ctf-chal-ji/www/login.php

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Tux gallery !</title>
    <link rel="stylesheet" href="static/css/stylesheet.css">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
</head>
<body>
    <?php include 'include/nav.php'?>
    <div class="wrapper">
        <form id="loginForm" method="POST" action="login.php">
            <h1>Login</h1>
            <p>Note : The register feature is not implemented yet !</p>
            <label for="username">Username</label>
            <input type="text" id="username" name="username">
            <label for="password">Password</label>
            <input type="password" id="password" name="password">
            <input type="button" class="btn btn-primary" value="Login">
        </form>
    </div>
    <?php 
    // to do :
    // connect to mysql db
    // add sqli vulnerable login functionnality
    // ??
    // profit
    $servername = "db";
    $username = "root";
    $password = "39gknzLD";

    $conn = new mysqli($servername, $username, $password);

    if (! empty($_POST)) {
        $name = $_POST['username'];
        $password = $_POST['password'];
        if (empty($name)) {
            echo "Username is empty.";
        } else {
            $sql = 'SELECT username,pass FROM users WHERE username=' . $name . ' AND pass=' . $password; // sqli here
            $result = $conn->query($sql);
            if ($result->num_rows > 0) {
                echo "CONNECTED" // do redirect to upload page
            } else {
                echo "Wrong username or password !";
            }
        }
    }
    ?>
</body>
</html>