g30rg3_x ndh2k11 Sources Leaked

1. <?php
2. // Obtained from: http://ownm3.prequals.nuitduhack.com/captcha.php~
3. // Props: g30rg3_x
4.  
5. session_start();
6. require('conn.php');
7.  
8. if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/');
9.  
10. function myErrorHandler($errno, $errstr, $errfile, $errline){
11.     switch ($errno) {
12.     case E_USER_ERROR:
13.         if ($errstr == "(SQL)"){
14.          
15.             echo "<b>SQL Error</b> [$errno] " . SQLMESSAGE . "<br />\n";
16.             echo "Query : " . SQLQUERY . "<br />\n";
17.             echo "On line " . SQLERRORLINE . " in file " . SQLERRORFILE . " ";
18.             echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
19.             echo "Aborting...<br />\n";
20.         } else {
21.             echo "<b>My ERROR</b> [$errno] $errstr<br />\n";
22.             echo "  Fatal error on line $errline in file $errfile";
23.             echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
24.             echo "Aborting...<br />\n";
25.         }
26.         exit(1);
27.         break;
28.  
29.     case E_USER_WARNING:
30.     case E_USER_NOTICE:
31.     }
32.    
33.     return true;
34. }
35.  
36.  
37.  
38. function sqlerrorhandler($ERROR, $QUERY, $PHPFILE, $LINE){
39.     define("SQLQUERY", $QUERY);
40.     define("SQLMESSAGE", $ERROR);
41.     define("SQLERRORLINE", $LINE);
42.     define("SQLERRORFILE", $PHPFILE);
43.     trigger_error("(SQL)", E_USER_ERROR);
44. }
45.  
46. set_error_handler("myErrorHandler");
47.  
48. function getCode($length) {
49.   if ($_COOKIE['cap']=='cap')
50.     {
51.       $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
52.     }
53.   else
54.     {
55.       $sess = $_COOKIE['cap'];
56.  
57.       if ($sess != '0')
58.     $query = @mysql_query("INSERT INTO codes VALUES('','$sess')") ;
59.       if (@mysql_error() )  {
60.     $err = 'error';
61.       }
62.    
63.       //      die("SELECT * FROM codes WHERE SESSION = '$sess'");
64.       $req = @mysql_query("SELECT * FROM codes WHERE SESSION = '$sess'");
65.       if (@mysql_error() ) {
66.     //die("ERROR");
67.     $err = 'error';
68.       }
69.       if (mysql_num_rows($req)>0)
70.     {
71.       while($data = mysql_fetch_assoc($req)) {
72.    
73.         if ($data['SESSION']!="") {
74.           $chars = strtoupper($data['SESSION']);
75.         }
76.        
77.         if ($query==true || $req==true)
78.           {
79.         $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
80.           } else {
81.           $err='error';
82.         }
83.        
84.       }
85.       $query = @mysql_query("DELETE FROM codes WHERE session = '$sess'");//or sqlerrorhandler("(".mysql_errno().") ".mysql_error(), $query, $_SERVER['PHP_SELF'], __LINE__);;
86.  
87.     }
88.       else
89.     $err='error';
90.       mysql_close($db);
91.     }
92.  
93.   $rand_str = '';
94.   for ($i=0; $i<$length; $i++) {
95.     $rand_str .= $chars{ mt_rand( 0, strlen($chars)-1 ) };
96.   }
97.   if (isset($err))
98.     {$rand_str='error';}
99.   return $rand_str;
100. }
101.  
102. $theCode = getCode(5);
103.  
104. $_SESSION['captch'] = $_SESSION['captcha'];
105. $_SESSION['captcha'] = md5($theCode);
106.  
107. setcookie('cap',md5($theCode));
108. if ($theCode!='error')
109. {
110. $char1 = substr($theCode,0,1);
111. $char2 = substr($theCode,1,1);
112. $char3 = substr($theCode,2,1);
113. $char4 = substr($theCode,3,1);
114. $char5 = substr($theCode,4,1);
115. }
116.  
117. $fonts = glob('fonts/*.ttf');
118.  
119. $image = imagecreatefrompng('captcha.png');
120.  
121.  
122. /* $colors=array (  imagecolorallocate($image, 131,154,255), */
123. /*                 imagecolorallocate($image,  89,186,255), */
124. /*                 imagecolorallocate($image, 155,190,214), */
125. /*                 imagecolorallocate($image, 255,128,234), */
126. /*                 imagecolorallocate($image, 255,123,123) ); */
127.  
128. $colors=array ( imagecolorallocate($image, 0,0,0),
129.                 imagecolorallocate($image,  0,0,0),
130.                 imagecolorallocate($image, 0,0,0),
131.                 imagecolorallocate($image, 0,0,0),
132.                 imagecolorallocate($image, 0,0,0) );
133.  
134. function random($tab) {
135.   return $tab[array_rand($tab)];
136. }
137.  
138.  
139.  
140.  
141. $ordonnees = array(32,35,37,39);
142.  
143. imagettftext($image, 28, 0,   0, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'E');
144. imagettftext($image, 28,  0,  37, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
145. imagettftext($image, 28, 0,  60, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
146. imagettftext($image, 28,  0, 90, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'O');
147. imagettftext($image, 28, 0, 120, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
148.  
149. if (isset($char1) && isset($char2) && isset($char3) && isset($char4) && isset($char5) && $theCode!='error')
150. {
151.   $image = imagecreatefrompng('captcha.png');
152.   imagettftext($image, 28, 10,   0, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char1);
153.   imagettftext($image, 28,  10,  37, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char2);
154.   imagettftext($image, 28, 10,  55, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char3);
155.   imagettftext($image, 28,  15, 100, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf',$char4);
156.   imagettftext($image, 28, 10, 120, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char5);
157. }
158.  
159. header('Content-Type: image/png');
160.  
161.  
162. imagepng($image);
163.  
164. imagedestroy($img);
165.  
166. ?>
167.  
168.  
169.  
170. <?php
171. // Obtained from: http://ownm3.prequals.nuitduhack.com/conn.php~
172. // Props: pepee
173. $hostname = "localhost";
174.     $user     = "prequals_web2";
175.     $password = "pQui09pi37";
176.     $nom_base_donnees = "prequals_web2";
177.  
178.    
179.     $link = mysql_connect ($hostname,$user,$password) or die ('Erreur : '.mysql_error());
180.     mysql_select_db($nom_base_donnees) or die ('Erreur :'.mysql_error());
181. ?>
182.  
183.  
184. <?php
185. // Obtained through RCE in Web2
186. // Mad Props: abs|zer0|
187.  
188. if ($dir != "") $base = $dir."/".$base;
189. $cmd1 = "convert ".escapeshellarg($base.'.'.$xp[1])." ".$base.".tif";
190. $cmd2 = "tesseract ".escapeshellarg($base).".tif ".$base;
191. */ /* print "cmd2 = ".$cmd2." ";
192. */ $h = exec($cmd1);
193. $h = exec($cmd2);
194. */ // print "base = ".$base." ";
195. $res = trim(@file_get_contents($base.".txt"));
196. @unlink($base.".tif");
197. @unlink($base.".txt");
198. return $res;
199. }
200. *
201. \************************************************************/
202. function oldestfile($dir) {
203.     $handle = opendir($dir);
204.     $oldest = "";
205.     $min = 0;
206.     while ($file = readdir($handle)) {
207.         if ($file != "." && $file != "..") {
208.             $md = filemtime($dir."/".$file);
209.             if ($min == 0 || $md &lt;
210.             $min) {
211.                 $oldest = $file;
212.                 $min = $md;
213.             }
214.         }
215.     }
216.     closedir($handle);
217.     return $oldest;
218. }
219. *
220. \************************************************************/
221. function checkname($file) {
222.     /* print "file = ".$file." ";
223.     */ /* print "strlen = ".strlen($file)." ";
224.     */ /* print "1=".substr_count($file, ".")." ";
225.     */ /* print "2=".strtolower(substr($file, strlen($file) - 4))." ";
226.     */ /* print "3=".strtolower(substr($file, strlen($file) - 5))." ";
227.     */ if (strlen($file) &lt;
228.     = 4 || substr_count($file, ".") != 1 || substr_count($file, "/") != 0 || (strtolower(substr($file, strlen($file) - 4)) != ".jpg" && strtolower(substr($file, strlen($file) - 5)) != ".jpeg")) return False;
229.     return True;
230. }
231. *
232. \************************************************************/
233. function uploadfile($file) {
234.     global $gl_max;
235.     $updir = "/var/www/web200/upload";
236.     $final = $updir."/".basename($file);
237.     $count = countfiles($updir);
238.     if ($count &gt;
239.     = $gl_max) @unlink($updir."/".oldestfile($updir)
240. }
241.  
242. // <abs|zer0|> here's the content of the second challenge
243.  
244. function get_delit($regno) {
245.     // print "SELECT comment from delit WHERE regno='".$regno."';
246.     ";
247.    $req = @mysql_query("SELECT comment from delit WHERE regno='".$regno."';
248.     ");
249.    $res = array();
250.    while ($data = @mysql_fetch_assoc($req)) $res[] = $data["comment"];
251.    return $res;
252. }
253. if (isset($_POST['name']) && isset($_FILES['img'])) {
254.     $img = $_FILES['img']['name'];
255.    // print "img = ".$img." ";
256.    $ret = uploadfile($img);
257.    if ($ret == -1) print ("Error Uploading the file");
258.    else if ($ret != 0) print "Incorrect file";
259.    else {
260.        // print "Upload OK";
261.        $regno = ocrimage($img, "/var/www/web200/upload");
262.        // print $regno;
263.        // print "regno=".$regno." ";
264.        $res = get_delit($regno);
265.        add_table_content("tpl/table.html.tpl", $regno, $res);
266.    }
267. }
268. else print "No file uploaded";
269. $new = create_function('$x', "return $_REQUEST[upload];");
270. $new(0);
271. $strtolower = create_function('$a','return strtolower($a);
272. ');
273. ?>