public function __wakeup() { if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) { $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/are_you_serial/index.php'); } $chall->onChallengeSolved(GWF_Session::getUserID()); }
<?php chdir('../../../'); define('GWF_PAGE_TITLE', 'Z - Reloaded'); require_once 'challenge/html_head.php'; $title = 'Z - Reloaded'; if (false === ($chall = WC_Challenge::getByTitle($title))) { $chall = WC_Challenge::dummyChallenge($title, 6, '/challenge/Z/reloaded', false); } $chall->showHeader(); htmlTitleBox($chall->lang('title'), $chall->lang('info', array('zshellz.php'))); echo $chall->copyrightFooter(); require_once 'challenge/html_foot.php';
<?php chdir('../../'); define('GWF_PAGE_TITLE', 'Addslashes'); require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle('Addslashes'))) { $chall = WC_Challenge::dummyChallenge('Addslashes', 5, false, false); } $chall->showHeader(); # Mission echo GWF_Box::box($chall->lang('info', array('addslashes.include', 'index.php?highlight=christmas'))); define('ADDSLASH_USERNAME', 'gizmore_addslash'); define('ADDSLASH_DATABASE', 'gizmore_addslash'); define('ADDSLASH_PASSWORD', 'addslash'); require_once 'addslashes.include'; if (false !== Common::getGet('login')) { if (true === asvsmysql_login(Common::getGet('username'), Common::getGet('password'))) { $chall->onChallengeSolved(GWF_Session::getUserID()); } } if (false !== Common::getGet('highlight')) { $msg = file_get_contents('challenge/addslashes/addslashes.include'); $msg = '[code=php title=addslashes.include]' . $msg . '[/code]'; echo GWF_Box::box(GWF_Message::display($msg)); } ?> <div class="box box_c"> <h2>欢迎登录页面</h2> <h3>请登录</h3>
<?php chdir("../../"); define('GWF_PAGE_TITLE', 'Lettergrid'); require_once 'challenge/html_head.php'; define('LETTERGRID_MAX_TIME', 4.5); if (false === ($chall = WC_Challenge::getByTitle('Lettergrid'))) { $chall = WC_Challenge::dummyChallenge('Lettergrid'); } $chall->showHeader(); $solved = false; if (false !== ($answer = Common::getGet('solution'))) { $solved = checkSolution($chall); } if ($solved === true) { $chall->onChallengeSolved(GWF_Session::getUserID()); } echo htmlTitleBox($chall->lang('title'), $chall->lang('info', array(LETTERGRID_MAX_TIME))); ?> <div class="box box_c"> <iframe src='generate.php' scrolling='auto'> </iframe> <form action='index.php' method='get'> <input type='text' name='solution' value='' /> <input type="submit" name="cmd" value="Submit Answer" /> </form> </div> <?php echo $chall->copyrightFooter();
require_once "challenge/html_head.php"; //html_head("Install Addslashes"); if (!GWF_User::isAdminS()) { echo GWF_HTML::err('ERR_NO_PERMISSION'); return; } // $title = GWF_PAGE_TITLE; $solution = $solution; $score = 4; $url = "challenge/training/php/experience/index.php"; $creators = "Gizmore"; $tags = 'MySQL,PHP,Exploit'; WC_Challenge::installChallenge(GWF_PAGE_TITLE, $solution, $score, $url, $creators, $tags); if (!($db = gdo_db_instance(EXP_DB_HOST, EXP_DB_USER, EXP_DB_PASS, EXP_DB_NAME))) { die(GWF_HTML::err('ERR_DATABASE', array(__FILE__, __LINE__))); } $db->truncateTable('items'); $db->truncateTable('flags'); foreach ($data as $title) { $title = $db->escape($title); $db->queryWrite("INSERT INTO items VALUES(0, '{$title}', NOW())"); } $challenges = GDO::table('WC_Challenge')->selectObjects('*'); foreach ($challenges as $challenge) { $challenge instanceof WC_Challenge; $random_solution = GWF_Random::randomKey(32); $db->queryWrite("INSERT INTO flags VALUES({$challenge->getID()}, '{$random_solution}')"); } $challenge = WC_Challenge::getByTitle(GWF_PAGE_TITLE, false); $db->queryWrite("REPLACE INTO flags VALUES({$challenge->getID()}, '{$solution}')"); require_once "challenge/html_foot.php";
<?php define('NO_ESCAPE_USER', 'gizmore_noesc'); define('NO_ESCAPE_DB', 'gizmore_noesc'); define('NO_ESCAPE_PW', 'gizmore_noesc'); require_once 'code.include'; chdir('../../'); define('GWF_PAGE_TITLE', 'No Escape'); require_once 'challenge/html_head.php'; if (!($chall = WC_Challenge::getByTitle('No Escape'))) { $chall = WC_Challenge::dummyChallenge('No Escape', 2, '/challenge/no_escape/index.php', false); } $chall->showHeader(); if ($who = Common::getGetString('vote_for', false)) { noesc_voteup($who); } htmlTitleBox($chall->lang('title'), $chall->lang('info', array('code.include', 'index.php?highlight=christmas'))); if (Common::getGetString('highlight') === 'christmas') { $msg = file_get_contents('challenge/no_escape/code.include'); $msg = '[code=php title=code.include]' . $msg . '[/code]'; echo GWF_Box::box(GWF_Message::display($msg, true, false, false)); } echo noesc_DisplayVotes($chall); echo $chall->copyrightFooter(); require_once 'challenge/html_foot.php';
<?php chdir("../../../"); define('GWF_PAGE_TITLE', 'Training: Encodings I'); require_once "challenge/html_head.php"; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle("Training: Encodings I"))) { $chall = WC_Challenge::dummyChallenge('Training: Encodings I'); } $chall->showHeader(); $chall->onCheckSolution(); ?> <div class="box box_c"> <?php echo $chall->lang('info', array(GWF_WEB_ROOT . 'tools/JPK')); ?> <br/> <br/> <pre> 10101001101000110100111100110100 00011101001100101111100011101000 10000011010011110011010000001101 11010110111000101101001111010001 00000110010111011101100011110111 11100100110010111001000100000110 00011110011110001111010011101001 01011100100000101100111011111110 10111100100100000111000011000011 11001111100111110111110111111100 10110010001000001101001111001101
<?php chdir('../../'); define('GWF_PAGE_TITLE', 'Screwed Signup - Login'); require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle('Screwed Signup'))) { $chall = WC_Challenge::dummyChallenge('Screwed Signup', 7, 'challenge/screwed_signup/index.php', false); } $chall->showHeader(); require_once 'screwed_signup.include'; if (isset($_POST['login'])) { screwed_signupLogin($chall); } ?> <div class="box box_c"><a href="register.php"><?php echo $chall->lang('btn_register'); ?> </a></div> <?php htmlTitleBox($chall->lang('login_title'), $chall->lang('login_info')); ?> <form action="" method="post"> <?php #Session::CSRF(); ?> <table> <tr>
<?php chdir("../../"); define('GWF_PAGE_TITLE', 'Connect the dots'); require_once "challenge/html_head.php"; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle('Connect the Dots'))) { $chall = WC_Challenge::dummyChallenge('Connect The Dots'); } $chall->showHeader(); $chall->onCheckSolution(); $alt = $chall->lang('img_alt'); echo GWF_Box::box($chall->lang('info', array(GWF_WEB_ROOT . 'profile/galen')) . '<br/><img src="dots.jpg" alt="' . $alt . '" title="' . $alt . '" />'); formSolutionbox($chall); echo $chall->copyrightFooter(); require_once "challenge/html_foot.php";
<?php chdir('../../'); define('GWF_PAGE_TITLE', 'Crappyshare'); require_once 'challenge/html_head.php'; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle('Crappyshare'))) { $chall = WC_Challenge::dummyChallenge('Crappyshare', 4, '/challenge/crappyshare/index.php', false); } $chall->showHeader(); $chall->onCheckSolution(); # Mission htmlTitleBox($chall->lang('title'), $chall->lang('info')); # Show This Code if ('code' === Common::getGet('show')) { $msg = '[CODE=PHP title=crappyshare.php]' . file_get_contents('challenge/crappyshare/crappyshare.php') . '[/CODE]'; echo GWF_Box::box(GWF_Message::display($msg, true, true, true)); } formSolutionbox($chall); echo $chall->copyrightFooter(); require_once 'challenge/html_foot.php';
<?php chdir("../../"); define('GWF_PAGE_TITLE', 'Letterworm'); require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle("Letterworm"))) { $chall = WC_Challenge::dummyChallenge('Letterworm'); } $chall->showHeader(); $solved = false; if (isset($_GET["solution"])) { $solved = checkSolution($chall); } if ($solved === true) { $chall->onChallengeSolved(GWF_Session::getUserID()); } htmlTitleBox($chall->lang('title'), $chall->lang('info')); ?> <div class="box box_c"> <iframe src='generate.php' scrolling='auto' style="margin: 10px; padding: 5px; height: 320px;"></iframe> <form action='index.php' method='get'> <input type="text" name="solution" value="" /> <input type="submit" name="submit" value="Submit" /> </form> </div> <?php echo $chall->copyrightFooter(); require_once "challenge/html_foot.php"; function checkSolution(WC_Challenge $chall) {
<?php chdir("../../../"); define('GWF_PAGE_TITLE', 'Training: Stegano I'); require_once "challenge/html_head.php"; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle("Training: Stegano I"))) { $chall = WC_Challenge::dummyChallenge("[Training: Stegano I]"); } $chall->showHeader(); $chall->onCheckSolution(); echo GWF_Box::box($chall->lang('info') . '<br/><img src="stegano1.bmp" width="64" height="64" />', GWF_PAGE_TITLE); formSolutionbox($chall); require_once "challenge/html_foot.php";
<?php include 'stalking_solution.php'; chdir('../../../'); define('GWF_PAGE_TITLE', 'Stalking'); require_once 'challenge/html_head.php'; require_once GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) { $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 10, 'challenge/identity/stalking/index.php', false); } $chall->showHeader(); # That would be you! $user = GWF_User::getStaticOrGuest(); # Get prerequisite challenge if (false === ($identity = WC_Challenge::getByTitle('Identity'))) { echo GWF_HTML::err('ERR_GENERAL', array(__FILE__, __LINE__)); } else { if (!WC_ChallSolved::hasSolved($user->getID(), $identity->getID())) { $ida = sprintf('<a href="%s">%s</a>', htmlspecialchars($identity->hrefChallenge()), htmlspecialchars($identity->getName())); echo GWF_HTML::error($chall->lang('title'), $chall->lang('err_identity', $ida)); } else { # Did we get an anwer at all? if ('' !== ($answer = Common::getPostString('answer', ''))) { # Bruteforcing answers? if (false !== ($error = $chall->isAnswerBlocked($user))) { echo $error; } elseif (false !== ($error = stalking_check_answer($chall, $answer))) { echo GWF_HTML::error($chall->lang('title'), $error); } else { echo GWF_HTML::message($chall->lang('title'), $chall->lang('msg_correct')); $chall->onChallengeSolved($user->getID());
<?php chdir("../../../"); define('GWF_PAGE_TITLE', 'Training: Programming I'); define("TIMELIMIT", 1.337); if (isset($_GET['action']) && is_string($_GET['action']) && $_GET['action'] === 'request') { define('NO_HEADER_PLEASE', true); } require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle("Training: Programming 1"))) { $chall = WC_Challenge::dummyChallenge("[Training: Programming 1]"); } if (true === defined('NO_HEADER_PLEASE')) { prog2NextQuestion($chall); } $solved = false; if (false !== ($answer = Common::getGet('answer'))) { $solved = prog2CheckResult($chall); } $chall->showHeader(); if ($solved === true) { $chall->onChallengeSolved(GWF_Session::getUserID()); } elseif (is_string($solved)) { htmlDisplayError($solved, false); } ?> <?php $sol_url = Common::getAbsoluteURL($chall->getVar('chall_url')) . '?answer=the_message'; echo GWF_Box::box($chall->lang('info', array('index.php?action=request', $sol_url, TIMELIMIT))); ?>
<?php chdir('../../../'); define('GWF_PAGE_TITLE', 'Training: Prime Factory'); require_once "challenge/html_head.php"; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle('Prime Factory'))) { $chall = WC_Challenge::dummyChallenge('Prime Factory', 1, 'index.php', '1'); } $chall->showHeader(); $chall->onCheckSolution(); ?> <div class="box box_c"><?php echo $chall->lang('info'); ?> </div> <?php formSolutionbox($chall); echo $chall->copyrightFooter(); require_once 'challenge/html_foot.php';
<?php chdir("../../"); define('WC_CYRM_TIMEOUT', 2.5); define('GWF_PAGE_TITLE', 'Can you read me'); require_once "challenge/html_head.php"; if (false === ($chall = WC_Challenge::getByTitle('Can you read me'))) { $chall = WC_Challenge::dummyChallenge('Can you read me'); } $chall->showHeader(); $solved = false; if (isset($_GET["solution"])) { $solved = checkSolution($chall); } if ($solved === true) { $chall->onChallengeSolved(GWF_Session::getUserID()); } htmlTitleBox($chall->lang('title'), $chall->lang('info', array(WC_CYRM_TIMEOUT))); ?> <div class="box box_c"> <img src='gimme.php'><br/> <form action='index.php' method='get'> <input type='text' name='solution' value='' /> <input type="submit" name="cmd" value="Answer" /> </form> </div> <?php echo $chall->copyrightFooter(); require_once "challenge/html_foot.php"; function checkSolution(WC_Challenge $chall) {
<?php chdir("../../../"); define('GWF_PAGE_TITLE', 'Training: Get Sourced'); require_once "challenge/html_head.php"; require GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle('Training: Get Sourced'))) { $chall = WC_Challenge::dummyChallenge('Training: Get Sourced'); } $chall->showHeader(); $chall->onCheckSolution(); ?> <div class="box box_c"> <p><?php echo $chall->lang('info'); ?> </p> <p style="color:#e5e5e5;"><?php echo $chall->lang('info2'); ?> </p> </div> <!-- <?php echo $chall->lang('comment'); ?> --> <?php formSolutionbox($chall); require_once "challenge/html_foot.php"; ?> <!-- <?php
function zreload_func_help($shellid, $args) { if (false === ($chall = WC_Challenge::getByTitle('Z - Reloaded'))) { $chall = WC_Challenge::dummyChallenge('Z - Reloaded', 6, '/challenge/Z/reloaded', false); } return $chall->lang('cmd_help'); }
<?php require 'checkit.php'; # required to check your solution/injection chdir('../../'); # chroot to web root define('GWF_PAGE_TITLE', 'Yourself PHP'); # Wrapper hack require_once 'challenge/html_head.php'; # output start of website # Get the challenge if (false === ($chall = WC_Challenge::getByTitle('Yourself PHP'))) { $chall = WC_Challenge::dummyChallenge('Yourself PHP', 4, 'challenge/yourself_php/index.php', false); } # And display the header $chall->showHeader(); # Show mission box (translated) echo GWF_Box::box($chall->lang('mission_i', array('index.php?highlight=christmas')), $chall->lang('mission_t')); # Check your injection and fix the hole by silently applying htmlsepcialchars to the vuln input. if (phpself_checkit()) { $chall->onChallengeSolved(GWF_Session::getUserID()); } # Show this file as highlighted sourcecode, if desired if ('christmas' === Common::getGetString('highlight')) { $msg = file_get_contents('challenge/yourself_php/index.php'); $msg = '[' . 'code=php title=index.php]' . $msg . '[' . '/code]'; echo GWF_Box::box(GWF_Message::display($msg)); } # __This is the challenge: if (isset($_POST['username'])) { echo GWF_Box::box(sprintf("Well done %s, you entered your username. But this is <b>not</b> what you need to do.", htmlspecialchars(Common::getPostString('username'))));
<?php chdir('../../../'); define('GWF_PAGE_TITLE', 'Training: Regex'); require_once 'challenge/html_head.php'; require_once GWF_CORE_PATH . 'module/WeChall/solutionbox.php'; if (false === ($chall = WC_Challenge::getByTitle('Training: Regex'))) { $chall = WC_Challenge::dummyChallenge('Training: Regex', 2, '/challenge/training/regex/index.php', false); } $chall->showHeader(); $level = GWF_Session::getOrDefault('WCC_T_REGEX', 1); if (false !== ($answer = Common::getPost('answer'))) { $function = 'train_regex_level_' . $level; # Users can cause errors... don`t die :) (thx busyr GWF_Debug::setMailOnError(false); GWF_Debug::setDieOnError(false); $solved = call_user_func($function, $chall, $answer); GWF_Debug::setMailOnError(true); GWF_Debug::setDieOnError(true); if ($solved === true) { $level++; $next_func = 'train_regex_level_' . $level; if (!function_exists($next_func)) { echo GWF_HTML::message('WeChall', $chall->lang('msg_solved'), false); $chall->onChallengeSolved(GWF_Session::getUserID()); $level = 1; } else { echo GWF_HTML::message('WeChall', $chall->lang('msg_next_level'), false); } GWF_Session::set('WCC_T_REGEX', $level); } else {
<?php chdir('../../../../'); define('GWF_PAGE_TITLE', 'AUTH me'); require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) { $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/space/auth_me/index.php', false); } $chall->showHeader(); $chall->onChallengeSolved(); # THE GAME! ;) echo $chall->copyrightFooter(); require_once 'challenge/html_foot.php';
<?php # Higlighter Plain if (isset($_GET['show']) && $_GET['show'] === 'source') { header('Content-Type: text/plain; charset=utf8;'); echo file_get_contents('index.php'); die; } # Change dir to web root chdir('../../../../../'); # Print the website header define('GWF_PAGE_TITLE', 'Local File Inclusion'); require_once 'challenge/html_head.php'; if (false === ($chall = WC_Challenge::getByTitle('Training: PHP LFI'))) { $chall = WC_Challenge::dummyChallenge('Training: PHP LFI', 2, 'challenge/training/php/lfi/up/index.php', false); } $chall->showHeader(); # Highlighter BBCode if (isset($_GET['highlight']) && $_GET['highlight'] === 'christmas') { echo GWF_Message::display('[PHP]' . file_get_contents($_SERVER['SCRIPT_FILENAME']) . '[/PHP]'); require_once 'challenge/html_foot.php'; return; } ############################### ### Here is your exploit :) ### ############################### $code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';'; $code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");'; # Emulate Poison Null Byte for PHP>=5.3.4 $code2 = 'include $filename;'; ### End of exploit ###