IceCreamRally

BadSantaLogIn.php

Oct 27th, 2018
  1. <?php
  2.  
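  // Congratulations!!
  // I put this on Pastebin as a bonus for any adventurers who think to look here.
  //
  // Bad Santa "login" handler for a hacking-challenge page. There is no real login:
  // the script maps what the visitor typed (plus one cookie and the client address)
  // to a hint, then logs the attempt to MySQL. The SQL injection in the logging step
  // is a deliberate part of the puzzle and is marked below. Everything else treats
  // request data as untrusted. Run this only on an isolated lab host.

  // Buffer the page so the setcookie() calls further down still work after HTML has
  // been echoed, whatever the output_buffering ini setting is.
  ob_start();

  // A missing parameter or an array-valued one (BadSantaPassword[]=x) is treated as a
  // blank guess instead of raising notices / type errors in the string functions below.
  $password = (isset($_REQUEST['BadSantaPassword']) && is_string($_REQUEST['BadSantaPassword']))
      ? $_REQUEST['BadSantaPassword']
      : '';

  // HTML-safe copy for anything reflected back into the page.
  $safePassword = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');

  // Last octet of the client address decides between the two fallback messages.
  // A non-IPv4 address has no fourth dotted field and is counted as even (0).
  $SantaIP   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  $octets    = explode('.', $SantaIP);
  $lastOctet = isset($octets[3]) ? (int) $octets[3] : 0;

  // Quoted key: the bare word Authenticated is an undefined constant, which is a fatal
  // error on PHP 8. An absent cookie counts as "not tampered with".
  $CookieAuthValue = isset($_COOKIE['Authenticated']) ? $_COOKIE['Authenticated'] : null;

  // Suggests potential command injection: the timestamp is laid out the way the `date`
  // utility prints it. It is produced in PHP, so no shell is spawned for a fixed string.
  echo "<p align=right>", date('D M j H:i:s T Y'), "</p>";

  // The order of the checks below is part of the puzzle -- do not reorder them.
  if (strpos($password, 'gibson') !== false || strpos($password, 'Gibson') !== false) {
      // if the password tried contains "gibson" or "Gibson" tell them the directory
      echo "<h2>Very good! Santa's list can be found at \\gibson\\</h2>";
      echo '<br><img src="images/IMG_9619.JPG" width="1024" height="768" alt="" border="0">';
  } elseif (strpos($password, 'Santa') !== false) {
      // if they try a string with "Santa" sends them to a site that used to have the creds
      // but was recently deleted. <REDACTED>
      echo '<h2><a href="http://icecreamrally.com/BadSanta/creds.html">Bad Santa Credentials</a></h2><br>';
      echo '<br><img src="/images/treeAnim.GIF" width="368" height="450" alt="" border="0">';
  } elseif ($CookieAuthValue != 0) {
      // If the Authenticated cookie value has been modified
      echo '<h2>Everyone is allowed to be in Bad Santa\'s world! But you\'ll need to go way back to get authentication information for what you are looking for.</h2><br>';
      echo '<br><img src="/images/santaPostCard.jpg" width="530" height="700" alt="" border="0">';
  } elseif (strpos($password, 'santa') !== false) {
      // Lower-case "santa": same hint as "Santa", but only when the cookie check above
      // did not fire first. <REDACTED>
      echo '<h2><a href="http://icecreamrally.com/BadSanta/creds.html">Bad Santa Credentials</a><br></h2>';
      echo '<br><img src="/images/treeAnim.GIF" width="368" height="450" alt="" border="0">';
  } elseif (stripos($password, 'script') !== false) {
      // Mock XSS: answers with a fixed message, nothing from the request is echoed
      echo "<h2>XSS may not be very useful in this adventure.</h2>";
      echo '<br><img src="/images/IMG_9618.JPG" width="1080" height="1538" alt="" border="0">';
  } elseif (stripos($password, 'pass') !== false) {
      // entered a variation of password
      echo "<h2>Brute force attacks may not be very useful in this adventure.</h2>";
      echo '<br><img src="/images/rabbitAnim.GIF" width="450" height="338" alt="" border="0">';
  } elseif ($password === '') {
      // If no value entered
      echo "<h2>You'll need to enter a password. No blanks allowed!</h2>";
      echo '<br><img src="/images/santaanim1.GIF" width="188" height="188" alt="" border="0">';
  } elseif ($CookieAuthValue == true) {
      // If the authenticated cookie is tampered with. The original test was spelled
      // `==! 0`, which PHP reads as `== (!0)`, i.e. a loose comparison with true. Only
      // values that loosely equal 0 yet are truthy get this far, and which values those
      // are depends on the PHP version's loose-comparison rules.
      echo "<h2>Cookie manipulation will not help in this adventure, but nice try!</h2>";
      echo '<br><img src="/images/santaanim2.GIF" width="188" height="188" alt="" border="0">';
  } elseif ($lastOctet % 2 !== 0) {
      // Provides different messages for odd and even IP addresses: output for odd
      echo "<h2>The password you tried is incorrect</h2>";
      echo '<br><img src="/images/IMG_9617.JPG" width="1080" height="1494" alt="" border="0">';
      echo "<br><font color='white'>";

      //<REDACTED>
      // sderc is "creds" spelled backwards
      setcookie("sderc", "WW91IG5lZWQgdG8gZ28gd2F5IGJhY2sgdG8gZmluZCB0aGUgcmVtb3ZlZCBjcmVkZW50aWFscw");

      // The original loop counted one variable up and the other down, so the guess is
      // printed ceil(n / 2) times for n = rand(1, 35). The guess is HTML-escaped: it is
      // visitor input, and the "script" filter above does not stop other markup.
      $repeat = (int) ceil(rand(1, 35) / 2);
      echo str_repeat($safePassword . "<br>", $repeat);

      echo "</font>";
  } else {
      // output for even (or non-IPv4) addresses
      echo "<h2>It doesn't look like any web injection attacks are going to work here...</h2>";
      echo '<br><img src="/images/IMG_9617.JPG" width="1080" height="1494" alt="" border="0">';
      // advises user to "hack the gibson" referring to the directory the actual list is in
      // laog is "goal" spelled backwards
      setcookie("laog", "V2hlbiBwb3NzaWJsZSwgaGFjayB0aGUgZ2lic29u");
  }

  // Inserts the search string in to the database after a string reverse to see what
  // happens with SQLi attempts.
  //
  // NOTE(review): the credentials live in source and the connection is root on the
  // `mysql` system schema. Even for a lab, a dedicated account limited to INSERT on
  // BadSantaQueries would contain the deliberately injectable statement below.
  $servername = "localhost";
  $username = "root";
  $DBpassword = "<REDACTED>";
  $dbname = "mysql";

  // This script checks return values itself. PHP 8.1+ makes mysqli throw by default,
  // which would bypass the error branch the challenge relies on.
  mysqli_report(MYSQLI_REPORT_OFF);

  // Create connection
  $conn1 = new mysqli($servername, $username, $DBpassword, $dbname);

  // Check connection. The driver's message goes to the server log, not to the visitor.
  if ($conn1->connect_error) {
      error_log("BadSanta DB connection failed: " . $conn1->connect_error);
      die("Connection failed");
  }

  // Reverses input making the SQLi vuln undetectable to automated scanners but readily
  // obvious with manual inspection with the ODBC error
  $loggedQuery = strrev($password);

  // logs password input and IP. Vulnerable to SQLi -- DELIBERATELY: the reversed guess is
  // concatenated into the statement. Do not copy this pattern. The non-vulnerable form is
  //     $stmt = $conn1->prepare("INSERT INTO BadSantaQueries (BadSantaQueryString, BadSantaQueryIP) VALUES (?, ?)");
  //     $stmt->bind_param("ss", $loggedQuery, $SantaIP);
  //     $stmt->execute();
  $sql = "INSERT INTO BadSantaQueries (BadSantaQueryString, BadSantaQueryIP) VALUES ('$loggedQuery', '$SantaIP')";

  if ($conn1->query($sql) === TRUE) {
      echo "<p>IP Address Logged";
  } else {
      // The statement and driver error stay visible for the challenge, but as escaped
      // text so the reversed guess cannot inject markup into the page.
      echo "Error: " . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "<br>"
          . htmlspecialchars($conn1->error, ENT_QUOTES, 'UTF-8');
  }

  // The handle is $conn1; the original closed an undefined $conn, which is a fatal error.
  $conn1->close();

  ob_end_flush();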
  156.  
  157.  
  158.  
  159. ?>