<?php
require_once '../config/config.inc.php';
$challenge = new Challenge();
$array = $BASE_ARRAY;
$array['otherpage'] = '<a class="white" href="/mailbox.php">Mailbox</a>';
$challenge->header($array);
CTF::showAllMail($challenge->getUser());
?>
</div></div>
<div id="main-footer">
<table width="100%">
<tr>
<td>This site is partly made possible by me :)</td>
<td align="right">OWASP - CTF 2010</td>
</tr>
<tr>
<td>Thanks to my wife, <a href="http://www.securityskills.nl" class="white">securityskills.nl</a> and other sites of which I copied stuff :)</td>
</tr>
</table>
</div>
<!-- mail starts here -->
<div id="overlay" style="display:none;"></div>
<div id="mail" style="display:none;">
<div class="closing"><a href="javascript:closeMail()">X</a></div>
<div id="mailmessage">
</div>
</div>
</body>
</html>
<?php
session_start();
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
require_once "../config/config.inc.php";
$challenge = new Challenge();
if (isset($_POST['m'])) {
$mail = util::getPost('m');
$db = new MySQL(HOST, DB_USER, DB_PASSWORD, DB_NAME);
$sql = "SELECT mfrom,mto,msubject,mbody,mdate FROM mailbox m,players u WHERE u.id=m.userid AND u.name='" . $challenge->getUser() . "' AND m.mailid={$mail}";
// echo $sql;
$result = $db->query($sql);
$row = $result->fetch();
extract($row);
$text = <<<EOT
<div id="message">
<!-- mail starts here -->
<table id="mailheader" cellpadding="15" cellspacing="3">
<tr><td align="right">To:</td><td> </td><td>{$mto}</td></tr>
<tr><td align="right">From:</td><td> </td><td>{$mfrom}</td></tr>
<tr><td align="right">Date:</td><td> </td><td>{$mdate}</td></tr>
<tr><td align="right">Subject:</td><td> </td><td>{$msubject}</td></tr>
</table>
<hr/>
<div id="mailbody">{$mbody}</div>
<!-- mail ends here -->
</div>
EOT;
<?php
/*
* This should work:
* uid = admin'+--+-
* pwd = 123
*/
require_once '../../../../config/config.inc.php';
$challenge = new Challenge();
$challenge->startChallenge();
$pwd = $challenge->getDictionaryWord();
$token = $challenge->getToken();
$createSQL = "CREATE TABLE players (id MEDIUMINT NOT NULL AUTO_INCREMENT,name varchar(60) NOT NULL,password varchar(100) NOT NULL,PRIMARY KEY(id))";
$error = "";
$dbname = 'wcdb' . $challenge->getChallenge() . $challenge->getUser();
$dbname = str_replace('-', '', $dbname);
$db = new MySQL('localhost', 'wcuid' . $challenge->getUser(), 'wcpwd#sldi$v0x8' . $token, strtolower($dbname));
if ($db->testTable("SELECT * FROM players LIMIT 0,1", $createSQL)) {
$db->query("INSERT INTO players(name,password) VALUES('admin','{$token}')");
}
if (isset($_GET['submit'])) {
$uid = htmlspecialchars(strip_tags($_GET['username']));
$passwd = htmlspecialchars(strip_tags($_GET['password']));
$sql = "SELECT password FROM players where name='admin'";
$result = $db->query($sql);
$tbl = $result->fetch();
$pwd = $tbl['password'];
if ($uid == "admin" && $passwd == $pwd) {
$challenge->mark();
CTF::showAchieved();
$db->query("DROP database " . 'webchallengedb' . $challenge->getUser());
