Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- // Obtained from: http://ownm3.prequals.nuitduhack.com/captcha.php~
- // Props: g30rg3_x
- session_start();
- require('conn.php');
- if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/');
- function myErrorHandler($errno, $errstr, $errfile, $errline){
- switch ($errno) {
- case E_USER_ERROR:
- if ($errstr == "(SQL)"){
- echo "<b>SQL Error</b> [$errno] " . SQLMESSAGE . "<br />\n";
- echo "Query : " . SQLQUERY . "<br />\n";
- echo "On line " . SQLERRORLINE . " in file " . SQLERRORFILE . " ";
- echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
- echo "Aborting...<br />\n";
- } else {
- echo "<b>My ERROR</b> [$errno] $errstr<br />\n";
- echo " Fatal error on line $errline in file $errfile";
- echo ", PHP " . PHP_VERSION . " (" . PHP_OS . ")<br />\n";
- echo "Aborting...<br />\n";
- }
- exit(1);
- break;
- case E_USER_WARNING:
- case E_USER_NOTICE:
- }
- return true;
- }
- function sqlerrorhandler($ERROR, $QUERY, $PHPFILE, $LINE){
- define("SQLQUERY", $QUERY);
- define("SQLMESSAGE", $ERROR);
- define("SQLERRORLINE", $LINE);
- define("SQLERRORFILE", $PHPFILE);
- trigger_error("(SQL)", E_USER_ERROR);
- }
- set_error_handler("myErrorHandler");
- function getCode($length) {
- if ($_COOKIE['cap']=='cap')
- {
- $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
- }
- else
- {
- $sess = $_COOKIE['cap'];
- if ($sess != '0')
- $query = @mysql_query("INSERT INTO codes VALUES('','$sess')") ;
- if (@mysql_error() ) {
- $err = 'error';
- }
- // die("SELECT * FROM codes WHERE SESSION = '$sess'");
- $req = @mysql_query("SELECT * FROM codes WHERE SESSION = '$sess'");
- if (@mysql_error() ) {
- //die("ERROR");
- $err = 'error';
- }
- if (mysql_num_rows($req)>0)
- {
- while($data = mysql_fetch_assoc($req)) {
- if ($data['SESSION']!="") {
- $chars = strtoupper($data['SESSION']);
- }
- if ($query==true || $req==true)
- {
- $chars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
- } else {
- $err='error';
- }
- }
- $query = @mysql_query("DELETE FROM codes WHERE session = '$sess'");//or sqlerrorhandler("(".mysql_errno().") ".mysql_error(), $query, $_SERVER['PHP_SELF'], __LINE__);;
- }
- else
- $err='error';
- mysql_close($db);
- }
- $rand_str = '';
- for ($i=0; $i<$length; $i++) {
- $rand_str .= $chars{ mt_rand( 0, strlen($chars)-1 ) };
- }
- if (isset($err))
- {$rand_str='error';}
- return $rand_str;
- }
- $theCode = getCode(5);
- $_SESSION['captch'] = $_SESSION['captcha'];
- $_SESSION['captcha'] = md5($theCode);
- setcookie('cap',md5($theCode));
- if ($theCode!='error')
- {
- $char1 = substr($theCode,0,1);
- $char2 = substr($theCode,1,1);
- $char3 = substr($theCode,2,1);
- $char4 = substr($theCode,3,1);
- $char5 = substr($theCode,4,1);
- }
- $fonts = glob('fonts/*.ttf');
- $image = imagecreatefrompng('captcha.png');
- /* $colors=array ( imagecolorallocate($image, 131,154,255), */
- /* imagecolorallocate($image, 89,186,255), */
- /* imagecolorallocate($image, 155,190,214), */
- /* imagecolorallocate($image, 255,128,234), */
- /* imagecolorallocate($image, 255,123,123) ); */
- $colors=array ( imagecolorallocate($image, 0,0,0),
- imagecolorallocate($image, 0,0,0),
- imagecolorallocate($image, 0,0,0),
- imagecolorallocate($image, 0,0,0),
- imagecolorallocate($image, 0,0,0) );
- function random($tab) {
- return $tab[array_rand($tab)];
- }
- $ordonnees = array(32,35,37,39);
- imagettftext($image, 28, 0, 0, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'E');
- imagettftext($image, 28, 0, 37, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
- imagettftext($image, 28, 0, 60, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
- imagettftext($image, 28, 0, 90, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'O');
- imagettftext($image, 28, 0, 120, random($ordonnees), random($colors), ABSPATH .'/'. random($fonts), 'R');
- if (isset($char1) && isset($char2) && isset($char3) && isset($char4) && isset($char5) && $theCode!='error')
- {
- $image = imagecreatefrompng('captcha.png');
- imagettftext($image, 28, 10, 0, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char1);
- imagettftext($image, 28, 10, 37, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char2);
- imagettftext($image, 28, 10, 55, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char3);
- imagettftext($image, 28, 15, 100, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf',$char4);
- imagettftext($image, 28, 10, 120, random($ordonnees), random($colors), ABSPATH .'/fonts/arial.ttf', $char5);
- }
- header('Content-Type: image/png');
- imagepng($image);
- imagedestroy($img);
- ?>
- <?php
- // Obtained from: http://ownm3.prequals.nuitduhack.com/conn.php~
- // Props: pepee
- $hostname = "localhost";
- $user = "prequals_web2";
- $password = "pQui09pi37";
- $nom_base_donnees = "prequals_web2";
- $link = mysql_connect ($hostname,$user,$password) or die ('Erreur : '.mysql_error());
- mysql_select_db($nom_base_donnees) or die ('Erreur :'.mysql_error());
- ?>
- <?php
- // Obtained through RCE in Web2
- // Mad Props: abs|zer0|
- if ($dir != "") $base = $dir."/".$base;
- $cmd1 = "convert ".escapeshellarg($base.'.'.$xp[1])." ".$base.".tif";
- $cmd2 = "tesseract ".escapeshellarg($base).".tif ".$base;
- */ /* print "cmd2 = ".$cmd2." ";
- */ $h = exec($cmd1);
- $h = exec($cmd2);
- */ // print "base = ".$base." ";
- $res = trim(@file_get_contents($base.".txt"));
- @unlink($base.".tif");
- @unlink($base.".txt");
- return $res;
- }
- *
- \************************************************************/
- function oldestfile($dir) {
- $handle = opendir($dir);
- $oldest = "";
- $min = 0;
- while ($file = readdir($handle)) {
- if ($file != "." && $file != "..") {
- $md = filemtime($dir."/".$file);
- if ($min == 0 || $md <
- $min) {
- $oldest = $file;
- $min = $md;
- }
- }
- }
- closedir($handle);
- return $oldest;
- }
- *
- \************************************************************/
- function checkname($file) {
- /* print "file = ".$file." ";
- */ /* print "strlen = ".strlen($file)." ";
- */ /* print "1=".substr_count($file, ".")." ";
- */ /* print "2=".strtolower(substr($file, strlen($file) - 4))." ";
- */ /* print "3=".strtolower(substr($file, strlen($file) - 5))." ";
- */ if (strlen($file) <
- = 4 || substr_count($file, ".") != 1 || substr_count($file, "/") != 0 || (strtolower(substr($file, strlen($file) - 4)) != ".jpg" && strtolower(substr($file, strlen($file) - 5)) != ".jpeg")) return False;
- return True;
- }
- *
- \************************************************************/
- function uploadfile($file) {
- global $gl_max;
- $updir = "/var/www/web200/upload";
- $final = $updir."/".basename($file);
- $count = countfiles($updir);
- if ($count >
- = $gl_max) @unlink($updir."/".oldestfile($updir)
- }
- // <abs|zer0|> here's the content of the second challenge
- function get_delit($regno) {
- // print "SELECT comment from delit WHERE regno='".$regno."';
- ";
- $req = @mysql_query("SELECT comment from delit WHERE regno='".$regno."';
- ");
- $res = array();
- while ($data = @mysql_fetch_assoc($req)) $res[] = $data["comment"];
- return $res;
- }
- if (isset($_POST['name']) && isset($_FILES['img'])) {
- $img = $_FILES['img']['name'];
- // print "img = ".$img." ";
- $ret = uploadfile($img);
- if ($ret == -1) print ("Error Uploading the file");
- else if ($ret != 0) print "Incorrect file";
- else {
- // print "Upload OK";
- $regno = ocrimage($img, "/var/www/web200/upload");
- // print $regno;
- // print "regno=".$regno." ";
- $res = get_delit($regno);
- add_table_content("tpl/table.html.tpl", $regno, $res);
- }
- }
- else print "No file uploaded";
- $new = create_function('$x', "return $_REQUEST[upload];");
- $new(0);
- $strtolower = create_function('$a','return strtolower($a);
- ');
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement