
@bobtfish
Created September 2, 2012 09:35
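<?php
// BBS example: session handling, login lookup and page dispatch.
// Relies on bbs_page(), login_form() and challenge() defined further down in
// this file.
session_start();

// The connection uses the extension's defaults (no host/user/password are
// passed). A failed connect or db select used to go unnoticed and surface
// later as mysql_query()/mysql_fetch_array() warnings plus a misleading
// "Bad username or password"; fail explicitly instead.
$m = mysql_connect();
if ($m === false) {
    error_log('bbs: mysql_connect failed: ' . mysql_error());
    die('Database unavailable');
}
if (!mysql_select_db("test", $m)) {
    error_log('bbs: mysql_select_db failed: ' . mysql_error($m));
    die('Database unavailable');
}

if (isset($_POST['logout'])) {
    // Drop the login markers; with no username in this POST the request
    // falls through to the plain login form below.
    unset($_SESSION['user_id']);
    unset($_SESSION['fullname']);
}

if (isset($_SESSION['user_id'])) {
    bbs_page($m);
} elseif (!isset($_POST['username'])) {
    login_form(0);
} else {
    $username = $_POST['username'];
    // A login POST without a password field previously raised a notice.
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Both values are escaped for the given link before interpolation, so the
    // lookup itself is not injectable (the challenge text says as much).
    // Passwords are compared in plain text, matching the workshop schema.
    $qs = sprintf(
        "SELECT id, fullname FROM users WHERE name = '%s' AND password = '%s'",
        mysql_real_escape_string($username, $m),
        mysql_real_escape_string($password, $m)
    );
    $q = mysql_query($qs, $m);
    if ($q === false) {
        // A broken query is a server problem, not a bad credential.
        error_log('bbs: login query failed: ' . mysql_error($m));
        die('Database unavailable');
    }
    $data = mysql_fetch_array($q);

    if ($data !== false) {
        // Issue a fresh session id on the privilege change so a session id
        // that existed before login cannot be carried into the logged-in
        // session (session fixation).
        session_regenerate_id(true);
        $_SESSION['user_id'] = $data['id'];
        $_SESSION['fullname'] = $data['fullname'];
        bbs_page($m);
    } else {
        login_form(1);
    }
}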
/**
 * Renders the logged-in BBS page: a logout button, the "post something" form,
 * the post list (newest first) and the workshop challenge text.
 *
 * Expects $_SESSION['user_id'] and $_SESSION['fullname'] to have been set by
 * the login code at the top of the file; new posts are attributed to that
 * user_id.
 *
 * @param resource $db open mysql link, used for the SELECT. The INSERT and
 *                     mysql_real_escape_string() below pass no link and so
 *                     use the extension's last-opened connection.
 */
function bbs_page ($db) { ?>
<html>
<head>
<title>
My cool BBS
</title>
<?php /* NOTE(review): <head> is never closed before <body> starts. */ ?>
<body>
<?php /* fullname is echoed exactly as stored in the users table, with no
        htmlspecialchars(); see the note on the post loop below. */ ?>
Logged in as <?php echo $_SESSION['fullname']; ?> <form method="post"><input type="hidden" name="logout" value="1"><input type="submit" value="logout"></form>
<br />
Post something:
<form method="POST">
<textarea name="post">
</textarea>
<input type="submit">
</form>
<?php
// Store a new post when the form was submitted. Only isset() is checked, so an
// empty textarea still creates an (empty) post. The post text is escaped for
// SQL; user_id comes from the session (originally read from users.id), not
// from the request.
if (isset($_POST['post'])) {
mysql_query(sprintf("INSERT INTO posts (post, user_id) VALUES ('%s', '%s');", mysql_real_escape_string($_POST['post']), $_SESSION['user_id']));
}
// Newest post first; $row[0] is the post body, $row[1] the author's fullname.
$q = mysql_query("SELECT post, fullname FROM posts JOIN users ON (posts.user_id = users.id) ORDER BY posts.id DESC", $db);
while ($row = mysql_fetch_array($q, MYSQL_NUM)) {
echo "<hr>";
echo "<h3>";
echo $row[1];
echo " said:</h3>";
// Both DB-sourced values are written into the page as-is. This is the
// stored-injection surface the challenge() text refers to; the mitigation
// in a real application is htmlspecialchars($s, ENT_QUOTES, 'UTF-8') on
// every stored value at output time (and an HttpOnly flag on the session
// cookie to limit what script in the page can read).
echo $row[0];
}
challenge();
?>
</body>
</html>
<?php }
/**
 * Renders the BBS login page, followed by the workshop challenge text.
 *
 * @param int $bad 1 to show "Bad username or password" (after a failed
 *                 login attempt), 0 on the first visit
 */
function login_form ($bad) {
?>
<html>
<body>
<?php if (1 == $bad) { echo "Bad username or password"; } ?>
Please login: <form method="POST">
<?php /* The submitted username is reflected into the value attribute without
        escaping (and without an isset() guard, so the first visit raises a
        notice). A hardened form would wrap it in
        htmlspecialchars($v, ENT_QUOTES, 'UTF-8'). */ ?>
Username: <input name="username" value="<?php echo $_POST['username'] ?>" /><br />
Password: <input name="password" type="password"><br />
<input type="submit" />
</form>
<?php challenge() ?>
</body>
</html>
<?php
}
/**
 * Prints the workshop challenge text. Appended to both the BBS page
 * (bbs_page) and the login page (login_form); takes no parameters and
 * writes straight to the response.
 */
function challenge () { ?>
<hr />
<h1>Challenge</h1>
<p>Inject something which captures other users sessions, grab a session from
someone else, post as them.</p>
<p>This uses the same users table as the last example, so any users made ther
e should work for logging in here.</p>
<p><b>Note</b> this page should <b>not</b> be vulnerable to SQL injection.
Feel free to try, but it's hopefully protected..</p>
<?php
}
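-- Workshop fixtures for the "test" database shared by the example pages.
-- Passwords and card numbers are stored in plain text on purpose: the
-- SQL-injection demo's "Steal the credit card numbers" exercise reads them
-- back.
create table users (id INT PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL, fullname TEXT NOT NULL);
-- users.id has no default and no AUTO_INCREMENT, so every row gets an explicit
-- id. Without one the admin row only loads in MySQL's non-strict mode (where
-- the missing INT becomes 0); strict mode rejects it.
insert into users (id, name, password, fullname) values (0, 'admin', 'sekrit', 'Mr Admin');
insert into users (id, name, password, fullname) values (1, 't0m', 'supersekrit', 'Tomas Doran');
insert into users (id, name, password, fullname) values (2, 'jrandom', 'password', 'J Random');
-- A column definition needs a type: bare "id PRIMARY KEY" is a syntax error in
-- MySQL. Rows 1 and 2 line up with the t0m and jrandom users above.
create table user_credit_cards (id INT PRIMARY KEY, cc_number TEXT NOT NULL);
INSERT INTO user_credit_cards (id, cc_number) values (1, '4539390243132435');
INSERT INTO user_credit_cards (id, cc_number) values (2, '5547899433555475');
-- posts.user_id references users.id (joined in the BBS page's post list).
create table posts (id INT PRIMARY KEY AUTO_INCREMENT, user_id INT NOT NULL, post TEXT NOT NULL);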
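<!-- Workshop index: links to the three example pages. The original opened
     <html> and <head> twice; the duplicate pair is dropped. -->
<html>
<head>
<title>Workshop examples</title>
</head>
<body>
<h1>Examples</h1>
<ul><li><a href="simple.php">Simple HTML injection</a></li>
<li><a href="sql.php">Simple SQL injection</a></li>
<li><a href="board.php">Simple BBS with storage, logins and sessions</a></li>
</ul>
</body>
</html>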
<html>
<?php /* Presumably the "Simple HTML injection" example from the index: the foo
        query parameter is echoed into the value attribute with no escaping
        and no isset() guard. The mitigation at this sink is
        htmlspecialchars($v, ENT_QUOTES, 'UTF-8'). */ ?>
Data is: <form>
<input name="foo" value="<?php echo $_GET['foo'] ?>" />
<input type="submit" />
</form>
</html>
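<?php
// SQL-injection demo page: connect with the extension's defaults (no
// host/user/password are passed) and select the "test" database shared with
// the BBS example. Failures used to go unnoticed and surface later as
// mysql_query()/mysql_fetch_array() warnings; report them explicitly.
$m = mysql_connect();
if ($m === false) {
    error_log('sql demo: mysql_connect failed: ' . mysql_error());
    die('Database unavailable');
}
if (!mysql_select_db("test", $m)) {
    error_log('sql demo: mysql_select_db failed: ' . mysql_error($m));
    die('Database unavailable');
}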
/**
 * Renders the login form for the SQL-injection demo together with the
 * walkthrough text: working credentials, the raw query template and the
 * list of things to try.
 *
 * Takes no parameters and writes straight to the response.
 */
function login_form () {
?>
<html>
<body>
Please login: <form method="POST">
<?php /* The submitted username is reflected into the value attribute without
        escaping (and without an isset() guard, so the first visit raises a
        notice). A hardened form would wrap it in
        htmlspecialchars($v, ENT_QUOTES, 'UTF-8'). */ ?>
Username: <input name="username" value="<?php echo $_POST['username'] ?>" /><br />
Password: <input name="password" type="password"><br />
<input type="submit" />
</form>
<h2>Details about how to hack this</h2>
<h3>Working login</h3>
Username: admin<br>
Password: sekrit
<h3>SQL query</h3>
<pre>
SELECT id, fullname FROM users where name = '%s'
AND password = '%s';
</pre>
Note the <i>%s</i> sequences get interpolated with your data.
<?php /* NOTE(review): the heading below opens with <h3> but closes with </h2>,
        and the <ul> that follows is never closed. */ ?>
<h3>Things to try to do</h2>
<ul>
<li>Login as admin without the password</li>
<li>Enumerate all users by expanding that data into the 'fullname' column</li>
<li>Enumerate all tables in the database</li>
<li>Steal the credit card numbers</li>
</body>
</html>
<?php
}
// Handle the login POST. This is the workshop's SQL-injection target: both
// POST values are interpolated straight into the query with no escaping and
// no prepared statement, so the submitted strings become part of the SQL
// itself. The BBS page runs the same lookup through mysql_real_escape_string();
// the proper fix is a parameterised query (PDO or mysqli prepared statements).
if (!isset($_POST['username'])) {
login_form();
}
else {
$qs = sprintf("SELECT id, fullname FROM users where name = '%s'
AND password = '%s'", $_POST['username'], $_POST['password']);
$q = mysql_query($qs, $m);
// mysql_fetch_array() returns false when no row matched. It is also reached
// when $q is false because the query itself failed, so a broken query reads
// as a bad login.
$data = mysql_fetch_array($q);
if (false != $data) {
// The matched row's id and fullname are echoed exactly as stored.
echo "ID: "; echo $data['id']; echo "<br />";
echo "Name: "; echo $data['fullname']; echo "<br />";
}
else {
echo "Bad username or password";
}
}
?>