<html> <head> <!-- This stuff in the header has nothing to do with the level

1. <html>
2. <head>
3. <!-- This stuff in the header has nothing to do with the level -->
4. <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
5. <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
6. <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
7. <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
8. <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
9. <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
10. <script>var wechallinfo = { "level": "natas27", "pass": "<censored>" };</script></head>
11. <body>
12. <h1>natas27</h1>
13. <div id="content">
14. <?
15.  
16. // morla / 10111
17. // database gets cleared every 5 min
18.  
19.  
20. /*
21. CREATE TABLE `users` (
22. `username` varchar(64) DEFAULT NULL,
23. `password` varchar(64) DEFAULT NULL
24. );
25. */
26.  
27.  
28. function checkCredentials($link,$usr,$pass){
29.  
30. $user=mysql_real_escape_string($usr);
31. $password=mysql_real_escape_string($pass);
32.  
33. $query = "SELECT username from users where username='$user' and password='$password' ";
34. $res = mysql_query($query, $link);
35. if(mysql_num_rows($res) > 0){
36. return True;
37. }
38. return False;
39. }
40.  
41.  
42. function validUser($link,$usr){
43.  
44. $user=mysql_real_escape_string($usr);
45.  
46. $query = "SELECT * from users where username='$user'";
47. $res = mysql_query($query, $link);
48. if($res) {
49. if(mysql_num_rows($res) > 0) {
50. return True;
51. }
52. }
53. return False;
54. }
55.  
56.  
57. function dumpData($link,$usr){
58.  
59. $user=mysql_real_escape_string($usr);
60.  
61. $query = "SELECT * from users where username='$user'";
62. $res = mysql_query($query, $link);
63. if($res) {
64. if(mysql_num_rows($res) > 0) {
65. while ($row = mysql_fetch_assoc($res)) {
66. // thanks to Gobo for reporting this bug!
67. //return print_r($row);
68. return print_r($row,true);
69. }
70. }
71. }
72. return False;
73. }
74.  
75.  
76. function createUser($link, $usr, $pass){
77.  
78. $user=mysql_real_escape_string($usr);
79. $password=mysql_real_escape_string($pass);
80.  
81. $query = "INSERT INTO users (username,password) values ('$user','$password')";
82. $res = mysql_query($query, $link);
83. if(mysql_affected_rows() > 0){
84. return True;
85. }
86. return False;
87. }
88.  
89.  
90. if(array_key_exists("username", $_REQUEST) and array_key_exists("password", $_REQUEST)) {
91. $link = mysql_connect('localhost', 'natas27', '<censored>');
92. mysql_select_db('natas27', $link);
93.  
94.  
95. if(validUser($link,$_REQUEST["username"])) {
96. //user exists, check creds
97. if(checkCredentials($link,$_REQUEST["username"],$_REQUEST["password"])){
98. echo "Welcome " . htmlentities($_REQUEST["username"]) . "!<br>";
99. echo "Here is your data:<br>";
100. $data=dumpData($link,$_REQUEST["username"]);
101. print htmlentities($data);
102. }
103. else{
104. echo "Wrong password for user: " . htmlentities($_REQUEST["username"]) . "<br>";
105. }
106. }
107. else {
108. //user doesn't exist
109. if(createUser($link,$_REQUEST["username"],$_REQUEST["password"])){
110. echo "User " . htmlentities($_REQUEST["username"]) . " was created!";
111. }
112. }
113.  
114. mysql_close($link);
115. } else {
116. ?>
117.  
118. <form action="index.php" method="POST">
119. Username: <input name="username"><br>
120. Password: <input name="password" type="password"><br>
121. <input type="submit" value="login" />
122. </form>
123. <? } ?>
124. <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
125. </div>
126. </body>
127. </html>