Beispiel #1
<?php

// Static body of the "File 2" page in the File Inclusion exercise. Nothing
// request-derived is interpolated: the only dynamic parts are the two
// dvwaExternalLinkUrlGet() calls, and both receive hard-coded URLs. The
// "back" link goes through the page=include.php query parameter.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 2</h3>\r\n\t\t<hr />\r\n\t\t\"<em>I needed a password eight characters long so I picked Snow White and the Seven Dwarves.</em>\" ~ Nick Helm<br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\n";
Beispiel #2
// Page controller for the Stored XSS exercise: picks the difficulty variant,
// runs it, then renders the guestbook form around its output.
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: Stored Cross Site Scripting (XSS)';
$page['page_id'] = 'xss_s';
$page['help_button'] = 'xss_s';
$page['source_button'] = 'xss_s';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php', which keeps the
// require_once below confined to files in this source directory.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Anti-CSRF: tokens are generated only for the 'high' variant; the low and
// medium forms are rendered without a token field (see the check below).
if ($vulnerabilityFile == 'high.php') {
    generateTokens();
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this excerpt -- presumably the included file sets
// it; TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/xss_s/source/{$vulnerabilityFile}";
// The maxlength attributes and the onsubmit/onClick JavaScript checks run in
// the browser only. They are a usability aid, not a control: any length or
// content rule that matters has to be enforced again by the server-side
// handler.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: Stored Cross Site Scripting (XSS)</h1>\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form method=\"post\" name=\"guestform\" onsubmit=\"return validate_form(this)\">\r\n\t\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\r\n\t\t\t\t<tr>\r\n\t\t\t\t\t<td width=\"100\">Name *</td>\r\n\t\t\t\t\t<td><input name=\"txtName\" type=\"text\" size=\"30\" maxlength=\"10\"></td>\r\n\t\t\t\t</tr>\r\n\t\t\t\t<tr>\r\n\t\t\t\t\t<td width=\"100\">Message *</td>\r\n\t\t\t\t\t<td><textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea></td>\r\n\t\t\t\t</tr>\r\n\t\t\t\t<tr>\r\n\t\t\t\t\t<td width=\"100\">&nbsp;</td>\r\n\t\t\t\t\t<td><input name=\"btnSign\" type=\"submit\" value=\"Sign Guestbook\" onClick=\"return checkForm();\"></td>\r\n\t\t\t\t</tr>\r\n\t\t\t</table>";
if ($vulnerabilityFile == 'high.php') {
    $page['body'] .= "\t\t\t" . tokenField();
}
// $html and the dvwaGuestbook() output are concatenated into the page as-is.
// Nothing on this line encodes them, so output encoding of stored guestbook
// entries has to happen inside those producers.
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\t<br />\r\n\r\n\t" . dvwaGuestbook() . "\r\n\t<br />\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Cross-site_scripting') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.cgisecurity.com/xss-faq.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.scriptalert1.com/') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #3
<?php

// Page controller for the Brute Force exercise: picks the difficulty variant,
// runs it, then renders the login form around its output.
// The relative root is a constant, so no request data reaches the include
// path of the shared page library.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: Brute Force';
$page['page_id'] = 'brute';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php'.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this file -- presumably the included file sets it;
// TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/brute/source/{$vulnerabilityFile}";
$page['help_button'] = 'brute';
$page['source_button'] = 'brute';
// The login form submits with GET, so the username and password travel in the
// query string and end up wherever URLs are recorded (browser history, proxy
// and web-server access logs). AUTOCOMPLETE="off" is only a browser hint.
// This file applies no attempt limiting of its own; whether any exists
// depends on the included variant.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: Brute Force</h1>\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\t<h2>Login</h2>\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\tUsername:<br><input type=\"text\" name=\"username\"><br>\r\n\t\t\tPassword:<br><input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password\"><br>\r\n\t\t\t<input type=\"submit\" value=\"Login\" name=\"Login\">\r\n\t\t</form>\r\n\r\n\t\t{$html}\r\n\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.securityfocus.com/infocus/1192') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #4
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);
    $query = "SELECT table_schema, table_name, create_time\r\n\t\t\t\tFROM information_schema.tables\r\n\t\t\t\tWHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'\r\n\t\t\t\tLIMIT 1";
    $result = @mysql_query($query);
    if (mysql_num_rows($result) != 1) {
        dvwaMessagePush("First time using DVWA.<br />Need to run 'setup.php'.");
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'setup.php');
    }
    $query = "SELECT * FROM `users` WHERE user='******' AND password='******';";
    $result = @mysql_query($query) or die('<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>');
    if ($result && mysql_num_rows($result) == 1) {
        // Login Successful...
        dvwaMessagePush("You have logged in as '{$user}'");
        dvwaLogin($user);
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'index.php');
    }
    // Login failed
    dvwaMessagePush('Login failed');
    dvwaRedirect('login.php');
}
// Collect pending messages as HTML for the login page (presumably the ones
// queued through dvwaMessagePush() -- confirm in the page library).
$messagesHtml = messagesPopAllToHtml();
// HTTP/1.1: ask browsers and proxies not to reuse a stored copy of the login
// page without revalidating it.
Header('Cache-Control: no-cache, must-revalidate');
// TODO- proper XHTML headers...
Header('Content-Type: text/html;charset=utf-8');
// An Expires date in the past marks the response as already stale.
Header('Expires: Tue, 23 Jun 2009 12:00:00 GMT');
// Anti-CSRF: create the session token before the form is rendered; the login
// form emitted after this block calls tokenField(), which presumably embeds
// that token as a hidden field -- confirm in the page library.
generateSessionToken();
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Login :: Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div id=\"wrapper\">\r\n\r\n\t<div id=\"header\">\r\n\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\r\n\t</div> <!--<div id=\"header\">-->\r\n\r\n\t<div id=\"content\">\r\n\r\n\t<form action=\"login.php\" method=\"post\">\r\n\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\r\n\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\r\n\t\t\t<br />\r\n\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t" . tokenField() . "\r\n\r\n\t</form>\r\n\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t</div > <!--<div id=\"content\">-->\r\n\r\n\t<div id=\"footer\">\r\n\r\n\t<p>" . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)') . " is a RandomStorm OpenSource project.</p>\r\n\r\n\t</div> <!--<div id=\"footer\"> -->\r\n\r\n\t</div> <!--<div id=\"wrapper\"> -->\r\n\r\n\t</body>\r\n\r\n</html>";
Beispiel #5
<?php

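// Page controller for the Command Execution exercise: picks the difficulty
// variant, runs it, then renders the ping form around its output.
// The relative root is a constant, so no request data reaches the include
// path of the shared page library.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
// Title text agrees with the page_id below and the <h1> rendered in the body.
$page['title'] .= $page['title_separator'] . 'Vulnerability: Command Execution';
$page['page_id'] = 'exec';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php'.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this file -- presumably the included file sets it;
// TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/exec/source/{$vulnerabilityFile}";
$page['help_button'] = 'exec';
$page['source_button'] = 'exec';
// The 'ip' field is free text and nothing in this file validates it, so any
// check on what is accepted has to live in the included handler.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: Command Execution</h1>\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\t<h2>Ping for FREE</h2>\r\n\r\n\t\t<p>Enter an IP address below:</p>\r\n\t\t<form name=\"ping\" action=\"#\" method=\"post\">\r\n\t\t\t<input type=\"text\" name=\"ip\" size=\"30\">\r\n\t\t\t<input type=\"submit\" value=\"submit\" name=\"submit\">\r\n\t\t</form>\r\n\r\n\t\t{$html}\r\n\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.ss64.com/bash/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.ss64.com/nt/') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);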
Beispiel #6
// Page controller for the WooYun-2014-52248 exercise: picks the difficulty
// variant, runs it, then renders the ID lookup form around its output.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'WooYun-2014-52248';
$page['page_id'] = 'WooYun-2014-52248';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php'.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this excerpt -- presumably the included file sets
// it; TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/WooYun-2014-52248/source/{$vulnerabilityFile}";
$page['help_button'] = 'WooYun-2014-52248';
$page['source_button'] = 'WooYun-2014-52248';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off. The warning only tells the learner why
// the exercise may not behave as expected. magic_quotes_gpc was removed in
// PHP 5.4, where ini_get() returns false for it and this branch never runs.
// Magic quotes were never a substitute for parameterized queries.
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// The 'id' field is submitted with GET, so the value appears in the URL.
// Nothing in this file validates it; that is left to the included handler.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\r\n\t<HeadlineFont><span class=\"label label-primary\">WooYun-2014-52248</span></HeadlineFont>\r\n\r\n\t<br>\t<br>\t<br>\t<br>\t<br>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\t<h3>Login User ID:</h3>\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<input type=\"text\" name=\"id\" class=\"form-control\" style=\"width:50%;\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\" class=\"btn btn-lg btn-info\">\r\n\t\t</form>\r\n\r\n\t\t{$html}\r\n\r\n\r\n\t</div>\r\n\r\n\t<br>\r\n\t<br>\r\n\t<br>\r\n\t<div class=\"panel panel-primary\">\r\n            <div class=\"panel-heading\">\r\n              <h3 class=\"panel-title\">Original Bug Report</h3>\r\n            </div>\r\n            <div class=\"panel-body\">\r\n              \t<li>" . dvwaExternalLinkUrlGet('http://www.wooyun.org/bugs/wooyun-2014-052248') . "</li>\r\n            </div>\r\n       </div>\r\n\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #7
			However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered.</p>

		<p>The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form.</p>
		<pre>Spoiler: <span class="spoiler">?id=a UNION SELECT 1,2;-- -&Submit=Submit</span>.</pre>

		<br />

		<h3>High Level</h3>
		<p>This is very similar to the low level, however this time the attacker is inputting the value in a different manner.
			The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request.</p>
		<pre>Spoiler: <span class="spoiler">ID: a' UNION SELECT "text1","text2";-- -&Submit=Submit</span>.</pre>

		<br />

		<h3>Impossible Level</h3>
		<p>The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer,
			and has distinguished which sections are code and which are data.</p>
	</div></td>
	</tr>
	</table>

	</div>

	<br />

	<p>Reference: <?php 
echo dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/SQL_Injection');
?>
</p>
</div>
Beispiel #8
		<h3>Medium Level</h3>
		<p>For the medium level challenge, there is a check to see where the last requested page came from. The developer believes if it matches the current domain,
			it must have come from the web application so it can be trusted.</p>
		<p>It may be required to link in multiple vulnerabilities to exploit this vector, such as reflective XSS.</p>

		<br />

		<h3>High Level</h3>
		<p>In the high level, the developer has added an "anti Cross-Site Request Forgery (CSRF) token". In order to bypass this protection method, another vulnerability will be required.</p>
		<pre>Spoiler: <span class="spoiler">e.g. JavaScript is executed on the client side, in the browser</span>.</pre>

		<br />

		<h3>Impossible Level</h3>
		<p>In the impossible level, the challenge will extend the high level and ask for the current user's password. As this cannot be found out (only predicted or brute forced),
			there is not an attack vector here.</p>
	</div></td>
	</tr>
	</table>

	</div>

	<br />

	<p>Reference: <?php 
echo dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)');
?>
</p>
</div>
Beispiel #9
<?php

// Setup for the About page, which sits at the application root (hence the
// empty relative prefix).
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// Only 'phpids' is requested here; the vulnerability pages also pass
// 'authenticated'. NOTE(review): this presumably leaves the About page
// reachable without a login -- confirm that is intended.
dvwaPageStartup(array('phpids'));
$page = dvwaPageNewGrab();
// Prepends "About" to the existing title instead of appending to it.
$page['title'] = 'About' . $page['title_separator'] . $page['title'];
$page['page_id'] = 'about';
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h2>About</h2>\r\n\t<p>Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")</p>\r\n\t<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment</p>\r\n\t<p>The official documentation for DVWA can be found <a href=\"docs/DVWA_v1.3.pdf\">here</a>.</p>\r\n\t<p>DVWA is a RandomStorm OpenSource project. All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.</p>\r\n\r\n\t<h2>Links</h2>\r\n\t<ul>\r\n\t\t<li>Homepage: " . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/') . "</li>\r\n\t\t<li>Project Home: " . dvwaExternalLinkUrlGet('https://github.com/RandomStorm/DVWA') . "</li>\r\n\t\t<li>Bug Tracker: " . dvwaExternalLinkUrlGet('https://github.com/RandomStorm/DVWA/issues') . "</li>\r\n\t\t<li>Souce Control: " . dvwaExternalLinkUrlGet('https://github.com/RandomStorm/DVWA/commits/master') . "</li>\r\n\t\t<li>Wiki: " . dvwaExternalLinkUrlGet('https://github.com/RandomStorm/DVWA/wiki') . "</li>\r\n\t</ul>\r\n\r\n\t<h2>Credits</h2>\r\n\t<ul>\r\n\t\t<li>Brooks Garrett: " . dvwaExternalLinkUrlGet('http://brooksgarrett.com/', 'www.brooksgarrett.com') . "</li>\r\n\t\t<li>Craig</li>\r\n\t\t<li>g0tmi1k: " . dvwaExternalLinkUrlGet('https://blog.g0tmi1k.com/', 'g0tmi1k.com') . "</li>\r\n\t\t<li>Jamesr: " . dvwaExternalLinkUrlGet('https://www.creativenucleus.com/', 'www.creativenucleus.com') . " / " . dvwaExternalLinkUrlGet('http://www.designnewcastle.co.uk/', 'www.designnewcastle.co.uk') . "</li>\r\n\t\t<li>Jason Jones: " . dvwaExternalLinkUrlGet('http://www.linux-ninja.com/', 'www.linux-ninja.com') . "</li>\r\n\t\t<li>RandomStorm: " . 
dvwaExternalLinkUrlGet('https://www.randomstorm.com/', 'www.randomstorm.com') . "</li>\r\n\t\t<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet('https://www.dewhurstsecurity.com/', 'www.dewhurstsecurity.com') . "</li>\r\n\t\t<li>Shinkurt: " . dvwaExternalLinkUrlGet('http://www.paulosyibelo.com/', 'www.paulosyibelo.com') . "</li>\r\n\t\t<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet('http://tedi.heriyanto.net/', 'tedi.heriyanto.net') . "</li>\r\n\t\t<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet('https://www.tmacuk.co.uk/', 'www.tmacuk.co.uk') . "</li>\r\n\t</ul>\r\n\t<ul>\r\n\t\t<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet('http://github.com/PHPIDS/PHPIDS', 'PHPIDS group') . "</li>\r\n\t</ul>\r\n\r\n\t<h2>License</h2>\r\n\t<p>Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify\r\n\tit under the terms of the GNU General Public License as published by\r\n\tthe Free Software Foundation, either version 3 of the License, or\r\n\t(at your option) any later version.</p>\r\n\t<p>The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under <a href=\"" . DVWA_WEB_PAGE_TO_ROOT . "instructions.php?doc=PHPIDS-license\">separate terms</a> to the DVWA code.</p>\r\n\r\n\t<h2>Development</h2>\r\n\t<p>Everyone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.</p>\r\n</div>\n";
dvwaHtmlEcho($page);
exit;
Beispiel #10
<?php

// Setup for the About page, which sits at the application root (hence the
// empty relative prefix).
const DVWA_WEB_PAGE_TO_ROOT = '';
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'About';
$page['page_id'] = 'about';
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>About</h1>\r\n\r\n\t<p>\r\n\tVersion " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")\r\n\t<br /><br />\r\n\tDVWA is a RandomStorm OpenSource project. All material is copyright 2008-2011 RandomStorm & Ryan Dewhurst.\r\n\t</p>\r\n\r\n\t<h2>Links</h2>\r\n\r\n\t<ul>\r\n\t\t<li>Homepage: " . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/') . "</li>\r\n\t\t<li>Project Home: " . dvwaExternalLinkUrlGet('http://code.google.com/p/dvwa/') . "</li>\r\n\t\t<li>Issues: " . dvwaExternalLinkUrlGet('http://code.google.com/p/dvwa/issues/list') . "</li>\r\n\t\t<li>SVN: " . dvwaExternalLinkUrlGet('http://dvwa.googlecode.com/svn/trunk/') . "</li>\r\n\r\n\t</ul>\r\n\r\n\t<h2>Credits</h2>\r\n\r\n\t<ul>\r\n\t\t<li>Craig: " . dvwaExternalLinkUrlGet('http://www.youreadmyblog.info/', 'www.youreadmyblog.info') . "</li>\r\n\t\t<li>Jamesr: " . dvwaExternalLinkUrlGet('http://www.creativenucleus.com/', 'www.creativenucleus.com') . " / " . dvwaExternalLinkUrlGet('http://www.designnewcastle.co.uk/', 'www.designnewcastle.co.uk') . "</li>\r\n\t\t<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet('http://www.ethicalhack3r.co.uk/', 'www.ethicalhack3r.co.uk') . "</li>\r\n\t\t<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet('http://tedi.heriyanto.net/', 'http://tedi.heriyanto.net') . "</li>\r\n\t\t<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet('http://www.tmacuk.co.uk/', 'www.tmacuk.co.uk') . "</li>\r\n\t\t<li>RandomStorm: " . dvwaExternalLinkUrlGet('http://www.randomstorm.com/', 'www.randomstorm.com') . "</li>\r\n\t\t<li>Jason Jones: " . dvwaExternalLinkUrlGet('http://www.linux-ninja.com/', 'www.linux-ninja.com') . "</li>\r\n\t\t<li>Brooks Garrett: " . dvwaExternalLinkUrlGet('http://brooksgarrett.com/', 'www.brooksgarrett.com') . "</li>\r\n\t</ul>\r\n\r\n\t<ul>\r\n\t\t<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet('http://php-ids.org/', 'PHPIDS group') . 
"</li>\r\n\t</ul>\r\n\r\n\t<h2>License</h2>\r\n\r\n\t<p>Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify\r\n\tit under the terms of the GNU General Public License as published by\r\n\tthe Free Software Foundation, either version 3 of the License, or\r\n\t(at your option) any later version.</p>\r\n\r\n\t<p>The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under <a href=\"" . DVWA_WEB_PAGE_TO_ROOT . "instructions.php?doc=PHPIDS-license\">separate terms</a> to the DVWA code.</p>\r\n\r\n\t<h2>Development</h2>\r\n\r\n\t<p>Everyone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.</p>\r\n\t\r\n\r\n</div>\r\n";
dvwaHtmlEcho($page);
exit;
Beispiel #11
echo dvwaExternalLinkUrlGet('https://secure.php.net/manual/en/wrappers.php', 'PHP Streams');
?>
</span>.</pre>

		<br />

		<h3>High Level</h3>
		<p>The developer has had enough. They decided to only allow certain files to be used. However as there are multiple files with the same basename,
			they use a wildcard to include them all.</p>
		<pre>Spoiler: <span class="spoiler">LFI: The filename only has to start with a certain value.</span>.
			Spoiler: <span class="spoiler">RFI: Need to link in another vulnerability, such as file upload</span>.</pre>

		<br />

		<h3>Impossible Level</h3>
		<p>The developer calls it quits and hardcodes only the allowed pages, with their exact filenames. By doing this, it removes all avenues of attack.</p>
	</div></td>
	</tr>
	</table>

	</div>

	<br />

	<p>Reference: <?php 
echo dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3');
?>
</p>

</div>
Beispiel #12
<?php

// Page controller for the CSRF exercise: picks the difficulty variant, runs
// it, then renders the change-password form around its output.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: Cross Site Request Forgery (CSRF)';
$page['page_id'] = 'csrf';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php'.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this file -- presumably the included file sets it;
// TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csrf/source/{$vulnerabilityFile}";
$page['help_button'] = 'csrf';
$page['source_button'] = 'csrf';
// The password change is submitted with GET and the form carries no
// anti-CSRF token, so the new password travels in the query string and ends
// up wherever URLs are recorded (browser history, proxy and web-server logs).
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n    <h1>Vulnerability: Cross Site Request Forgery (CSRF)</h1>\r\n    <div class=\"vulnerable_code_area\">\r\n\t<h3>Change your admin password:</h3>\r\n\t<br />\r\n\t<form action=\"#\" method=\"GET\">";
// NOTE(review): the handler above is chosen from the raw cookie, while this
// field is chosen from dvwaSecurityLevelGet(). If the two can disagree, the
// rendered form and the handler that processes it will be out of step --
// confirm both read the same source.
if (dvwaSecurityLevelGet() == 'high') {
    $page['body'] .= "\r\n\t    Current password:<br />\r\n\t    <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_current\"><br />";
}
$page['body'] .= "\r\n\t    New password:<br />\r\n\t    <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_new\"><br />\r\n\t    Confirm new password:<br />\r\n\t    <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_conf\"><br />\r\n\t    <input type=\"submit\" value=\"Change\" name=\"Change\">\r\n\t</form>\r\n\t{$html}\r\n    </div>\r\n\r\n    <h2>More info</h2>\r\n    <ul>\r\n\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-Site_Request_Forgery') . "</li>\r\n\t<li>" . dvwaExternalLinkUrlGet('http://www.cgisecurity.com/csrf-faq.html') . "</li>\r\n\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Cross-site_request_forgery ') . "</li>\r\n    </ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #13
// PHPIDS toggle, driven by the 'phpids' query parameter.
// NOTE(review): this switches a detection control on or off from a plain GET
// request, and no anti-CSRF token check is visible in this handler, so the
// request can be triggered cross-site in a logged-in browser. State changes
// like this belong behind POST plus a token check.
if (isset($_GET['phpids'])) {
    switch ($_GET['phpids']) {
        // Only the literals 'on' and 'off' change state; any other value
        // falls out of the switch and just reloads the page.
        case 'on':
            dvwaPhpIdsEnabledSet(true);
            dvwaMessagePush("PHPIDS is now enabled");
            break;
        case 'off':
            dvwaPhpIdsEnabledSet(false);
            dvwaMessagePush("PHPIDS is now disabled");
            break;
    }
    dvwaPageReload();
}
$securityOptionsHtml = '';
$securityLevelHtml = '';
// Build the <option> list from a fixed set of level names. The interpolated
// value is always the loop literal, never the value returned by
// dvwaSecurityLevelGet(), so nothing request-derived reaches this markup.
foreach (array('low', 'medium', 'high') as $securityLevel) {
    $selected = '';
    if ($securityLevel == dvwaSecurityLevelGet()) {
        $selected = ' selected="selected"';
        $securityLevelHtml = "<p>Security Level is currently <em>{$securityLevel}</em>.<p>";
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>{$securityLevel}</option>";
}
// Status line plus the link that flips PHPIDS; both links are fixed strings
// that feed the GET handler at the top of this block.
$phpIdsHtml = 'PHPIDS is currently ';
if (dvwaPhpIdsIsEnabled()) {
    $phpIdsHtml .= '<em>enabled</em>. [<a href="?phpids=off">disable PHPIDS</a>]';
} else {
    $phpIdsHtml .= '<em>disabled</em>. [<a href="?phpids=on">enable PHPIDS</a>]';
}
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>DVWA Security <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\"></h1>\r\n\r\n\t<br />\r\n\t\r\n\t<h2>Script Security</h2>\r\n\r\n\t{$securityHtml}\r\n\r\n\t<form action=\"#\" method=\"POST\">\r\n\t\t{$securityLevelHtml}\r\n\t\t<p>You can set the security level to low, medium or high.</p>\r\n\t\t<p>The security level changes the vulnerability level of DVWA.</p>\r\n\r\n\t\t<select name=\"security\">\r\n\t\t\t{$securityOptionsHtml}\r\n\t\t</select>\r\n\t\t<input type=\"submit\" value=\"Submit\" name=\"seclev_submit\">\r\n\t</form>\r\n\r\n\t<br />\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>PHPIDS</h2>\r\n\r\n\t<p>" . dvwaExternalLinkUrlGet('http://php-ids.org/', 'PHPIDS') . " v." . dvwaPhpIdsVersionGet() . " (PHP-Intrusion Detection System) is a security layer for PHP based web applications. </p>\r\n\t<p>You can enable PHPIDS across this site for the duration of your session.</p>\r\n\r\n\t<p>{$phpIdsHtml}</p>\r\n\t[<a href=\"?test=%22><script>eval(window.name)</script>\">Simulate attack</a>] -\r\n\t[<a href=\"ids_log.php\">View IDS log</a>]\r\n\t\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #14
            dvwaPhpIdsEnabledSet(false);
            dvwaMessagePush("PHPIDS is now disabled");
            break;
    }
    dvwaPageReload();
}
$securityOptionsHtml = '';
$securityLevelHtml = '';
// Build the <option> list from a fixed set of level names. The interpolated
// value is always the loop literal, never the value returned by
// dvwaSecurityLevelGet(), so nothing request-derived reaches this markup.
foreach (array('low', 'medium', 'high', 'impossible') as $securityLevel) {
    $selected = '';
    if ($securityLevel == dvwaSecurityLevelGet()) {
        $selected = ' selected="selected"';
        $securityLevelHtml = "<p>Security level is currently: <em>{$securityLevel}</em>.<p>";
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>" . ucfirst($securityLevel) . "</option>";
}
// Status line plus the link that flips PHPIDS.
// NOTE(review): the toggle links are plain GET URLs with no token in them;
// the handler that consumes them is cut off above this excerpt, so whether it
// checks an anti-CSRF token cannot be seen here -- confirm.
$phpIdsHtml = 'PHPIDS is currently: ';
if (dvwaPhpIdsIsEnabled()) {
    $phpIdsHtml .= '<em>enabled</em>. [<a href="?phpids=off">Disable PHPIDS</a>]';
} else {
    $phpIdsHtml .= '<em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]';
}
// Anti-CSRF: create the session token before the form is built; the
// security-level form rendered after this block calls tokenField().
generateSessionToken();
// Able to write to the PHPIDS log file?
// $PHPIDSPath is not assigned in this excerpt (presumably set by the page
// library -- TODO confirm). The warning prints that server-side path into the
// page unescaped, which discloses the filesystem layout to whoever can view
// this page.
$WarningHtml = '';
if (!is_writable($PHPIDSPath)) {
    $WarningHtml .= "<div class=\"warning\"><em>Cannot write to the PHPIDS log file</em>: {$PHPIDSPath}</div>";
}
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>DVWA Security <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\" /></h1>\r\n\t<br />\r\n\r\n\t<h2>Security Level</h2>\r\n\r\n\t{$securityHtml}\r\n\r\n\t<form action=\"#\" method=\"POST\">\r\n\t\t{$securityLevelHtml}\r\n\t\t<p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p>\r\n\t\t<ol>\r\n\t\t\t<li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li>\r\n\t\t\t<li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li>\r\n\t\t\t<li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li>\r\n\t\t\t<li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br />\r\n\t\t\t\tPriority to DVWA v1.9, this level was known as 'high'.</li>\r\n\t\t</ol>\r\n\t\t<select name=\"security\">\r\n\t\t\t{$securityOptionsHtml}\r\n\t\t</select>\r\n\t\t<input type=\"submit\" value=\"Submit\" name=\"seclev_submit\">\r\n\t\t" . tokenField() . "\r\n\t</form>\r\n\r\n\t<br />\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>PHPIDS</h2>\r\n\t{$WarningHtml}\r\n\t<p>" . dvwaExternalLinkUrlGet('https://github.com/PHPIDS/PHPIDS', 'PHPIDS') . " v" . dvwaPhpIdsVersionGet() . 
" (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p>\r\n\t<p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p>\r\n\t<p>You can enable PHPIDS across this site for the duration of your session.</p>\r\n\r\n\t<p>{$phpIdsHtml}</p>\r\n\t[<a href=\"?test=%22><script>eval(window.name)</script>\">Simulate attack</a>] -\r\n\t[<a href=\"ids_log.php\">View IDS log</a>]\r\n</div>";
dvwaHtmlEcho($page);
Beispiel #15
// Page controller for the Blind SQL Injection exercise: picks the difficulty
// variant, runs it, then renders the user-ID form around its output.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' presumably require a logged-in
// session and enable the PHPIDS hook -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: SQL Injection (Blind)';
$page['page_id'] = 'sqli_blind';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie, so it is mapped onto
// three literal filenames rather than concatenated into the include path.
// Any unrecognised value falls through to 'high.php'.
// NOTE(review): a missing cookie raises an undefined-index notice before the
// default branch is taken -- an isset() guard would avoid that.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Runs the selected variant in this scope. $html, used in the body below, is
// not assigned anywhere in this excerpt -- presumably the included file sets
// it; TODO confirm.
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli_blind/source/{$vulnerabilityFile}";
$page['help_button'] = 'sqli_blind';
$page['source_button'] = 'sqli_blind';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off. The warning only tells the learner why
// the exercise may not behave as expected. magic_quotes_gpc was removed in
// PHP 5.4, where ini_get() returns false for it and this branch never runs.
// Magic quotes were never a substitute for parameterized queries.
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// The 'id' field is submitted with GET, so the value appears in the URL.
// Nothing in this file validates it; that is left to the included handler.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: SQL Injection (Blind)</h1>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\t<h3>User ID:</h3>\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<input type=\"text\" name=\"id\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\">\r\n\t\t</form>\r\n\r\n\t\t{$html}\r\n\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.securiteam.com/securityreviews/5DP0N1P76E.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://en.wikipedia.org/wiki/SQL_injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.unixwiz.net/techtips/sql-injection.html') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #16
// Part of the CSRF exercise entry script (the listing starts after the page bootstrap):
// picks the level implementation, includes it, and renders the password-change form.
$page['help_button'] = 'csrf';
$page['source_button'] = 'csrf';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level comes from a client-controlled cookie. The switch is an allowlist: only three
// fixed file names can reach the require_once below, and unknown values map to high.php.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Anti-CSRF
// A token is generated only for the high level; the low and medium forms carry none.
if ($vulnerabilityFile == 'high.php') {
    generateTokens();
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csrf/source/{$vulnerabilityFile}";
// The form is submitted with GET, so the new password travels in the query string and can
// end up in browser history, server logs and Referer headers. A state-changing request
// like this belongs in POST in production code.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n    <h1>Vulnerability: Cross Site Request Forgery (CSRF)</h1>\r\n\r\n    <div class=\"vulnerable_code_area\">\r\n\t\t<h3>Change your admin password:</h3>\r\n\t\t<br />\r\n\r\n\t\t<form action=\"#\" method=\"GET\">";
// NOTE(review): this condition asks dvwaSecurityLevelGet() while the other checks in this
// script use $vulnerabilityFile (derived from the cookie). If the two sources can disagree,
// the "current password" field and the token field may not appear together -- confirm.
if (dvwaSecurityLevelGet() == 'high') {
    $page['body'] .= "\r\n\t\t\tCurrent password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_current\"><br />";
}
$page['body'] .= "\r\n\t\t\tNew password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_new\"><br />\r\n\t\t\tConfirm new password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_conf\"><br />\r\n\t\t\t<br />\r\n\t\t\t<input type=\"submit\" value=\"Change\" name=\"Change\">";
// Emit the anti-CSRF token field for the same level that generated a token above.
if ($vulnerabilityFile == 'high.php') {
    $page['body'] .= "\t\t\t" . tokenField();
}
// $html is not assigned in this script -- presumably set by the included level file (confirm).
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n    </div>\r\n\r\n    <h2>More Information</h2>\r\n    <ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-Site_Request_Forgery') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.cgisecurity.com/csrf-faq.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Cross-site_request_forgery ') . "</li>\r\n    </ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #17
<?php

// Entry script for the "Reflected Cross Site Scripting (XSS)" exercise: loads the shared
// page framework, includes the implementation for the selected level, renders the form.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' are presumably checks applied by the shared
// startup code -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: Reflected Cross Site Scripting (XSS)';
$page['page_id'] = 'xss_r';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The cookie is client-controlled, so it only selects among three fixed file names; any
// other value maps to high.php. The raw cookie value never reaches the include path.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/xss_r/source/{$vulnerabilityFile}";
$page['help_button'] = 'xss_r';
$page['source_button'] = 'xss_r';
// $html is not assigned in this script -- presumably the included level file builds it from
// the submitted "name" parameter (confirm). It is inserted into the body here as-is, so
// any output encoding has to happen in that level file.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: Reflected Cross Site Scripting (XSS)</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form name=\"XSS\" action=\"#\" method=\"GET\">\r\n\t\t\t<p>What's your name?</p>\r\n\t\t\t<input type=\"text\" name=\"name\">\r\n\t\t\t<input type=\"submit\" value=\"Submit\">\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Cross-site_scripting') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.cgisecurity.com/xss-faq.html') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #18
<?php

// Landing fragment for the File Inclusion exercise: appends static help text to $page,
// which is not created in this file (presumably by the script that includes it -- confirm).
// The text tells the user that the "page" query parameter decides which file is included;
// in production code such a parameter must be mapped through a fixed allowlist, never
// passed to include/require directly.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\tTo include a file edit the ?page=index.php in the URL to determine which file is included.\r\n\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\r\n";
Beispiel #19
// Entry script for the "SQL Injection" exercise: loads the shared page framework, includes
// the implementation for the selected level, then renders the lookup form.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' are presumably checks applied by the shared
// startup code -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: SQL Injection';
$page['page_id'] = 'sqli';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is taken from a client-controlled cookie and mapped onto one of three literal
// file names; unrecognised values select high.php. This keeps the require_once path below
// limited to known files even though its input is untrusted.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli/source/{$vulnerabilityFile}";
$page['help_button'] = 'sqli';
$page['source_button'] = 'sqli';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
// magic_quotes_gpc no longer exists from PHP 5.4 on, where ini_get() returns false for it,
// so the warning is only reachable on older runtimes. Automatic quote escaping is not a
// substitute for parameterised queries.
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// $html is not assigned here -- presumably the included level file fills it with the query
// result (confirm); it is inserted into the body without further encoding.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: SQL Injection</h1>\r\n\t{$magicQuotesWarningHtml}\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<p>User ID:</p>\r\n\t\t\t<input type=\"text\" name=\"id\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\">\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.securiteam.com/securityreviews/5DP0N1P76E.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/SQL_injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/SQL_Injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://bobby-tables.com/') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #20
<?php

// "File 1" demo fragment for the File Inclusion exercise: appends a greeting and the
// caller's address to $page, which is not created in this file (presumably by the
// including script -- confirm).
// REMOTE_ADDR is filled in by the server from the connection rather than from a request
// header; behind a reverse proxy it is the proxy's address.
// NOTE(review): dvwaCurrentUser() is appended as returned; whether it is already safe for
// HTML output depends on that helper -- confirm.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 1</h3>\r\n\t\t<hr />\r\n\t\tHello <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>{$_SERVER['REMOTE_ADDR']}</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\n";
Beispiel #21
/**
 * Converts one match array into whatever dvwaExternalLinkUrlGet() produces for it.
 *
 * The signature fits a regex replacement callback, but the caller is not visible here.
 *
 * @param array $matches Match array; only index 1 is read and passed on as the URL.
 * @return mixed The return value of dvwaExternalLinkUrlGet() for that URL.
 */
function urlReplace($matches)
{
    // Index 1 is forwarded unchanged; any validation of the URL is left to the helper.
    $capturedUrl = $matches[1];

    return dvwaExternalLinkUrlGet($capturedUrl);
}
Beispiel #22
        break;
    default:
        $vulnerabilityFile = 'impossible.php';
        break;
}
// Renders the "Insecure CAPTCHA" password-change form after the level implementation
// (chosen by a switch that ends just above this run) has been included.
$hide_form = false;
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/captcha/source/{$vulnerabilityFile}";
// Check if we have a reCAPTCHA key
$WarningHtml = '';
if ($_DVWA['recaptcha_public_key'] == "") {
    // The warning prints the resolved filesystem path of the config file to every visitor
    // of this page; acceptable on a lab box, a path disclosure on anything exposed.
    $WarningHtml = "<div class=\"warning\"><em>reCAPTCHA API key missing</em> from config file: " . realpath(dirname(dirname(getcwd())) . "/config/config.inc.php") . "</div>";
    $html = "<em>Please register for a key</em> from reCAPTCHA: " . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create');
    $hide_form = true;
}
$page['body'] .= "\r\n\t<div class=\"body_padded\">\r\n\t<h1>Vulnerability: Insecure CAPTCHA</h1>\r\n\r\n\t{$WarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form action=\"#\" method=\"POST\" ";
// Hiding is done with CSS only: the form is still present in the markup, and the level
// file included above has already run, so this flag does not block a submission by itself.
if ($hide_form) {
    $page['body'] .= "style=\"display:none;\"";
}
// The hidden "step" field is sent by the client and can be altered before submission.
// NOTE(review): how the included level file uses it is not visible here -- confirm that a
// real handler keeps multi-step state on the server instead of trusting this value.
$page['body'] .= ">\r\n\t\t\t<h3>Change your password:</h3>\r\n\t\t\t<br />\r\n\r\n\t\t\t<input type=\"hidden\" name=\"step\" value=\"1\" />\n";
// Only the impossible level asks for the current password before changing it.
if ($vulnerabilityFile == 'impossible.php') {
    $page['body'] .= "\r\n\t\t\tCurrent password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_current\"><br />";
}
$page['body'] .= "\t\t\tNew password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_new\"><br />\r\n\t\t\tConfirm new password:<br />\r\n\t\t\t<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_conf\"><br />\r\n\r\n\t\t\t" . recaptcha_get_html($_DVWA['recaptcha_public_key']);
// At the high level an HTML comment naming a response value and a User-Agent is written
// into the page, where every client can read it in the source. It looks like the intended
// hint for this exercise; it also shows why developer notes and test values must never be
// shipped in markup.
if ($vulnerabilityFile == 'high.php') {
    $page['body'] .= "\n\n\t\t\t<!-- **DEV NOTE**   Response: 'hidd3n_valu3'   &&   User-Agent: 'reCAPTCHA'   **/DEV NOTE** -->\n";
}
// Anti-CSRF token field, emitted for the high and impossible levels only.
if ($vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php') {
    $page['body'] .= "\n\t\t\t" . tokenField();
}
// $html is set above only when the key is missing; otherwise it presumably comes from the
// included level file (confirm).
$page['body'] .= "\r\n\t\t\t<br />\r\n\r\n\t\t\t<input type=\"submit\" value=\"Change\" name=\"Change\">\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.captcha.net/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)') . "</li>\r\n\t</ul>\r\n</div>\n";
dvwaHtmlEcho($page);
Beispiel #23
		<p>The developer has tried to add a simple pattern matching to remove any references to "&lt;script&gt;", to disable any JavaScript.</p>
		<pre>Spoiler: <span class="spoiler">Its cAse sENSiTiVE</span>.</pre>

		<br />

		<h3>High Level</h3>
		<p>The developer now believes they can disable all JavaScript by removing the pattern "&lt;s*c*r*i*p*t".</p>
		<pre>Spoiler: <span class="spoiler">HTML events</span>.</pre>

		<br />

		<h3>Impossible Level</h3>
		<p>Using inbuilt PHP functions (such as "<?php 
echo dvwaExternalLinkUrlGet('https://secure.php.net/manual/en/function.htmlspecialchars.php', 'htmlspecialchars()');
?>
"),
			it's possible to escape any values which would alter the behaviour of the input.</p>
	</div></td>
	</tr>
	</table>

	</div>

	<br />

	<p>Reference: <?php 
echo dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)');
?>
</p>
</div>
Beispiel #24
<?php

// Menu fragment for the File Inclusion exercise: appends three links to $page, which is
// not created in this file (presumably by the including script -- confirm).
// Each link passes a file name in the "page" query parameter. The code that consumes that
// parameter is not visible here; outside a training target it has to resolve the value
// through a fixed allowlist instead of handing it to include/require.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t[<em><a href=\"?page=file1.php\">file1.php</a></em>] - [<em><a href=\"?page=file2.php\">file2.php</a></em>] - [<em><a href=\"?page=file3.php\">file3.php</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\r\n";
Beispiel #25
// Part of the File Upload exercise entry script (the listing starts after the page
// bootstrap): picks the level implementation, checks the environment, renders the form.
$vulnerabilityFile = '';
// The cookie is client-controlled, so it only selects among four literal file names. Here
// the default is the strictest implementation: any missing or unrecognised value gets
// impossible.php rather than a weaker level.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
        $vulnerabilityFile = 'high.php';
        break;
    default:
        $vulnerabilityFile = 'impossible.php';
        break;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/upload/source/{$vulnerabilityFile}";
// Check if folder is writeable
// $PHPUploadPath is not assigned in this run -- presumably defined by the bootstrap or the
// included level file (confirm). The warning prints that server path into the page.
$WarningHtml = '';
if (!is_writable($PHPUploadPath)) {
    $WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: {$PHPUploadPath}<br /><em>Folder is not writable.</em></div>";
}
// Is PHP-GD installed?
if (!extension_loaded('gd') || !function_exists('gd_info')) {
    $WarningHtml .= "<div class=\"warning\">The PHP module <em>GD is not installed</em>.</div>";
}
// MAX_FILE_SIZE is a hidden form field, i.e. a value the client sends back and can change;
// the real size limit has to be enforced on the server.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Upload</h1>\r\n\r\n\t{$WarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form enctype=\"multipart/form-data\" action=\"#\" method=\"POST\" />\r\n\t\t\t<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\" />\r\n\t\t\tChoose an image to upload:<br /><br />\r\n\t\t\t<input name=\"uploaded\" type=\"file\" /><br />\r\n\t\t\t<br />\r\n\t\t\t<input type=\"submit\" name=\"Upload\" value=\"Upload\" />\n";
// Only the impossible level adds an anti-CSRF token field to the upload form.
if ($vulnerabilityFile == 'impossible.php') {
    $page['body'] .= "\t\t\t" . tokenField();
}
// $html is not assigned in this run -- presumably set by the included level file (confirm).
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Unrestricted_File_Upload') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://blogs.securiteam.com/index.php/archives/1268') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.acunetix.com/websitesecurity/upload-forms-threat/') . "</li>\r\n\t</ul>\r\n</div>";
dvwaHtmlEcho($page);
Beispiel #26
// Entry script for the "WooYun-2013-31669" exercise page: loads the shared page framework,
// includes the implementation for the selected level, then renders three small forms
// (login, edit, view).
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' are presumably checks applied by the shared
// startup code -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'WooYun-2013-31669';
$page['page_id'] = 'WooYun-2013-31669';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level is read from a client-controlled cookie and mapped onto one of three literal
// file names; anything else selects high.php. The raw cookie value never reaches the
// require_once path.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/WooYun-2013-31669/source/{$vulnerabilityFile}";
$page['help_button'] = 'WooYun-2013-31669';
$page['source_button'] = 'WooYun-2013-31669';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
// magic_quotes_gpc no longer exists from PHP 5.4 on, where ini_get() returns false for it,
// so the warning is only reachable on older runtimes.
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// The page text states that cookies stand in for the database in this exercise, so the
// "stored" data lives on the client and can be read and edited there.
// $html is not assigned in this script -- presumably set by the included level file (confirm).
// NOTE(review): the report link below says wooyun-2010-031669 while the page id and title
// say WooYun-2013-31669 -- confirm which identifier is intended.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\r\n\t<HeadlineFont><span class=\"label label-primary\">WooYun-2013-31669</span></HeadlineFont>\r\n\r\n\t<br>\t<br>\t<br>\t<br>\t<br>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\r\n\t\t<div class=\"well\">\r\n\t\tWe used cookie to simulate the db in&out,you can view your own cookie to see what's inside your database.And bear in mind you don't actually have the data shown in your cookies\r\n\t\t我们使用了cookie来模拟数据库输入与输出,你可以直接查看你的cookie看到数据库里存储了什么,不过要记住在现实环境下你是不知道这些信息的!\r\n\t\t</div>\r\n\r\n\t\t<h3>Login User ID:</h3>\r\n\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<input type=\"text\" name=\"id\" class=\"form-control\" style=\"width:50%;\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"login\" class=\"btn btn-lg btn-info\">\r\n\t\t</form>\r\n\t\t<br>\r\n\t\t<h3>编辑用户名:</h3>\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<input type=\"text\" name=\"name\" class=\"form-control\" style=\"width:50%;\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"edit\" class=\"btn btn-lg btn-info\">\r\n\t\t</form>\r\n\r\n\t\t<br>\r\n\t\t<h3>查看用户信息:</h3>\r\n\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<input type=\"submit\" name=\"Submit\" value=\"view\" class=\"btn btn-lg btn-info\">\r\n\t\t</form>\r\n\r\n\t\t{$html}\r\n\r\n\r\n\t</div>\r\n\r\n\t<br>\r\n\t<br>\r\n\t<br>\r\n\t<div class=\"panel panel-primary\">\r\n            <div class=\"panel-heading\">\r\n              <h3 class=\"panel-title\">Original Bug Report</h3>\r\n            </div>\r\n            <div class=\"panel-body\">\r\n              \t<li>" . dvwaExternalLinkUrlGet('http://www.wooyun.org/bugs/wooyun-2010-031669') . "</li>\r\n            </div>\r\n       </div>\r\n\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #27
<?php

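// "File 3" demo fragment for the File Inclusion exercise: echoes a few request details
// back to the user. $page is not created in this file (presumably by the including
// script -- confirm).
// X-Forwarded-For, User-Agent, Referer and Host are request headers chosen by the client,
// so each one is HTML-encoded before it is appended to the page body.
// NOTE(review): 'UTF-8' assumes the page is served as UTF-8 -- confirm against the layout code.
// NOTE(review): dvwaCurrentUser() is appended as returned; whether it is already safe for
// HTML output depends on that helper -- confirm.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 3</h3>\r\n\t\t<hr />\r\n\t\tWelcome back <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>";
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
    // X-Forwarded-For is only a claim made by the client or an upstream proxy, not a
    // verified address; it is shown for display and must not be used for access decisions.
    $page['body'] .= htmlspecialchars($_SERVER['HTTP_X_FORWARDED_FOR'], ENT_QUOTES, 'UTF-8');
} else {
    $page['body'] .= "**Missing Header**";
}
// The remaining headers are optional: isset() avoids an undefined-index notice and yields
// an empty string when the client did not send them. No helper variables are introduced,
// because this fragment shares the variable scope of whatever script includes it.
$page['body'] .= "</em><br />\r\n\t\tYour user-agent address is: <em>"
    . htmlspecialchars(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '', ENT_QUOTES, 'UTF-8')
    . "</em><br />\r\n\t\tYou came form: <em>"
    . htmlspecialchars(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', ENT_QUOTES, 'UTF-8')
    . "</em><br />\r\n\t\tI'm hosted at: <em>"
    . htmlspecialchars(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '', ENT_QUOTES, 'UTF-8')
    . "</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\r\n";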
Beispiel #28
		<h3>Medium Level</h3>
		<p>When using the medium level, it will check the file type reported by the client while the file is being uploaded.</p>
		<pre>Spoiler: <span class="spoiler">Worth looking for any restrictions within any "hidden" form fields</span>.</pre>

		<br />

		<h3>High Level</h3>
		<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
		<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file inclusion</span>.</pre>

		<br />

		<h3>Impossible Level</h3>
		<p>This will check everything from all the levels so far, and then re-encode the image. This creates a new image, therefore stripping
			any "non-image" code (including metadata).</p>
	</div></td>
	</tr>
	</table>

	</div>

	<br />

	<p>Reference: <?php 
echo dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Unrestricted_File_Upload');
?>
</p>
</div>

Beispiel #29
// Part of an SQL Injection exercise entry script (the listing starts after the page
// bootstrap): picks the level implementation, includes it, and renders the lookup form.
$page['source_button'] = 'sqli';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The level comes from a client-controlled cookie. The switch is an allowlist: only three
// literal file names can reach the require_once below, and unknown values map to high.php.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
// Anti-CSRF
// A token is generated for the high level only.
if ($vulnerabilityFile == 'high.php') {
    generateTokens();
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli/source/{$vulnerabilityFile}";
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
// magic_quotes_gpc no longer exists from PHP 5.4 on, where ini_get() returns false for it,
// so the warning is only reachable on older runtimes. Automatic quote escaping is not a
// substitute for parameterised queries.
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: SQL Injection</h1>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<p>\r\n\t\t\t\tUser ID:\r\n\t\t\t\t<input type=\"text\" size=\"15\" name=\"id\">\r\n\t\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\">\r\n\t\t\t</p>";
// The form uses GET, so when the token field is emitted its value travels in the query
// string (browser history, logs, Referer).
if ($vulnerabilityFile == 'high.php') {
    $page['body'] .= "\t\t\t" . tokenField();
}
// $html is not assigned in this run -- presumably the included level file fills it with the
// query result (confirm); it is inserted into the body without further encoding.
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.securiteam.com/securityreviews/5DP0N1P76E.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/SQL_injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/SQL_Injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://bobby-tables.com/') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);
Beispiel #30
<?php

// Entry script for the "File Upload" exercise: loads the shared page framework, includes
// the implementation for the selected level, then renders the upload form.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// NOTE(review): 'authenticated' and 'phpids' are presumably checks applied by the shared
// startup code -- confirm in dvwaPage.inc.php.
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Vulnerability: File Upload';
$page['page_id'] = 'upload';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
// The cookie is client-controlled, so it only selects among three literal file names; any
// other value maps to high.php. The raw cookie value never reaches the include path.
switch ($_COOKIE['security']) {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/upload/source/{$vulnerabilityFile}";
$page['help_button'] = 'upload';
$page['source_button'] = 'upload';
// MAX_FILE_SIZE is a hidden form field, i.e. a value the client sends back and can change;
// size and type limits have to be enforced on the server. No anti-CSRF token field is
// emitted in this version of the form.
// $html is not assigned in this script -- presumably set by the included level file (confirm).
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Upload</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form enctype=\"multipart/form-data\" action=\"#\" method=\"POST\" />\r\n\t\t\t<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\" />\r\n\t\t\tChoose an image to upload:<br />\r\n\t\t\t<input name=\"uploaded\" type=\"file\" /><br />\r\n\t\t\t<input type=\"submit\" name=\"Upload\" value=\"Upload\" />\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Unrestricted_File_Upload') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://blogs.securiteam.com/index.php/archives/1268') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.acunetix.com/websitesecurity/upload-forms-threat/') . "</li>\r\n\t</ul>\r\n</div>\r\n";
dvwaHtmlEcho($page);