write-ups-challenges-2020-2021/break_the_gate/authenticateLevel.php

98 lines
1.9 KiB
PHP
Raw Normal View History

2022-11-24 17:03:20 +00:00
<?php
require('flags.php');
function authCred($u, $p) {
if (isset($_POST['user']) && isset($_POST['passw'])) {
if ($_POST['user'] === $u && $_POST['passw'] === $p) {
return True;
} else {
return False;
}
} else {
return False;
}
}
function checkInj() {
if (isset($_POST['user']) && isset($_POST['passw'])) {
if ($_POST['passw'][0] == '"' || $_POST['passw'][0] == "'") {
return True;
} else {
return False;
}
} else {
return False;
}
}
function checkInDatabase($query) {
$handle = new SQLite3('secretDataBase.db');
$array['dbhandle'] = $handle;
$array['query'] = $query;
$result = $handle->query($query);
$i = 0;
while ($result->columnName($i)) {
$columns[ ] = $result->columnName($i);
$i++;
}
$resx = $result->fetchArray(SQLITE3_ASSOC);
return $resx;
}
switch ($_COOKIE['currentLevel']) {
case $flag_1:
if (isset($_POST['thisUser'])) {
echo $flag_2;
} else {
echo '0';
}
break;
case $flag_2:
$badQuery = 'SELECT * FROM users WHERE username = "' . $_POST['user'] . '" and password = "' . $_POST['passw'] . '";';
if (strpos(strtoupper($_POST['passw']), 'UPDATE')) {
$_POST['passw'] = '';
}
if (strpos(strtoupper($_POST['passw']), 'DELETE')) {
$_POST['passw'] = '';
}
if (strpos(strtoupper($_POST['passw']), 'DROP')) {
$_POST['passw'] = '';
}
if (strpos(strtoupper($_POST['user']), 'UPDATE')) {
$_POST['user'] = '';
}
if (strpos(strtoupper($_POST['user']), 'DELETE')) {
$_POST['user'] = '';
}
if (strpos(strtoupper($_POST['user']), 'DROP')) {
$_POST['user'] = '';
}
if (checkInDatabase($badQuery)) {
echo $flag_3;
} else {
echo '0';
}
break;
case $flag_3:
break;
case $flag_4:
if (authCred('LarsIX', 'FXrm264!&Rdjka')) {
echo $flag_5;
} else {
echo '0';
}
break;
default:
if (authCred('admin', 'admin')) {
echo $flag_1;
} else {
echo '0';
}
}
?>