SHARE
TWEET

g30rg3_x ndh2k11 Sources Leaked

a guest Apr 5th, 2011 517 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. // Obtained from: http://ownm3.prequals.nuitduhack.com/captcha.php~
  3. // Props: g30rg3_x
  4.  
  5. session_start();
  6. require('conn.php');
  7.  
  8. if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/');
  9.  
  10. function myErrorHandler($errno, $errstr, $errfile, $errline){
  11.     switch ($errno) {
  12.     case E_USER_ERROR:
  13.         if ($errstr == "(SQL)"){
  14.          
  15.             echo "<b>SQL Error</b> [$errno] " . SQLMESSAGE . "<br />\n";
  16.             echo "Query : " . SQLQUERY . "<br />\n";
  17.             echo "On line " . SQLERRORLINE . " in file " . SQLERRORFILE . " ";
  18.             echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
  19.             echo "Aborting...<br />\n";
  20.         } else {
  21.             echo "<b>My ERROR</b> [$errno] $errstr<br />\n";
  22.             echo "  Fatal error on line $errline in file $errfile";
  23.             echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
  24.             echo "Aborting...<br />\n";
  25.         }
  26.         exit(1);
  27.         break;
  28.  
  29.     case E_USER_WARNING:
  30.     case E_USER_NOTICE:
  31.     }
  32.    
  33.     return true;
  34. }
  35.  
  36.  
  37.  
  38. function sqlerrorhandler($ERROR, $QUERY, $PHPFILE, $LINE){
  39.     define("SQLQUERY", $QUERY);
  40.     define("SQLMESSAGE", $ERROR);
  41.     define("SQLERRORLINE", $LINE);
  42.     define("SQLERRORFILE", $PHPFILE);
  43.     trigger_error("(SQL)", E_USER_ERROR);
  44. }
  45.  
  46. set_error_handler("myErrorHandler");
  47.  
  48. function getCode($length) {
  49.   if ($_COOKIE['cap']=='cap')
  50.     {
  51.       $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
  52.     }
  53.   else
  54.     {
  55.       $sess = $_COOKIE['cap'];
  56.  
  57.       if ($sess != '0')
  58.         $query = @mysql_query("INSERT INTO codes VALUES('','$sess')") ;
  59.       if (@mysql_error() )  {
  60.         $err = 'error';
  61.       }
  62.        
  63.       //      die("SELECT * FROM codes WHERE SESSION = '$sess'");
  64.       $req = @mysql_query("SELECT * FROM codes WHERE SESSION = '$sess'");
  65.       if (@mysql_error() ) {
  66.         //die("ERROR");
  67.         $err = 'error';
  68.       }
  69.       if (mysql_num_rows($req)>0)
  70.         {
  71.           while($data = mysql_fetch_assoc($req)) {
  72.        
  73.             if ($data['SESSION']!="") {
  74.               $chars = strtoupper($data['SESSION']);
  75.             }
  76.                
  77.             if ($query==true || $req==true)
  78.               {
  79.                 $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
  80.               } else {
  81.               $err='error';
  82.             }
  83.                
  84.           }
  85.           $query = @mysql_query("DELETE FROM codes WHERE session = '$sess'");//or sqlerrorhandler("(".mysql_errno().") ".mysql_error(), $query, $_SERVER['PHP_SELF'], __LINE__);;
  86.  
  87.         }
  88.       else
  89.         $err='error';
  90.       mysql_close($db);
  91.     }
  92.  
  93.   $rand_str = '';
  94.   for ($i=0; $i<$length; $i++) {
  95.     $rand_str .= $chars{ mt_rand( 0, strlen($chars)-1 ) };
  96.   }
  97.   if (isset($err))
  98.     {$rand_str='error';}
  99.   return $rand_str;
  100. }
  101.  
  102. $theCode = getCode(5);
  103.  
  104. $_SESSION['captch'] = $_SESSION['captcha'];
  105. $_SESSION['captcha'] = md5($theCode);
  106.  
  107. setcookie('cap',md5($theCode));
  108. if ($theCode!='error')
  109. {
  110. $char1 = substr($theCode,0,1);
  111. $char2 = substr($theCode,1,1);
  112. $char3 = substr($theCode,2,1);
  113. $char4 = substr($theCode,3,1);
  114. $char5 = substr($theCode,4,1);
  115. }
  116.  
  117. $fonts = glob('fonts/*.ttf');
  118.  
  119. $image = imagecreatefrompng('captcha.png');
  120.  
  121.  
  122. /* $colors=array (      imagecolorallocate($image, 131,154,255), */
  123. /*                 imagecolorallocate($image,  89,186,255), */
  124. /*                 imagecolorallocate($image, 155,190,214), */
  125. /*                 imagecolorallocate($image, 255,128,234), */
  126. /*                 imagecolorallocate($image, 255,123,123) ); */
  127.  
  128. $colors=array ( imagecolorallocate($image, 0,0,0),
  129.                 imagecolorallocate($image,  0,0,0),
  130.                 imagecolorallocate($image, 0,0,0),
  131.                 imagecolorallocate($image, 0,0,0),
  132.                 imagecolorallocate($image, 0,0,0) );
  133.  
  134. function random($tab) {
  135.   return $tab[array_rand($tab)];
  136. }
  137.  
  138.  
  139.  
  140.  
  141. $ordonnees = array(32,35,37,39);
  142.  
  143. imagettftext($image, 28, 0,   0, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'E');
  144. imagettftext($image, 28,  0,  37, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
  145. imagettftext($image, 28, 0,  60, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
  146. imagettftext($image, 28,  0, 90, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'O');
  147. imagettftext($image, 28, 0, 120, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
  148.  
  149. if (isset($char1) && isset($char2) && isset($char3) && isset($char4) && isset($char5) && $theCode!='error')
  150. {
  151.   $image = imagecreatefrompng('captcha.png');
  152.   imagettftext($image, 28, 10,   0, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char1);
  153.   imagettftext($image, 28,  10,  37, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char2);
  154.   imagettftext($image, 28, 10,  55, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char3);
  155.   imagettftext($image, 28,  15, 100, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf',$char4);
  156.   imagettftext($image, 28, 10, 120, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char5);
  157. }
  158.  
  159. header('Content-Type: image/png');
  160.  
  161.  
  162. imagepng($image);
  163.  
  164. imagedestroy($img);
  165.  
  166. ?>
  167.  
  168.  
  169.  
  170. <?php
  171. // Obtained from: http://ownm3.prequals.nuitduhack.com/conn.php~
  172. // Props: pepee
  173. $hostname = "localhost";
  174.         $user     = "prequals_web2";
  175.         $password = "pQui09pi37";
  176.         $nom_base_donnees = "prequals_web2";
  177.  
  178.        
  179.         $link = mysql_connect ($hostname,$user,$password) or die ('Erreur : '.mysql_error());
  180.         mysql_select_db($nom_base_donnees) or die ('Erreur :'.mysql_error());
  181. ?>
  182.  
  183.  
  184. <?php
  185. // Obtained through RCE in Web2
  186. // Mad Props: abs|zer0|
  187.  
  188. if ($dir != "") $base = $dir."/".$base;
  189. $cmd1 = "convert ".escapeshellarg($base.'.'.$xp[1])." ".$base.".tif";
  190. $cmd2 = "tesseract ".escapeshellarg($base).".tif ".$base;
  191. */ /* print "cmd2 = ".$cmd2." ";
  192. */ $h = exec($cmd1);
  193. $h = exec($cmd2);
  194. */ // print "base = ".$base." ";
  195. $res = trim(@file_get_contents($base.".txt"));
  196. @unlink($base.".tif");
  197. @unlink($base.".txt");
  198. return $res;
  199. }
  200. *
  201. \************************************************************/
  202. function oldestfile($dir) {
  203.     $handle = opendir($dir);
  204.     $oldest = "";
  205.     $min = 0;
  206.     while ($file = readdir($handle)) {
  207.         if ($file != "." && $file != "..") {
  208.             $md = filemtime($dir."/".$file);
  209.             if ($min == 0 || $md &lt;
  210.             $min) {
  211.                 $oldest = $file;
  212.                 $min = $md;
  213.             }
  214.         }
  215.     }
  216.     closedir($handle);
  217.     return $oldest;
  218. }
  219. *
  220. \************************************************************/
  221. function checkname($file) {
  222.     /* print "file = ".$file." ";
  223.     */ /* print "strlen = ".strlen($file)." ";
  224.     */ /* print "1=".substr_count($file, ".")." ";
  225.     */ /* print "2=".strtolower(substr($file, strlen($file) - 4))." ";
  226.     */ /* print "3=".strtolower(substr($file, strlen($file) - 5))." ";
  227.     */ if (strlen($file) &lt;
  228.     = 4 || substr_count($file, ".") != 1 || substr_count($file, "/") != 0 || (strtolower(substr($file, strlen($file) - 4)) != ".jpg" && strtolower(substr($file, strlen($file) - 5)) != ".jpeg")) return False;
  229.     return True;
  230. }
  231. *
  232. \************************************************************/
  233. function uploadfile($file) {
  234.     global $gl_max;
  235.     $updir = "/var/www/web200/upload";
  236.     $final = $updir."/".basename($file);
  237.     $count = countfiles($updir);
  238.     if ($count &gt;
  239.     = $gl_max) @unlink($updir."/".oldestfile($updir)
  240. }
  241.  
  242. // <abs|zer0|> here's the content of the second challenge
  243.  
  244. function get_delit($regno) {
  245.     // print "SELECT comment from delit WHERE regno='".$regno."';
  246.     ";
  247.    $req = @mysql_query("SELECT comment from delit WHERE regno='".$regno."';
  248.     ");
  249.    $res = array();
  250.    while ($data = @mysql_fetch_assoc($req)) $res[] = $data["comment"];
  251.    return $res;
  252. }
  253. if (isset($_POST['name']) && isset($_FILES['img'])) {
  254.     $img = $_FILES['img']['name'];
  255.    // print "img = ".$img." ";
  256.    $ret = uploadfile($img);
  257.    if ($ret == -1) print ("Error Uploading the file");
  258.    else if ($ret != 0) print "Incorrect file";
  259.    else {
  260.        // print "Upload OK";
  261.        $regno = ocrimage($img, "/var/www/web200/upload");
  262.        // print $regno;
  263.        // print "regno=".$regno." ";
  264.        $res = get_delit($regno);
  265.        add_table_content("tpl/table.html.tpl", $regno, $res);
  266.    }
  267. }
  268. else print "No file uploaded";
  269. $new = create_function('$x', "return $_REQUEST[upload];");
  270. $new(0);
  271. $strtolower = create_function('$a','return strtolower($a);
  272. ');
  273. ?>
RAW Paste Data
Top