V3 #85

Merged
merged 15 commits into from
Oct 27, 2023
Merged

V3 #85

PUSH
-> Fixed some more SQL injections
-> Finish #73
-> Code formating / cleanup
-> Fixed more bugs
NaysKutzu committed Oct 24, 2023
commit dfc29154c6545301ebdcf3ddfc8382f261c82451
2 changes: 1 addition & 1 deletion .github/README.md
@@ -3,7 +3,7 @@
# MythicalDash

Open-Source Client Area for Pterodactyl
MythicalDash is currently in development by [@SnyderWillCode](https://github.com/SnyderWillCode) & [@NaysKutzu](https://github.com/nayskutzu).
MythicalDash is currently in development by [@NaysKutzu](https://github.com/nayskutzu).

# Docs
https://docs.mythicalsystems.me/docs/mythicaldash/intro
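--- a/app/SessionManager.php
+++ b/app/SessionManager.php
@@ -0,0 +1,101 @@
+<?php
+
+namespace MythicalDash;
+use MythicalDash\Database\Connect;
+
+
+class SessionManager
+{
+private $dbConnection;
+private $encryption;
+public function __construct()
+{
+$dbConnector = new Connect();
+$this->dbConnection = $dbConnector->connectToDatabase();
+$this->encryption = new Encryption();
+}
+
+public function authenticateUser()
+{
+if (isset($_COOKIE['token'])) {
+$session_id = mysqli_real_escape_string($this->dbConnection,$_COOKIE['token']);
+$query = "SELECT * FROM mythicaldash_users WHERE api_key='" . $session_id . "'";
+$result = mysqli_query($this->dbConnection, $query);
+
+if (mysqli_num_rows($result) > 0) {
+session_start();
+$_SESSION["token"] = $session_id;
+$_SESSION['loggedin'] = true;
+} else {
+$this->redirectToLogin($this->getFullUrl());
+}
+} else {
+$this->redirectToLogin($this->getFullUrl());
+}
+}
+
+public function getUserInfo($info)
+{
+$session_id = mysqli_real_escape_string($this->dbConnection, $_COOKIE["token"]);
+$safeInfo = $this->dbConnection->real_escape_string($info);
+$query = "SELECT `$safeInfo` FROM mythicaldash_users WHERE api_key='$session_id' LIMIT 1";
+$result = $this->dbConnection->query($query);
+
+if ($result && $result->num_rows > 0) {
+$row = $result->fetch_assoc();
+return $row[$info];
+} else {
+return null; // User or data not found
+}
+}
+
+private function redirectToLogin($fullUrl)
+{
+$this->deleteCookies();
+header('location: /auth/login?r=' . $fullUrl);
+die();
+}
+
+private function deleteCookies()
+{
+if (isset($_SERVER['HTTP_COOKIE'])) {
+$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
+foreach ($cookies as $cookie) {
+$parts = explode('=', $cookie);
+$name = trim($parts[0]);
+setcookie($name, '', time() - 1000);
+setcookie($name, '', time() - 1000, '/');
+}
+}
+}
+public function getIP()
+{
+if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
+$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
+$_SERVER['HTTP_CLIENT_IP'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
+}
+$client = @$_SERVER['HTTP_CLIENT_IP'];
+$forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
+$remote = $_SERVER['REMOTE_ADDR'];
+
+if (filter_var($client, FILTER_VALIDATE_IP)) {
+$ip = $client;
+} elseif (filter_var($forward, FILTER_VALIDATE_IP)) {
+$ip = $forward;
+} else {
+$ip = $remote;
+}
+
+return $ip;
+}
+private function getFullUrl()
+{
+$fullUrl = "http";
+if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) {
+$fullUrl .= "s";
+}
+$fullUrl .= "://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+return $fullUrl;
+}
+}
+?>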
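Review bot: `getUserInfo()` interpolates `$info` as a column name inside backticks, but `real_escape_string()` escapes quote characters, not backticks, so the identifier position of that query is not protected by the escaping; restrict `$info` to a fixed set of column names before building the query, e.g. `if (!in_array($info, ['email', 'username', 'api_key'], true)) { return null; }` (list to be completed from the schema). `getIP()` also copies the `CF-Connecting-IP` request header over `$_SERVER['REMOTE_ADDR']` and then returns that raw value as the last-resort fallback without passing it through `filter_var()`, so the method can return any header-supplied string; drop the `$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];` line so the fallback remains the socket address, and honour the proxy headers only where the deployment is known to sit behind that proxy. In `authenticateUser()`, `mysqli_num_rows($result)` is reached without checking that `mysqli_query()` returned a result rather than `false`; `getUserInfo()` already does this check and the two should agree.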
4 changes: 3 additions & 1 deletion crons/server.php
@@ -123,7 +123,9 @@
'LIT_PACKAGES' => '',
'JS_FILE' => 'index.js',
'JARFILE' => 'app.jar',
'MAIN_FILE' => 'index.js'
'MAIN_FILE' => 'index.js',
'PROJECT_FILE' => 'MyProject.sln',
'PROJECT_DIR' => '/home/container'
),
'limits' => array(
'memory' => $server['ram'],
17 changes: 0 additions & 17 deletions functions/getclientip.php

This file was deleted.

49 changes: 0 additions & 49 deletions functions/session.php

This file was deleted.

17 changes: 2 additions & 15 deletions include/main.php
@@ -1,4 +1,5 @@
<?php
use MythicalDash\ErrorHandler;
use Symfony\Component\Yaml\Yaml;
$config = Yaml::parseFile('../config.yml');
$appsettings = $config['app'];
@@ -7,7 +8,7 @@
$ekey = $appsettings['encryptionkey'];
$cfg_is_console_on = $appsettings['disable_console'];
if ($ekey == "") {
die("Failed to start MythicalDash: Please set a strong encryption key in config.yml");
ErrorHandler::ShowCritical("Failed to start MythicalDash: Please set a strong encryption key in config.yml");
}
if ($cfg_debugmode == true) {
ini_set('display_errors', 1);
@@ -27,20 +28,6 @@
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
}
//DATABASE CONNECTION
$dbsettings = $config['database'];
$dbhost = $dbsettings['host'];
$dbport = $dbsettings['port'];
$dbusername = $dbsettings['username'];
$dbpassword = $dbsettings['password'];
$dbname = $dbsettings['database'];
$conn = new mysqli($dbhost . ':' . $dbport, $dbusername, $dbpassword, $dbname);
if ($conn->connect_error) {
\MythicalDash\ErrorHandler::ShowCritical("Can't connect to the database: ".$conn->connect_error);
}
//GET USER REAL IP
include('../functions/getclientip.php');
$ip_address = getclientip();
//APP URL
$prot = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
$svhost = $_SERVER['HTTP_HOST'];
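Review bot: The empty-key check now calls `ErrorHandler::ShowCritical(...)` where the previous line called `die(...)`; `ShowCritical`'s definition is not on this page, so unless it terminates the request itself, execution continues past the check with an empty `$ekey`. If it only renders an error page, follow the call with `exit;`, or document on `ShowCritical` that it never returns so the contract is visible at call sites. The removed block also means `$conn` and `$ip_address` are no longer defined by main.php; the auth views in this commit create their own `Connect`, but any other includer of main.php that still reads `$conn` is not visible here and should be checked.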
1 change: 1 addition & 0 deletions public/index.php
@@ -22,6 +22,7 @@
}

$router = new \Router\Router();

if (file_exists('FIRST_INSTALL')) {
$router->add("/", function () {
require("../install/welcome.php");
2 changes: 1 addition & 1 deletion view/admin/users/delete_user.php
@@ -10,7 +10,7 @@
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if (mysqli_num_rows($result) > 0) {
$user_info = $conn->query("SELECT * FROM mythicaldash_users WHERE id = '" . $_GET['id'] . "'")->fetch_array();
$user_info = $conn->query("SELECT * FROM mythicaldash_users WHERE id = '" . mysqli_real_escape_string($conn, $_GET['id']) . "'")->fetch_array();
deleteUserServers($conn, $user_info['api_key'], SettingsManager::getSetting("PterodactylURL"), SettingsManager::getSetting("PterodactylAPIKey"));
deleteUserServersInQueue($conn, $user_info['api_key'], SettingsManager::getSetting("PterodactylURL"), SettingsManager::getSetting("PterodactylAPIKey"));
deleteApiKeys($conn, $user_info['api_key']);
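Review bot: The new line still builds the user lookup by string concatenation, only now with `mysqli_real_escape_string()` applied to `$_GET['id']`, while the lines directly above already run a prepared statement against the same table. If that statement selects the same row, the re-query can be replaced by `$user_info = mysqli_fetch_array($result);`; otherwise bind the id in a second statement: `$stmt2 = mysqli_prepare($conn, 'SELECT * FROM mythicaldash_users WHERE id = ?'); mysqli_stmt_bind_param($stmt2, 'i', $_GET['id']); mysqli_stmt_execute($stmt2); $user_info = mysqli_fetch_array(mysqli_stmt_get_result($stmt2));`. A bound integer also removes the dependence on the column's implicit cast from the quoted string. The enclosing `if` block continues past the hunk.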
15 changes: 10 additions & 5 deletions view/auth/discord.php
@@ -1,5 +1,10 @@
<?php
use MythicalDash\SettingsManager;
use MythicalDash\SessionManager;
$session = new SessionManager();
use MythicalDash\Database\Connect;
$conn = new Connect();
$conn = $conn->connectToDatabase();
if (SettingsManager::getSetting("enable_discord_link") == "true") {
if (isset($_GET['code'])) {
$tokenUrl = 'https://discord.com/api/oauth2/token';
@@ -51,10 +56,10 @@
die();
} else {
$usr_id = $row['api_key'];
if ($ip_address == "127.0.0.1") {
$ip_address = "12.34.56.78";
if ($session->getIP() == "127.0.0.1") {
$session->getIP() = "12.34.56.78";
}
$url = "http://ipinfo.io/$ip_address/json";
$url = "http://ipinfo.io/".$session->getIP()."/json";
$data = json_decode(file_get_contents($url), true);

if (isset($data['error']) || $data['org'] == "AS1221 Telstra Pty Ltd") {
@@ -83,12 +88,12 @@
header('location: /auth/login?e=Using multiple accounts is really sad when using free services!');
die();
}
$conn->query("INSERT INTO mythicaldash_login_logs (ipaddr, userkey) VALUES ('" . $ip_address . "', '$usr_id')");
$conn->query("INSERT INTO mythicaldash_login_logs (ipaddr, userkey) VALUES ('" . $session->getIP() . "', '$usr_id')");

$cookie_name = 'token';
$cookie_value = $token;
setcookie($cookie_name, $cookie_value, time() + (10 * 365 * 24 * 60 * 60), '/');
$conn->query("UPDATE `mythicaldash_users` SET `last_ip` = '" . $ip_address . "' WHERE `mythicaldash_users`.`api_key` = '" . $usr_id . "';");
$conn->query("UPDATE `mythicaldash_users` SET `last_ip` = '" . $session->getIP() . "' WHERE `mythicaldash_users`.`api_key` = '" . $usr_id . "';");
header('location: /dashboard');
}
} else {
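Review bot: `$session->getIP() = "12.34.56.78";` assigns to a method call, which PHP rejects at compile time ("Can't use method return value in write context"), so this file no longer parses; login.php carries the same two lines with an additional `$$`. Read the address once into a local and keep the existing `$ip_address` uses that the hunk replaces: `$ip_address = $session->getIP();` followed by `if ($ip_address == "127.0.0.1") { $ip_address = "12.34.56.78"; }`, after which the `ipinfo.io` URL and the INSERT/UPDATE lines can stay as `$ip_address`. Calling `getIP()` on every use also re-reads the request headers four times per login for no benefit. The `else` branch this sits in starts and ends outside the hunk.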
10 changes: 7 additions & 3 deletions view/auth/forgot-password.php
@@ -3,7 +3,11 @@
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
use MythicalDash\SettingsManager;

use MythicalDash\SessionManager;
use MythicalDash\Database\Connect;
$conn = new Connect();
$conn = $conn->connectToDatabase();
$session = new SessionManager();
$csrf = new MythicalDash\CSRF();
if (SettingsManager::getSetting("enable_smtp") == "false") {
header('location: /auth/login?e=We are sorry but this host dose not have a SMTP server setup');
@@ -115,7 +119,7 @@
<a href="mailto:' . $email . '" class="hover-underline"
style="font-family: Montserrat, sans-serif; mso-line-height-rule: exactly; color: #7367f0; text-decoration: none;">' . $email . '</a>
from the IP - <span
style="font-weight: 600;">' . $ip_address . '</span> .
style="font-weight: 600;">' . $session->getIP() . '</span> .
</p>
<p
style="font-family: Montserrat, sans-serif; mso-line-height-rule: exactly; margin: 0; margin-bottom: 24px;">
@@ -207,7 +211,7 @@
try {
$mail->send();
//LOG TO DATABASE
$conn->query("INSERT INTO `mythicaldash_resetpasswords` (`email`, `ownerkey`, `resetkeycode`, `ip_addres`) VALUES ('" . $email . "', '" . $userdb['api_key'] . "', '" . $skey . "', '" . $ip_address . "');");
$conn->query("INSERT INTO `mythicaldash_resetpasswords` (`email`, `ownerkey`, `resetkeycode`, `ip_addres`) VALUES ('" . $email . "', '" . $userdb['api_key'] . "', '" . $skey . "', '" . $session->getIP() . "');");
//SOME Functions
$domain = substr(strrchr($email, "@"), 1);
$redirections = array('gmail.com' => 'https://mail.google.com', 'yahoo.com' => 'https://mail.yahoo.com', 'hotmail.com' => 'https://outlook.live.com', 'outlook.com' => "https://outlook.live.com", 'gmx.net' => "https://gmx.net", 'icloud.com' => "https://www.icloud.com/mail", 'me.com' => "https://www.icloud.com/mail", 'mac.com' => "https://www.icloud.com/mail", );
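Review bot: The `INSERT INTO mythicaldash_resetpasswords` line concatenates `$session->getIP()` into the SQL string with no escaping or binding, and `getIP()` as added in app/SessionManager.php can return a raw request-header value through its `REMOTE_ADDR` fallback; the INSERT and UPDATE lines of discord.php and login.php have the same shape. Use a prepared statement here: `$ip = $session->getIP(); $stmt = $conn->prepare('INSERT INTO mythicaldash_resetpasswords (email, ownerkey, resetkeycode, ip_addres) VALUES (?, ?, ?, ?)'); $stmt->bind_param('ssss', $email, $userdb['api_key'], $skey, $ip); $stmt->execute();`, which also covers `$email` and `$skey` whose escaping is not visible in this hunk. The `try` block containing this line continues past the hunk.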
19 changes: 11 additions & 8 deletions view/auth/login.php
@@ -1,7 +1,11 @@
<?php
use MythicalDash\CloudFlare\Captcha;
use MythicalDash\SettingsManager;

use MythicalDash\SessionManager;
use MythicalDash\Database\Connect;
$conn = new Connect();
$conn = $conn->connectToDatabase();
$session = new SessionManager();
session_start();
$csrf = new MythicalDash\CSRF();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
@@ -10,12 +14,11 @@
if (SettingsManager::getSetting("enable_turnstile") == "false") {
$captcha_success = 1;
} else {
$captcha_success = Captcha::validate_captcha($_POST["cf-turnstile-response"], $ip_address, SettingsManager::getSetting("turnstile_secretkey"));
$captcha_success = Captcha::validate_captcha($_POST["cf-turnstile-response"], $session->getIP(), SettingsManager::getSetting("turnstile_secretkey"));
}
if ($captcha_success) {
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$ip_address = getclientip();
if (!$email == "" || !$password == "") {
$query = "SELECT * FROM mythicaldash_users WHERE email = '$email'";
$result = mysqli_query($conn, $query);
@@ -32,10 +35,10 @@
exit; // Stop execution if user is banned
} else {
$usr_id = $row['api_key'];
if ($ip_address == "127.0.0.1") {
$ip_address = "12.34.56.78";
if ($$session->getIP() == "127.0.0.1") {
$$session->getIP() = "12.34.56.78";
}
$url = "http://ipinfo.io/$ip_address/json";
$url = "http://ipinfo.io/".$session->getIP()."/json";
$data = json_decode(file_get_contents($url), true);

if (isset($data['error']) || $data['org'] == "AS1221 Telstra Pty Ltd") {
@@ -64,12 +67,12 @@
header('location: /auth/login?e=Using multiple accounts is really sad when using free services!');
die();
}
$conn->query("INSERT INTO mythicaldash_login_logs (ipaddr, userkey) VALUES ('" . $ip_address . "', '$usr_id')");
$conn->query("INSERT INTO mythicaldash_login_logs (ipaddr, userkey) VALUES ('" . $session->getIP() . "', '$usr_id')");

$cookie_name = 'token';
$cookie_value = $token;
setcookie($cookie_name, $cookie_value, time() + (10 * 365 * 24 * 60 * 60), '/');
$conn->query("UPDATE `mythicaldash_users` SET `last_ip` = '" . $ip_address . "' WHERE `mythicaldash_users`.`api_key` = '" . $usr_id . "';");
$conn->query("UPDATE `mythicaldash_users` SET `last_ip` = '" . $session->getIP() . "' WHERE `mythicaldash_users`.`api_key` = '" . $usr_id . "';");
if (isset($_GET['r'])) {
header('location: ' . $_GET['r']);
} else {
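Review bot: `$$session->getIP()` on the two lines in the `else` branch uses a variable-variable on an object, so PHP tries to convert the `SessionManager` instance to a string for a variable name, and the second line additionally assigns to a method call, which does not compile; read the value once with `$ip_address = $session->getIP();`, test and override that local, and let the `ipinfo.io` URL and the INSERT/UPDATE lines use `$ip_address` again. As a point of style, `$conn = new Connect(); $conn = $conn->connectToDatabase();` reuses one variable for a `Connect` and then for the driver connection, which hides the type at every later `$conn` use; `$connector = new Connect(); $conn = $connector->connectToDatabase();` keeps both readable, here and in the matching lines of discord.php and forgot-password.php. The branch containing these lines starts outside the hunk.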