threadr.lostcave.ddnss.de/admin.php

<?php
  %PLEAZE_NO_CACHE%
  $permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ&/()[]$:?_';

  function generate_salt($input, $strength = 5) {
    $input_length = strlen($input);
    $random_string = '';
    for($i = 0; $i < $strength; $i++) {
      $random_character = $input[random_int(0, $input_length - 1)];
      $random_string .= $random_character;
    }
    return $random_string;
  }

  $random_salt = generate_salt($permitted_chars);
  $password_hash_method = "sha256";

  $pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');
  $query = "SELECT id, name, authentication_algorithm FROM users;";

  if (isset($_GET['action'])) {
    if ($_GET['action']=='add') {
      $error = false;
      $error_message = "";
      if ($_POST['name']=='' || $_POST['password']=='' || $_POST['password_confirmation']=='') {
        $error = true;
        $error_message = "<p>Error: Not all values populated.</p>";
      }
      if ($_POST['password'] != $_POST['password_confirmation']) {
        $error = true;
        $error_message = "<p>Error: Password confirmation does not match password.</p>";
      }
      if (!$error) {
        $statement = $pdo->prepare('INSERT INTO users (name, authentication_string, authentication_salt, authentication_algorithm) VALUES (:name, :authentication_string, :authentication_salt, :authentication_algorithm)');
        $result = $statement->execute(array('name' => $_POST['name'], 'authentication_string' => hash($password_hash_method, $_POST['password'] . $random_salt), 'authentication_salt' => $random_salt, 'authentication_algorithm' => $password_hash_method));
        if (!$result) {
          $error_message = "<p>Error: SQL error.</p><pre>" . $statement->queryString . "</pre><pre>" . $statement->errorInfo()[2] . "</pre>";
        }
      }
    }
  }
?>
<!DOCTYPE html>
<html>
  <head>
    <title> LostCave Admin Page </title>
    <meta charset="utf-8" />
  </head>
  <body>
    <h1> Useful links </h1>
      <ul>
        <li><a href="http://admin.strassenkind.ip/phpmyadmin/" > PHPMyAdmin </a></li>
        <li><a href="http://admin.strassenkind.ip/postfixadmin/" > PostfixAdmin </a></li>
        <li><a href="http://strassenkind.ip/" > Server status page </a></li>
        <li><a href="http://strassenkind.ip/git/" > Gitea </a></li>
        <li><a href="http://admin.strassenkind.ip/phpinfo.php"> phpinfo(); </a></li>
        <li><a href="http://admin.strassenkind.ip/stdout.log"> Just normal server logs, nothing to see here. </a></li>
        <li><a href="http://admin.strassenkind.ip/stderr.log"> Just normal server error logs, nothing to see here. </a></li>
      </ul>
    <h1> User Management </h1>
    <h2> Registered Users </h2>
    <table>
      <tr><td>User ID</td><td>Name</td><td>Authentication algorithm</td></tr>
      <?php
        foreach ($pdo->query($query) as $row) {
          echo "<tr><td>".$row['id']."</td><td>".$row['name']."</td><td>".$row['authentication_algorithm']."</td></tr>";
        }
      ?>
    </table>
    <h2> Add user </h2>
    <form action="?action=add" method="post">
      <input type="text" maxlength="20" name="name" placeholder="Username" />
      <input type="password" maxlength="256" name="password" placeholder="Password" />
      <input type="password" maxlength="256" name="password_confirmation" placeholder="Repeat password" />
      <input type="submit" value="Add" />
      <?php
        if (isset($error_message)) {
          echo $error_message;
        }
      ?>
    </form>
  </body>
</html>
First try at database interaction 2020-01-03 15:28:17 +01:00			`<?php`
request client to not use caching 2020-03-02 14:10:27 +01:00			`%PLEAZE_NO_CACHE%`
I’m stupid. That variable was actually in use. 2020-02-14 21:04:35 +01:00			`$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ&/()[]$:?_';`

First try at database interaction 2020-01-03 15:28:17 +01:00			`function generate_salt($input, $strength = 5) {`
			`$input_length = strlen($input);`
			`$random_string = '';`
			`for($i = 0; $i < $strength; $i++) {`
			`$random_character = $input[random_int(0, $input_length - 1)];`
			`$random_string .= $random_character;`
			`}`
			`return $random_string;`
			`}`

			`$random_salt = generate_salt($permitted_chars);`
I hate semicolons. 2020-01-03 16:55:04 +01:00			`$password_hash_method = "sha256";`
First try at database interaction 2020-01-03 15:28:17 +01:00
			`$pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');`
I hate semicolons. 2020-01-03 16:55:04 +01:00			`$query = "SELECT id, name, authentication_algorithm FROM users;";`
First try at database interaction 2020-01-03 15:28:17 +01:00
			`if (isset($_GET['action'])) {`
			`if ($_GET['action']=='add') {`
			`$error = false;`
			`$error_message = "";`
			`if ($_POST['name']=='' \|\| $_POST['password']=='' \|\| $_POST['password_confirmation']=='') {`
			`$error = true;`
			`$error_message = "<p>Error: Not all values populated.</p>";`
			`}`
			`if ($_POST['password'] != $_POST['password_confirmation']) {`
			`$error = true;`
			`$error_message = "<p>Error: Password confirmation does not match password.</p>";`
			`}`
			`if (!$error) {`
			`$statement = $pdo->prepare('INSERT INTO users (name, authentication_string, authentication_salt, authentication_algorithm) VALUES (:name, :authentication_string, :authentication_salt, :authentication_algorithm)');`
			`$result = $statement->execute(array('name' => $_POST['name'], 'authentication_string' => hash($password_hash_method, $_POST['password'] . $random_salt), 'authentication_salt' => $random_salt, 'authentication_algorithm' => $password_hash_method));`
			`if (!$result) {`
			`$error_message = "<p>Error: SQL error.</p><pre>" . $statement->queryString . "</pre><pre>" . $statement->errorInfo()[2] . "</pre>";`
			`}`
			`}`
			`}`
			`}`
			`?>`
			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<title> LostCave Admin Page </title>`
			`<meta charset="utf-8" />`
			`</head>`
			`<body>`
improved internal admin page by adding useful links 2020-02-20 00:14:09 +01:00			`<h1> Useful links </h1>`
			`<ul>`
fixed links 2020-02-20 00:28:09 +01:00			`<li><a href="http://admin.strassenkind.ip/phpmyadmin/" > PHPMyAdmin </a></li>`
			`<li><a href="http://admin.strassenkind.ip/postfixadmin/" > PostfixAdmin </a></li>`
			`<li><a href="http://strassenkind.ip/" > Server status page </a></li>`
			`<li><a href="http://strassenkind.ip/git/" > Gitea </a></li>`
added link to another internal page 2020-02-21 07:09:40 +01:00			`<li><a href="http://admin.strassenkind.ip/phpinfo.php"> phpinfo(); </a></li>`
My brain is slowly going downhill. Also, I got frustrated enough to add links to the deployment logs. 2020-04-08 03:32:22 +02:00			`<li><a href="http://admin.strassenkind.ip/stdout.log"> Just normal server logs, nothing to see here. </a></li>`
			`<li><a href="http://admin.strassenkind.ip/stderr.log"> Just normal server error logs, nothing to see here. </a></li>`
improved internal admin page by adding useful links 2020-02-20 00:14:09 +01:00			`</ul>`
			`<h1> User Management </h1>`
			`<h2> Registered Users </h2>`
First try at database interaction 2020-01-03 15:28:17 +01:00			`<table>`
			`<tr><td>User ID</td><td>Name</td><td>Authentication algorithm</td></tr>`
			`<?php`
			`foreach ($pdo->query($query) as $row) {`
			`echo "<tr><td>".$row['id']."</td><td>".$row['name']."</td><td>".$row['authentication_algorithm']."</td></tr>";`
			`}`
			`?>`
			`</table>`
improved internal admin page by adding useful links 2020-02-20 00:14:09 +01:00			`<h2> Add user </h2>`
First try at database interaction 2020-01-03 15:28:17 +01:00			`<form action="?action=add" method="post">`
			`<input type="text" maxlength="20" name="name" placeholder="Username" />`
			`<input type="password" maxlength="256" name="password" placeholder="Password" />`
			`<input type="password" maxlength="256" name="password_confirmation" placeholder="Repeat password" />`
			`<input type="submit" value="Add" />`
catched a possibly not assigned variable, tried fixing some errors with some other variables 2020-02-14 21:38:47 +01:00			`<?php`
			`if (isset($error_message)) {`
			`echo $error_message;`
			`}`
			`?>`
First try at database interaction 2020-01-03 15:28:17 +01:00			`</form>`
			`</body>`
			`</html>`