new-combats/game
3
0
Fork 0
Code Issues 23 Pull Requests Releases Wiki Activity

Хороним $_COOKIE['pass'], отказываемся от md5('pass'). Это не регистрация, а чёрная дыра!

Browse Source
This commit is contained in:
Ivor Barhansky
2023-01-06 16:57:25 +02:00
parent e9ec7eb2f2
commit 9e45f170c7
50 changed files with 1470 additions and 2242 deletions
Download Patch File Download Diff File Expand all files Collapse all files
enter.php
+139 -97
View File
@@ -39,9 +39,10 @@ if (isset($_GET['cookie_login']) && $_GET['cookie_login'] != '') {
function error($e)
{
die('
<link rel="stylesheet" href="error.css">
<div class="text-wrapper">
die(
'
<link rel="stylesheet" href="error.css">
<div class="text-wrapper">
<div class="title" data-content="Îøèáêà">
Îøèáêà!!
</div>
@@ -51,42 +52,30 @@ function error($e)
</div>
<div class="buttons">
<a class="button" href="https://new-combats.com">Âåðíóòüñÿ íàçàä</a>
<a class="button" href="' . Config::get('https') . '">Âåðíóòüñÿ íàçàä</a>
</div>
</div>
');
'
);
}
function md5m($src)
function checkPassword(string $password, string $passwordHash, string $login): bool
{
$tar = [16];
$res = [16];
$src = utf8_encode($src);
for ($i = 0; $i < strlen($src) || $i < 16; $i++) {
$res[$i] = ord($src[$i]) ^ $i * 4;
}
for ($i = 0; $i < 4; $i++) {
for ($j = 0; $j < 4; $j++) {
$tar[$i * 4 + $j] = ($res[$j * 4 + $i] + 256) % 256;
if (password_verify($password, $passwordHash)) { // check password
return true;
} else {
if (
md5($password) === $passwordHash || // convert old md5() password
password_needs_rehash($passwordHash, PASSWORD_DEFAULT) //rehash if PASSWORD_DEFAULT changed
) {
$hash = password_hash($password, PASSWORD_DEFAULT);
Db::sql('update users set pass = ? where login = ?', [$hash, $login]);
return true;
}
return false;
}
return ($tar);
}
function array2HStr($src): string
{
$hex = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F"];
$res = "";
for ($i = 0; $i < 16; $i++) {
$res = $res . ($hex[$src[$i] >> 4] . $hex[$src[$i] % 16]);
}
return ($res);
}
$socauth = false;
//ReCapthca
require_once "./recaptchalib.php";
// âàø ñåêðåòíûé êëþ÷
@@ -99,49 +88,75 @@ $response = null;
$reCaptcha = new ReCaptcha($secret);
if ($_POST["g-recaptcha-response"]) {
$response = $reCaptcha->verifyResponse(
$response = $reCaptcha->verifyResponse(
$_SERVER["REMOTE_ADDR"],
$_POST["g-recaptcha-response"]
);
}
//ReCapthca
$u = Db::getRow('select id, login, auth, pass, pass2, city, ip, ipreg, admin, online, banned, host_reg, timereg, securetime from users where login = ?', [$_POST['login']]);
$u = Db::getRow(
'select
users.id,
users.login,
auth,
pass,
pass2,
users.city,
users.ip,
ipreg,
admin,
online,
banned,
host_reg,
timereg,
securetime,
users_delo.text as block_reason
from users
left join users_delo on users.id = users_delo.uid
where users.login = ?',
[$_POST['login']]
);
$auth = Db::getValue('select id from logs_auth where uid = ? and ip = ?', [$u['id'], IP]);
if (
Config::get('securetime') > 0 &&
IP != $u['ip'] &&
IP != $u['ipreg'] &&
!isset($auth) &&
$u['securetime'] < Config::get('securetime') &&
$u['timereg'] < Config::get('securetime')
Config::get('securetime') > 0 &&
IP != $u['ip'] &&
IP != $u['ipreg'] &&
!isset($auth) &&
$u['securetime'] < Config::get('securetime') &&
$u['timereg'] < Config::get('securetime')
) {
error('Âû íå ìîæåòå âîéòè íà ïåðñîíàæà "' . $_POST['login'] . '".<br>Ñêîðåå âñåãî âû äàâíî íå ìåíÿëè ïàðîëü. Äëÿ ñìåíû ïåðåéäèòå ïî ññûëêå: <a href="/repass.php?login=' . htmlspecialchars($_POST['login'], null, 'cp1251') . '">ÑÌÅÍÀ ÏÀÐÎËß</a><br><br>Âàì íåîáõîäèìî ñìåíèòü ïàðîëü äëÿ áåçîïàñíîñòè ïåðñîíàæà, íà ïî÷òó ïî êîòîðîé çàðåãèñòðèðîâàí ïåðñîíàæ ïðèäåò íîâûé ñëó÷àéíî ñãåíåðèðîâàííûé ïàðîëü.<br>Åñëè ó âàñ íåò äîñòóïà ê E-mail: Çàðåãèñòðèðóéòå íîâîãî ïåðñîíàæà è îáðàòèòåñü ê Àäìèíèñòðàöèè, ëèáî ìîäåðàòîðàì.');
}
if (md5(md5($_POST['pass'])) == $u['pass']) {
$_POST['pass'] = md5($_POST['pass']);
error(
'Âû íå ìîæåòå âîéòè íà ïåðñîíàæà "' . $_POST['login'] . '".<br>
Ñêîðåå âñåãî âû äàâíî íå ìåíÿëè ïàðîëü.
Äëÿ ñìåíû ïåðåéäèòå ïî ññûëêå: <a href="/repass.php?login=' . $u['login'] . '">ÑÌÅÍÀ ÏÀÐÎËß</a><br><br>
Âàì íåîáõîäèìî ñìåíèòü ïàðîëü äëÿ áåçîïàñíîñòè ïåðñîíàæà,
íà ïî÷òó ïî êîòîðîé çàðåãèñòðèðîâàí ïåðñîíàæ ïðèäåò íîâûé ñëó÷àéíî ñãåíåðèðîâàííûé ïàðîëü.'
);
}
if (!isset($u['id'])) {
error('Ëîãèí "' . $_POST['login'] . '" íå íàéäåí â áàçå.');
} elseif ($u['pass'] != md5($_POST['pass']) && !$socauth) {
error('Íåâåðíûé ïàðîëü ê ïåðñîíàæó "' . $_POST['login'] . '".');
Db::sql('insert into logs_auth (uid, ip, browser, type, time, depass) values (?,?,?,3,unix_timestamp(),?)', [$u['id'], IP, $_SERVER['HTTP_USER_AGENT'], $_POST['pass']]);
} elseif ($u['banned'] > 0) {
$fm = Db::getValue('select text from users_delo where uid = ? and hb != 0 order by id desc limit 1', [$u['id']]) ?? '';
error('Ïåðñîíàæ <b>' . $_POST['login'] . '</b> çàáëîêèðîâàí.' . '<br>' . $fm . '<br>' . '<br><b>Âíèìàíèå!</b> Åñëè Âû óâåðåíû, ÷òî ïðîèçîøëà îøèáêà è Âû íè÷åãî íå íàðóøàëè, ïåðåðåãèñòðèðóéòåñü, îáüÿñíèòå ñèòóàöèþ àäìèíèñòðàöèè è îæèäàéòå îòâåòà!</a>' . '<br>Ïåðåä òåì êàê ïèñàòü, <b>ÂÍÈÌÀÒÅËÜÍÎ</b> îçíàêîìèòåñü ñ <a target="_blank" href="https://new-combats.com/lib/zakon/">äåéñòâóþùèìè çàêîíàìè.' . '<br><br>Åñëè Âû çàáëîêèðîâàíû ïðàâîìåðíî, òî ó Âàñ íåò øàíñîâ íà ðàçáëîêèðîâêó âàøåãî èãðîâîãî ïåðñîíàæà.');
$blockstr = "Ïåðñîíàæ <b>{$u['login']}</b> çàáëîêèðîâàí.";
$blockstr .= $u['block_reason'] ? "Ïðè÷èíà áëîêèðîâêè: {$u['block_reason']}<br><br>" : '<br><br>';
error($blockstr);
} elseif (!checkPassword($_POST['pass'], $u['pass'], $u['login'])) {
error("Íåâåðíûé ïàðîëü ê ïåðñîíàæó {$u['login']}.");
Db::sql(
'insert into logs_auth (uid, ip, browser, type, time, depass) values (?,?,?,3,unix_timestamp(),?)',
[$u['id'], IP, $_SERVER['HTTP_USER_AGENT'], $_POST['pass']]
);
} else {
//Âòîðîé ïàðîëü
if ($u['pass2'] != '' && $u['pass2'] != '0') {
if (!empty($u['pass2'])) {
$_SESSION['login'] = $_POST['login'];
$_SESSION['pass'] = $_POST['pass'];
$good2 = false;
$koko = '';
if (md5(array2HStr(md5m($_POST['code']))) == $u['pass2']) {
if (password_verify($_POST['code'], $u['pass2'])) {
$good2 = true;
unset($_SESSION['login'], $_SESSION['pass']);
} else {
@@ -150,11 +165,9 @@ if (!isset($u['id'])) {
}
setcookie('login', '', time() - 60 * 60 * 24, '', Config::get('host'));
setcookie('pass', '', time() - 60 * 60 * 24, '', Config::get('host'));
setcookie('login', '', time() - 60 * 60 * 24);
setcookie('pass', '', time() - 60 * 60 * 24);
}
if ($koko != '') {
if ($koko) {
$koko = '<b style="color: red">' . $koko . '</b>';
}
if (!$good2) {
@@ -272,25 +285,32 @@ if (!isset($u['id'])) {
}
}
$st = mysql_fetch_array(mysql_query('SELECT * FROM `stats` WHERE `id`="' . $u['id'] . '" LIMIT 1'));
if (!isset($st['id'])) {
mysql_query("INSERT INTO `stats` (`id`,`stats`) VALUES ('" . $u['id'] . "','s1=3|s2=3|s3=3|s4=3|rinv=40|m9=5|m6=10')");
if (!Db::getValue('select count(*) from stats where id = ?', [$u['id']])) {
Db::sql('insert into stats (id, stats) values (?,?)', [$u['id'], 's1=3|s2=3|s3=3|s4=3|rinv=40|m9=5|m6=10']);
}
$on = mysql_fetch_array(mysql_query('SELECT * FROM `online` WHERE `uid`="' . $u['id'] . '" LIMIT 1'));
if (!isset($on['id'])) {
mysql_query("INSERT INTO `online` (`uid`,`timeStart`) VALUES ('" . $u['id'] . "','" . time() . "')");
if (!Db::getValue('select count(*) from online where uid = ?', [$u['id']])) {
Db::sql('insert into online (uid, timeStart) values (?,unix_timestamp())', [$u['id']]);
}
if (isset($_COOKIE['login']) || isset($_COOKIE['pass'])) {
if (isset($_COOKIE['login'])) {
setcookie('login', '', time() - 60 * 60 * 24, '', Config::get('host'));
setcookie('pass', '', time() - 60 * 60 * 24, '', Config::get('host'));
}
//ìóëüòû
if ($u['admin'] === 0) {
$ipm1 = Db::getValue('select ip from logs_auth where uid = ? and ip != ? order by id limit 1', [$u['id'], $u['ip']]);
$ppl = Db::getRows('select * from logs_auth where ip != ? and (ip = ? or ip = ? or ip = ? or ip = ? or ip = ?)', ['', $u['ip'], $ipm1, $u['ipreg'], IP, $_COOKIE['ip']]);
$ipm1 = Db::getValue(
'select ip from logs_auth where uid = ? and ip != ? order by id limit 1',
[$u['id'], $u['ip']]
);
$ppl = Db::getRows(
'select * from logs_auth where ip != ? and (ip = ? or ip = ? or ip = ? or ip = ? or ip = ?)',
['', $u['ip'], $ipm1, $u['ipreg'], IP, $_COOKIE['ip']]
);
foreach ($ppl as $item) {
$ml = Db::getValue('select id from mults where (uid = ? and uid2 = ?) or (uid = ? and uid2 = ?) limit 1', [$item['uid'], $u['id'], $u['id'], $item['uid']]);
$ml = Db::getValue(
'select id from mults where (uid = ? and uid2 = ?) or (uid = ? and uid2 = ?) limit 1',
[$item['uid'], $u['id'], $u['id'], $item['uid']]
);
if (!$ml && $item['ip'] !== '' && $item['ip'] !== '127.0.0.1') {
Db::sql('insert into mults (uid, uid2, ip) VALUES (?,?,?)', [$u['id'], $item['uid'], $item['ip']]);
}
@@ -301,52 +321,69 @@ if (!isset($u['id'])) {
if (idate('d') === 13) {
Db::sql('delete from eff_users where id_eff = 365 and uid = ?', [$u['id']]);
Db::sql(
'insert into eff_users (id_eff, uid, name, data, overType, timeUse, no_Ace) values (365,?,?,?,47,unix_timestamp(),1)',
[
$u['id'],
'Äåíü Ðîæäåíèÿ Êëóáà',
'add_speedhp=500|add_speedmp=500|add_speed_dungeon=50|add_repair_discount=1|',
]
'insert into eff_users (id_eff, uid, name, data, overType, timeUse, no_Ace) values (365,?,?,?,47,unix_timestamp(),1)',
[
$u['id'],
'Äåíü Ðîæäåíèÿ Êëóáà',
'add_speedhp=500|add_speedmp=500|add_speed_dungeon=50|add_repair_discount=1|',
]
);
$chat->send('', $u['room'], $u['city'], '', $u['login'], ' ÷åñòü äíÿ ðîæäåíèÿ ïðîåêòà âû ïîëó÷àåòå ýôôåêò &quot;Äåíü Ðîæäåíèÿ Êëóáà&quot;!(Ýôôåêò îáíîâëÿåòñÿ êàæäûé ðàç êîãäà âû çàõîäèòå íà ïåðñîíàæà)', time(), 6, 0, 0, 0, 1);
$chat->send(
'', $u['room'], $u['city'], '', $u['login'],
' ÷åñòü äíÿ ðîæäåíèÿ ïðîåêòà âû ïîëó÷àåòå ýôôåêò &quot;Äåíü Ðîæäåíèÿ Êëóáà&quot;!(Ýôôåêò îáíîâëÿåòñÿ êàæäûé ðàç êîãäà âû çàõîäèòå íà ïåðñîíàæà)',
time(), 6, 0, 0, 0, 1
);
}
if (isset($_COOKIE['ip']) && $_COOKIE['ip'] != IP) {
Db::sql('insert into logs_auth (uid, ip, browser, type, time, depass) VALUES (?,?,?,1,unix_timestamp(),?)', [$u['id'], $_COOKIE['ip'], $_SERVER['HTTP_USER_AGENT'], md5($_POST['pass'])]);
Db::sql(
'insert into logs_auth (uid, ip, browser, type, time, depass) VALUES (?,?,?,1,unix_timestamp(),?)',
[$u['id'], $_COOKIE['ip'], $_SERVER['HTTP_USER_AGENT'], md5($_POST['pass'])]
);
}
setcookie('login', $_POST['login'], time() + 60 * 60 * 24 * 7, '', Config::get('host'));
setcookie('pass', $u['pass'], time() + 60 * 60 * 24 * 7, '', Config::get('host'));
setcookie('login', $_POST['login'], time() + 60 * 60 * 24 * 7);
setcookie('pass', md5($_POST['pass']), time() + 60 * 60 * 24 * 7);
setcookie('ip', IP, time() + 60 * 60 * 24 * 150, '');
if ($u['online'] < time() - 520) {
$sp = mysql_query('SELECT `user` FROM `friends` WHERE `friend` = ' . $u['id']);
while ($pl = mysql_fetch_array($sp)) {
$usr = mysql_fetch_array(mysql_query('SELECT `id`,`online`,`login`,`city`,`room` FROM `users` WHERE `id` = ' . $pl['user']));
if (isset($usr['id']) && $usr['online'] > time() - 600) {
$chat->send('', $usr['room'], $usr['city'], '', $usr['login'], 'Âàñ ïðèâåòñòâóåò: <b>' . $u['login'] . '</b>.', time(), 6, 0, 0, 0, 1);
}
$sp = Db::getRows('select room, city, login from users where online > unix_timestamp() - 600 and id in (select user from friends where friend = ?)', [$u['id']]);
foreach ($sp as $usr) {
$chat->send(
'', $usr['room'], $usr['city'], '', $usr['login'], 'Âàñ ïðèâåòñòâóåò: <b>' . $u['login'] . '</b>.',
time(), 6, 0, 0, 0, 1
);
}
}
$apu = '';
mysql_query('UPDATE `dump` SET `ver` = 1,`upd` = 2 WHERE `uid` = ' . $u['id']);
Db::sql('update dump set ver = 1, upd = 2 where uid = ?', [$u['id']]);
if (
$u['auth'] != md5($u['login'] . 'AUTH' . IP) ||
$_COOKIE['auth'] != md5($u['login'] . 'AUTH' . IP) ||
$u['auth'] == '' || $u['auth'] == '0'
$u['auth'] != md5($u['login'] . 'AUTH' . IP) ||
$_COOKIE['auth'] != md5($u['login'] . 'AUTH' . IP) ||
$u['auth'] == '' || $u['auth'] == '0'
) {
if (
$u['auth'] != '' &&
$u['auth'] != '0' &&
$u['ip'] != IP
$u['auth'] != '' &&
$u['auth'] != '0' &&
$u['ip'] != IP
) {
mysql_query("INSERT INTO `chat` (`new`,`city`,`room`,`login`,`to`,`text`,`time`,`type`,`toChat`) VALUES ('1','capitalcity','0','','" . $u['login'] . "','Â ïðåäûäóùèé ðàç ýòèì ïåðñîíàæåì çàõîäèëè ñ äðóãîãî êîìïüþòåðà " . date('d.m.Y H:i', $u['online']) . ". (Ïðåäûäóùèé ip: %" . $u['ip'] . ")','-1','6','0')");
mysql_query(
"INSERT INTO `chat` (`new`,`city`,`room`,`login`,`to`,`text`,`time`,`type`,`toChat`) VALUES
('1',
'capitalcity',
'0',
'',
'" . $u['login'] . "',
'Â ïðåäûäóùèé ðàç ýòèì ïåðñîíàæåì çàõîäèëè ñ äðóãîãî êîìïüþòåðà " .
date('d.m.Y H:i', $u['online']) . ". (Ïðåäûäóùèé ip: %" . $u['ip'] . ")',
'-1',
'6',
'0'
)"
);
}
$apu = "`auth` = '" . md5($u['login'] . 'AUTH' . IP) . "',";
setcookie('auth', md5($u['login'] . 'AUTH' . IP), time() + 60 * 60 * 24 * 365, '', 'new-combats.com');
@@ -359,13 +396,18 @@ if (!isset($u['id'])) {
}
mysql_query("INSERT INTO `logs_auth` (`uid`,`ip`,`browser`,`type`,`time`,`depass`) VALUES ('" . $u['id'] . "','" . IP . "','" . mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']) . "','0','" . time() . "','" . mysql_real_escape_string(md5($_POST['pass'])) . "')");
mysql_query(
"INSERT INTO `logs_auth` (`uid`,`ip`,`browser`,`type`,`time`,`depass`) VALUES ('" . $u['id'] . "','" . IP . "','" .
$_SERVER['HTTP_USER_AGENT'] . "','0','" . time() . "','" . mysql_real_escape_string(md5($_POST['pass'])) . "')"
);
mysql_query("UPDATE `users` SET " . $apu . "`ip`='" . $ipnew . "',`dateEnter`='" . mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']) . "',`online`='" . time() . "' WHERE `login` = '" . mysql_real_escape_string($_POST['login']) . "' AND `pass` = '" . mysql_real_escape_string(md5($_POST['pass'])) . "' LIMIT 1");
mysql_query(
"UPDATE `users` SET " . $apu . "`ip`='" . $ipnew . "',`dateEnter`='" . $_SERVER['HTTP_USER_AGENT'] .
"',`online`='" . time() . "' WHERE `login` = '" . mysql_real_escape_string($_POST['login']) .
"' AND `pass` = '" . mysql_real_escape_string(md5($_POST['pass'])) . "' LIMIT 1"
);
header('location: /bk');
if (isset($_POST['active_code_key'])) {
header('location: /active.php?code=' . htmlspecialchars($_POST['active_code_key'], null, 'cp1251'));
} else {
header('location: /bk');
}
}