<?php
/* TABLE STRUCTURE
CREATE TABLE IF NOT EXISTS users (
userid INT(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,
password CHAR(32) CHARACTER SET ascii COLLATE ascii_bin NOT NULL
) ENGINE=myISAM;
*/
# The password column is 32 ASCII chars: it holds the unsalted md5() hex
# digest that auth1_onLogin() computes before comparing.

# Only attempt a login when both fields arrived in the POST body.
# The password is fetched only after the username turned out non-empty,
# and the form below is rendered either way.
$username = Common::getPostString('username');
if ($username !== '') {
    $password = Common::getPostString('password', false);
    if ($password !== false) {
        auth1_onLogin($chall, $username, $password);
    }
}
14
/**
 * Open the database connection used by this challenge.
 *
 * Connects to localhost with the WCC_AUTH_BYPASS1_* credentials, disables
 * query logging and error e-mails on the handle, and terminates the script
 * with a plain message when gdo_db_instance() reports failure (false).
 *
 * @return GDO_Database
 */
function auth1_db()
{
    $db = gdo_db_instance('localhost', WCC_AUTH_BYPASS1_USER, WCC_AUTH_BYPASS1_PASS, WCC_AUTH_BYPASS1_DB);
    if ($db === false) {
        die('Database error 0815_1!');
    }
    # Keep this challenge's queries out of the site's query log and error mails.
    $db->setLogging(false);
    $db->setEMailOnError(false);
    return $db;
}
28
/**
 * Exploit this! Login handler for the challenge.
 *
 * Looks up a users row by the submitted name and the md5() hex digest of the
 * submitted password. The query is built by interpolating the raw POST
 * username straight into the SQL string, so this is not a safe login (that
 * is the point of the challenge); a real implementation would bind the
 * values as parameters and store password_hash() digests instead of md5.
 * On a hit the welcome message is printed with the stored username
 * HTML-escaped, and a row whose username is 'admin' (case-insensitive)
 * marks the challenge solved for the current session user.
 *
 * @param WC_Challenge $chall
 * @param string $username raw username from the POST body
 * @param string $password raw password from the POST body
 * @return boolean true when a matching row was found, false otherwise
 */
function auth1_onLogin(WC_Challenge $chall, $username, $password)
{
    $db = auth1_db();

    # The users.password column stores the md5 hex digest, not the password.
    $password = md5($password);

    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $row = $db->queryFirst($query);

    if ($row === false) {
        # No row matched: unknown user or wrong password.
        echo GWF_HTML::error('Auth1', $chall->lang('err_unknown'), false);
        return false;
    }

    $name = $row['username'];
    # The stored name goes into HTML, so escape it before it reaches the message.
    echo GWF_HTML::message('Auth1', $chall->lang('msg_welcome_back', htmlspecialchars($name)), false);

    # Logging in as admin solves the challenge for the logged-in site user.
    if ('admin' === strtolower($name)) {
        $chall->onChallengeSolved(GWF_Session::getUserID());
    }

    return true;
}
# Login form. It posts 'username' and 'password' back to index.php, where the
# handler at the top of this file picks them up on the next request.
?>
<form action="index.php" method="post">
<table>
<tr>
 <td><?= $chall->lang('username') ?>:</td>
 <td><input type="text" name="username" value="" /></td>
</tr>
<tr>
 <td><?= $chall->lang('password') ?>:</td>
 <td><input type="password" name="password" value="" /></td>
</tr>
<tr>
 <td></td>
 <td><input type="submit" name="login" value="<?= $chall->lang('btn_login') ?>" /></td>
</tr>
</table>
</form>