<?php
// Mailbox page: renders the shared page header, lists the current user's mail and then
// emits the static footer plus the hidden overlay markup (#overlay / #mail / #mailmessage).

// Challenge, CTF and $BASE_ARRAY are not defined in this file; presumably they come from
// this include -- confirm.
require_once '../config/config.inc.php';

$challenge = new Challenge();

// Copy the shared header settings and add this page's own navigation link.
$array = $BASE_ARRAY;
$array['otherpage'] = '<a class="white" href="/mailbox.php">Mailbox</a>';
$challenge->header($array);

// NOTE(review): no login or session check is visible in this file; access control
// presumably lives in Challenge or the config include -- confirm.
// NOTE(review): showAllMail() is defined elsewhere; whether it HTML-escapes stored sender
// and subject values before printing them cannot be seen from here -- confirm.
CTF::showAllMail($challenge->getUser());
?>
</div></div>
<div id="main-footer">
    <table width="100%">
        <tr>
            <td>This site is partly made possible by me :)</td>
            <td align="right">OWASP - CTF 2010</td>
        </tr>
        <tr>
            <td>Thanks to my wife, <a href="http://www.securityskills.nl" class="white">securityskills.nl</a> and other sites of which I copied stuff :)</td>
        </tr>
    </table>
</div>
<!-- mail starts here -->
<div id="overlay" style="display:none;"></div>
<div id="mail" style="display:none;">
    <div class="closing"><a href="javascript:closeMail()">X</a></div>
    <div id="mailmessage"> </div>
</div>
</body>
</html>
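<?php
session_start();

/*
 * Mail reader: for a POSTed mail id ("m"), loads that message for the current
 * player and builds its HTML fragment in $text.
 */
require_once "../config/config.inc.php";

$challenge = new Challenge();

if (isset($_POST['m'])) {
    $mail = util::getPost('m');
    $db = new MySQL(HOST, DB_USER, DB_PASSWORD, DB_NAME);

    // Blank defaults: an invalid id, or a mail that does not belong to the player, renders
    // an empty message instead of calling extract() on a non-array and leaving the
    // template variables undefined.
    $row = array('mfrom' => '', 'mto' => '', 'msubject' => '', 'mbody' => '', 'mdate' => '');

    // The id is placed unquoted into the statement, so any non-digit character would change
    // the SQL itself. util::getPost() is defined elsewhere and its filtering is not visible
    // here, so the value is validated locally and only a plain decimal id reaches the query.
    if (is_scalar($mail) && ctype_digit((string) $mail)) {
        $mailId = (int) $mail;

        // The join on players.name is what restricts a player to their own mail; keep it
        // when this query is touched.
        // NOTE(review): getUser() is still concatenated into a quoted literal. Whether
        // Challenge constrains the characters of a player name is not visible here; bind it
        // as a parameter if the MySQL wrapper offers prepared statements -- confirm.
        $sql = "SELECT mfrom,mto,msubject,mbody,mdate FROM mailbox m,players u WHERE u.id=m.userid AND u.name='"
            . $challenge->getUser() . "' AND m.mailid={$mailId}";
        $result = $db->query($sql);

        // A failed query must not turn into a fatal "call on non-object".
        $fetched = is_object($result) ? $result->fetch() : false;
        if (is_array($fetched)) {
            // Copy only the selected columns; unlike extract(), this cannot create or
            // overwrite any other variable in scope.
            foreach (array_keys($row) as $column) {
                if (isset($fetched[$column])) {
                    $row[$column] = (string) $fetched[$column];
                }
            }
        }
    }

    // Header fields are plain text, so they are HTML-escaped before interpolation.
    // double_encode is off so values already stored as entities are not escaped twice.
    // Assumes the page is served as UTF-8 -- confirm.
    $mto = htmlspecialchars($row['mto'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    $mfrom = htmlspecialchars($row['mfrom'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    $mdate = htmlspecialchars($row['mdate'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    $msubject = htmlspecialchars($row['msubject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);

    // NOTE(review): the body is emitted as raw markup. If any part of a mailbox row can be
    // written by a player, this is stored XSS in the reader's session. It is left unescaped
    // only because stored bodies may rely on HTML formatting -- confirm where mailbox rows
    // come from, then escape or allow-list sanitise.
    $mbody = $row['mbody'];

    $text = <<<EOT
<div id="message">
<!-- mail starts here -->
<table id="mailheader" cellpadding="15" cellspacing="3">
<tr><td align="right">To:</td><td> </td><td>{$mto}</td></tr>
<tr><td align="right">From:</td><td> </td><td>{$mfrom}</td></tr>
<tr><td align="right">Date:</td><td> </td><td>{$mdate}</td></tr>
<tr><td align="right">Subject:</td><td> </td><td>{$msubject}</td></tr>
</table>
<hr/>
<div id="mailbody">{$mbody}</div>
<!-- mail ends here -->
</div>
EOT;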
<?php /* * This should work: * uid = admin'+--+- * pwd = 123 */ require_once '../../../../config/config.inc.php'; $challenge = new Challenge(); $challenge->startChallenge(); $pwd = $challenge->getDictionaryWord(); $token = $challenge->getToken(); $createSQL = "CREATE TABLE players (id MEDIUMINT NOT NULL AUTO_INCREMENT,name varchar(60) NOT NULL,password varchar(100) NOT NULL,PRIMARY KEY(id))"; $error = ""; $dbname = 'wcdb' . $challenge->getChallenge() . $challenge->getUser(); $dbname = str_replace('-', '', $dbname); $db = new MySQL('localhost', 'wcuid' . $challenge->getUser(), 'wcpwd#sldi$v0x8' . $token, strtolower($dbname)); if ($db->testTable("SELECT * FROM players LIMIT 0,1", $createSQL)) { $db->query("INSERT INTO players(name,password) VALUES('admin','{$token}')"); } if (isset($_GET['submit'])) { $uid = htmlspecialchars(strip_tags($_GET['username'])); $passwd = htmlspecialchars(strip_tags($_GET['password'])); $sql = "SELECT password FROM players where name='admin'"; $result = $db->query($sql); $tbl = $result->fetch(); $pwd = $tbl['password']; if ($uid == "admin" && $passwd == $pwd) { $challenge->mark(); CTF::showAchieved(); $db->query("DROP database " . 'webchallengedb' . $challenge->getUser());