 /**
  * Deserialisation hook: PHP calls this automatically when an instance of
  * this class is rebuilt by unserialize().
  *
  * It looks up the challenge named by GWF_PAGE_TITLE (falling back to a
  * placeholder challenge when the lookup returns false) and marks it solved
  * for the current session user. Given the dummy path below, reaching this
  * hook is presumably the intended goal of the "are_you_serial" challenge,
  * which is why no further gating happens here.
  */
 public function __wakeup()
 {
     $chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE);
     if ($chall === false) {
         // Lookup failed: use a placeholder so the solve can still be recorded.
         $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/are_you_serial/index.php');
     }
     $userId = GWF_Session::getUserID();
     $chall->onChallengeSolved($userId);
 }
<?php

// Z - Reloaded: challenge landing page. Move to the web root first so the
// framework includes below resolve relative to it.
chdir('../../../');
define('GWF_PAGE_TITLE', 'Z - Reloaded');
require_once 'challenge/html_head.php';
$title = 'Z - Reloaded';
$chall = WC_Challenge::getByTitle($title);
if ($chall === false) {
    // Lookup failed (presumably not installed yet): render with a placeholder.
    $chall = WC_Challenge::dummyChallenge($title, 6, '/challenge/Z/reloaded', false);
}
$chall->showHeader();
$infoArgs = array('zshellz.php');
htmlTitleBox($chall->lang('title'), $chall->lang('info', $infoArgs));
echo $chall->copyrightFooter();
require_once 'challenge/html_foot.php';
<?php

// Addslashes: SQL-injection training page. The login is implemented in
// addslashes.include, whose source can be shown on request (?highlight=...).
chdir('../../');
define('GWF_PAGE_TITLE', 'Addslashes');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle('Addslashes');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Addslashes', 5, false, false);
}
$chall->showHeader();
# Mission
$infoArgs = array('addslashes.include', 'index.php?highlight=christmas');
echo GWF_Box::box($chall->lang('info', $infoArgs));
# Credentials for the challenge's own database (presumably read by addslashes.include).
define('ADDSLASH_USERNAME', 'gizmore_addslash');
define('ADDSLASH_DATABASE', 'gizmore_addslash');
define('ADDSLASH_PASSWORD', 'addslash');
require_once 'addslashes.include';
# Login attempt: username and password are taken straight from the query string.
$loginRequested = Common::getGet('login') !== false;
if ($loginRequested) {
    $username = Common::getGet('username');
    $password = Common::getGet('password');
    if (asvsmysql_login($username, $password) === true) {
        $chall->onChallengeSolved(GWF_Session::getUserID());
    }
}
# Source display: the file path is fixed; only the switch comes from the request.
$highlightRequested = Common::getGet('highlight') !== false;
if ($highlightRequested) {
    $source = file_get_contents('challenge/addslashes/addslashes.include');
    $msg = '[code=php title=addslashes.include]' . $source . '[/code]';
    echo GWF_Box::box(GWF_Message::display($msg));
}
?>

<div class="box box_c">

<h2>欢迎登录页面</h2>
<h3>请登录</h3>
<?php

// Lettergrid: the grid is rendered by generate.php inside an iframe and the
// answer arrives via GET. checkSolution() is presumably declared later in this
// file (not visible here).
chdir("../../");
define('GWF_PAGE_TITLE', 'Lettergrid');
require_once 'challenge/html_head.php';
# Time allowance shown in the info text; where it is enforced is not visible here.
define('LETTERGRID_MAX_TIME', 4.5);
$chall = WC_Challenge::getByTitle('Lettergrid');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Lettergrid');
}
$chall->showHeader();
$solved = false;
$answer = Common::getGet('solution');
if ($answer !== false) {
    $solved = checkSolution($chall);
}
if (true === $solved) {
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
$infoArgs = array(LETTERGRID_MAX_TIME);
echo htmlTitleBox($chall->lang('title'), $chall->lang('info', $infoArgs));
?>
<div class="box box_c">
<iframe src='generate.php' scrolling='auto'>
</iframe>

<form action='index.php' method='get'>
<input type='text' name='solution' value='' />
<input type="submit" name="cmd" value="Submit Answer" />
</form>

</div>
<?php
# Copyright line below the challenge box.
print $chall->copyrightFooter();
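// Installer for the "Experience" training challenge (admin only): registers the
// challenge, then (re)seeds its private database with sample items and one flag
// row per known challenge, finally writing this challenge's real flag.
require_once "challenge/html_head.php";
//html_head("Install Addslashes");
if (!GWF_User::isAdminS()) {
    echo GWF_HTML::err('ERR_NO_PERMISSION');
    return;
}
// $title = GWF_PAGE_TITLE;
// Self-assignment is a no-op; the real value is presumably assigned above this
// excerpt (or was stripped before publication) — TODO confirm.
$solution = $solution;
$score = 4;
$url = "challenge/training/php/experience/index.php";
$creators = "Gizmore";
$tags = 'MySQL,PHP,Exploit';
WC_Challenge::installChallenge(GWF_PAGE_TITLE, $solution, $score, $url, $creators, $tags);
if (!($db = gdo_db_instance(EXP_DB_HOST, EXP_DB_USER, EXP_DB_PASS, EXP_DB_NAME))) {
    die(GWF_HTML::err('ERR_DATABASE', array(__FILE__, __LINE__)));
}
$db->truncateTable('items');
$db->truncateTable('flags');
// queryWrite() takes a raw SQL string here, so every interpolated value goes
// through $db->escape() first. $data is expected to be defined before this excerpt.
foreach ($data as $title) {
    $title = $db->escape($title);
    $db->queryWrite("INSERT INTO items VALUES(0, '{$title}', NOW())");
}
// One random flag per challenge, so only this challenge's row carries the real value.
$challenges = GDO::table('WC_Challenge')->selectObjects('*');
foreach ($challenges as $challenge) {
    $challenge instanceof WC_Challenge; // no-op expression, presumably an IDE type hint
    $random_solution = GWF_Random::randomKey(32);
    $db->queryWrite("INSERT INTO flags VALUES({$challenge->getID()}, '{$random_solution}')");
}
// Fix: getByTitle() can return false (challenge not installed), which used to
// fail on ->getID(); and the real flag is now escaped like the items above
// instead of being interpolated raw into the statement.
$challenge = WC_Challenge::getByTitle(GWF_PAGE_TITLE, false);
if ($challenge === false) {
    die(GWF_HTML::err('ERR_GENERAL', array(__FILE__, __LINE__)));
}
$flag = $db->escape($solution);
$db->queryWrite("REPLACE INTO flags VALUES({$challenge->getID()}, '{$flag}')");
require_once "challenge/html_foot.php";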
<?php

// No Escape: voting page. code.include is loaded before chdir(), presumably so
// its relative path resolves from this directory; the NO_ESCAPE_* constants are
// defined first for it to pick up.
define('NO_ESCAPE_USER', 'gizmore_noesc');
define('NO_ESCAPE_DB', 'gizmore_noesc');
define('NO_ESCAPE_PW', 'gizmore_noesc');
require_once 'code.include';
chdir('../../');
define('GWF_PAGE_TITLE', 'No Escape');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle('No Escape');
if (!$chall) {
    $chall = WC_Challenge::dummyChallenge('No Escape', 2, '/challenge/no_escape/index.php', false);
}
$chall->showHeader();
# Vote: the target name comes from the query string and is passed to
# noesc_voteup() unchanged (truthiness check, so '0' and '' are ignored).
$who = Common::getGetString('vote_for', false);
if ($who) {
    noesc_voteup($who);
}
$infoArgs = array('code.include', 'index.php?highlight=christmas');
htmlTitleBox($chall->lang('title'), $chall->lang('info', $infoArgs));
# Source display from a fixed path; only the switch comes from the request.
if ('christmas' === Common::getGetString('highlight')) {
    $source = file_get_contents('challenge/no_escape/code.include');
    $msg = '[code=php title=code.include]' . $source . '[/code]';
    echo GWF_Box::box(GWF_Message::display($msg, true, false, false));
}
echo noesc_DisplayVotes($chall);
echo $chall->copyrightFooter();
require_once 'challenge/html_foot.php';
<?php

// Training: Encodings I — static puzzle page with the standard solution box.
chdir("../../../");
define('GWF_PAGE_TITLE', 'Training: Encodings I');
require_once "challenge/html_head.php";
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle("Training: Encodings I");
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Training: Encodings I');
}
$chall->showHeader();
# Presumably checks a submitted answer, if any, before the body is rendered.
$chall->onCheckSolution();
?>

<div class="box box_c">
	<?php
# Info text, parameterised with the link to the JPK tool.
$toolUrl = GWF_WEB_ROOT . 'tools/JPK';
print $chall->lang('info', array($toolUrl));
?>
	<br/>
	<br/>
<pre>
10101001101000110100111100110100
00011101001100101111100011101000
10000011010011110011010000001101
11010110111000101101001111010001
00000110010111011101100011110111
11100100110010111001000100000110
00011110011110001111010011101001
01011100100000101100111011111110
10111100100100000111000011000011
11001111100111110111110111111100
10110010001000001101001111001101
<?php

// Screwed Signup — login half of the challenge; register.php is linked below.
chdir('../../');
define('GWF_PAGE_TITLE', 'Screwed Signup - Login');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle('Screwed Signup');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Screwed Signup', 7, 'challenge/screwed_signup/index.php', false);
}
$chall->showHeader();
require_once 'screwed_signup.include';
# Form submission. Note the form in the template below carries no CSRF token
# (the Session::CSRF() call there is commented out).
$loginSubmitted = isset($_POST['login']);
if ($loginSubmitted) {
    screwed_signupLogin($chall);
}
?>

<div class="box box_c"><a href="register.php"><?php
# Link text for the registration half of the challenge.
print $chall->lang('btn_register');
?>
</a></div>

<?php
# Title box for the login form.
$loginTitle = $chall->lang('login_title');
$loginInfo = $chall->lang('login_info');
htmlTitleBox($loginTitle, $loginInfo);
?>


<form action="" method="post">
	<?php 
#Session::CSRF();
?>
	<table>
		<tr>
<?php

// Connect the dots: image puzzle with the standard solution box.
chdir("../../");
define('GWF_PAGE_TITLE', 'Connect the dots');
require_once "challenge/html_head.php";
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
# NOTE(review): the title is spelled with three different capitalisations
# ('Connect the dots', 'Connect the Dots', 'Connect The Dots'); harmless only
# if getByTitle() matches case-insensitively — confirm.
$chall = WC_Challenge::getByTitle('Connect the Dots');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Connect The Dots');
}
$chall->showHeader();
$chall->onCheckSolution();
# The alt text from lang() is embedded into the attributes without escaping.
$alt = $chall->lang('img_alt');
$profileUrl = GWF_WEB_ROOT . 'profile/galen';
$image = '<br/><img src="dots.jpg" alt="' . $alt . '" title="' . $alt . '" />';
echo GWF_Box::box($chall->lang('info', array($profileUrl)) . $image);
formSolutionbox($chall);
echo $chall->copyrightFooter();
require_once "challenge/html_foot.php";
<?php

// Crappyshare: solution-box challenge; ?show=code prints the sharing script.
chdir('../../');
define('GWF_PAGE_TITLE', 'Crappyshare');
require_once 'challenge/html_head.php';
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle('Crappyshare');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Crappyshare', 4, '/challenge/crappyshare/index.php', false);
}
$chall->showHeader();
$chall->onCheckSolution();
# Mission
htmlTitleBox($chall->lang('title'), $chall->lang('info'));
# Show This Code — the path is fixed; only the switch comes from the request.
$showCode = Common::getGet('show') === 'code';
if ($showCode) {
    $source = file_get_contents('challenge/crappyshare/crappyshare.php');
    $msg = '[CODE=PHP title=crappyshare.php]' . $source . '[/CODE]';
    echo GWF_Box::box(GWF_Message::display($msg, true, true, true));
}
formSolutionbox($chall);
echo $chall->copyrightFooter();
require_once 'challenge/html_foot.php';
<?php

// Letterworm: the puzzle is drawn by generate.php in an iframe; the answer
// arrives via GET and is verified by checkSolution(), which is declared at the
// bottom of this file (PHP hoists unconditional top-level function declarations).
chdir("../../");
define('GWF_PAGE_TITLE', 'Letterworm');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle("Letterworm");
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Letterworm');
}
$chall->showHeader();
$solved = false;
$hasAnswer = isset($_GET["solution"]);
if ($hasAnswer) {
    $solved = checkSolution($chall);
}
if (true === $solved) {
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
htmlTitleBox($chall->lang('title'), $chall->lang('info'));
?>
<div class="box box_c">
<iframe src='generate.php' scrolling='auto' style="margin: 10px; padding: 5px; height: 320px;"></iframe>
<form action='index.php' method='get'>
<input type="text" name="solution" value="" />
<input type="submit" name="submit" value="Submit" />
</form>
</div>

<?php
# Footer; checkSolution() follows after the include.
print $chall->copyrightFooter();
require_once "challenge/html_foot.php";
function checkSolution(WC_Challenge $chall)
{
<?php

// Training: Stegano I — image puzzle with the standard solution box.
chdir("../../../");
define('GWF_PAGE_TITLE', 'Training: Stegano I');
require_once "challenge/html_head.php";
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle("Training: Stegano I");
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge("[Training: Stegano I]");
}
$chall->showHeader();
$chall->onCheckSolution();
$image = '<br/><img src="stegano1.bmp" width="64" height="64" />';
echo GWF_Box::box($chall->lang('info') . $image, GWF_PAGE_TITLE);
formSolutionbox($chall);
require_once "challenge/html_foot.php";
<?php

// Stalking: the "Identity" challenge must be solved first (checked further
// down). stalking_solution.php is included before chdir(), presumably so its
// relative path resolves from this directory.
include 'stalking_solution.php';
chdir('../../../');
define('GWF_PAGE_TITLE', 'Stalking');
require_once 'challenge/html_head.php';
require_once GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE);
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 10, 'challenge/identity/stalking/index.php', false);
}
$chall->showHeader();
# That would be you! (guest object when nobody is logged in)
$user = GWF_User::getStaticOrGuest();
# Get prerequisite challenge
if (false === ($identity = WC_Challenge::getByTitle('Identity'))) {
    echo GWF_HTML::err('ERR_GENERAL', array(__FILE__, __LINE__));
} else {
    if (!WC_ChallSolved::hasSolved($user->getID(), $identity->getID())) {
        $ida = sprintf('<a href="%s">%s</a>', htmlspecialchars($identity->hrefChallenge()), htmlspecialchars($identity->getName()));
        echo GWF_HTML::error($chall->lang('title'), $chall->lang('err_identity', $ida));
    } else {
        # Did we get an anwer at all?
        if ('' !== ($answer = Common::getPostString('answer', ''))) {
            # Bruteforcing answers?
            if (false !== ($error = $chall->isAnswerBlocked($user))) {
                echo $error;
            } elseif (false !== ($error = stalking_check_answer($chall, $answer))) {
                echo GWF_HTML::error($chall->lang('title'), $error);
            } else {
                echo GWF_HTML::message($chall->lang('title'), $chall->lang('msg_correct'));
                $chall->onChallengeSolved($user->getID());
<?php

// Training: Programming I — timed challenge. ?action=request serves the next
// question without the page header (NO_HEADER_PLEASE); the answer comes back
// via ?answer=... and is checked by prog2CheckResult().
chdir("../../../");
define('GWF_PAGE_TITLE', 'Training: Programming I');
# Time allowance shown in the info text (unit not visible here; presumably seconds).
define("TIMELIMIT", 1.337);
# Only a plain string 'request' qualifies; array-valued parameters fail is_string().
$wantsQuestion = isset($_GET['action']) && is_string($_GET['action']) && $_GET['action'] === 'request';
if ($wantsQuestion) {
    define('NO_HEADER_PLEASE', true);
}
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle("Training: Programming 1");
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge("[Training: Programming 1]");
}
if (defined('NO_HEADER_PLEASE') === true) {
    prog2NextQuestion($chall);
}
$solved = false;
$answer = Common::getGet('answer');
if ($answer !== false) {
    # Yields true, false, or an error string (handled by the elseif below).
    $solved = prog2CheckResult($chall);
}
$chall->showHeader();
if (true === $solved) {
    $chall->onChallengeSolved(GWF_Session::getUserID());
} elseif (is_string($solved)) {
    htmlDisplayError($solved, false);
}
?>

<?php
# Example submission URL for the info text ('the_message' is a placeholder).
$sol_url = Common::getAbsoluteURL($chall->getVar('chall_url')) . '?answer=the_message';
$infoArgs = array('index.php?action=request', $sol_url, TIMELIMIT);
print GWF_Box::box($chall->lang('info', $infoArgs));
?>
<?php

// Training: Prime Factory — solution-box challenge.
chdir('../../../');
define('GWF_PAGE_TITLE', 'Training: Prime Factory');
require_once "challenge/html_head.php";
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle('Prime Factory');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Prime Factory', 1, 'index.php', '1');
}
$chall->showHeader();
$chall->onCheckSolution();
?>
<div class="box box_c"><?php
# Mission text.
print $chall->lang('info');
?>
</div>
<?php
# Solution box, copyright line, site footer.
formSolutionbox($chall);
print $chall->copyrightFooter();
require_once 'challenge/html_foot.php';
<?php

// Can you read me: the image is served by gimme.php and the answer arrives via
// GET; checkSolution() is declared at the bottom of this file (PHP hoists
// unconditional top-level function declarations, so the call below works).
chdir("../../");
# Time allowance shown in the info text; enforcement is not visible here.
define('WC_CYRM_TIMEOUT', 2.5);
define('GWF_PAGE_TITLE', 'Can you read me');
require_once "challenge/html_head.php";
$chall = WC_Challenge::getByTitle('Can you read me');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Can you read me');
}
$chall->showHeader();
$solved = false;
$hasAnswer = isset($_GET["solution"]);
if ($hasAnswer) {
    $solved = checkSolution($chall);
}
if (true === $solved) {
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
$infoArgs = array(WC_CYRM_TIMEOUT);
htmlTitleBox($chall->lang('title'), $chall->lang('info', $infoArgs));
?>
<div class="box box_c">
<img src='gimme.php'><br/>
<form action='index.php' method='get'>
<input type='text' name='solution' value='' />
<input type="submit" name="cmd" value="Answer" />
</form>
</div>
<?php
# Footer; checkSolution() follows after the include.
print $chall->copyrightFooter();
require_once "challenge/html_foot.php";
function checkSolution(WC_Challenge $chall)
{
<?php

// Training: Get Sourced — the template below emits the 'info2' and 'comment'
// strings in a low-contrast paragraph and an HTML comment, i.e. only visible
// in the page source.
chdir("../../../");
define('GWF_PAGE_TITLE', 'Training: Get Sourced');
require_once "challenge/html_head.php";
require GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle('Training: Get Sourced');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Training: Get Sourced');
}
$chall->showHeader();
$chall->onCheckSolution();
?>
<div class="box box_c">
	<p><?php 
echo $chall->lang('info');
?>
</p>
	<p style="color:#e5e5e5;"><?php 
echo $chall->lang('info2');
?>
</p>
</div>
<!-- <?php 
echo $chall->lang('comment');
?>
 -->
<?php 
# Solution box and site footer; the HTML comment that follows is part of the page.
formSolutionbox($chall);
require_once "challenge/html_foot.php";
?>
<!-- <?php 
/**
 * `help` command of the Z - Reloaded shell: returns the translated help text.
 *
 * @param mixed $shellid shell instance id (not used by this command)
 * @param mixed $args    command arguments (not used by this command)
 * @return mixed whatever $chall->lang('cmd_help') yields (presumably a string)
 */
function zreload_func_help($shellid, $args)
{
    $chall = WC_Challenge::getByTitle('Z - Reloaded');
    if ($chall === false) {
        // Lookup failed: fall back to a placeholder so the text still resolves.
        $chall = WC_Challenge::dummyChallenge('Z - Reloaded', 6, '/challenge/Z/reloaded', false);
    }
    $help = $chall->lang('cmd_help');
    return $help;
}
<?php

# Yourself PHP: injection challenge. checkit.php is loaded before chdir(),
# presumably so its relative path resolves from this directory.
require 'checkit.php';
# required to check your solution/injection
chdir('../../');
# change the working directory to the web root
define('GWF_PAGE_TITLE', 'Yourself PHP');
# Wrapper hack
require_once 'challenge/html_head.php';
# output start of website
# Get the challenge
$chall = WC_Challenge::getByTitle('Yourself PHP');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Yourself PHP', 4, 'challenge/yourself_php/index.php', false);
}
# And display the header
$chall->showHeader();
# Show mission box (translated)
$missionArgs = array('index.php?highlight=christmas');
echo GWF_Box::box($chall->lang('mission_i', $missionArgs), $chall->lang('mission_t'));
# Check your injection and fix the hole by silently applying htmlspecialchars to the vuln input.
if (phpself_checkit()) {
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
# Show this file as highlighted sourcecode, if desired. The BBCode markers are
# split with '.', presumably so this line is not itself parsed as a [code] tag
# when the file is displayed.
if ('christmas' === Common::getGetString('highlight')) {
    $source = file_get_contents('challenge/yourself_php/index.php');
    $msg = '[' . 'code=php title=index.php]' . $source . '[' . '/code]';
    echo GWF_Box::box(GWF_Message::display($msg));
}
# __This is the challenge:
if (isset($_POST['username'])) {
    echo GWF_Box::box(sprintf("Well done %s, you entered your username. But this is <b>not</b> what you need to do.", htmlspecialchars(Common::getPostString('username'))));
<?php

// Training: Regex — multi-level challenge. The current level is kept in the
// session (WCC_T_REGEX) and selects the train_regex_level_<n> handler below,
// so the request cannot choose the handler directly.
chdir('../../../');
define('GWF_PAGE_TITLE', 'Training: Regex');
require_once 'challenge/html_head.php';
require_once GWF_CORE_PATH . 'module/WeChall/solutionbox.php';
$chall = WC_Challenge::getByTitle('Training: Regex');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Training: Regex', 2, '/challenge/training/regex/index.php', false);
}
$chall->showHeader();
# Level 1 until the session says otherwise.
$level = GWF_Session::getOrDefault('WCC_T_REGEX', 1);
if (false !== ($answer = Common::getPost('answer'))) {
    $function = 'train_regex_level_' . $level;
    # Users can cause errors... don`t die :) (thx busyr
    GWF_Debug::setMailOnError(false);
    GWF_Debug::setDieOnError(false);
    $solved = call_user_func($function, $chall, $answer);
    GWF_Debug::setMailOnError(true);
    GWF_Debug::setDieOnError(true);
    if ($solved === true) {
        $level++;
        $next_func = 'train_regex_level_' . $level;
        if (!function_exists($next_func)) {
            echo GWF_HTML::message('WeChall', $chall->lang('msg_solved'), false);
            $chall->onChallengeSolved(GWF_Session::getUserID());
            $level = 1;
        } else {
            echo GWF_HTML::message('WeChall', $chall->lang('msg_next_level'), false);
        }
        GWF_Session::set('WCC_T_REGEX', $level);
    } else {
<?php

// AUTH me: onChallengeSolved() is called unconditionally on page load —
// presumably because access to this page is gated upstream (e.g. by the web
// server) — confirm. Unlike the other challenge pages it is called without a
// user id argument.
chdir('../../../../');
define('GWF_PAGE_TITLE', 'AUTH me');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE);
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/space/auth_me/index.php', false);
}
$chall->showHeader();
$chall->onChallengeSolved();
# THE GAME! ;)
print $chall->copyrightFooter();
require_once 'challenge/html_foot.php';
<?php

# Highlighter Plain: ?show=source streams this file verbatim as text/plain.
# The strict comparison also rejects array-valued parameters.
$plainSourceRequested = isset($_GET['show']) && $_GET['show'] === 'source';
if ($plainSourceRequested) {
    header('Content-Type: text/plain; charset=utf8;');
    echo file_get_contents('index.php');
    die;
}
# Change dir to web root
chdir('../../../../../');
# Print the website header
define('GWF_PAGE_TITLE', 'Local File Inclusion');
require_once 'challenge/html_head.php';
$chall = WC_Challenge::getByTitle('Training: PHP LFI');
if ($chall === false) {
    $chall = WC_Challenge::dummyChallenge('Training: PHP LFI', 2, 'challenge/training/php/lfi/up/index.php', false);
}
$chall->showHeader();
# Highlighter BBCode: the path comes from SCRIPT_FILENAME (set by the server), not the request.
$highlightRequested = isset($_GET['highlight']) && $_GET['highlight'] === 'christmas';
if ($highlightRequested) {
    $ownSource = file_get_contents($_SERVER['SCRIPT_FILENAME']);
    echo GWF_Message::display('[PHP]' . $ownSource . '[/PHP]');
    require_once 'challenge/html_foot.php';
    return;
}
###############################
### Here is your exploit :) ###
###############################
# The vulnerable snippet is held as source text here (presumably executed
# further down): a GET-controlled page name is concatenated into an include
# path without validation.
$code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';';
$code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");';
# Emulate Poison Null Byte for PHP>=5.3.4
$code2 = 'include $filename;';
### End of exploit ###