docker-vulnerable-dvwa/dvwa/vulnerabilities/brute/source/medium.php

<?php

if( isset( $_GET[ 'Login' ] ) ) {
	// Sanitise username input
	$user = $_GET[ 'username' ];
	$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

	// Sanitise password input
	$pass = $_GET[ 'password' ];
	$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
	$pass = md5( $pass );

	// Check the database
	$query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
	$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

	if( $result && mysqli_num_rows( $result ) == 1 ) {
		// Get users details
		$row    = mysqli_fetch_assoc( $result );
		$avatar = $row["avatar"];

		// Login successful
		$html .= "<p>Welcome to the password protected area {$user}</p>";
		$html .= "<img src=\"{$avatar}\" />";
	}
	else {
		// Login failed
		sleep( 2 );
		$html .= "<pre><br />Username and/or password incorrect.</pre>";
	}

	((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
first commit 2016-12-02 19:19:11 +00:00			`<?php`

			`if( isset( $_GET[ 'Login' ] ) ) {`
			`// Sanitise username input`
			`$user = $_GET[ 'username' ];`
dvwa updated 2018-10-12 15:49:58 +00:00			`$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));`
first commit 2016-12-02 19:19:11 +00:00
			`// Sanitise password input`
			`$pass = $_GET[ 'password' ];`
dvwa updated 2018-10-12 15:49:58 +00:00			`$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));`
first commit 2016-12-02 19:19:11 +00:00			`$pass = md5( $pass );`

			`// Check the database`
			$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
dvwa updated 2018-10-12 15:49:58 +00:00			`$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );`
first commit 2016-12-02 19:19:11 +00:00
dvwa updated 2018-10-12 15:49:58 +00:00			`if( $result && mysqli_num_rows( $result ) == 1 ) {`
first commit 2016-12-02 19:19:11 +00:00			`// Get users details`
dvwa updated 2018-10-12 15:49:58 +00:00			`$row = mysqli_fetch_assoc( $result );`
			`$avatar = $row["avatar"];`
first commit 2016-12-02 19:19:11 +00:00
			`// Login successful`
			`$html .= "<p>Welcome to the password protected area {$user}</p>";`
			`$html .= "<img src=\"{$avatar}\" />";`
			`}`
			`else {`
			`// Login failed`
			`sleep( 2 );`
			`$html .= "<pre><br />Username and/or password incorrect.</pre>";`
			`}`

dvwa updated 2018-10-12 15:49:58 +00:00			`((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);`
first commit 2016-12-02 19:19:11 +00:00			`}`

			`?>`