
Untitled

a guest
May 23rd, 2018
  2. <?php
  3.  
  4. if (!isset($_GET["error"]) || empty($_GET["error"])) {
  5.  
  6. echo "You are a noob. That is all.";
  7.  
  8. } else {
  9. $password=$_GET["error"];
  10. if ($password=="penis") {
  11.  
  12.  
  13. include("_mysql.php");
  14. include("_settings.php");
  15.  
  16. // copy pagelock information for session test + deactivated pagelock for checklogin
  17. $closed_tmp = $closed;
  18. $closed = 0;
  19.  
  20. include("_functions.php");
  21.  
  22. //settings
  23.  
  24. $sleep = 1; //idle status for script if password is wrong?
  25.  
  26. //settings end
  27. $_language->read_module('checklogin');
  28.  
  29. $get = safe_query("SELECT * FROM ".PREFIX."banned_ips WHERE ip='".$GLOBALS['ip']."'");
  30. if(mysql_num_rows($get) == 0){
  31. $ws_pwd = md5(stripslashes($_GET['x']));
  32. $ws_user = $_GET['u'];
  33.  
  34. $check = safe_query("SELECT * FROM ".PREFIX."user WHERE username='".$ws_user."'");
  35. $anz = mysql_num_rows($check);
  36. $login = 0;
  37.  
  38. if($anz) {
  39.  
  40. $check = safe_query("SELECT * FROM ".PREFIX."user WHERE username='".$ws_user."' AND activated='1'");
  41. if(mysql_num_rows($check)) {
  42.  
  43. $ds=mysql_fetch_array($check);
  44.  
  45. // check password
  46. $login = 0;
  47. if($ws_pwd == $ds['password']) {
  48.  
  49. //session
  50. $_SESSION['ws_auth'] = $ds['userID'].":".$ws_pwd;
  51. $_SESSION['ws_lastlogin'] = $ds['lastlogin'];
  52. $_SESSION['referer'] = $_SERVER['HTTP_REFERER'];
  53. //remove sessiontest variable
  54. if(isset($_SESSION['ws_sessiontest'])) unset($_SESSION['ws_sessiontest']);
  55. //cookie
  56. setcookie("ws_auth", $ds['userID'].":".$ws_pwd, time()+($sessionduration*60*60));
  57. setcookie("ws_auth2", $ds['userID'], time()+($sessionduration*60*60));
  58. //Delete visitor with same IP from whoisonline
  59. safe_query("DELETE FROM ".PREFIX."whoisonline WHERE ip='".$GLOBALS['ip']."'");
  60. //Delete IP from failed logins
  61. safe_query("DELETE FROM ".PREFIX."failed_login_attempts WHERE ip = '".$GLOBALS['ip']."'");
  62. $login = 1;
  63. $error = $_language->module['login_successful'];
  64.  
  65. echo "good";
  66.  
  67. }
  68. elseif(!($ws_pwd == $ds['password'])) {
  69.  
  70. if($sleep) sleep(5);
  71. $get = safe_query("SELECT wrong FROM ".PREFIX."failed_login_attempts WHERE ip = '".$GLOBALS['ip']."'");
  72. if(mysql_num_rows($get)){
  73. safe_query("UPDATE ".PREFIX."failed_login_attempts SET wrong = wrong+1 WHERE ip = '".$GLOBALS['ip']."'");
  74. }
  75. else{
  76. safe_query("INSERT INTO ".PREFIX."failed_login_attempts (ip,wrong) VALUES ('".$GLOBALS['ip']."',1)");
  77. }
  78. $get = safe_query("SELECT wrong FROM ".PREFIX."failed_login_attempts WHERE ip = '".$GLOBALS['ip']."'");
  79. if(mysql_num_rows($get)){
  80. $ban = mysql_fetch_assoc($get);
  81. if($ban['wrong'] == $max_wrong_pw){
  82. $bantime = time() + (60*60*3); // 3 hours
  83. safe_query("INSERT INTO ".PREFIX."banned_ips (ip,deltime,reason) VALUES ('".$GLOBALS['ip']."',".$bantime.",'Possible brute force attack')");
  84. safe_query("DELETE FROM ".PREFIX."failed_login_attempts WHERE ip = '".$GLOBALS['ip']."'");
  85. }
  86. }
  87. echo "wrong password";
  88. }
  89. }
  90. else $error= $_language->module['not_activated'];
  91.  
  92. }
  93. else $error=str_replace('%username%', htmlspecialchars($ws_user), $_language->module['no_user']);
  94. }
  95.  
  96. else{
  97. $login = 0;
  98. $data = mysql_fetch_assoc($get);
  99. $error = str_replace('%reason%', $data['reason'], $_language->module['ip_banned']);
  100. echo "BANHAMMERED";
  101. }
  102.  
  103. }
  104. }
  105. ob_start();
  106. ?>