index.php
<?php
require_once('./auth.php');
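/**
 * Hash $data with the external vhash program.
 *
 * The data is written to a temporary file, fed to /home/ctf/vhash on standard
 * input, and at most the first 256 bytes of the program's output are returned.
 *
 * @param string $data Bytes to hash.
 * @return string|false Up to 256 bytes of vhash output, or false when the
 *                      temporary file could not be prepared or vhash printed
 *                      nothing.
 */
function do_hash($data) {
    $filename = tempnam(sys_get_temp_dir(), 'vhash');
    if ($filename === false) {
        return false;
    }

    $output = null;
    try {
        if (file_put_contents($filename, $data) !== false) {
            // Quote the path before it reaches the shell (the temp directory
            // is environment-dependent) and redirect stdin instead of
            // spawning cat.
            $output = shell_exec('/home/ctf/vhash < ' . escapeshellarg($filename));
        }
    } finally {
        // The file holds whatever the caller hashed; never leave it behind.
        unlink($filename);
    }

    // Fail closed: an empty digest must not be handed back as a string,
    // because on PHP 8 substr() would return '' and an empty signature would
    // then compare equal to it. false never equals a client-supplied string
    // under a strict comparison.
    if (!is_string($output) || $output === '') {
        return false;
    }

    return substr($output, 0, 256);
}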
/**
 * Produce the signature that accompanies the auth cookie payload.
 *
 * The result is do_hash() applied to SECRET immediately followed by $data.
 *
 * NOTE(review): despite the name, this is a secret-prefix hash and not the
 * HMAC construction. Secret-prefix MACs built on iterated hashes are open to
 * length extension; whether vhash is such a hash cannot be told from this
 * file. hash_hmac() with a standard hash is the usual replacement, at the
 * cost of invalidating cookies that were already issued.
 *
 * @param string $data Payload to sign.
 * @return mixed Whatever do_hash() returns for the keyed input.
 */
function create_hmac($data) {
    $keyed = SECRET . $data;

    return do_hash($keyed);
}
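// Logout: an empty value makes PHP delete the 'auth' cookie, then the browser
// is sent back to the start page.
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    setcookie('auth', '');
    header('Location: index.php');
    // header() does not end the script. Without this exit the rest of the
    // page would still be rendered from the cookie sent with this very
    // request, so the "logged out" response would carry the logged-in body.
    exit(0);
}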
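// Login form submission: check the credentials and, on success, issue the
// signed 'auth' cookie. This branch always ends the request.
if (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = isset($_POST['password']) ? $_POST['password'] : null;

    // Request parameters can arrive as arrays, so insist on plain strings.
    // The username is embedded unencoded in an '&'/'='-delimited payload that
    // is later split on '|', so a name containing one of those delimiters
    // would change the fields the cookie parser sees; refuse it up front.
    $well_formed = is_string($username)
        && is_string($password)
        && strpbrk($username, '&=|') === false;

    if ($well_formed && is_valid($username, $password)) {
        # Create the cookie
        $cookie = 'username=' . $username . '&';
        $cookie .= 'date=' . date(DATE_ISO8601) . '&';
        // NOTE(review): this discloses the length of SECRET to every client
        // and nothing in this file reads it back; drop the field unless
        // another consumer depends on it.
        $cookie .= 'secret_length=' . strlen(SECRET) . '&';

        # Sign the cookie
        $cookie = create_hmac($cookie) . '|' . $cookie;

        // Same name, value, lifetime, path and domain as before; the last
        // argument adds HttpOnly so page scripts cannot read the session.
        setcookie('auth', $cookie, 0, '', '', false, true);

        print "<h1>Login successful!</h1>\n";
        // The cookie contains the submitted username, so it is HTML-escaped
        // before being echoed into the page.
        $shown = htmlspecialchars($cookie, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        print "<p>Setting cookie: <tt>auth=$shown</tt></p>\n";
    } else {
        print "<h1>Username or password was incorrect!</h1>\n";
    }

    print "<p>Click <a href='index.php'>here</a> to continue!</p>\n";
    exit(0);
}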
// No 'auth' cookie on this request: hand over to login_form.php and stop.
if (isset($_COOKIE['auth']) === false) {
    require_once './login_form.php';
    exit(0);
}
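// Verify the auth cookie. Expected layout: "<signature>|<payload>".
$auth = $_COOKIE['auth'];
// A cookie sent as auth[]=... arrives as an array; treat it as malformed.
$parts = is_string($auth) ? explode('|', $auth, 2) : array();

$authentic = false;
if (count($parts) === 2 && $parts[0] !== '') {
    list($hmac, $cookie) = $parts;
    $expected = create_hmac($cookie);
    // Require a real, non-empty digest so a hashing failure can never match
    // an empty signature, and compare in constant time so the response
    // timing does not reveal how much of the signature was correct.
    $authentic = is_string($expected)
        && $expected !== ''
        && hash_equals($expected, $hmac);
}

if (!$authentic) {
    setcookie('auth', '');
    print "<p>Something was wrong with your auth cookie!</p>\n";
    print "<p>Click <a href='index.php'>here</a> to log in again!</p>\n";
    exit();
}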
// Turn the verified payload ("name=value&name=value&...") into a map.
$pairs = explode('&', $cookie);
$args = array();
foreach ($pairs as $pair) {
    $eq = strpos($pair, '=');
    // Skip fragments with no '=' at all (false) and fragments that start
    // with '=' (position 0, i.e. an empty name).
    if ($eq === false || $eq === 0) {
        continue;
    }

    $kv = explode('=', $pair, 2);
    $name = $kv[0];
    $value = $kv[1];
    // NOTE(review): a repeated name silently overrides the earlier value
    // (last one wins). Rejecting payloads with duplicate names would make
    // the parse unambiguous.
    $args[$name] = $value;
}
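// Render the page for the user named in the verified cookie. A payload
// without a username field is treated as an empty name instead of raising an
// undefined-index notice.
$username = isset($args['username']) ? $args['username'] : '';

// The name comes from a client-held cookie, so escape it for HTML output.
$shown = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
print "<h1>Welcome back, $shown!</h1>\n";

// Strict comparison: the privilege decision should not depend on PHP's
// loose-equality conversions.
if ($username === 'administrator') {
    print "<p>Congratulations, you're the administrator! Here's your reward:</p>\n";
    // FLAG is not defined in this file; presumably it comes from auth.php.
    print "<p>" . FLAG . "</p>\n";
} else {
    print "<p>It's cool that you logged in, but unfortunately we can only give the flag to 'administrator'. :(</p>\n";
}

print "<p><a href='/index.php?action=logout'>Log out</a></p>\n";
?>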