write-ups-challenges-2020-2021/break_the_gate/authenticateLevel.php

<?php

	require('flags.php');

	function authCred($u, $p) {
		if (isset($_POST['user']) && isset($_POST['passw'])) {
			if ($_POST['user'] === $u && $_POST['passw'] === $p) {
				return True;
			} else {
				return False;
			}
		} else {
			return False;
		}
	}


	function checkInj() {
		if (isset($_POST['user']) && isset($_POST['passw'])) {
			if ($_POST['passw'][0] == '"' || $_POST['passw'][0] == "'") {
				return True;
			} else {
				return False;
			}
		} else {
			return False;
		}
	}


	function checkInDatabase($query) {
		$handle = new SQLite3('secretDataBase.db');
		$array['dbhandle'] = $handle;
		$array['query'] = $query;
		$result = $handle->query($query);
		$i = 0;
		while ($result->columnName($i)) {
			$columns[ ] = $result->columnName($i);
			$i++;
		}
		$resx = $result->fetchArray(SQLITE3_ASSOC);
		return $resx;
	}

	switch ($_COOKIE['currentLevel']) {
		case $flag_1:
			if (isset($_POST['thisUser'])) {
				echo $flag_2;
			} else {
				echo '0';
			}
			break;
		case $flag_2:
			$badQuery = 'SELECT * FROM users WHERE username = "' . $_POST['user'] . '" and password = "' . $_POST['passw'] . '";';
			if (strpos(strtoupper($_POST['passw']), 'UPDATE')) {
				$_POST['passw'] = '';
			}
			if (strpos(strtoupper($_POST['passw']), 'DELETE')) {
				$_POST['passw'] = '';
			}
			if (strpos(strtoupper($_POST['passw']), 'DROP')) {
				$_POST['passw'] = '';
			}
			if (strpos(strtoupper($_POST['user']), 'UPDATE')) {
				$_POST['user'] = '';
			}
			if (strpos(strtoupper($_POST['user']), 'DELETE')) {
				$_POST['user'] = '';
			}
			if (strpos(strtoupper($_POST['user']), 'DROP')) {
				$_POST['user'] = '';
			}
			if (checkInDatabase($badQuery)) {
				echo $flag_3;
			} else {
				echo '0';
			}
			break;
		case $flag_3:
			break;
		case $flag_4:
			if (authCred('LarsIX', 'FXrm264!&Rdjka')) {
				echo $flag_5;
			} else {
				echo '0';
			}
			break;
		default:
			if (authCred('admin', 'admin')) {
				echo $flag_1;
			} else {
				echo '0';
			}
	}


?>
initial commit 2022-11-24 17:03:20 +00:00			`<?php`

			`require('flags.php');`

			`function authCred($u, $p) {`
			`if (isset($_POST['user']) && isset($_POST['passw'])) {`
			`if ($_POST['user'] === $u && $_POST['passw'] === $p) {`
			`return True;`
			`} else {`
			`return False;`
			`}`
			`} else {`
			`return False;`
			`}`
			`}`


			`function checkInj() {`
			`if (isset($_POST['user']) && isset($_POST['passw'])) {`
			`if ($_POST['passw'][0] == '"' \|\| $_POST['passw'][0] == "'") {`
			`return True;`
			`} else {`
			`return False;`
			`}`
			`} else {`
			`return False;`
			`}`
			`}`


			`function checkInDatabase($query) {`
			`$handle = new SQLite3('secretDataBase.db');`
			`$array['dbhandle'] = $handle;`
			`$array['query'] = $query;`
			`$result = $handle->query($query);`
			`$i = 0;`
			`while ($result->columnName($i)) {`
			`$columns[ ] = $result->columnName($i);`
			`$i++;`
			`}`
			`$resx = $result->fetchArray(SQLITE3_ASSOC);`
			`return $resx;`
			`}`

			`switch ($_COOKIE['currentLevel']) {`
			`case $flag_1:`
			`if (isset($_POST['thisUser'])) {`
			`echo $flag_2;`
			`} else {`
			`echo '0';`
			`}`
			`break;`
			`case $flag_2:`
			`$badQuery = 'SELECT * FROM users WHERE username = "' . $_POST['user'] . '" and password = "' . $_POST['passw'] . '";';`
			`if (strpos(strtoupper($_POST['passw']), 'UPDATE')) {`
			`$_POST['passw'] = '';`
			`}`
			`if (strpos(strtoupper($_POST['passw']), 'DELETE')) {`
			`$_POST['passw'] = '';`
			`}`
			`if (strpos(strtoupper($_POST['passw']), 'DROP')) {`
			`$_POST['passw'] = '';`
			`}`
			`if (strpos(strtoupper($_POST['user']), 'UPDATE')) {`
			`$_POST['user'] = '';`
			`}`
			`if (strpos(strtoupper($_POST['user']), 'DELETE')) {`
			`$_POST['user'] = '';`
			`}`
			`if (strpos(strtoupper($_POST['user']), 'DROP')) {`
			`$_POST['user'] = '';`
			`}`
			`if (checkInDatabase($badQuery)) {`
			`echo $flag_3;`
			`} else {`
			`echo '0';`
			`}`
			`break;`
			`case $flag_3:`
			`break;`
			`case $flag_4:`
			`if (authCred('LarsIX', 'FXrm264!&Rdjka')) {`
			`echo $flag_5;`
			`} else {`
			`echo '0';`
			`}`
			`break;`
			`default:`
			`if (authCred('admin', 'admin')) {`
			`echo $flag_1;`
			`} else {`
			`echo '0';`
			`}`
			`}`


			`?>`