Merge branch 'master' of github.com:NerdOfCode/admin-panel

Author: nerdofcode

README.md

@@ -0,0 +1,25 @@
+# admin-panel
+This is a very sucky admin panel that is in pre-pre-pre-pre-pre-pre-pre-pre-alpha stages. So far it can run shell commands, and basic MySQL queries. It has a simple UI, and the passwords in the database are now hashed, as opposed to the plaintext they used to be.
+
+## Set-Up
+
+First create a MySQL database by running:
+
+```MySQL
+CREATE DATABASE database_name_goes_here;
+```
+
+To set it up, create a MySQL table, with the fields `name` and `password`, to do so run:
+
+```MySQL
+CREATE TABLE users(name VARCHAR(30) NOT NULL, password VARCHAR(50) NOT NULL);
+```
+Then put your desired username in the `name` field, and the password in the `password` field.
+The password must be PHP hashed, to do so, run:
+
+```shell
+php -r 'echo password_hash("password", PASSWORD_DEFAULT);'; echo ""
+```
+on a LAMP install, make sure to put this password back in the MySQL table...
+
+Finally, change the values in the <b>user.php</b> file to match your own.

index.php

@@ -46,11 +46,11 @@
 $result = mysqli_query($db, $query);
 $row = mysqli_fetch_array($result);
 $password=$row['password'];
-if($user_password == $password && $user_name != ""){
+if(password_verify($_POST['passwd'], $password)){
         $_SESSION['status'] = "1";
         header("Location: /options.php");
         die();
-}else if($user_password != $password && $user_name != ""){
+}else{
         echo "An error has occured... Please try again later";
         $_SESSION['status'] = "0";
 }

mysql_exec.php

@@ -33,19 +33,30 @@
 </body>
 
 <?php
-$udb=$_POST['mysql_get'];//Database
-$user=$_POST['username'];
-$pass=$_POST['password'];
-$query=$_POST['myquery'];//Commands
-$host=$_POST['host'];
-//Set all current values as session variables below
-$_SESSION['saved_info']="1";$_SESSION['udb']="$udb";$_SESSION['mysql_user']="$user";$_SESSION['mysql_pass']="$pass";$_SESSION['query']="$query";$_SESSION['host']="$host";
-$db = mysqli_connect($host,$user,$pass,$udb) or die("<p style=\"color:red;\"><b>Error: </b> connection to MySQL failed. Please re-enter information and try again.</p>");
-mysqli_query($db, $query) or die("Unable to access MYSQL");
-$result = mysqli_query($db, $query);
-$row = mysqli_fetch_array($result);
-$column=$row['password'];
-echo "<b>Query Result: $column</b><br>";
-$mysqli_close($db);
+	$udb=$_POST['mysql_get'];//Database
+	$user=$_POST['username'];
+	$pass=$_POST['password'];
+	$query=$_POST['myquery'];//Commands
+	$host=$_POST['host'];
+	//If the variables are not empty, continue
+	if (isset($udb, $user, $pass, $query, $host)){
+		//Set all current values as session variables below
+		$_SESSION['saved_info']="1";$_SESSION['udb']="$udb";$_SESSION['mysql_user']="$user";$_SESSION['mysql_pass']="$pass";$_SESSION['query']="$query";$_SESSION['host']="$host";
+    		echo "<br> MySQL Query results: <br>";
+    		include("data.php");
+    		$databaseName = $_POST[mysql_get];
+    		$query = $_POST[myquery];
+		$db = mysqli_connect($host,$user,$pass,$udb) or die("<p style=\"color:red;\"><b>Error: </b> connection to MySQL failed. Please re-enter information and try again.</p>");
+    		mysqli_query($db, $query) or die("Unable to access MYSQL DataBase");
+    		$result = mysqli_query($db, $query);
+    		$row = mysqli_fetch_all($result, MYSQLI_ASSOC);
+    		$stringArray = json_encode($row);
+    		$stringArray = str_replace(",", "<br>", $stringArray);
+    		$stringArray = str_replace(array('[', ']', '}', '"'), "", $stringArray);
+    		$stringArray = str_replace("{", "<br>", $stringArray);
+   		$stringArray = str_replace(":", ": ", $stringArray);
+    		echo $stringArray;
+		$mysqli_close($db);
+	}
 ?>
 </html>

shell.php

@@ -22,8 +22,13 @@
 $cwd=getcwd();
 echo "<br>Current directory: $cwd<br>";
 $shell = $_POST['query_box'];
-$run = exec("$shell");
-echo "<br><b>Output: $run</b><br>";
+if (!empty($_POST['query_box'])) {
+	$run = exec("$shell");
+	echo "<br><b>Output: </b><br>";
+	echo "<pre>$run</pre>";
+}else{
+	echo "<b>Nothing has been run yet.</b>";	
+}
 ?>  
 </body>
 </html>