<!-- from http://hakipedia.com/index.php/Local_File_Inclusion -->
<?php include "../common/header.php"; ?>
<?php hint("will include the arg specified in the POST parameter \"file\", strips prepended \"../\" strings, must encode / with %2f"); ?>
<form action="/LFI-10/index.php" method="POST">
<input type="text" name="file">
</form>
<?php
// Deliberately vulnerable LFI exercise (hakipedia): the only "sanitiser" is a
// single, non-recursive str_replace of "../", so an input such as "....//"
// collapses to "../" after one pass and the traversal survives.
$requested = $_POST['file'];
$file = str_replace('../', '', $requested);
// NOTE(review): $file is assigned unconditionally and str_replace always
// returns a string, so isset($file) is always true and the index.php fallback
// is unreachable; with no POST value this includes the bare "pages/" path.
// Left as-is: this script is itself index.php, so the fallback would most
// likely include this same file again.
if (!isset($file)) {
    include "index.php";
} else {
    include "pages/{$file}";
}
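<?php include "../common/header.php"; ?>
<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php hint("will include the arg specified in the GET parameter \"file\", looks for .php at end - bypass by apending /. (slash plus dot)"); ?>
<form action="/LFI-3/index.php" method="GET">
<input type="text" name="file">
</form>
<?php
// Deliberately vulnerable file-disclosure exercise (ush.it): the only guard is
// a check on the last four bytes of the requested path.
//
// The form and the hint both use GET, but the original read $_POST['file'],
// so the exercise could never be driven from its own form; it now reads the
// GET parameter. The read is also skipped when the parameter is absent, so the
// initial page load does not hand an empty path to file_get_contents().
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    if (substr($file, -4, 4) != '.php') {
        // The file is read and echoed, not included; the hint's "include" is
        // loose wording.
        echo file_get_contents($file);
    } else {
        echo 'You are not allowed to see source files!' . "\n";
    }
}
?>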
/**
 * Build the HTML form used to update (or delete) an existing log entry.
 *
 * @param string $mode 'draft' produces the draft form (date field,
 *                     draft_updated.php target, draft labels); any other
 *                     value produces the published-entry form.
 * @return string the complete form markup
 *
 * Side effect: the global $row is HTML-escaped IN PLACE below, so callers see
 * the escaped values afterwards.
 */
function update_log_form($mode)
{
    // $log_table is imported but not referenced in this function.
    global $cfg, $lang, $row, $text_cols, $log_table;
    // Escape every row field that is interpolated into the markup further down.
    $row['id'] = htmlspecialchars($row['id']);
    $row['name'] = htmlspecialchars($row['name']);
    $row['href'] = htmlspecialchars($row['href']);
    $row['category'] = htmlspecialchars($row['category']);
    $row['comment'] = htmlspecialchars($row['comment']);
    $row['mod'] = htmlspecialchars($row['mod']);
    $row['ping_uri'] = htmlspecialchars($row['ping_uri']);
    // Pick the Japanese or English client-side handlers.
    // $input_check is assigned here but not used anywhere in this function.
    if ($cfg['xml_lang'] == 'ja') {
        $input_check = 'inputCheck()';
        $confirm_delete = 'confirmDelete()';
    } else {
        $input_check = 'inputCheck_e()';
        $confirm_delete = 'confirmDelete_e()';
    }
    // Trackback ping block, only when trackbacks are enabled in the config.
    if ($cfg['trackback'] == 'on') {
        if ($row['ping_uri'] == '') {
            $ping_uri = 'http://';
        } else {
            $ping_uri = $row['ping_uri'];
        }
        $trackback_ping_form = <<<EOD
<p id="trackback-form">
<label for="send-ping-uri">{$lang['tb_sendurl']}:</label><br />
<input type="text" id="send-ping-uri" name="send_ping_uri" size="40" accesskey="z" tabindex="1" value="{$ping_uri}" class="bordered" />
<select name="encode" tabindex="1">
<option value="UTF-8" selected="selected">UTF-8</option>
<option value="EUC-JP">EUC-JP</option>
<option value="SJIS">Shift_JIS</option>
</select>
</p>
<p>
{$lang['send_update_ping']} :
<input type="radio" tabindex="1" name="send_update_ping" value="no" checked="checked" />No
<input type="radio" tabindex="1" name="send_update_ping" value="yes" />Yes
</p>
EOD;
    } else {
        $trackback_ping_form = '';
    }
    // Mode-specific pieces: form target, labels and the optional date field.
    if ($mode == 'draft') {
        $date = htmlspecialchars($row['date']);
        $dform = <<<EOD
<label for="date-and-time">{$lang['date_and_time']} :</label><br />
<input type="text" id="date-and-time" name="date" tabindex="1" value="{$date}" size="20" class="bordered" />
<input type="checkbox" id="custom-date" name="custom_date" tabindex="1" /><label for="custom-date">{$lang['use_custom_date']}</label><br />
EOD;
        $target = 'draft_updated';
        $draft_status = $lang['draft'];
        $no_change_mod_time = '';
        $make_private = '';
        $update_submit_title = $lang['draft_update'];
        $delete_submit_title = $lang['draft_destroy'];
    } else {
        $date = '';
        $dform = '';
        $target = 'updated';
        $draft_status = '';
        $no_change_mod_time = '<input type="checkbox" name="no_update_mod" tabindex="1" value="yes" checked="checked" /> ' . $lang['no_update_timestamp'];
        $make_private = '<p><input type="checkbox" name="private" tabindex="1" value="1" /> ' . $lang['make_private'] . '</p>';
        $update_submit_title = $lang['update'];
        $delete_submit_title = $lang['delete'];
    }
    // Set variables
    $id = $row['id'];
    $name = $row['name'];
    $href = $row['href'];
    $comment = $row['comment'];
    $mod = $row['mod'];
    // Helper output ($categories, $tag_buttons, $upload_file_form, $hint),
    // $lang strings and $text_cols are interpolated without further escaping;
    // presumably they are trusted/configured values — verify at the call sites.
    $categories = add_categories();
    $tag_buttons = display_tag_buttons();
    $upload_file_form = display_upload_file_form();
    $hint = hint();
    $contents = <<<EOD
<div class="section">
<h2>{$draft_status} {$lang['update']} : {$lang['log']}ID {$id}</h2>
<div class="section">
<form id="addform" action="./{$target}.php" method="post" enctype="multipart/form-data">
<p>
{$dform}
<label for="article-title">{$lang['title']} :</label><br />
<input type="text" name="name" id="article-title" tabindex="1" value="{$name}" size="40" class="bordered" /><br />
<label for="article-title-uri">URI{$hint['href']} : </label><br />
<input type="text" name="href" id="article-title-uri" tabindex="1" value="{$href}" size="40" class="bordered" /><br />
</p>
{$categories}
<p>
<label for="comment">{$lang['comment']}{$hint['comment']} : </label><br />
{$tag_buttons}
<br />
<textarea id="comment" name="comment" tabindex="1" rows="20" cols="{$text_cols}" >{$comment}</textarea><br />
</p>
{$upload_file_form}
<p>
{$no_change_mod_time}
<input type="hidden" name="mod" value="{$mod}" />
</p>
{$make_private}{$trackback_ping_form}
<div class="submit-button">
<input type="hidden" name="id" value="{$id}" />
<input class="backbutton" tabindex="1" accesskey="u" type="submit" value="{$update_submit_title}" />
</div>
</form>
<form id="del" action="./delete.php" method="post" onsubmit="return {$confirm_delete}">
<div class="submit-button">
<input type="hidden" name="id" value="{$id}" />
<input tabindex="2" accesskey="d" type="submit" value="{$delete_submit_title}" />
</div>
</form>
</div><!-- End .section -->
</div><!-- End .section -->
EOD;
    return $contents;
}
<?php include "../common/header.php"; ?>
<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php hint("will include the arg specified in the POST parameter \"library\", appends .php to end, use null byte %00 to bypass"); ?>
<form action="/LFI-7/index.php" method="POST">
<input type="text" name="library">
</form>
<?php
// Deliberately vulnerable LFI exercise (ush.it): the POST value is spliced
// into the include path unchanged; only the ".php" suffix is fixed.
// NOTE(review): the %00 truncation the hint suggests needs an interpreter
// that still accepts NUL bytes in paths — PHP has rejected them in
// filesystem calls since 5.3.4 — so run this on the PHP version the
// exercise targets.
$library = $_POST['library'];
include "includes/{$library}.php";
?>
<?php include "../common/header.php"; ?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php hint("will exec 'whois' with the arg specified in the POST parameter \"domain\""); ?>
<form action="/CMD-4/index.php" method="POST">
<input type="text" name="domain">
</form>
<pre>
<?php
// Deliberately vulnerable command-injection exercise (PentesterLab): the
// POST value is concatenated straight into a shell command line, so shell
// metacharacters in "domain" are interpreted by the shell. Real code would
// pass it through escapeshellarg() or avoid the shell with array-form
// proc_open(); kept as-is because the injection is the exercise.
$domain = $_POST["domain"];
system("whois {$domain}");
?>
</pre>
$extra = $q[ExtraGlad]; $limitskl = $q[LimitSkl]; print "<input id=GladLimit type=hidden value={$q['LimitGlad']}>"; print "<input id=SklLimit type=hidden value={$q['LimitSkl']}>"; print "<input id=Extra type=hidden value={$q['ExtraGlad']}>"; } else { print "<input id=GladLimit type=hidden value=7>"; print "<input id=SklLimit type=hidden value=0>"; print "<input id=Extra type=hidden value=1>"; } print "</table>"; $sendData = $id ? "send_data(0,null,{$id},0)" : "open_saveDialog(true)"; print "<div style='margin-top:10px;'><table border=0 bgcolor=78746C cellspacing=1 cellpadding=6><td bgcolor=#515E64><a href='javascript:{$sendData};' class='blue'><img src=\"/images/icons/save.gif\" width=16px height=14px border=0 align=\"absmiddle\"><b> " . message(175) . "</a></td></table></div>"; //<table width=300px border=0 cellspacing=0 cellpadding=0><td></td></table> if ($form->hint) { print "<br><div>" . hint($form->hint, $form->pageid) . "</div>"; } ?> <script language="JavaScript"> <!-- www.cgi.ru --> var up, down; var min1, sec1; var cmin, csec; function Minutes(data) {
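<!-- from http://hakipedia.com/index.php/Local_File_Inclusion -->
<?php include "../common/header.php"; ?>
<?php hint("not everything you need to play with is in a text field"); ?>
<form action="/LFI-11/index.php" method="POST">
<input type="text" name="file">
<input type="hidden" name="stylepath">
</form>
<?php
// Deliberately vulnerable LFI exercise (hakipedia): the hidden "stylepath"
// field is included verbatim, and "file" only gets a single-pass "../" strip.
//
// The hidden input used to carry two name attributes
// (name="style" name="stylepath"); browsers keep the first and ignore the
// duplicate, so the form submitted "style" while the code reads "stylepath".
// It now names the parameter the code actually consumes.
include $_POST['stylepath'];
$file = str_replace('../', '', $_POST['file']);
// NOTE(review): str_replace always returns a string, so isset($file) is
// always true and the index.php fallback below is unreachable.
if (isset($file)) {
    include "pages/{$file}";
} else {
    include "index.php";
}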
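<?php
// Autocomplete backend: prints the comma-joined entries of $arr that begin
// with the posted "query" (case-insensitive prefix match), or nothing when
// the query is blank.
$arr = array("Ane", "Ancient", "Arch", "Aventine", "Baths", "Beth", "Boih", "Campidoglio", "Capella", "Castel", "Hadrian", "Hotel");
// A missing parameter used to raise an undefined-index notice; default to "".
$queryText = trim(isset($_POST['query']) ? $_POST['query'] : '');
if ($queryText == "") {
    echo "";
} else {
    $result = hint($queryText, $arr);
    echo implode(",", $result);
}

/**
 * Return the entries of $arr whose leading strlen($queryText) bytes equal
 * $queryText, compared case-insensitively (byte-wise ASCII folding).
 *
 * @param string   $queryText prefix to look for; "" matches every entry
 * @param string[] $arr       candidate strings
 * @return string[] matching entries in their original order, reindexed from 0
 */
function hint($queryText, $arr)
{
    // Fold the query once instead of on every iteration.
    $prefix = strtolower($queryText);
    $prefixLen = strlen($prefix);
    $matches = array();
    foreach ($arr as $candidate) {
        if (strtolower(substr($candidate, 0, $prefixLen)) === $prefix) {
            $matches[] = $candidate;
        }
    }
    return $matches;
}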
<?php include "../common/header.php"; ?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php hint("will include the arg specified in the POST parameter \"page\""); ?>
<form action="/LFI-6/index.php" method="POST">
<input type="text" name="page">
</form>
<?php
// Deliberately vulnerable LFI exercise (PentesterLab): the POST value goes
// to include unchanged — no base directory, no allow-list, no suffix.
// NOTE(review): besides local paths, include accepts stream wrappers such as
// php://filter (and remote/data URLs when allow_url_include is enabled),
// which is what the "post exploitation" part of the source exercise builds on.
$page = $_POST["page"];
include $page;
<?php include "../common/header.php"; ?>
<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php hint("will include the arg specified in the GET parameter \"class\", appends .php to end, defeat with NULL byte %00"); ?>
<form action="/LFI-4/index.php" method="GET">
<input type="text" name="class">
</form>
<?php
// Deliberately vulnerable LFI exercise (ush.it): the GET value is spliced
// into the include path after addslashes(), with a fixed ".php" suffix.
// addslashes() does nothing about "../", so traversal is untouched.
// NOTE(review): addslashes() also escapes a NUL byte as the two characters
// "\0", so the %00 truncation the hint suggests is neutralised by this very
// call; the hint text is misleading for this variant.
$class = addslashes($_GET['class']);
include "includes/class_{$class}.php";
?>
<?php include "../common/header.php"; ?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php hint("will exec the arg specified in the GET parameter \"cmd\""); ?>
<form action="/CMD-1/index.php" method="GET">
<input type="text" name="cmd">
</form>
<?php
// Deliberately vulnerable exercise (PentesterLab): the raw GET value is run
// as a shell command and its output echoed — a direct remote command
// execution sink, kept as-is because that is the point of the exercise.
$cmd = $_GET["cmd"];
system($cmd);
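// Edit handler: show the edit template for post #$_GET['edit'] when the
// session (or an admin) is allowed to modify it.
if (isset($_GET['edit']) && is_numeric($_GET['edit'])) {
    // NOTE(review): `&&` binds tighter than `||`, so this condition reads as
    // !isset(modify) || (modify != edit && !$admin): an admin without a
    // 'modify' session key is refused as well. Left unchanged; confirm the
    // intent before re-parenthesising.
    if (!isset($_SESSION['modify']) || $_SESSION['modify'] != $_GET['edit'] && !$admin) {
        hint('No privilege!');
        header('location: ' . URL . '?modify=' . $_GET['edit']);
    } else {
        // Bind the id instead of concatenating it into the statement.
        // is_numeric() above narrows the value but still admits forms such as
        // "1e3" or " 1"; a placeholder keeps the SQL fixed regardless of what
        // the check lets through.
        $sth = $db->prepare('SELECT * FROM post WHERE id = ?');
        $sth->execute(array($_GET['edit']));
        $sth->bindColumn('id', $id);
        $sth->bindColumn('author', $author);
        $sth->bindColumn('mail', $mail);
        $sth->bindColumn('title', $title);
        $sth->bindColumn('content', $content);
        $sth->bindColumn('homepage', $homepage);
        $sth->fetch();
        if (empty($id)) {
            hint('No Article No.' . $_GET['edit'] . ' !');
            header('location: ' . URL);
        } else {
            include 'template/' . TEMPLATE . '/header.tpl.php';
            include 'template/' . TEMPLATE . '/edit.tpl.php';
            include 'template/' . TEMPLATE . '/footer.tpl.php';
            unset($_SESSION['hint']);
        }
    }
    // close the database connection
    $db = NULL;
    exit;
}
// Admin Page (this block continues past the end of the visible source)
if (isset($_GET['admin'])) {
    include 'template/' . TEMPLATE . '/header.tpl.php';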
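<?php include "../common/header.php"; ?>
<!-- from https://www.owasp.org/index.php/Path_Traversal -->
<?php
hint("will include the arg specified in the HTTP Cookie parameter \"TEMPLATE\"");
// Deliberately vulnerable path-traversal exercise (OWASP): the cookie value
// is appended to a fixed base directory without normalisation, so "../"
// segments escape it.
$template = 'blue.php';
// array_key_exists() takes (key, array); the original passed the cookie
// value alone, which is an ArgumentCountError on PHP 7.1+ before the include
// is ever reached.
if (array_key_exists('TEMPLATE', $_COOKIE)) {
    $template = $_COOKIE['TEMPLATE'];
}
// NOTE(review): absolute path under a personal home directory; adjust for
// the deployment host.
include "/Users/josenazario/templates/" . $template;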
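<?php include "../common/header.php"; ?>
<!-- from https://pentesterlab.com/exercises/php_include_and_post_exploitation/course -->
<?php hint("not everything you need to inject is in a text input field ..."); ?>
<form action="/CMD-6/index.php" method="POST">
<input type="text" name="domain">
<input type="hidden" name="server" value="whois.publicinterestregistry.net">
</form>
<pre>
<?php
// Deliberately vulnerable command-injection exercise (PentesterLab): the
// "domain" field is validated, but the hidden "server" field is concatenated
// into the shell command unchecked — that is the intended injection point.
//
// The original pattern lost its anchors to precedence: in
// "^label\.a[...]|b[...]|...|xn--...$" only the first alternative is anchored
// at the start and only the last at the end, so any input containing e.g.
// "com" anywhere (shell metacharacters included) passed the check. The TLD
// alternation is now grouped, one or more labels are allowed before it, and
// \z replaces "$" so a trailing newline cannot slip past the anchor.
$domain = isset($_POST["domain"]) ? strtolower($_POST["domain"]) : '';
$domainPattern = '/^(?:[-a-z0-9]+\.)+(?:'
    . 'a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|u[agksyz]|v[aceginu]|w[fs]|y[et]|z[amw]'
    . '|biz|cat|com|edu|gov|int|mil|net|org|pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|xn--[a-z0-9]+'
    . ')\z/';
if (preg_match($domainPattern, $domain)) {
    // NOTE(review): a label may still begin with "-", so a value like
    // "-h.com" reaches whois as an option-looking argument; the permitted
    // characters cannot break out of the command line, though.
    system("whois -h " . $_POST["server"] . " " . $_POST["domain"]);
} else {
    echo "malformed domain name";
}
?>
</pre>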
?> </a></td> <?php } ?> </tr> </table> <?php } } ?> <br><?php if ($form->hint) { print hint($form->hint, $form->pageid, $form->name) . "<br>"; } ?> </td><td width=30px> </td> </tr> </table> </td> <td> </td> </tr> </table></td> </tr> <tr> <td valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td> </td> <td width="768" class="bottom"><table width="100%" height="89" border="0" cellpadding="0" cellspacing="0">
<?php include "../common/header.php"; ?>
<!-- from http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/ -->
<?php hint("will include the arg specified in the GET parameter \"library\", appends .php to end, escape with NULL byte %00"); ?>
<form action="/LFI-1/index.php" method="GET">
<input type="text" name="library">
</form>
<?php
// Deliberately vulnerable LFI exercise (ush.it): the GET value is spliced
// into the include path unchanged; only the ".php" suffix is fixed.
// NOTE(review): the %00 truncation the hint suggests needs an interpreter
// that still accepts NUL bytes in paths — PHP has rejected them in
// filesystem calls since 5.3.4 — so run this on the PHP version the
// exercise targets.
$library = $_GET['library'];
include "includes/{$library}.php";
?>
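<?php
if ($form->hint) {
    print "<br>" . hint($form->hint, $form->pageid) . "<br>";
}
// $PHP_SELF reflects the request path (including any PATH_INFO the client
// appended), so it must be attribute-escaped before going into an href.
// $type lands in a query string and its origin is not visible here, so it is
// URL-encoded; the encoded form contains no HTML-significant characters.
$self = htmlspecialchars($PHP_SELF, ENT_QUOTES);
$typeParam = rawurlencode($type);
print "<center><img src=\"/images/line-sep4.gif\" width=491 height=30><br><a href=\"{$self}?act=insert&type={$typeParam}\" class=black>" . message(2) . "</a> |\n <a href=\"{$self}?type={$typeParam}\" class=black>" . message(3) . "</a> |\n<a href=\"{$self}?type={$typeParam}&act=create\" class=black>" . message(6) . "</a>\n<br><img src=\"/images/line-sep4.gif\" width=491 height=30></center>";
print "</center><br>";
print "</table></td>";
print "</table></td><tr><td height=50px background=\"/images/admin-bottom-bg.gif\"></table>";
//drawfooter();
$db->close();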
} else { $rfp = fopen(stripslashes($target_file), "rb"); $target_txt = @fread($rfp, filesize($target_file)); flock($rfp, LOCK_SH); $file_txt = $target_txt; fputs($rfp, $target_txt); flock($rfp, LOCK_UN); fclose($rfp); } } if (isset($file_txt)) { $file_txt = htmlspecialchars($file_txt); } else { $file_txt = htmlspecialchars($lang['edit_file_default_msg']); } $hint = hint(); ////////////////////////// PRESENTATION //////////////////////////// $contents = <<<EOD <div class="section"> <h2>{$lang['system_admin']}</h2> <ul class="flip-menu"> <li><a href="./admin_top.php">{$lang['sys_env']}</a></li> <li><a href="./preferences.php">{$lang['preferences']}</a></li> <li><span class="cur-tab">{$lang['edit_custom_file']}</span></li> <li><a href="./db_status.php">{$lang['db_table_status']}</a></li> </ul> {$error_msg} <form action="{$_SERVER['PHP_SELF']}" method="post"> <p> <select name="load_file">