@md-5
Created Apr 26, 2013
<?php
/*
Script for XenForo 1.X
Tested with: 1.1.X
Created by: #SG# Sharkiller
Forked by: JWhy
Version: 0.2.1
*/
###############
## Variables ##
###############
# Password meant to gate use of this script.
# NOTE(review): no code in this script reads $secret; the only access control actually
# applied is the REMOTE_ADDR comparison in the "Security check" section.
$secret = 'CHANGE_THIS';

# Database info
# NOTE(review): the defaults connect as MySQL root with an empty password. The script only
# runs SELECTs against xf_user_authenticate, xf_user_field_value and xf_user, so a dedicated
# account limited to reading those tables is enough.
$db_server = 'localhost';
$db_user   = 'root';
$db_passwd = '';
$db_name   = 'xf';

# Name of the XenForo custom user field that holds the Minecraft nickname.
$field = 'MCUSER';

# Nicknames (admins) whose successful login is not announced in the broadcast message.
$ignore = array('admin1', 'admin2');

##############
## Messages ##
##############
# Texts returned to the caller; the section-sign sequences are kept exactly as configured.
$msg = array();
$msg['login_successful'] = '§8%s §7has logged in. Forum account: §8%s';
$msg['user_not_exist']   = '§6§kasdasd§4 Does the user exist? §6§kasdasd';
$msg['player_not_exist'] = '§4§kasdas§6 Nick not associated in forum. §4§kasdas';
$msg['user_banned']      = '§6§kasdasd§4 The user is banned. §6§kasdasd';
$msg['wrong_data']       = '§6Failed to read the user data. Contact an admin!';
$msg['wrong_password']   = '§4Wrong password! §6 Use §a/login forum-password';
////////////////////////////////////////////////
// Don't change below this if you don't know. //
////////////////////////////////////////////////
####################
## Security check ##
####################
// Only the IPv4 loopback address may call this script; any other peer gets a bare 403.
// NOTE(review): REMOTE_ADDR is the address of the direct TCP peer. If a reverse proxy on
// this host forwards requests to PHP, every request arrives from 127.0.0.1 and passes this
// comparison - confirm the deployment before relying on it. $secret is not checked here.
if ('127.0.0.1' !== $_SERVER['REMOTE_ADDR']) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
###############
## FUNCTIONS ##
###############
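# Request parameters sent by the caller (POST fields: user, pass, action).
# Each value is taken only when it is present and a plain string. A missing field yields
# null without an undefined-index notice, and array input (e.g. user[]=x) is dropped to
# null instead of being carried into string interpolation, hash() or the action check.
$nickname = (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : null;
$password = (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : null;
$action   = (isset($_POST['action']) && is_string($_POST['action'])) ? $_POST['action'] : null;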
/**
 * Send the response to the caller, close the database connection and end the script.
 *
 * This function never returns: it always finishes with exit.
 *
 * @param string $msg      Text inserted into the template.
 * @param string $template printf() format for the response; the default marks it as an error.
 */
function done($msg, $template = "ERROR\n%s")
{
    echo sprintf($template, $msg);
    // The connection object lives in the global scope of the script.
    $GLOBALS['mysqli']->close();
    exit;
}
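/**
 * Tell whether a nickname is on the global $ignore list, i.e. its successful login
 * should not produce the broadcast message.
 *
 * @param string $nick Minecraft nickname sent by the caller.
 * @return bool true when the nickname is listed in $ignore, false otherwise.
 */
function ignore($nick)
{
    global $ignore;
    // Strict comparison: a loose in_array() compares numeric-looking strings as numbers,
    // so '10' would match a configured '1e1'. Nicknames must match exactly.
    return in_array($nick, $ignore, true);
}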
################################
## Only support login for now ##
################################
# Action names: login, register, online, offline.
# Anything other than "login" is refused with a 403 before the database is touched.
if (!($action == "login")) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
###############
## Code here ##
###############
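# Init MySQL connection (closed again by done()).
$mysqli = new mysqli($db_server, $db_user, $db_passwd, $db_name);

# The nickname comes straight from the request. Refuse anything that is not a string
# (missing field, array input) before it is used in a query.
if (!is_string($nickname)) {
    done($msg["player_not_exist"]);
}

# Obtain user data (UserID, DataBlob) from Minecraft Nickname.
# The request value is bound as a parameter rather than written into the SQL text, so its
# content cannot change the structure of the query. The query text is otherwise unchanged.
$stmt = $mysqli->prepare("SELECT `data`, `user_id` FROM `xf_user_authenticate` WHERE `user_id` = (SELECT `user_id` FROM `xf_user_field_value` WHERE `field_value` = ? AND `field_id` = ?) LIMIT 1") or done('MySQL Error 1');
$stmt->bind_param('ss', $nickname, $field);
$stmt->execute();
$stmt->bind_result($data, $user_id);
$success = $stmt->fetch();
$stmt->close();

# Check if a user has the nickname associated
if (!$success) {
    done($msg["player_not_exist"]);
}

# Obtain user data (Username, Ban Status) from UserID.
# $user_id comes from the previous query; it is bound as an integer for the same reason.
$stmt = $mysqli->prepare("SELECT `username`, `is_banned` FROM `xf_user` WHERE `user_id` = ? LIMIT 1") or done('MySQL Error 2');
$stmt->bind_param('i', $user_id);
$stmt->execute();
$stmt->bind_result($username, $is_banned);
$success = $stmt->fetch();
$stmt->close();

# Check if user exists
if (!$success) {
    done($msg["user_not_exist"]);
}

# Check if banned
if ($is_banned == 1) {
    done($msg["user_banned"]);
}

# Check and read user data blob: two quoted 64-character [a-z0-9] values are expected,
# first the stored hash, then the salt. A blob in any other format ends in "wrong_data".
if (preg_match("/\"([a-z0-9]{64})\".*\"([a-z0-9]{64})\"/", $data, $matches) !== 1) {
    done($msg["wrong_data"]);
}

# A password that is not a string (missing field, array input) cannot be hashed.
if (!is_string($password)) {
    done($msg["wrong_password"]);
}

# Hashing password for XenForo: sha256(sha256(password) . salt), as stored in the blob.
$hashforo = $matches[1];
$salt = $matches[2];
$hashpass = hash("sha256", hash("sha256", $password).$salt);

# Wrong password
# Compare as strings, in constant time where hash_equals() is available. A loose != would
# compare two numeric-looking hex strings as numbers instead of byte by byte.
$hash_ok = function_exists('hash_equals')
    ? hash_equals($hashforo, $hashpass)
    : ($hashforo === $hashpass);
if (!$hash_ok) {
    done($msg["wrong_password"]);
}

# Login Successful: ignored nicknames get an empty message, everyone else the broadcast text.
$message = "";
if (!ignore($nickname)) {
    $message = sprintf($msg["login_successful"], $nickname, $username);
}
done($message, "YES\n%s");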
?>