Commit 24a8cc36 authored by w3challs's avatar w3challs

init repo

parents
## Web/Misc challs source
This repository contains the source code of some (not all!) of the Web & Misc challenges.
<?php
include('config.php');
include('util.php');
require 'credis/Client.php';
$redis = new Credis_Client($redis_host, $redis_port, null, '', $redis_db);
$url = $redis->hget('trainer:'.$_GET['value'], 'url');
if($url){
$baseUrl = substr($url, 0, strrpos($url, '/'));
$result = get_web_page($baseUrl.'/Badge.php', $trainerName);
echo $result;
}
else{
echo '{"error": "Trainer unknown"}';
}
?>
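Review bot: The base-URL computation `substr($url, 0, strrpos($url, '/'))` breaks for a stored URL with no path: for `http://host` the last slash is the second one of `//`, so the request goes to `http://Badge.php`. Rebuilding the base from `parse_url()` (scheme, host, port, dirname of the path) would avoid that. `$_GET['value']` is also read without an `isset`/`is_string` check. The URL taken from Redis is fetched and its response echoed verbatim, although the only writer visible in this commit stores a raw request parameter there, so the value should be validated again before `get_web_page` is called.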
<?php
include('config.php');
require 'credis/Client.php';
$redis = new Credis_Client($redis_host, $redis_port, null, '', $redis_db);
$win = $redis->hget('trainer:'.$_SERVER['HTTP_USER_AGENT'], 'win');
if($win === "1"){
echo '"'.$badge.'"';
}
else{
echo '"You never won against me"';
}
?>
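Review bot: The `win` lookup uses `$_SERVER['HTTP_USER_AGENT']` as the caller's identity, but that header is supplied by the client and may be absent, so the check before `echo '"'.$badge.'"'` authenticates nothing on its own. If that is the intended puzzle, a comment such as `// NOTE: identity = User-Agent is deliberate for this challenge` would stop the pattern from being copied; otherwise the trainer should come from a server-side session. The JSON string is also assembled by hand, so a badge containing `"` or `\` produces invalid output; `echo json_encode($badge);` is safer.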
<?php
include('config.php');
require 'credis/Client.php';
$redis = new Credis_Client($redis_host, $redis_port, null, '', $redis_db);
$redis->hset('trainer:'.$_SERVER['HTTP_USER_AGENT'], 'win', '0');
$result = $redis->keys('pokemon:*');
$pokemons = array();
for($i=0; $i<count($result); $i++){
array_push($pokemons, json_decode($redis->get($result[$i])));
}
$result = new stdClass();
$result->trainer = $trainerName;
$result->pokemons = $pokemons;
echo json_encode($result);
?>
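Review bot: The `hset` near the top writes to a key built from the unauthenticated `User-Agent` header on every request, so any caller can create an unbounded number of `trainer:*` hashes or reset the `win` field under any name. The header should at least be checked for presence, length and character set before it is used as a key. `$redis->keys('pokemon:*')` walks the whole keyspace and blocks Redis while it runs; an incremental `SCAN`, or a set that indexes the cached names, scales better. The index loop could then become `foreach ($result as $key) { $pokemons[] = json_decode($redis->get($key)); }`.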
<?php
include('config.php');
include('util.php');
require 'credis/Client.php';
$api = 'http://pokeapi.co/api/v2/pokemon/';
$pokemon_name = strtolower($_GET['value']);
if(ctype_alpha($pokemon_name)){
$redis = new Credis_Client($redis_host, $redis_port, null, '', $redis_db);
$result = $redis->get('pokemon:'.$pokemon_name);
if(!$result){
$pokemon_full = json_decode(get_web_page($api.$pokemon_name.'/', $trainerName));
if(@$pokemon_full->detail){
$result = '{"error": "Pokemon unknown"}';
}
else{
$pokemon = new stdClass();
$pokemon->name = $pokemon_full->name;
$pokemon->id = $pokemon_full->id;
$pokemon->height = $pokemon_full->height;
$pokemon->weight = $pokemon_full->weight;
$pokemon->img = base64_encode(get_web_page($pokemon_full->sprites->front_default, $trainerName));
$pokemon->type = $pokemon_full->types[0]->type->name;
$result = json_encode($pokemon);
$redis->set('pokemon:'.$pokemon_name, $result);
}
}
echo $result;
}
else{
echo '{"error": "Bad value"}';
}
?>
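Review bot: A failed or malformed upstream response gets cached permanently: when `get_web_page` returns false, `json_decode` yields null, `@$pokemon_full->detail` hides the warning, and the else branch stores a record of nulls with `$redis->set`. A guard such as `if (!is_object($pokemon_full) || !isset($pokemon_full->name)) { echo '{"error": "Pokemon unknown"}'; exit; }` before the else branch would keep bad data out of the cache. The API is also fetched over plain `http://`, and the `front_default` URL from that response is fetched without a scheme or host check, so anything able to alter the response decides what the server requests next and what is cached. Switching `$api` to `https://` and verifying the sprite host before the second `get_web_page` call would close that. `$_GET['value']` needs an `isset`/`is_string` check before `strtolower`.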
<?php
include('config.php');
include('util.php');
require 'credis/Client.php';
$result = get_web_page($_GET['value'], $trainerName);
$d_result = json_decode($result);
$redis = new Credis_Client($redis_host, $redis_port, null, '', $redis_db);
$redis->hset('trainer:'.$d_result->trainer, 'url', $_GET['value']);
echo $result;
?>
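Review bot: `$_GET['value']` is passed to `get_web_page()` unchanged, so this endpoint requests any URL a caller supplies from the server's network position, including internal-only addresses, and echoes the response back. The value should be checked to be a string with an `http`/`https` scheme and a host on an allow-list before it is fetched. The decoded response is used unchecked as well: if `json_decode` returns null or `trainer` is missing, the `hset` writes under the bare key `trainer:`, and otherwise the key name is whatever the remote server chose to send. If the open fetch is the intended puzzle, a comment saying so would keep it from being reused elsewhere.

```php
$target = isset($_GET['value']) && is_string($_GET['value']) ? $_GET['value'] : '';
$parts = parse_url($target);
if ($parts === false
    || !isset($parts['scheme'], $parts['host'])
    || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
    echo '{"error": "Bad value"}';
    exit;
}
// host allow-list / private-address check belongs here, before the fetch
$result = get_web_page($target, $trainerName);
$d_result = json_decode($result);
if (!is_object($d_result) || !isset($d_result->trainer) || !is_string($d_result->trainer)) {
    echo '{"error": "Bad value"}';
    exit;
}
// … unchanged: Redis client setup, hset and echo (hset should store $target) …
```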
<?php
$trainerName = 'Gary';
$badge = 'The flag will be here!';
$redis_host = '127.0.0.1';
$redis_port = 6379;
$redis_db = 15;
?>
<?php
include('config.php');
?>
<html>
<head>
</head>
<body style="text-align:center;">
<canvas id="pokedex" width="745" height="541">
</canvas>
<input autocomplete="off" style="position:absolute; top:-1000px;" type="text" id="url" autofocus="true" />
<script>
var currentTrainer = '<?php echo $trainerName; ?>';
String.prototype.capitalizeFirstLetter = function() {
return this.charAt(0).toUpperCase() + this.slice(1);
}
function loadImage(path){
return new Promise(function(resolve, reject){
var img = new Image();
img.onload = function(){
resolve(img);
}
img.onerror = function(){
reject();
}
img.src = path;
});
}
function GET(path){
return new Promise(function(resolve, reject){
var xhr = new XMLHttpRequest();
xhr.open('GET', encodeURI(path));
xhr.onload = function() {
if (xhr.status === 200) {
try{
var datas = JSON.parse(xhr.responseText);
resolve(datas);
}
catch (err){
reject('Invalid format');
}
}
else{
reject(xhr.statusText);
}
};
xhr.send();
});
}
function getMousePos(canvas, e) {
/// getBoundingClientRect is supported in most browsers and gives you
/// the absolute geometry of an element
var rect = canvas.getBoundingClientRect();
/// as mouse event coords are relative to document you need to
/// subtract the element's left and top position:
return {x: e.clientX - rect.left, y: e.clientY - rect.top};
}
var canvas = document.getElementById('pokedex');
var ctx = canvas.getContext('2d');
canvas.onclick = function(event){
var pos = getMousePos(this, event);
console.log(pos);
if(pos.x > windowText.x){
document.getElementById('url').focus();
}
}
var actions = [{func: scanPokemon, url: 'ScanPokemon.php', title: 'Scan wild pokemon'}, {func: scanTrainer, url: 'ScanTrainer.php', title: 'Scan trainer'}, {func: askBadge, url: 'AskBadge.php', title: 'Ask for badge'}];
var currentAction = 0;
var pokemons = [];
var currentPokemon = 0;
var pokedexImg;
var windowText = {
x: 456,
y: 172,
width: 680-456,
height: 265-172
};
var windowPokemon = {
x: 62,
y: 158,
width: 303-62,
height: 312-158
};
loadImage('pokedex.gif').then(function(pokedexImgP){
pokedexImg = pokedexImgP;
drawPokedex(pokedexImg);
drawActionTitle(actions[currentAction].title);
});
function drawPokedex(pokedexImg){
ctx.drawImage(pokedexImg, 0, 0, canvas.width, canvas.height);
}
function drawActionTitle(action){
ctx.save();
ctx.fillStyle = '#30fb05';
ctx.fillRect(windowText.x, windowText.y, windowText.width, windowText.height);
ctx.textAlign = 'center';
ctx.font = '1em DejaVu Sans';
ctx.fillStyle = '#c72127';
ctx.fillText(action, windowText.x+windowText.width/2, windowText.y+15);
ctx.fillText('|', windowText.x+5, windowText.y+45);
ctx.restore();
}
function drawUrl(value){
ctx.save();
ctx.fillStyle = '#30fb05';
ctx.fillRect(windowText.x, windowText.y+20, windowText.width, windowText.height-20);
ctx.font = '0.7em DejaVu Sans';
ctx.fillStyle = '#c72127';
ctx.fillText(value, windowText.x+5, windowText.y+45);
ctx.restore();
}
function drawError(error){
ctx.save();
ctx.fillStyle = '#30fb05';
ctx.fillRect(windowText.x, windowText.y+20, windowText.width, windowText.height-20);
ctx.textAlign = 'center';
ctx.font = '1.2em DejaVu Sans';
ctx.fillStyle = '#c72127';
ctx.fillText(error, windowText.x+windowText.width/2, windowText.y+85);
ctx.restore();
}
function drawPokemon(pokemon){
loadImage('data:image/gif;base64,'+pokemon.img).then(function(pokemonImg){
ctx.save();
ctx.clearRect(windowPokemon.x, windowPokemon.y, windowPokemon.width, windowPokemon.height+5);
ctx.drawImage(pokemonImg, windowPokemon.x+pokemonImg.width/2+20, windowPokemon.y+pokemonImg.height/2, pokemonImg.width, pokemonImg.height);
ctx.font = '1em DejaVu Sans';
ctx.fillStyle = 'black';
ctx.fillText('#'+pokemon.id+' '+pokemon.name.capitalizeFirstLetter(), windowPokemon.x+15, windowPokemon.y+35);
ctx.fillText('Height : '+pokemon.height+' | Weight : '+pokemon.weight, windowPokemon.x+15, windowPokemon.y+55);
ctx.textAlign = 'center';
ctx.fillText('Type : '+pokemon.type, windowPokemon.x+windowPokemon.width/2, windowPokemon.y+windowPokemon.height);
ctx.font = '0.9em DejaVu Sans';
ctx.fillText(currentTrainer+'\'s pokemons', windowPokemon.x+windowPokemon.width/2, windowPokemon.y+10);
ctx.restore();
});
}
function drawBadge(content){
ctx.save();
ctx.clearRect(windowPokemon.x, windowPokemon.y, windowPokemon.width, windowPokemon.height+5);
ctx.textAlign = 'center';
ctx.font = '0.9em DejaVu Sans';
ctx.fillText(content, windowPokemon.x+windowPokemon.width/2, windowPokemon.y+windowPokemon.height/2);
ctx.restore();
}
function scanPokemon(result){
drawActionTitle(actions[currentAction].title);
if(typeof(result.error) === 'undefined'){
drawPokemon(result);
}
else{
drawError(result.error);
}
}
function scanTrainer(result){
drawActionTitle(actions[currentAction].title);
pokemons = result.pokemons;
currentPokemon = 0;
drawPokemon(pokemons[currentPokemon]);
}
function askBadge(result){
drawActionTitle(actions[currentAction].title);
if(typeof(result.error) === 'undefined'){
drawBadge(result);
}
else{
drawError(result.error);
}
}
document.getElementById('url').onkeyup = function(event){
console.log(event.keyIdentifier);
if(event.keyIdentifier !== 'Left' && event.keyIdentifier !== 'Right' && event.keyIdentifier !== 'Enter' && event.keyIdentifier !== 'Up' && event.keyIdentifier !== 'Down'){
drawUrl(document.getElementById('url').value);
}
}
document.onkeydown = function(event){
var action = false;
var changePokemon = false;
switch(event.keyCode){
case 37:
if(document.getElementById('url').value === ''){
action = true;
currentAction -= 1;
}
break;
case 39:
if(document.getElementById('url').value === ''){
action = true;
currentAction += 1;
}
break;
case 38:
if(pokemons.length > 0){
changePokemon = true;
currentPokemon -= 1;
}
break;
case 40:
if(pokemons.length > 0){
changePokemon = true;
currentPokemon += 1;
}
break;
case 13:
GET(actions[currentAction].url+'?value='+encodeURI(document.getElementById('url').value)).then(actions[currentAction].func, function(error){
drawError(error);
});
document.getElementById('url').value = '';
break;
default:
console.log(event.keyIdentifier);
}
if(action){
if(currentAction >= actions.length){
currentAction = 0;
}
if(currentAction < 0){
currentAction = actions.length-1;
}
drawActionTitle(actions[currentAction].title);
}
if(changePokemon){
if(currentPokemon >= pokemons.length){
currentPokemon = 0;
}
if(currentPokemon < 0){
currentPokemon = pokemons.length-1;
}
drawPokemon(pokemons[currentPokemon]);
}
}
</script>
</body>
</html>
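Review bot: `var currentTrainer = '<?php echo $trainerName; ?>';` places a PHP value inside a JavaScript string literal without encoding, so a name containing a quote or `</script>` breaks the page. `var currentTrainer = <?php echo json_encode($trainerName); ?>;` emits a correctly escaped literal. `scanTrainer` lacks the `result.error` check that `scanPokemon` and `askBadge` have: a response without a `pokemons` array leaves `pokemons` undefined, and the next key press throws on `pokemons.length`. A guard such as `if (!Array.isArray(result.pokemons) || !result.pokemons.length) { drawError('No data'); return; }` would cover it. `event.keyIdentifier` is non-standard and has been removed from browsers; `event.key` is the replacement.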
<?php
function get_web_page($url, $trainerName) {
$options = array(
CURLOPT_RETURNTRANSFER => true, // return web page
CURLOPT_HEADER => false, // don't return headers
CURLOPT_FOLLOWLOCATION => true, // follow redirects
CURLOPT_MAXREDIRS => 3, // stop after 10 redirects
CURLOPT_ENCODING => '', // handle compressed
CURLOPT_USERAGENT => $trainerName, // name of client
CURLOPT_AUTOREFERER => true, // set referrer on redirect
CURLOPT_CONNECTTIMEOUT => 120, // time-out on connect
CURLOPT_TIMEOUT => 120, // time-out on response
);
$ch = curl_init($url);
curl_setopt_array($ch, $options);
$content = curl_exec($ch);
curl_close($ch);
return $content;
}
?>
\ No newline at end of file
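Review bot: `get_web_page` does not restrict which URL schemes libcurl may use, and it follows redirects, so every caller that passes a request-derived URL can make the server speak any protocol libcurl was built with. Adding `CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,` and `CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,` to `$options` limits both the first request and any redirect. The comment on `CURLOPT_MAXREDIRS` says 10 while the value is 3. The 120-second connect and response timeouts let a slow target hold a PHP worker for minutes. `curl_exec` returns false on failure and that is returned unchecked, so callers cannot tell an empty page from an error.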
</div>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>databasic</title>
<meta name="language" content="en" />
<meta name="copyright" content="w3challs" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-language" content="en" />
</head>
<body>
<div style="text-align: center;">
<img src="/images/auth.jpg" alt="" /><br />
<h1>Authentication</h1>
<?php
# Easy starter :)
/* Init database
-- Table structure for table `haxorz_memberz`
--
CREATE TABLE IF NOT EXISTS `haxorz_memberz` (
`login` varchar(15) collate utf8_unicode_ci NOT NULL,
`password` varchar(65) collate utf8_unicode_ci NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
Add 2 or more users.
*/
define('DB_HOST', 'localhost');
define('DB_USER', 'databasic');
define('DB_PASSWORD', '********************************');
define('DB_DATABASE', 'databasic');
define('FLAG', 'The flag will be here.');
require_once dirname(__FILE__).'/inc/header.php';
$auth = FALSE;
if (isset($_POST['login'], $_POST['password']) && is_string($_POST['login']) && is_string($_POST['password']))
{
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
$query = sprintf("SELECT * FROM haxorz_memberz WHERE login = '%s' AND password = MD5('%s')",
mysqli_real_escape_string($con, $_POST['login']),
$_POST['password']
);
$sql = mysqli_query($con, $query);
if (@mysqli_num_rows($sql) == 1)
$auth = TRUE;
else
printf('<div style="text-align: center;color: #ff000c;">Wrong login/password</div>');
}
if ($auth)
{
printf('<div style="text-align: center;color: #35ae00;">Well done, the flag is <strong>%s</strong></div>', FLAG);
}
else
{
echo <<< EOT
<form method="post" action="">
<table style="margin-left : auto; margin-right : auto;">
<tr><td><strong>Login</strong></td><td><input type="text" size="15" name="login" /></td></tr>
<tr><td><strong>Password<strong></td><td><input type="password" size="15" name="password" /></td></tr>
<tr><td colspan="2" style="text-align: center;"><input type="submit" /></td></tr>
</table>
</form>
EOT;
}
require_once dirname(__FILE__).'/inc/footer.php';
?>
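Review bot: In the `sprintf` that builds `$query`, `login` goes through `mysqli_real_escape_string` but `$_POST['password']` is placed inside `MD5('%s')` with no escaping or binding, so the query text is controlled by request input. A prepared statement with both values bound removes the problem and the need for manual escaping. The `# Easy starter :)` comment suggests this is deliberate; if so, a comment on that line naming the intended flaw would help. Separately, `@mysqli_num_rows($sql)` hides a failed query and the `mysqli_connect` result is never checked. Unsalted `MD5` is not a suitable password hash outside a challenge; `password_hash`/`password_verify` is the usual replacement.

```php
    $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    $stmt = mysqli_prepare($con, 'SELECT 1 FROM haxorz_memberz WHERE login = ? AND password = MD5(?)');
    mysqli_stmt_bind_param($stmt, 'ss', $_POST['login'], $_POST['password']);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    if (mysqli_stmt_num_rows($stmt) == 1)
        $auth = TRUE;
    // … unchanged: else branch printing "Wrong login/password" …
```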
<?php
$dbConfig = array(
'host' => 'localhost',
'database' => 'facepalm',
'user' => 'facepalm',
'pass' => 'FIXME',
);
//error_reporting(0);
define('SITENAME', 'FACEPALM');
# Do not even try to solve with the following...
define('FLAG','The flag will be here.');
# Pages whitelist
$PAGES = array('home', 'gallery', 'random', 'add', 'login', 'admin');
# Check ini_set are OK
$failConfig = array();
if (ini_get('magic_quotes_gpc')) {
$failConfig[] = array('magic_quotes_gpc', 'off');
}
if (ini_get('register_globals')) {
$failConfig[] = array('register_globals', 'off');
}
if (ini_get('session.auto_start')) {
$failConfig[] = array('session.auto_start', 'off');
}
# If some php.ini settings are not configured well, say it
$len = count($failConfig);
if ($len)
{
printf ('%d configuration errors:<br />', $len);
foreach ($failConfig as $fail) {
printf('Set <strong>%s</strong> to <strong>%s</strong> in <em>php.ini</em><br />', $fail[0], $fail[1]);
}
}
?>
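Review bot: The php.ini check at the bottom only prints its findings and then lets the request continue with the flagged settings still active, and it prints them to every visitor. Writing them with `error_log()` and stopping with `exit;` when `$len` is non-zero would fail closed without exposing configuration details. `magic_quotes_gpc` and `register_globals` were removed in PHP 5.4, so those two branches can never fire on a current runtime and could be replaced by a minimum-version check. This file both defines configuration and produces output, which makes it awkward to include from code that has not yet sent headers.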
<?php
$link = getPost('link');
$author = getPost('author');
$errors = array();
$count = 0;
define('MAX_AUTHORIZED_LINKS',3);
# Form submitted
function startsWith($string, $query)
{
return substr($string, 0, strlen($query)) === $query;
}
if (!is_null($link) && !is_null($author) && checkToken('facepalm_anticsrf'))
{
if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED) ||
!(startsWith($link, 'http://') || startsWith($link, 'https://')))
{
$errors[] = invalidLink;
}
$len = strlen($author);
if (!preg_match('/^[a-zA-Z0-9]{3,20}$/', $author)) {
$errors[] = invalidAuthor;
}
$antiflood = getSession('facepalm_antiflood');
$count = count($errors);
if (!$count && !is_null($antiflood) && $antiflood > time() - 120) {
$errors[] = waitABitDude;
} elseif (!$count) {
setSession('facepalm_antiflood', time());
}
if (!$count)
{
# Check there is no flood
$query = $db->prepare("
SELECT COUNT(*) AS count
FROM facepalm_proposal
WHERE ip=:ip AND status='wait'"
);
$query->bindParam(':ip', getIp(), PDO::PARAM_STR);
$query->execute();
$row = $query->fetch(PDO::FETCH_ASSOC);
if ($row['count'] >= MAX_AUTHORIZED_LINKS)
{
$errors[] = waitForIt;