MyBB Hacks

Full Version: Admin Can Login as Any User
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4 5 6 7 8 9
(07-31-2011 02:05 AM)RateU Wrote: [ -> ]Please make sure that you have {$adminoptions} variable in your member_profile template.

As far as I know, this plugin doesn't touch that variable at all. This plugin doesn't add anything to that template directly in activation process, and doesn't remove anything in deactivate process from it. The additional hijack options will be added "on the fly". This plugin only "care" the {$modoptions} variable in that template, not {$adminoptions} variable.

That's what I know.

Just to make it clear that the error was in from my side. If you hide all admin link from the config.php file, this plugin will not be visible as well.
Where is the styling for this plugin defined? Don't really need this thing using a whole table.
It's in the plugin file itself.  Open it up and scroll down - you'll see the HTML code near the bottom of the file.
Great, thanks.
(08-24-2010 08:59 AM)ZiNgA BuRgA Wrote: [ -> ]Yes, you have to be very explicit when you say these things, or I won't be able to figure out what you want exactly.

If you want to exclude users to be hijackable, don't do the edit I said earlier, instead, find both instances:

PHP Code:
if(!$user) error('Invalid UserID supplied.');

for both, add after:

PHP Code:
if(in_array($user['uid'], array(1,2,3))) error('Cannot log in / clear key of this user.');


The link will still appear, but won't work.


Where would I put that code in here?

PHP Code:
<?php

if(!defined("IN_MYBB"))
	die("This file cannot be accessed directly.");

$plugins->add_hook('member_login', 'admhijack_login');
$plugins->add_hook('member_logout_start', 'admhijack_logout');
$plugins->add_hook('member_profile_end', 'admhijack_profile');

function admhijack_info()
{
	return array(
		'name'			=> 'Admins can log into Users\' accounts',
		'description'	=> 'Allows admins to log into another user\'s account via their profile, and quickly swap back to their account via the Logout link.',
		'website'		=> 'http://mybbhacks.zingaburga.com/',
		'author'		=> 'ZiNgA BuRgA',
		'authorsite'	=> 'http://zingaburga.com/',
		'version'		=> '1.2',
		'compatibility'	=> '1*',
		'guid'			=> '8a4c3db281e87508c50386874e650297'
	);
}

function admhijack_login()
{
	global $mybb;
	if(($mybb->usergroup['cancp'] != 'yes' && $mybb->usergroup['cancp'] != 1) || $mybb->input['do'] != 'hijack' || !$mybb->input['uid'])
		return;
	
	verify_post_check($mybb->input['my_post_key']);
	$user = get_user(intval($mybb->input['uid']));
	if(!$user) error('Invalid UserID supplied.');
	my_setcookie('mybbadminuser', $mybb->user['uid'].'_'.$mybb->user['loginkey'], null, true);
	my_setcookie('mybbuser', $user['uid'].'_'.$user['loginkey'], null, true);
	redirect('index.php', 'You have successfully logged in as '.htmlspecialchars_uni($user['username']).'<br />You will be redirected to the forum index...');
	exit;
}

function admhijack_logout()
{
	global $mybb, $lang;
	
	if(($mybb->usergroup['cancp'] == 'yes' || $mybb->usergroup['cancp'] == 1) && $mybb->input['do'] == 'regenkey' && $mybb->input['uid'])
	{
		verify_post_check($mybb->input['my_post_key']);
		$user = get_user(intval($mybb->input['uid']));
		if(!$user) error('Invalid UserID supplied.');
		update_loginkey($user['uid']);
		redirect('member.php?action=profile&uid='.$user['uid'], 'You have successfully forced the selected user to log out.');
		exit;
	}
	
	if($mybb->version_code >= 1400)
		$cookies =& $mybb->cookies;
	else
		$cookies =& $_COOKIE;
	
	if(!$cookies['mybbadminuser'])
		return;
	
	if(!$mybb->user['uid'])
		redirect('index.php', $lang->redirect_alreadyloggedout);
	// Check session ID if we have one
	if($mybb->input['sid'] && $mybb->input['sid'] != $session->sid)
		error($lang->error_notloggedout);
	// Otherwise, check logoutkey
	else if(!$mybb->input['sid'] && $mybb->input['logoutkey'] != $mybb->user['logoutkey'])
		error($lang->error_notloggedout);
	my_setcookie('mybbuser', $cookies['mybbadminuser'], null, true);
	my_unsetcookie('mybbadminuser');
	
	redirect('member.php?action=profile&uid='.$mybb->user['uid'], 'You have logged out of the hijacked account and will be logged back in to your admin account.');
	exit;
}

function admhijack_profile()
{
	global $templates, $mybb;
	if($mybb->usergroup['cancp'] != 'yes' && $mybb->usergroup['cancp'] != 1)
		return;
	
	if(!$templates->cache['member_profile'])
		$templates->cache('member_profile');
	
	$templates->cache['member_profile'] = str_replace('{$modoptions}','{$modoptions}<br /><table border="0" cellspacing="{$theme[\'borderwidth\']}" cellpadding="{$theme[\'tablespace\']}" width="100%" class="tborder">
<tr>
<td colspan="2" class="thead"><strong>Admin Options</strong></td>
</tr>
<tr>
<td class="trow1">
<ul>
<li><a href="{$mybb->settings[\'bburl\']}/member.php?action=login&amp;do=hijack&amp;uid={$uid}&amp;my_post_key={$mybb->post_code}">Log in as this user</a></li>
<li><a href="{$mybb->settings[\'bburl\']}/member.php?action=logout&amp;do=regenkey&amp;uid={$uid}&amp;my_post_key={$mybb->post_code}">Force this user to log out (if logged in)</a></li>
</ul>
</td>
</tr>
</table>',$templates->cache['member_profile']);
}

?>

Lulwut?
I want to exclude users to be hijackable.
I wouldn't have guessed...
So where would I put the code?
Where you were directed to put the code.
Pages: 1 2 3 4 5 6 7 8 9
Reference URL's