The challenge is called SeSSxploit, which looks like a reference to session poisoning.
But the thing is, I haven't found a way to exploit it...
I'm posting the source code:
Code:
<?php
// Challenge source as posted. $send, $submit, $action, $username and
// $password are read as bare globals, so this code depends on
// register_globals (PHP 4 / early PHP 5), and session_register() ties the
// global $Data to $_SESSION['Data'].
session_start();
if(!$db = @mysql_connect('localhost', '', '')) {
    die('Connection error');
}
if(!@mysql_select_db('netforce', $db)) {
    die('Can\'t locate database');
}
// Registration handler (hidden field send=reg), only while no session data exists.
if(isset($send) && $send == 'reg' && !isset($_SESSION['Data'])) {
    if(isset($username) && isset($password)) {
        $username = htmlspecialchars($username);
        $password = htmlspecialchars($password);
        mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
        $Data['username'] = $username;
        $Data['password'] = $password;
        session_register('Data');
        echo 'You are added to our database! Click <a href="index.php"><b>here</b></a> to proceed!<br /><br />';
    }
// Login handler (submit button named "submit" with value "Login").
} else if(isset($submit) && $submit == 'Login' && !isset($_SESSION['Data'])) {
    if(isset($username) && isset($password)) {
        $username = addslashes($username);
        $password = addslashes($password);
        $checkinfo = mysql_query("SELECT * FROM challenge_406 WHERE username='$username' AND password='$password'") or die('Error!');
        $Data = mysql_fetch_array($checkinfo);
        if($Data['id'] == '') {
            die('Wrong password!');
        } else {
            session_register('Data');
            header('Location: index.php');
        }
    }
// Registration form.
} else if(isset($action) && $action == 'register') {
?>
<html>
<head>
<title>Register</title>
</head>
<body>
<h3>Register now!</h3>
<form action="index.php" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="hidden" name="send" value="reg">
<input type="submit" value="Register">
</p>
</form>
</body>
</html>
<?php
// Logout: destroys the server-side session.
} else if(isset($action) && $action == 'logout') {
    session_destroy();
    header('location: index.php');
// Logged-in view: re-checks the username/password held in the session
// against the database, then displays the level found in $Data (default 0).
} else if(isset($_SESSION['Data'])) {
    $sesname = $_SESSION['Data']['username'];
    $sespass = $_SESSION['Data']['password'];
    $checkinfo = mysql_query("SELECT id FROM challenge_406 WHERE username='$sesname' AND password='$sespass'") or die('Error!');
    $checkit = mysql_fetch_array($checkinfo);
    if($checkit['id'] == '') {
        die('Wrong password!');
    } else {
        if($Data['level'] == '') {
            $Data['level'] = '0';
        }
        echo '<p>Welcome to our protected website!</p>';
        echo '<ul>';
        echo '<li>Username: '.$Data['username'].'</li>';
        echo '<li>Admin Level: '.$Data['level'].'</li>';
        echo '<li><a href="index.php?action=logout">Logout.</a></li>';
        echo '</ul>';
        if($Data['level'] == '8') {
            echo 'Well done! The solution is: [...]';
        }
    }
// Login form.
} else {
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<h3>Login!</h3>
<p>
Not yet a member? <a href="index.php?action=register">Register a new account.</a><br />
</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="submit" name="submit" value="Login">
</p>
</form>
</body>
</html>
<?php
}
?>
Please, no solutions, just hints...
If this post isn't allowed, please delete it...
Regards!
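For comparison, here is a hardened counterpart of the same register/login/session flow. This is an added example, not the challenge author's code and not a solution to the challenge. It assumes PDO with MySQL, a table I am calling users_hardened with columns id, username, password, ip and level (my naming; the challenge's challenge_406 table is left alone), and the DSN and credentials shown, which are placeholders. The differences from the posted code are the ones that matter in practice: request data is read explicitly from $_POST/$_GET instead of through register_globals, SQL is built with bound parameters rather than htmlspecialchars()/addslashes(), passwords are stored as hashes, the session id is regenerated after authentication, the session content is written only from the server-side lookup and is the only source of the user's level, and user-controlled values are escaped on output.

```php
<?php
// Added example, not part of the challenge: hardened register/login/session flow.
// Assumed: MySQL table `users_hardened` (id, username, password, ip, level),
// DSN and credentials below are placeholders.
declare(strict_types=1);

session_start();

$pdo = new PDO('mysql:host=localhost;dbname=netforce;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Explicit request sources: nothing is picked up from register_globals.
$action = $_GET['action']  ?? null;
$send   = $_POST['send']   ?? null;
$submit = $_POST['submit'] ?? null;

function register(PDO $pdo, string $username, string $password): void
{
    // Every value is bound; the password is stored as a hash, never cleartext.
    $stmt = $pdo->prepare(
        'INSERT INTO users_hardened (username, password, ip) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $username,
        password_hash($password, PASSWORD_DEFAULT),
        $_SERVER['REMOTE_ADDR'],
    ]);
}

function login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password, level FROM users_hardened WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // same answer for unknown user and wrong password
    }
    // Only server-derived fields go into the session; the password never does.
    return [
        'id'       => (int) $row['id'],
        'username' => $row['username'],
        'level'    => (int) $row['level'],
    ];
}

if ($send === 'reg' && !isset($_SESSION['user'])) {
    if (isset($_POST['username'], $_POST['password'])) {
        register($pdo, $_POST['username'], $_POST['password']);
        echo 'You are added to our database! <a href="index.php">Proceed</a>';
    }
} elseif ($submit === 'Login' && !isset($_SESSION['user'])) {
    $user = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        exit('Wrong password!');
    }
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user'] = $user;     // the only place authorisation data lives
    header('Location: index.php');
    exit;
} elseif ($action === 'logout') {
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
} elseif (isset($_SESSION['user'])) {
    $u = $_SESSION['user'];
    // Level is read from the session alone; no request variable can influence it.
    echo '<p>Welcome to our protected website!</p>';
    echo '<ul>';
    echo '<li>Username: ' . htmlspecialchars($u['username'], ENT_QUOTES, 'UTF-8') . '</li>';
    echo '<li>Admin Level: ' . $u['level'] . '</li>';
    echo '<li><a href="index.php?action=logout">Logout.</a></li>';
    echo '</ul>';
    if ($u['level'] === 8) {
        echo 'Admin area';
    }
} else {
    echo '<form action="index.php" method="post">'
       . 'Username: <input type="text" name="username" maxlength="12"><br />'
       . 'Password: <input type="password" name="password" maxlength="12"><br />'
       . '<input type="submit" name="submit" value="Login">'
       . '</form>';
}
```

The structural point is where the session gets its contents: in the hardened version $_SESSION['user'] is written exactly once, from the database row, and read back as the sole source of the username and level, so there is no second variable that could disagree with it.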