$user = dvwaCurrentUser();
$sql = "SELECT * FROM userflag WHERE user = '******' and pid='{$pid}' ";
$result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');
if (dvwaisvaildflag($pid, $flag)) {
$str = "Correct";
} else {
$str = "Error";
}
$num = mysql_numrows($result);
if ($num == 0) {
$insert = "insert into userflag values('{$pid}','{$user}','{$flag}','{$str}')";
$result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');
$html = "flag is submit succeed";
} else {
$update = "update userflag set flag='{$flag}',status='{$str}' where user='******' and pid='{$pid}'";
$result = mysql_query($update) or die('<pre>' . mysql_error() . '</pre>');
$html = "flag is update succeed";
}
}
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Submit Flag';
$page['page_id'] = 'submit';
$page['help_button'] = 'submit';
$page['source_button'] = 'submit';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
if (ini_get('magic_quotes_gpc') == true) {
$magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>CTF Submit Flag</h1>\n\n\t{$magicQuotesWarningHtml}\n\n\t<div class=\"vulnerable_code_area\">\n\t\n\t\t<form action=\"\" method=\"POST\">" . "CTF Number:<br> <br>" . dvwaGetlist() . "<br><br>Input you flag: <br><br>\n\t\t<input type=\"text\" size=60 id='flag' name=\"flag\" >\n\t\t<br><br>\n\t\t<input type=\"submit\" name=\"Submit\" value='Sumbit'>\n\t\t</form>\n\t</div>\n\t<h3>{$html}</h3>\n</div>\n";
function dvwaHtmlEcho($pPage)
{
$menuBlocks = array();
$menuBlocks['home'] = array();
$menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.');
$menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php');
$menuBlocks['vulnerabilities'] = array();
$menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.');
#$menuBlocks['vulnerabilities'][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' );
$menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS reflected', 'url' => 'vulnerabilities/xss_r/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS stored', 'url' => 'vulnerabilities/xss_s/.');
if (dvwaIfWork()) {
$menuBlocks['vulnerabilities'][] = array('id' => 'vulns', 'name' => 'Vulns', 'url' => 'vulnerabilities/vulns/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'work', 'name' => 'Work', 'url' => 'vulnerabilities/work/.');
}
if (dvwaIsCtf()) {
$menuBlocks['vulnerabilities'][] = array('id' => 'ctf', 'name' => 'CTF', 'url' => 'vulnerabilities/ctf/?pid=1');
$menuBlocks['vulnerabilities'][] = array('id' => 'submit', 'name' => 'Submit', 'url' => 'vulnerabilities/ctf/?pid=submit');
$menuBlocks['vulnerabilities'][] = array('id' => 'score', 'name' => 'Score', 'url' => 'vulnerabilities/ctf/?pid=score&name=' . dvwaCurrentUser());
}
if (xlabisadmin()) {
$menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup', 'url' => 'setup.php');
$menuBlocks['home'][] = array('id' => 'admin', 'name' => 'Admin', 'url' => 'vulnerabilities/admin/.');
$menuBlocks['home'][] = array('id' => 'manager', 'name' => 'Manager', 'url' => 'vulnerabilities/admin/manager.php');
}
$menuBlocks['meta'] = array();
$menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php');
$menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php');
$menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php');
$menuBlocks['logout'] = array();
$menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php');
$menuHtml = '';
foreach ($menuBlocks as $menuBlock) {
$menuBlockHtml = '';
foreach ($menuBlock as $menuItem) {
$selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : '';
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'];
$menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>";
}
$menuHtml .= "<ul>{$menuBlockHtml}</ul>";
}
// Get security cookie --
$securityLevelHtml = dvwaIsCtf() ? 'CTF' : dvwaSecurityLevelGet();
// -- END
$phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled');
$userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser();
$AppModel = '<b>AppModel:</b> ' . dvwaGetModel();
$messagesHtml = messagesPopAllToHtml();
if ($messagesHtml) {
$messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>";
}
$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br />{$AppModel}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
if ($pPage['source_button'] && !dvwaIsCtf()) {
$systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}";
}
if ($pPage['help_button'] && !dvwaIsCtf()) {
$systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}";
}
if (dvwaIsCtf()) {
$addr = xlabGetLocation();
$systemInfoHtml = "<label for=\"QNUM\">CTF Numbers:</label><form action=\"{$addr}/vulnerabilities/ctf/\" method=\"GET\">" . dvwaGetlist() . "<input type=\"submit\" name=\"select\" value='select'>\n\t\t</form>" . "{$systemInfoHtml}";
$value = (isset($_GET['pid']) and is_numeric($_GET['pid'])) ? $_GET['pid'] : '1';
$ctfselect = xlabGetJs(xlabJqSelect("ctf_select", $value));
#$ctfselect="<script>document.getElementById('ctf_select').options[5].setAttribute('selected', 'selected');</script>";
}
// Send Headers + main HTML code
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>{$pPage['title']}</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\n\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\n\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\n\n\t</head>\n\n\t<body class=\"home\">\n\t\t<div id=\"container\">\n\n\t\t\t<div id=\"header\">\n\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_menu\">\n\n\t\t\t\t<div id=\"main_menu_padded\">\n\t\t\t\t{$menuHtml}\n\t\t\t\t</div>\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_body\">\n\t\t\t\t<script src='../../dvwa/js/jquery.js' type='text/javascript' charset='utf-8'></script>\n\t\t\t\t{$pPage['body']}\n\t\t\t\n\t\t\t\t<br />\n\t\t\t\t<br />\n\t\t\t\t{$messagesHtml}\n\n\t\t\t</div>\n\n\t\t\t<div class=\"clear\">\n\t\t\t</div>\n\n\t\t\t<div id=\"system_info\">\n\t\t\t\t{$systemInfoHtml}\n\t\t\t</div>\n\n\t\t\t<div id=\"footer\">\n\t\t\t\t{$ctfselect}\n\t\t\t\t<p>HTJC SeclabX ASystem (XlabAS) v" . dvwaVersionGet() . "</p>\n\n\t\t\t</div>\n\n\t\t</div>\n\n\t</body>\n\n</html>";
}