Created
October 11, 2016 21:13
-
-
Save pawlos/de6b345045f8a2f3d4141be8011989a9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| include "config.php"; | |
| class HITCON{ | |
| private $method; | |
| private $args; | |
| private $conn; | |
| public function __construct($method, $args) { | |
| $this->method = $method; | |
| $this->args = $args; | |
| $this->__conn(); | |
| } | |
| function show() { | |
| list($username) = func_get_args(); | |
| $sql = sprintf("SELECT * FROM users WHERE username='%s'", $username); | |
| $obj = $this->__query($sql); | |
| if ( $obj != false ) { | |
| $this->__die( sprintf("%s is %s", $obj->username, $obj->role) ); | |
| } else { | |
| $this->__die("Nobody Nobody But You!"); | |
| } | |
| } | |
| function login() { | |
| global $FLAG; | |
| list($username, $password) = func_get_args(); | |
| $username = strtolower(trim(mysql_escape_string($username))); | |
| $password = strtolower(trim(mysql_escape_string($password))); | |
| $sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password); | |
| if ( $username == 'orange' || stripos($sql, 'orange') != false ) { | |
| $this->__die("Orange is so shy. He do not want to see you."); | |
| } | |
| $obj = $this->__query($sql); | |
| if ( $obj != false && $obj->role == 'admin' ) { | |
| $this->__die("Hi, Orange! Here is your flag: " . $FLAG); | |
| } else { | |
| $this->__die("Admin only!"); | |
| } | |
| } | |
| function source() { | |
| highlight_file(__FILE__); | |
| } | |
| function __conn() { | |
| global $db_host, $db_name, $db_user, $db_pass, $DEBUG; | |
| if (!$this->conn) | |
| $this->conn = mysql_connect($db_host, $db_user, $db_pass); | |
| mysql_select_db($db_name, $this->conn); | |
| if ($DEBUG) { | |
| $sql = "CREATE TABLE IF NOT EXISTS users ( | |
| username VARCHAR(64), | |
| password VARCHAR(64), | |
| role VARCHAR(64) | |
| ) CHARACTER SET utf8"; | |
| $this->__query($sql, $back=false); | |
| $sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')"; | |
| $this->__query($sql, $back=false); | |
| } | |
| mysql_query("SET names utf8"); | |
| mysql_query("SET sql_mode = 'strict_all_tables'"); | |
| } | |
| function __query($sql, $back=true) { | |
| $result = @mysql_query($sql); | |
| if ($back) { | |
| return @mysql_fetch_object($result); | |
| } | |
| } | |
| function __die($msg) { | |
| $this->__close(); | |
| header("Content-Type: application/json"); | |
| die( json_encode( array("msg"=> $msg) ) ); | |
| } | |
| function __close() { | |
| mysql_close($this->conn); | |
| } | |
| function __destruct() { | |
| $this->__conn(); | |
| if (in_array($this->method, array("show", "login", "source"))) { | |
| @call_user_func_array(array($this, $this->method), $this->args); | |
| } else { | |
| $this->__die("What do you do?"); | |
| } | |
| $this->__close(); | |
| } | |
| function __wakeup() { | |
| foreach($this->args as $k => $v) { | |
| $this->args[$k] = strtolower(trim(mysql_escape_string($v))); | |
| } | |
| } | |
| } | |
| if(isset($_GET["data"])) { | |
| @unserialize($_GET["data"]); | |
| } else { | |
| new HITCON("source", array()); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment