brokensql1

1. Br0kenMySQL
2.  
3.  
4.  
5. <title>Br0kenMySQL</title><h1><pre>
6. <p style='color:Red'>Br0kenMySQL</p>
7. <?php
8.  
9. if($_GET['debug']=='🕵') die(highlight_file(__FILE__));
10.  
11. require 'config.php';
12.  
13. $link = mysqli_connect('localhost', MYSQL_USER, MYSQL_PASSWORD);
14.  
15. if (!$link) {
16.     die('Could not connect: ' . mysql_error());
17. }
18.  
19. if (!mysqli_select_db($link,MYSQL_USER)) {
20.     die('Could not select database: ' . mysql_error());
21. }
22.     $id = $_GET['id'];
23.     if(preg_match('#sleep|benchmark|floor|rand|count#is',$id))
24.         die('Don\'t hurt me :-(');
25.     $query = mysqli_query($link,"SELECT username FROM users WHERE id = ". $id);
26.     $row = mysqli_fetch_array($query);
27.     $username = $row['username'];
28.  
29.     if($username === 'guest'){
30.  
31.         $ip = @$_SERVER['HTTP_X_FORWARDED_FOR']!="" ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
32.         if(preg_match('#sleep|benchmark|floor|rand|count#is',$ip))
33.             die('Don\'t hurt me :-(');
34.         var_dump($ip);
35.         if(!empty($ip))
36.             mysqli_query($link,"INSERT INTO logs VALUES('{$ip}')");
37.  
38.         $query = mysqli_query($link,"SELECT username FROM users WHERE id = ". $id);
39.         $row = mysqli_fetch_array($query);
40.         $username = $row['username'];
41.         if($username === 'admin'){
42.             echo "What ???????\nLogin as guest&admin at the same time ?\nSeems our code is broken, here is your bounty\n";
43.             die(FLAG);
44.         }
45.         echo "Nothing here";
46.     } else {
47.         echo "Hello ".$username;
48.     }
49.  
50.  
51.  
52.  
53. ?>
54. </h1>
55. </pre>
56.  
57. 1