  1. <?php
  2. session_start();
  3.  
  4. $steamid = mysql_real_escape_string($_GET['steamid']);
  5.  
  6. if(isset($_SESSION['loggedin']) && $_SESSION['loggedin']) {
  7. if($steamid != $_SESSION['steamid']) {
  8. die("{\"success\": false, \"reason\":\"access_denied\"}");
  9. }
  10. } else {
  11. die("{\"success\": false, \"reason\":\"access_denied\"}");
  12. }
  13.  
  14. require('api/db_connect.php');
  15.  
  16. $url = "http://putinbet.com/withdrawblacklist.php";
  17. $response = file_get_contents($url) or die("{\"success\":false, \"reason\":\"failed_price_response\"}");
  18. $withdrawblacklist = json_decode($response);
  19.  
  20. $type = mysql_real_escape_string($_GET['type']);
  21.  
  22. if($type == 'withdraw' && in_array($steamid, $withdrawblacklist)) {
  23. die("{\"success\": false, \"reason\":\"blacklisted\"}");
  24. }
  25.  
  26. $query0 = mysql_query("SELECT * FROM `steam_users` WHERE steamid='$steamid'") or die("{\"success\": false, \"reason\":\"".mysql_error()."\"}");
  27.  
  28. if(mysql_num_rows($query0) == 0) {
  29. die("{\"success\": false, \"reason\":\"invalid_tradeurl\"}");
  30. }
  31.  
  32. $result = mysql_fetch_array($query0);
  33.  
  34. if($type == 'withdraw' && $result['totaldeposited'] < 5500) {
  35. die("{\"success\": false, \"reason\":\"deposit\"}");
  36. }
  37. /*if($type == 'withdraw' && $result['totalbet'] < 65000) {
  38. die("{\"success\": false, \"reason\":\"play\"}");
  39. }*/
  40.  
  41. $value = $_GET['value'];
  42.  
  43. if($type == 'withdraw' && floatval($value) > $result['balance']) {
  44. die("{\"success\": false, \"reason\":\"insufficient_balance\"}");
  45. }
  46.  
  47. $items = json_decode($_GET['items']);
  48. foreach($items as $item) {
  49. $hash = $item[0];
  50. $unique_array[$hash]=$item;
  51. }
  52. $items = $unique_array;
  53. //DONE: withdraw exploit
  54. if($type == 'withdraw') {
  55. $url = "http://putinbet.com/getPlayerInventory.php?steamid=76561198292270366";
  56. } else {
  57. $url = "http://putinbet.com/getPlayerInventory.php?steamid=".$steamid;
  58. }
  59. $botInventoryResponse = file_get_contents($url) or die("{\"success\":false, \"reason\":\"failed_price_response\"}");
  60. $botInventory = json_decode($botInventoryResponse);
  61.  
  62. foreach($items as $item) {
  63. if (isset($item[0], $botInventory->rgInventory)) {
  64. $itemHardCodeID = $botInventory->rgInventory->$item[0]->classid . "_" . $botInventory->rgInventory->$item[0]->instanceid;
  65. //$itemName = str_replace("{TM}", "™", $item[1]);
  66. $itemName = str_replace(['{STAR}', '{TM}'], ['★', '™'], $item[1]);
  67. if (strcmp($itemName,$botInventory->rgDescriptions->$itemHardCodeID->market_hash_name) !== 0) {
  68. die("{\"success\":false, \"reason\":\"rig\"}");
  69. /*
  70. $inp = file_get_contents('banned.json.file.i.don');
  71. $tempArray = json_decode($inp);
  72. array_push($tempArray, $data);
  73. $jsonData = json_encode($tempArray);
  74. file_put_contents('results.json', $jsonData)
  75. */
  76. } else {
  77. continue;
  78. }
  79. } else {
  80. die("{\"success\":false, \"reason\":\"rig\"}");
  81. }
  82. }
  83. }
  84.  
  85.  
  86. $url = "http://putinbet.com/getPriceList.php";
  87. $response = file_get_contents($url) or die("{\"success\":false, \"reason\":\"failed_price_response\"}");
  88. $response = str_replace("\u2122", "{TM}", $response);
  89. $response = str_replace("\u2605", "{STAR}", $response);
  90.  
  91. $itemPrices = json_decode($response);
  92.  
  93. $goToBot2 = 0;
  94.  
  95. $value2 = 0.0;
  96. $botToUse = 1;
  97. foreach($items as $item) {
  98. $name = $item[1];
  99. //echo $itemPrices;//->items;
  100. $item_price = 0;
  101. if($itemPrices->items->$name->volume < 10) {
  102. $name = str_replace(" ", "%20", $name);
  103. $url = "http://putinbet.com/getItemPrice.php?market_hash_name=$name";
  104. $response = file_get_contents($url) or die("{\"success\":false, \"reason\":\"failed_price_response\"}");
  105.  
  106. echo $response;
  107.  
  108. $itemPriceStupid = json_decode($response);
  109. $item_price = floatval($itemPriceStupid->median_price) * 1000;
  110. } else {
  111. $item_price = floatval($itemPrices->items->$name->median_price) * 1000;
  112. }
  113. $value2 += $item_price;
  114. if($item_price >= 1000) {
  115. $goToBot2 = 1;
  116. }
  117. }
  118.  
  119.  
  120. if($value != $value2) {
  121. die("{\"success\": false, \"reason\":\"value_mismatch\", \"value\":$value2}");
  122. }
  123.  
  124. $time = round(microtime(true) * 1000);
  125.  
  126. $tradeurl = $result['tradeurl'];
  127.  
  128. $matched = preg_match('/token=([\w-]+)/', $tradeurl, $token_matches);
  129. if($matched != 1) {
  130. die("{\"success\": false, \"reason\"\"invalid_tradeurl\"}");
  131. }
  132.  
  133. $token = $token_matches[1];
  134.  
  135. if($type == 'deposit' && $goToBot2 == 1) {
  136. $botToUse = 1;
  137. }
  138.  
  139. if($type == 'withdraw' && $value2 >= 1) {
  140. $botToUse = -1;
  141. }
  142.  
  143. $query1 = mysql_query("INSERT INTO `bot_tasks`(`id`, `task`, `steamid`, `value`, `status`, `tradetoken`, `botid`) VALUES ('$time', '$type', '$steamid', $value, 'new', '$token', $botToUse)") or die("{\"success\": false, \"reason\":\"".mysql_error()."\"}");
  144. foreach($items as $item) {
  145. $iid = mysql_real_escape_string($item[0]);
  146. $query2 = mysql_query("INSERT INTO `task_data`(`taskid`, `itemid`) VALUES('$time', '$iid')") or die("{\"success\": false, \"reason\":\"".mysql_error()."\"}");
  147. }
  148.  
  149. if($type == 'withdraw') {
  150. mysql_query("UPDATE `steam_users` SET `balance`=`balance`-$value WHERE steamid='$steamid'") or die("{\"success\": false, \"reason\":\"".mysql_error()."\"}");
  151. }
  152.  
  153. if($botToUse == -1) {
  154. echo "{\"success\":true, \"info\":\"adminApproval\"}";
  155. } else{
  156. echo "{\"success\":true, \"info\":false}";
  157. }
  158.  
  159. mysql_close();
  160.  
  161. ?>