|
| 05 Aug 2012 11:45 PM |
Well, kind of.
See, a couple hours ago jordan posted something that caught my eye. He asked that if Studio had access to /asset, could it also have access to /admi, too?
I used RBXPri's escalated command bar to find out.
print(game:HttpGet("http://roblox/admi", true))
>> [html] [head] [title][/title] [!-- [script language="javascript"] window.location.replace("http://www.roblox.com/My/Home.aspx?LoginDefault=1&nl=true"); [/script] --] [/head] [body] [/body] [/html]
This is run when you access /admi through a browser, too.
So here there are two options:
1. Either /admi is abandoned and no longer used OR
2. /admi is configured to give that code to unrecognized IPs and run the panel if a whitelisted IP appears
And I figured while I'm at it, I should also test the ones denied in robots.txt (http://roblox.com/robots.txt):
Admi -- already showed
AbuseReport -- 403 Forbidden
Data -- 403 Forbidden
Error -- 403 Forbidden
JavaScript -- 404 Not Found
CombineScriptsHandler.ashx -- 404 Not Found
Forum/AddPost.aspx -- 500 Internal Server Error, although it gave me the source when I added ?ForumID=33
Asset -- Value does not fall within expected range -- Lua error, presumably because I didn't give an ID
Ads -- http://roblox.com/Ads, check it out yourself
The next thing I will try to do is use HttpPost to post a reply to this thread. I'll need to figure out the arguments first though.
| 05 Aug 2012 11:57 PM |
| The reason why the studio can access assets is because of the user agent it uses, WinInet or something similar. |
| 06 Aug 2012 12:06 AM |
| This is a test reply that Fiddler will intercept. This will help me figure out what to send when I try the HttpPost test. |
| 06 Aug 2012 12:10 AM |
Okay, from that test, I learned the following:
ctl00$cphRoblox$Createeditpost1$PostForm$PostBody -- This contains the body
ctl00$cphRoblox$Createeditpost1$PostForm$PostButton -- This is most likely to test if the form has been submitted or not; "Post" should be the value used for it
ctl00$cphRoblox$Createeditpost1$PostForm$PostSubject -- Forum subject
I will now attempt the HttpPost test. However, while viewing the form's request I noticed a __EVENTVALIDATION field, so I cannot guarantee the test will succeed.
| 06 Aug 2012 12:18 AM |
print(game:HttpPost("http://www.roblox.com/Forum/AddPost.aspx?PostID=74700361&mode=flat","ctl00$cphRoblox$Createeditpost1$PostForm$PostBody=this+is+a+test&ctl00$cphRoblox$Createeditpost1$PostForm$PostSubject=testing&ctl00$cphRoblox$Createeditpost1$PostForm$PostButton=Post"))
So, HttpPost didn't do anything, it didn't print to output or anything else.
Sadly, I was unable to make a forum post from the game itself. |
| 06 Aug 2012 12:25 AM |
@Julien
So you're saying if I mask my Chrome browser's User-Agent to WinInet asset will suddenly become available to me? |
stravant
|
  |
 |
| Joined: 22 Oct 2007 |
| Total Posts: 2893 |
|
|
| 06 Aug 2012 12:27 AM |
| Yup, pretty much. Or whatever user agent it is that studio is using now. |
hoihoi2
|
  |
| Joined: 18 Jun 2009 |
| Total Posts: 792 |
|
| |
|
Solotaire
|
  |
| Joined: 30 Jul 2009 |
| Total Posts: 30356 |
|
| |
|
|
| 06 Aug 2012 12:39 AM |
| Google rbxpri, the link should be co(dot)cc. They have their own website, you can find most related things there. |
| 06 Aug 2012 12:39 AM |
"So you're saying if I mask my Chrome browser's User-Agent to WinInet asset will suddenly become available to me?"
Yep.
NXTBoy even made a website that does it for you and allows you to download any ROBLOX model, and even view their XML hierarchy and see the source of the scripts in them. |
| 06 Aug 2012 12:40 AM |
Link?
I've seen it before, I just forgot the link x_x |
| 06 Aug 2012 12:42 AM |
Don't worry.
In 2 seconds, he will magically appear and post the link.
It happens every single time someone talks about it. No idea why. Every time someone talks about it, he magically logs on and posts the link... |
Solotaire
|
  |
| Joined: 30 Jul 2009 |
| Total Posts: 30356 |
|
|
| 06 Aug 2012 12:45 AM |
"Copyright 2005 ROBLOX Corporation All Rights Reserved. Used With Permission" When did they get permission? |
| 06 Aug 2012 12:46 AM |
| When ROBLOX told localchum they couldn't distribute the modified client, so localchum made a work-around and got permission from the mods. |
Solotaire
|
  |
| Joined: 30 Jul 2009 |
| Total Posts: 30356 |
|
|
| 06 Aug 2012 12:50 AM |
"When ROBLOX told localchum they couldn't distribute the modified client" Sounds like permission to me! Good enough! What was the workaround? |
| 06 Aug 2012 12:52 AM |
| He made the program install and modify the client during installation directly from ROBLOX's site, therefore not breaking any copyright. |
Solotaire
|
  |
| Joined: 30 Jul 2009 |
| Total Posts: 30356 |
|
|
| 06 Aug 2012 12:54 AM |
it installed without making me switch to my administrator account yay |
| 06 Aug 2012 01:02 AM |
Some old source from when I did it. Ignore the fact it is VB.
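Imports System.IO
Imports System.Net
Imports System.Windows.Forms

' Fetch the asset with the User-Agent header set to "Roblox/WinInet"
Dim HttpRequest As HttpWebRequest = DirectCast(WebRequest.Create("http://www.roblox.com/asset/?id=80293983"), HttpWebRequest)
HttpRequest.UserAgent = "Roblox/WinInet"
HttpRequest.Method = "GET"
Dim ResponseStream As HttpWebResponse = DirectCast(HttpRequest.GetResponse(), HttpWebResponse)
Dim Reader As StreamReader = New StreamReader(ResponseStream.GetResponseStream())
Dim DownloadedAsset As String = Reader.ReadToEnd()
Reader.Close()

' Write the response body to a file next to the executable
Dim FileStream As StreamWriter = IO.File.CreateText(Path.GetDirectoryName(Application.ExecutablePath) & "/asset.text")
FileStream.Write(DownloadedAsset)
FileStream.Close()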
NXTs site roblox-asset . comoj . com |
|
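Added example, not part of any post in this thread and not ROBLOX's code: the thread describes /asset being gated on the User-Agent string alone, so this sketch puts that header-only check beside a gate that requires a token the server signed for one user and one asset. The X-Asset-Token header, SERVER_KEY and all function names are hypothetical; the asset ID and user agent string are the ones quoted above.

```python
import hashlib
import hmac
import time

# Assumption: a secret held only by the server (constructed value for the demo).
SERVER_KEY = b"constructed-demo-key"
TRUSTED_AGENT = "Roblox/WinInet"  # user agent string quoted in the thread


def weak_gate(headers):
    """Header-only gate: any client that sends the right string passes."""
    return headers.get("User-Agent") == TRUSTED_AGENT


def _sign(user_id, asset_id, expires):
    msg = f"{user_id}:{asset_id}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, asset_id, now=None, ttl=300):
    """Server side: bind a short-lived token to one user and one asset."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{user_id}:{asset_id}:{expires}:{_sign(user_id, asset_id, expires)}"


def strong_gate(headers, asset_id, now=None):
    """Accept only an unexpired token the server signed for this asset."""
    parts = headers.get("X-Asset-Token", "").split(":")
    if len(parts) != 4:
        return False
    user_id, tok_asset, expires, sig = parts
    expected = _sign(user_id, tok_asset, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged or altered token
    if int(expires) < (time.time() if now is None else now):
        return False  # expired
    return tok_asset == str(asset_id)  # token is for a different asset


def demo():
    spoofed = {"User-Agent": TRUSTED_AGENT}  # what any HTTP client can send
    token = issue_token(user_id=1, asset_id=80293983, now=1000)
    signed = {"User-Agent": "AnyBrowser", "X-Asset-Token": token}
    return {
        "weak_spoofed": weak_gate(spoofed),
        "strong_spoofed": strong_gate(spoofed, 80293983, now=1000),
        "strong_signed": strong_gate(signed, 80293983, now=1000),
        "strong_other_asset": strong_gate(signed, 1, now=1000),
        "strong_expired": strong_gate(signed, 80293983, now=2000),
    }
```

The header-only gate passes for anyone who copies the string, while the signed gate ignores the user agent entirely and rejects a missing, forged, expired or mismatched token.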
XE8
|
  |
| Joined: 02 Aug 2012 |
| Total Posts: 522 |
|
|
| 06 Aug 2012 03:51 AM |
You could use Firefox's user agent changer plugin
I think that AdsBot-Google has access to every page on the site |
geicogeko
|
  |
| Joined: 27 Apr 2010 |
| Total Posts: 2727 |
|
|
| 06 Aug 2012 07:27 AM |
RBXPri is illegal.
From Roblox's EULA: "You may not modify or adapt the Software, merge the Software into another program or create derivative works based on the Software."
https://www.roblox.com/Info/EULA.htm |
| 06 Aug 2012 07:30 AM |
| The "Software" doesn't include the installer, only the client and studio, so you edit the installer to edit the program while it installs, therefore using a loophole in the EULA. |