fail, nothing in this method turns the button back on.
       Button1.Enabled = False
       login = 1

       ' Forum login form. The bare Catch hides the real exception (for
       ' example a page that has not finished loading, so Document or the
       ' element is Nothing).
       Try
           WebBrowser1.Document.GetElementById("username").SetAttribute("value", TextBox1.Text)
           WebBrowser1.Document.GetElementById("password").SetAttribute("value", TextBox2.Text)
           WebBrowser1.Document.GetElementById("submit").InvokeMember("click")
       Catch
           MsgBox("Error: Login function not setup right. Yell at the 'dev' until he figures out how to read the README.md", vbCritical)
       End Try

       ' Group lookup form (usercheck.php). It is submitted regardless of
       ' whether the login above succeeds.
       Try
           WebBrowser2.Document.GetElementById("username").SetAttribute("value", TextBox1.Text)
           WebBrowser2.Document.GetElementById("submit").InvokeMember("click")
       Catch
           MsgBox("Error: Usercheck function not setup right. Yell at the 'dev' until he figures out how to read the README.md", vbCritical)
       End Try

       ' HWID form (hwid.php). That form uses method="get", so username and
       ' HWID end up in the request URL and in web-server logs.
       Try
           WebBrowser3.Document.GetElementById("username").SetAttribute("value", TextBox1.Text)
           WebBrowser3.Document.GetElementById("hwidin").SetAttribute("value", txtHWID.Text)
           WebBrowser3.Document.GetElementById("submit").InvokeMember("click")
       Catch
           MsgBox("Error: HWID function not setup right. Yell at the 'dev' until he figures out how to read the README.md", vbCritical)
       End Try
   End Sub

   ' Exit button
   ''' <summary>Exit button: terminates the application.</summary>
   Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
       Application.Exit()
   End Sub
   ' Login check
   ''' <summary>
   ''' Evaluates the forum login response once WebBrowser1 finishes loading,
   ''' but only for a load that Button1_Click started (login = 1).
   ''' </summary>
   ''' <remarks>
   ''' NOTE(security): success is decided by searching the returned HTML for
   ''' a fixed phrase on the client. Anything that can alter the page text or
   ''' the client itself can satisfy this check, so the server must enforce
   ''' access on its own.
   ''' </remarks>
   Private Sub WebBrowser1_DocumentCompleted(sender As Object, e As WebBrowserDocumentCompletedEventArgs) Handles WebBrowser1.DocumentCompleted
       If login = 1 Then
           ' Consume the flag so later page loads are ignored.
           login = 0
           Try
               Label6.Text = "Current Status: Checking password"
               If WebBrowser1.DocumentText.Contains("<p>You have successfully been logged in") Then
                   Label6.Text = "Current Status: Password accepted"
                   ' Hands over to the group check.
                   confirm = 1
               Else
                   Label6.ForeColor = Color.Red
                   Label6.Text = "Current Status: Password rejected!"
                   ' Reload the login form for the next attempt.
                   WebBrowser1.Navigate("/forum/member.php?action=login")
                   MsgBox("Error: Username or password is incorrect", vbCritical)
                   ' Runs on the UI thread, so the form is frozen for 150 ms.
                   Thread.Sleep(150)
                   Button1.Enabled = True
               End If
           Catch ex As Exception
               ' ex is not logged or shown; the cause of the failure is lost.
               MsgBox("Error: Forum login not working. Yell at the 'dev' until they learn to read the README.md", vbCritical)
           End Try
       End If
   End Sub
   ' Status check
   Private Sub WebBrowser2_DocumentCompleted(sender As Object, e As WebBrowserDocumentCompletedEventArgs) Handles WebBrowser1.DocumentCompleted
       If confirm = 1 Then
           confirm = 0

           Try
               Label6.Text = "Current Status: Checking account status"

               If WebBrowser2.DocumentText.Contains("2") Then ' Check if they are "registered"
                   Label6.Text = "Current Status: User is not premium"
                   Label6.ForeColor = Color.Red
                   confirmhwid = 0
               Else
                   If WebBrowser2.DocumentText.Contains("4") Then ' Check if they are "banned"

                       Label6.Text = "Current Status: User is banned"
                       Label6.ForeColor = Color.Red
                       confirmhwid = 1
                   Else
                       If WebBrowser2.DocumentText.Contains("8") Then ' Check if they are "Premium CS:GO"
                           Label6.Text = "Current Status: Group accepted"
                           MsgBox("Premium CS:GO")
                           confirmhwid = 1
                       Else
                           If WebBrowser2.DocumentText.Contains("10") Then ' Check if they are "Premium CS:GO Beta"
                               Label6.Text = "Current Status: Group accepted"
                               MsgBox("Premium CS:GO Beta")
                               confirmhwid = 1
                           Else
                               If WebBrowser2.DocumentText.Contains("9") Then ' Check if they are "Premium CS:GO Lite"
                                   Label6.Text = "Current Status: Group accepted"
                                   MsgBox("Premium CS:GO Lite")
                                   confirmhwid = 1
                               Else
                                   If WebBrowser2.DocumentText.Contains("11") Then ' Check if they are "Premium Garry's Mod"
                                       Label6.Text = "Current Status: Group accepted"
                                       MsgBox("Premium Garry's Mod")
                                       confirmhwid = 1
                                   Else
                                       If WebBrowser2.DocumentText.Contains("4") Then ' Check if they are "Admin"
                                           Label6.Text = "Current Status: Group accepted"
                                           MsgBox("Administrator")
                                           confirmhwid = 1
                                       End If
                                   End If
                               End If
                           End If
                       End If
                   End If
               End If
           Catch ex As Exception
               MsgBox("Error: usercheck_get.php not working. Yell at the 'dev' until they learn to read the README.md", vbCritical)
           End Try
       End If

       'Admin---------------------4
       'Premium Garry's Mod-------11
       'Premium CS:GO Lite--------9
       'Premium CS:GO Beta--------10
       'Premium CS:GO-------------8
       'Banned--------------------7
       'Not-----------------------2

   End Sub
   ' HWID check
   Private Sub WebBrowser3_DocumentCompleted_1(sender As Object, e As WebBrowserDocumentCompletedEventArgs) Handles WebBrowser3.DocumentCompleted
       If confirmhwid = 1 Then
           confirmhwid = 0
           Try
               Label6.Text = "Current Status: Checking HWID"
               If WebBrowser3.DocumentText.Contains("HWID is correct") Then
                   Label6.Text = "Current Status: HWID accepted!"

                   If (CheckBox1.Checked = True) Then
                       My.Settings.check = True
                   ElseIf (CheckBox1.Checked = False) Then
                       My.Settings.check = False
                   End If

                   My.Settings.username = TextBox1.Text
                   My.Settings.password = TextBox2.Text
                   My.Settings.Save()
                   TextBox1.Text = ""
                   TextBox2.Text = ""
                   TextBox1.Focus()
                   Form3.Show()
                   Me.Hide()
                   Button1.Enabled = True
               ElseIf WebBrowser3.DocumentText.Contains("HWID is not correct") Then
                   WebBrowser1.Navigate("/forum/member.php?action=login")
                   WebBrowser2.Navigate("/forum/usercheck.php")
                   WebBrowser3.Navigate("/forum/hwid.php")
                   Label6.ForeColor = Color.Red
                   Label6.Text = "Current Status: HWID rejected!"
                   MsgBox("Error: HWID is incorrect", vbCritical)
                   Thread.Sleep(250)
                   Button1.Enabled = True
               ElseIf WebBrowser3.DocumentText.Contains("") Then
                   WebBrowser1.Navigate("/forum/member.php?action=login")
                   WebBrowser2.Navigate("/forum/usercheck.php")
                   WebBrowser3.Navigate("/forum/hwid.php")
                   Label6.ForeColor = Color.Red
                   Label6.Text = "Current Status: HWID rejected!"
                   MsgBox("Error: No user with that name (HWID)", vbCritical)
                   Thread.Sleep(250)
                   Button1.Enabled = True
               End If
           Catch ex As Exception
               MsgBox("Error: hwid_get.php not working. Yell at the 'dev' until they learn to read the README.md", vbCritical)
           End Try
       End If
   End Sub
   ' Login fix
   ''' <summary>Hides this form and shows Form2.</summary>
   Private Sub Label1_Click(sender As Object, e As EventArgs) Handles Label1.Click
       Me.Hide()
       Form2.Show()
   End Sub
   ' Update Script





   ''' <summary>Empty click handler for the status label; it performs no action.</summary>
   Private Sub Label6_Click(sender As Object, e As EventArgs) Handles Label6.Click

   End Sub

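   ' This is the updater script. Un-comment it if you want the update function. It's kind of useless in my opinion UNLESS you are doing more than just CS:GO cheats.
   ' NOTE(review): as written it downloads Updater.exe and starts it without any signature or hash check. Verify the download (for example against a pinned hash, fetched over HTTPS) before enabling this.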
   'Private Sub Timer2_Tick(sender As Object, e As EventArgs) Handles Timer2.Tick
   '    If (updateneeded = 1) Then
   '        Timer2.Stop()
   '        Dim exePath As String = Application.ExecutablePath()
   '        My.Computer.FileSystem.WriteAllText("c:\temp\nova\Nova.Hook.Path", exePath, False)
   '        Me.Hide()
   '        Dim appPath As String = My.Application.Info.DirectoryPath
   '        If My.Computer.FileSystem.FileExists(appPath + "\Updater.exe") Then
   '            Process.Start(appPath + "\Updater.exe")
   '            Application.Exit()
   '        Else
   '            My.Computer.Network.DownloadFile("/forum/Updater.exe", appPath + "\Updater.exe")
   '            Process.Start(appPath + "\Updater.exe")
   '            Application.Exit()
   '        End If
   '    Else
   '        Timer2.Stop()
   '    End If
   'End Sub
End Class


php files

hwid.php

code:

<html>

<head>
<title>PHP hwid check</title>

<style type="text/css">
a {
    color: #0060B6;
    text-decoration: none;
}

a:hover 
{
     color:#00A0C6; 
     text-decoration:none; 
     cursor:pointer;  
}

#footer
{
    clear: both;
 background: white;
    padding: 0;
 border: 1px groove #aaaaaa;
    text-align: center;
    vertical-align: 10px;
    line-height: normal;
    margin: 0;
    position: fixed;
    bottom: 0px;
 left: -1px;
    width: 100%;
 height: 60px;
}

#text
{
    clear: both;
    padding: 0;
    text-align: center;
    vertical-align: middle;
    line-height: normal;
    margin: 0;
    position: relative;
    top: 70px;
 left: -10px;
    width: 100%;
 padding-bottom: 40px;
}

input{
   text-align:center;
}
</style>

</head>

<body>

<!-- Manual/test form for hwid_get.php. The VB.NET client fills in the
     "username" and "hwidin" fields by id and clicks "submit". -->
<!-- NOTE(review): method="get" puts the username and HWID in the request URL,
     where they are kept in browser history, proxy logs and web-server logs.
     hwid_get.php reads $_GET, so switching to POST needs a matching change
     there. The form carries no authentication or anti-CSRF token. -->
<div class="text" id="text">
<font color="black" size="5"><b>Virus MyBB "API" v1.0.0.0</b></font>
 <br>
 <br>
 <form action="hwid_get.php" method="get">
 <input type="text" name="username" id="username" placeholder="Username to check"><br>
 <input type="text" name="hwidin" id="hwidin" placeholder="HWID"><br>
 <div style="padding-top: 7px;"></div>
 <input name="submit" id="submit" type="submit">
 </form>
</div>

<div class="footer" id="footer"><p>Copyright &copy Virus 2017</p></div>


 
</body>

</html>

hwid_get.php
code

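<?php
/**
 * hwid_get.php - compares or binds a hardware id for a MyBB username.
 *
 * Input (GET): username, hwidin.
 * Output (text the client matches on, unchanged):
 *   "HWID value left empty"  - hwidin missing or empty
 *   "HWID is correct"        - stored hwid equals hwidin
 *   "HWID is not correct"    - stored hwid differs
 *   the previous stored value (empty) - first use, hwidin was just bound
 *   nothing                  - unknown username
 *
 * Fixes against the earlier listing:
 *  - the UPDATE concatenated $hwid and $user unescaped into SQL; both
 *    statements are now prepared with bound parameters;
 *  - "!=" compared loosely, so two different digests of the form 0E<digits>
 *    were treated as equal; hash_equals() compares exact bytes;
 *  - the failing SQL text and the MySQL error are logged, not echoed.
 *
 * NOTE(security): the script performs no authentication. Any caller can bind
 * an HWID to an account that has none yet, and can test usernames. Require
 * an authenticated session (or a server-side secret) before binding.
 */
$link = mysqli_connect('localhost','your-dataabase-username','your-databse-password-here','your-databaase name');
if (!$link)
{
 // Keep connection details out of the response.
 error_log("hwid_get.php: database connection failed");
 http_response_code(500);
 exit;
}
$database = mysqli_select_db($link,'database_name');

// Accept plain strings only; array parameters (username[]=x) become empty.
$user = (isset($_GET['username']) && is_string($_GET['username'])) ? $_GET['username'] : '';
$hwid = (isset($_GET['hwidin']) && is_string($_GET['hwidin'])) ? $_GET['hwidin'] : '';

if(strlen($hwid) < 1)
{
 echo "HWID value left empty";
}
else
{
 $found = false;
 $storedHwid = '';

 $select = mysqli_prepare($link, "SELECT hwid FROM mybb_users WHERE username = ? LIMIT 1");
 if ($select)
 {
  mysqli_stmt_bind_param($select, 's', $user);
  mysqli_stmt_execute($select);
  mysqli_stmt_bind_result($select, $storedHwid);
  $found = (mysqli_stmt_fetch($select) === true);
  // Close before issuing the UPDATE on the same connection.
  mysqli_stmt_close($select);
 }
 else
 {
  error_log("hwid_get.php: select failed: " . mysqli_error($link));
 }

 if ($found)
 {
  $storedHwid = (string) $storedHwid;

  if (strlen($storedHwid) > 1)
  {
   if (hash_equals($storedHwid, $hwid))
   {
    echo "HWID is correct";
   }
   else
   {
    echo "HWID is not correct";
   }
  }
  else
  {
   // First use: bind the submitted HWID to this account.
   $update = mysqli_prepare($link, "UPDATE mybb_users SET hwid = ? WHERE username = ?");
   if ($update && mysqli_stmt_bind_param($update, 'ss', $hwid, $user) && mysqli_stmt_execute($update))
   {
    echo htmlspecialchars($storedHwid, ENT_QUOTES, 'UTF-8');
   }
   else
   {
    error_log("hwid_get.php: update failed: " . mysqli_error($link));
    echo "ERROR: Could not update HWID.";
   }
   if ($update)
   {
    mysqli_stmt_close($update);
   }
  }
 }
}

?>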

<html>
<head>
<title>PHP account check return</title>

</head>

<body>

</body>
</html>

usercheck.php

<html>

<head>
<title>PHP account check</title>

<style type="text/css">
a {
    color: #0060B6;
    text-decoration: none;
}

a:hover 
{
     color:#00A0C6; 
     text-decoration:none; 
     cursor:pointer;  
}

#footer
{
    clear: both;
 background: white;
    padding: 0;
 border: 1px groove #aaaaaa;
    text-align: center;
    vertical-align: 10px;
    line-height: normal;
    margin: 0;
    position: fixed;
    bottom: 0px;
 left: -1px;
    width: 100%;
 height: 60px;
}

#text
{
    clear: both;
    padding: 0;
    text-align: center;
    vertical-align: middle;
    line-height: normal;
    margin: 0;
    position: relative;
    top: 70px;
 left: -10px;
    width: 100%;
 padding-bottom: 40px;
}

input{
   text-align:center;
}
</style>

</head>

<body>

<!-- Manual/test form for usercheck_get.php. The VB.NET client fills in the
     "username" field by id and clicks "submit". -->
<!-- NOTE(review): the form is reachable without login and uses method="get",
     so looked-up usernames appear in URLs and server logs. -->
<div class="text" id="text">
<font color="black" size="5"><b>Virus's MyBB "API" v23.0.0.0</b></font>
 <br>
 <br>
 <form action="usercheck_get.php" method="get">
 <input type="text" name="username" id="username" placeholder="Username to check"><br>
 <div style="padding-top: 7px;"></div>
 <input name="submit" id="submit" type="submit">
 </form>
</div>

<div class="footer" id="footer"><p>Copyright &copy Thaisen 2017</p></div>


</body>

</html>

usercheck_get.php

code

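<?php
/**
 * usercheck_get.php - prints the primary and additional group ids of a
 * MyBB username.
 *
 * Input (GET): username.
 * Output: usergroup immediately followed by additionalgroups, or
 *         "No user with the username <name>" when nothing matches.
 *
 * Fixes against the earlier listing:
 *  - the username was echoed back unescaped (reflected XSS); it is now
 *    HTML-escaped;
 *  - the trailing eval() on $templates->get("forumdisplay") was removed:
 *    $templates is never defined in this standalone script, so the line
 *    ended every request with a fatal error, and eval() of template text
 *    has no purpose here;
 *  - the lookup uses a prepared statement.
 *
 * NOTE(review): usergroup and additionalgroups are printed with no
 * separator (8 and "2,10" become "82,10"), so a consumer cannot parse the
 * ids reliably. The format is kept because the client matches on it.
 * NOTE(security): the script performs no authentication; any caller can
 * enumerate usernames and read their groups.
 */

$link = mysqli_connect('localhost','your-dataabase-username','your-databse-password-here','your-databaase name');
if (!$link)
{
 // Keep connection details out of the response.
 error_log("usercheck_get.php: database connection failed");
 http_response_code(500);
 exit;
}
$database = mysqli_select_db($link,'mybb');

// Accept plain strings only; array parameters (username[]=x) become empty.
$user = (isset($_GET['username']) && is_string($_GET['username'])) ? $_GET['username'] : '';

$rows = 0;
$usergroup = '';
$additionalgroups = '';

$select = mysqli_prepare($link, "SELECT usergroup, additionalgroups FROM mybb_users WHERE username = ?");
if ($select)
{
 mysqli_stmt_bind_param($select, 's', $user);
 mysqli_stmt_execute($select);
 mysqli_stmt_bind_result($select, $usergroup, $additionalgroups);

 // Outputting the rows
 while (mysqli_stmt_fetch($select) === true)
 {
  $rows++;
  echo htmlspecialchars((string) $usergroup, ENT_QUOTES, 'UTF-8');
  echo htmlspecialchars((string) $additionalgroups, ENT_QUOTES, 'UTF-8');
 }
 mysqli_stmt_close($select);
}
else
{
 error_log("usercheck_get.php: select failed: " . mysqli_error($link));
}

if ($rows === 0)
{
 echo "No user with the username " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}
?>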

<html>
<head>
<title>PHP account check return</title>

</head>

<body>

</div>
</body>

1. Open phpMyAdmin (or whatever tool you use for SQL management) and navigate to your mybb_users table.

2. Click on the "Structure" tab at the top of phpMyAdmin.

3. Now add a new column named "hwid" of type "varchar" with a maximum length of "255".

file Download For full source code

http://quainator.com/22D1

