Created
August 12, 2019 14:58
-
-
Save 196Ikuchil/e8c8562fd6fec4c24f71c21689542b75 to your computer and use it in GitHub Desktop.
interKosenctf2019
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
ini_set('display_errors', 0); | |
// reset challenge environment hourly | |
if (!file_exists('../hourly') || (time() - filemtime('../hourly')) > 60*60) { | |
// remove uploaded files | |
foreach (glob('../files/*') as $f) { | |
unlink("../files/$f"); | |
} | |
rmdir('../files'); | |
// remove a database | |
unlink('../database.db'); | |
// make a directory to store uploaded files | |
mkdir('../files'); | |
// move a secret file into `files` | |
copy('../secret_file', '../files/secret_file'); | |
// make the database | |
$db = new PDO('sqlite:../database.db'); | |
$db->exec('CREATE TABLE files(id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, passcode TEXT)'); | |
// create a secret entry | |
$secrets = include('secrets.php'); | |
$db->exec("INSERT INTO files(name, passcode) VALUES ('secret_file', '{$secrets['passcode']}')"); | |
// update file modified time | |
file_put_contents('../hourly', (string)time()); | |
} | |
if (isset($_GET['source'])) { | |
highlight_file(__FILE__); | |
exit; | |
} | |
$db = new PDO('sqlite:../database.db'); | |
// when a file is uploaded | |
if (isset($_POST['passcode'])) { | |
$filename = basename($_FILES['file']['name']); | |
if (!preg_match('@^[A-Za-z0-9_.]+$@', $filename)) { | |
die('Invalid Filename'); | |
} | |
$uploadfile = '../files/' . $filename; | |
if (file_exists($uploadfile)) { | |
die('File already exists'); | |
} | |
if (! move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) { | |
die('Failed to upload file'); | |
} | |
$db->exec("INSERT INTO files(name, passcode) VALUES ('$filename', '{$_POST['passcode']}')"); | |
} | |
// file download query | |
if (isset($_GET['download']) && isset($_GET['passcode'])) { | |
$name = $_GET['download']; | |
$rows = $db->query("select name, passcode from files where name = '$name'")->fetchAll(); | |
if (count($rows) == 1 && $rows[0][0] === $name && $rows[0][1] == $_GET['passcode']) { | |
$path = '../files/'. $name; | |
header('Content-Type: application/force-download'); | |
header('Content-Length: '.filesize($path)); | |
header('Content-disposition: attachment; filename="'.$name.'"'); | |
readfile($path); | |
exit; | |
} else { | |
die('Invalid filename or passcode'); | |
} | |
} | |
$files = []; | |
// search | |
if (isset($_GET['search'])) { | |
$rows = $db->query("SELECT name FROM files WHERE instr(name, '{$_GET['search']}') ORDER BY id DESC"); | |
foreach ($rows as $row) { | |
$files []= $row[0]; | |
} | |
} | |
// all files | |
else { | |
$rows = $db->query('SELECT name FROM files ORDER BY id DESC'); | |
foreach ($rows as $row) { | |
$files []= $row[0]; | |
} | |
} | |
?> | |
<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="UTF-8"> | |
<title>UPLOADER</title> | |
<style> | |
.container { | |
width: 1024px; | |
margin: 0 auto; | |
} | |
h1 { | |
text-align: center; | |
} | |
section { | |
margin: 20px 0; | |
} | |
h2 { | |
border-bottom: 1px solid #ccc; | |
} | |
input[type=file] { | |
display: none; | |
} | |
.upload,input[type=submit] { | |
border: 1px solid #ccc; | |
display: inline-block; | |
padding: 0.5em 2em; | |
cursor: pointer; | |
} | |
input[type=text],input[type=password] { | |
border: 1px solid #ccc; | |
padding: 0.5em; | |
} | |
li { | |
clear: both; | |
} | |
.inline-form { | |
display: inline-block; | |
float: right; | |
} | |
</style> | |
</head> | |
<body> | |
<div class="container"> | |
<h1>UPLOADER</h1> | |
<p><a href="?source">view source</a></p> | |
<section> | |
<h2>UPLOAD</h2> | |
<form enctype="multipart/form-data" method="POST"> | |
<label for="file-upload" class="upload">file upload</label> | |
<input name="file" type="file" id="file-upload"/> | |
passcode: <input type="password" name="passcode" required> | |
<input type="submit" value="UPLOAD" /> | |
</form> | |
</section> | |
<section> | |
<h2>DOWNLOAD</h2> | |
<form method="GET"><input type="text" name="search" value="<?= @$_GET['search']; ?>"><input type="submit" value="search by keyword"></form> | |
<ul> | |
<?php foreach ($files as $f) { | |
echo "<li>$f<form class='inline-form' method='get'><input type='hidden' name='download' value='$f'>passcode: <input type='password' name='passcode'/><input type='submit' value='download'></form></li>"; | |
} ?> | |
</ul> | |
</section> | |
</div> | |
</body> | |
</html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment