Beispiel #1
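// Tag the page with this module's id; the code that reads 'source_button' is
// outside this snippet.
$page['source_button'] = 'sqli';
dvwaDatabaseConnect();

// The security level arrives in a cookie, so the client chooses it. The raw
// value is never used as a file name: it only selects one of three fixed
// names, and anything unrecognised falls through to the strictest variant.
// A missing cookie is treated as "unrecognised" instead of raising an
// undefined-index notice.
$vulnerabilityFile = '';
switch (isset($_COOKIE['security']) ? $_COOKIE['security'] : '') {
    case 'low':
        $vulnerabilityFile = 'low.php';
        break;
    case 'medium':
        $vulnerabilityFile = 'medium.php';
        break;
    case 'high':
    default:
        $vulnerabilityFile = 'high.php';
        break;
}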
// Anti-CSRF: tokens are generated only when the 'high' variant is served.
if ('high.php' == $vulnerabilityFile) {
    generateTokens();
}

// Load the level-specific implementation. The switch above sets
// $vulnerabilityFile to low.php, medium.php or high.php only, so the cookie
// value never becomes part of the included path.
require_once DVWA_WEB_PAGE_TO_ROOT . 'vulnerabilities/sqli/source/' . $vulnerabilityFile;
// Warn the trainee when magic_quotes_gpc is active. The directive was removed
// in PHP 5.4, where ini_get() returns false for it and no warning is shown.
// Magic quotes only added backslashes to GET/POST/cookie data; they were never
// a substitute for parameterised queries.
$magicQuotesWarningHtml = ini_get('magic_quotes_gpc')
    ? "<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>"
    : '';
// Page heading, the optional Magic Quotes warning and the opening of the
// lookup form. The form submits the user id with GET, so the value travels in
// the URL (and therefore in server logs and browser history).
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: SQL Injection</h1>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<p>\r\n\t\t\t\tUser ID:\r\n\t\t\t\t<input type=\"text\" size=\"15\" name=\"id\">\r\n\t\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\">\r\n\t\t\t</p>";

// Only the 'high' variant carries the anti-CSRF token field inside the form.
if ('high.php' == $vulnerabilityFile) {
    $page['body'] .= "\t\t\t" . tokenField();
}

// Reference links, rendered in this fixed order.
$referenceLinksHtml = '';
foreach (array(
    'http://www.securiteam.com/securityreviews/5DP0N1P76E.html',
    'https://en.wikipedia.org/wiki/SQL_injection',
    'http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/',
    'http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet',
    'https://www.owasp.org/index.php/SQL_Injection',
    'http://bobby-tables.com/',
) as $referenceUrl) {
    $referenceLinksHtml .= "\t\t<li>" . dvwaExternalLinkUrlGet($referenceUrl) . "</li>\r\n";
}

// $html is not assigned in this snippet (presumably the included level file
// builds it - confirm). It is placed in the page as-is here, so any output
// encoding has to happen where it is built.
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n" . $referenceLinksHtml . "\t</ul>\r\n</div>\r\n";

dvwaHtmlEcho($page);
Beispiel #2
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);
    $query = "SELECT table_schema, table_name, create_time\r\n\t\t\t\tFROM information_schema.tables\r\n\t\t\t\tWHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'\r\n\t\t\t\tLIMIT 1";
    $result = @mysql_query($query);
    if (mysql_num_rows($result) != 1) {
        dvwaMessagePush("First time using DVWA.<br />Need to run 'setup.php'.");
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'setup.php');
    }
    $query = "SELECT * FROM `users` WHERE user='******' AND password='******';";
    $result = @mysql_query($query) or die('<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>');
    if ($result && mysql_num_rows($result) == 1) {
        // Login Successful...
        dvwaMessagePush("You have logged in as '{$user}'");
        dvwaLogin($user);
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'index.php');
    }
    // Login failed
    dvwaMessagePush('Login failed');
    dvwaRedirect('login.php');
}
// Queued status messages, already rendered to HTML by the helper.
$messagesHtml = messagesPopAllToHtml();

// Response headers, sent in this order.
foreach (array(
    'Cache-Control: no-cache, must-revalidate', // HTTP/1.1
    'Content-Type: text/html;charset=utf-8',    // TODO- proper XHTML headers...
    'Expires: Tue, 23 Jun 2009 12:00:00 GMT',   // Date in the past
) as $headerLine) {
    header($headerLine);
}

// Anti-CSRF: a session token is generated before the login form is rendered.
generateSessionToken();
// Render the complete login page in one echo. The helper calls are made first,
// in the same order in which they appear in the markup.
$versionLabel = dvwaVersionGet();
// Anti-CSRF field; it is placed inside the POST login form below.
$csrfFieldHtml = tokenField();
$projectLinkHtml = dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)');

// $messagesHtml is interpolated as-is. Messages pushed elsewhere can contain
// the submitted user name, so escaping has to happen in the message helpers -
// NOTE(review): confirm that messagesPopAllToHtml() encodes its output.
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Login :: Damn Vulnerable Web Application (DVWA) v"
    . $versionLabel
    . "</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div id=\"wrapper\">\r\n\r\n\t<div id=\"header\">\r\n\r\n\t<br />\r\n\r\n\t<p><img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\r\n\t</div> <!--<div id=\"header\">-->\r\n\r\n\t<div id=\"content\">\r\n\r\n\t<form action=\"login.php\" method=\"post\">\r\n\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\r\n\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\r\n\t\t\t<br />\r\n\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t"
    . $csrfFieldHtml
    . "\r\n\r\n\t</form>\r\n\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\r\n\t<!-- <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/RandomStorm.png\" /> -->\r\n\t</div > <!--<div id=\"content\">-->\r\n\r\n\t<div id=\"footer\">\r\n\r\n\t<p>"
    . $projectLinkHtml
    . " is a RandomStorm OpenSource project.</p>\r\n\r\n\t</div> <!--<div id=\"footer\"> -->\r\n\r\n\t</div> <!--<div id=\"wrapper\"> -->\r\n\r\n\t</body>\r\n\r\n</html>";
Beispiel #3
            dvwaPhpIdsEnabledSet(false);
            dvwaMessagePush("PHPIDS is now disabled");
            break;
    }
    dvwaPageReload();
}
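// Build the <option> list for the level selector and the "current level"
// notice shown above it.
$securityOptionsHtml = '';
$securityLevelHtml = '';

// The current level does not change inside the loop, so look it up once.
$currentSecurityLevel = dvwaSecurityLevelGet();

foreach (array('low', 'medium', 'high', 'impossible') as $securityLevel) {
    $selected = '';
    if ($securityLevel == $currentSecurityLevel) {
        $selected = ' selected="selected"';
        // Only names from the fixed list above are written into the markup,
        // never the stored value itself. The paragraph is now closed with
        // </p>; the original ended with a second opening <p>.
        $securityLevelHtml = "<p>Security level is currently: <em>{$securityLevel}</em>.</p>";
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>" . ucfirst($securityLevel) . "</option>";
}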
// Status line for PHPIDS with a link that flips the setting.
// NOTE(review): the toggle links are plain GET links and carry no anti-CSRF
// token. The handler that consumes ?phpids is above this excerpt - confirm
// whether a state change through GET is intended there.
$phpIdsHtml = 'PHPIDS is currently: ' . (
    dvwaPhpIdsIsEnabled()
        ? '<em>enabled</em>. [<a href="?phpids=off">Disable PHPIDS</a>]'
        : '<em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]'
);
// Anti-CSRF: generate the session token before the form is rendered.
generateSessionToken();

// Warn when the PHPIDS log file cannot be written. $PHPIDSPath is defined
// outside this snippet. The warning prints that server-side path into the
// page, so anyone who can view this page learns where the log lives.
$WarningHtml = is_writable($PHPIDSPath)
    ? ''
    : "<div class=\"warning\"><em>Cannot write to the PHPIDS log file</em>: {$PHPIDSPath}</div>";
// Body of the security settings page: the level form (POST, with the
// anti-CSRF token field inside it) followed by the PHPIDS section.
// $securityHtml is not assigned in the lines visible here - presumably the
// request handler above sets it; confirm it is always initialised.
// The "Simulate attack" link is a self-test: it requests this page with a
// script-bearing value in the `test` parameter so PHPIDS has something to flag.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>DVWA Security <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/lock.png\" /></h1>\r\n\t<br />\r\n\r\n\t<h2>Security Level</h2>\r\n\r\n\t{$securityHtml}\r\n\r\n\t<form action=\"#\" method=\"POST\">\r\n\t\t{$securityLevelHtml}\r\n\t\t<p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p>\r\n\t\t<ol>\r\n\t\t\t<li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li>\r\n\t\t\t<li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li>\r\n\t\t\t<li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li>\r\n\t\t\t<li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br />\r\n\t\t\t\tPriority to DVWA v1.9, this level was known as 'high'.</li>\r\n\t\t</ol>\r\n\t\t<select name=\"security\">\r\n\t\t\t{$securityOptionsHtml}\r\n\t\t</select>\r\n\t\t<input type=\"submit\" value=\"Submit\" name=\"seclev_submit\">\r\n\t\t"
    . tokenField()
    . "\r\n\t</form>\r\n\r\n\t<br />\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>PHPIDS</h2>\r\n\t{$WarningHtml}\r\n\t<p>"
    . dvwaExternalLinkUrlGet('https://github.com/PHPIDS/PHPIDS', 'PHPIDS')
    . " v"
    . dvwaPhpIdsVersionGet()
    . " (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p>\r\n\t<p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p>\r\n\t<p>You can enable PHPIDS across this site for the duration of your session.</p>\r\n\r\n\t<p>{$phpIdsHtml}</p>\r\n\t[<a href=\"?test=%22><script>eval(window.name)</script>\">Simulate attack</a>] -\r\n\t[<a href=\"ids_log.php\">View IDS log</a>]\r\n</div>";

dvwaHtmlEcho($page);
Beispiel #4
<?php

// This script sits in the web root, so the relative prefix to the root is empty.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

// Start the page with only 'phpids' requested.
// NOTE(review): 'authenticated' is not in this list - presumably so the setup
// page works before any user exists; confirm against dvwaPageStartup().
dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['page_id'] = 'setup';
// Prefix the default title: "Setup<separator><default title>".
$page['title'] = "Setup{$page['title_separator']}{$page['title']}";
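// Handle the "Create / Reset Database" button.
if (isset($_POST['create_db'])) {
    // Anti-CSRF: this branch runs only for a POST of the setup form, and
    // tokenField() is rendered inside that method="post" form, so the token is
    // read from $_POST. $_REQUEST can also be filled from the query string
    // and, depending on request_order, from cookies, so a value from either
    // of those could stand in for the posted token.
    // NOTE(review): checkToken() is defined elsewhere - confirm it rejects a
    // missing or empty session token.
    checkToken($_POST['user_token'], $_SESSION['session_token'], 'setup.php');

    if ($DBMS == 'MySQL') {
        // The included script performs the create/reset; it runs in this scope.
        include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
    } elseif ($DBMS == 'PGSQL') {
        // include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/PGSQL.php';
        dvwaMessagePush('PostgreSQL is not yet fully supported.');
        dvwaPageReload();
    } else {
        // $DBMS is set outside this snippet; any other value is reported as a
        // configuration error.
        dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
        dvwaPageReload();
    }
}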
// Anti-CSRF: generate the session token before the form is rendered.
generateSessionToken();

// Absolute path of the config file, shown to the operator as a hint.
$configFilePath = realpath(implode(DIRECTORY_SEPARATOR, array(getcwd(), 'config', 'config.inc.php')));

// Setup page body. It prints the absolute config path, the PHP version and a
// series of status lines ($DVWAOS, $php*, $MYSQL_*, ...) that are built
// outside this snippet, and it states the default administrator credentials.
// NOTE(review): confirm that the $MYSQL_PASS line does not echo the password
// in clear, and that this page is not reachable by untrusted visitors.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>Database Setup <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/spanner.png\" /></h1>\n\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />\n\tIf you get an error make sure you have the correct user credentials in: <em>"
    . $configFilePath
    . "</em></p>\n\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\n\t<hr />\n\t<br />\n\n\t<h2>Setup Check</h2>\n\n\t{$DVWAOS}<br />\n\tBackend database: <em>{$DBMS}</em><br />\n\tPHP version: <em>"
    . phpversion()
    . "</em><br />\n\t<br />\n\t{$SERVER_NAME}<br />\n\t<br />\n\t{$phpDisplayErrors}<br />\n\t{$phpSafeMode}<br/ >\n\t{$phpURLInclude}<br/ >\n\t{$phpURLFopen}<br />\n\t{$phpMagicQuotes}<br />\n\t{$phpGD}<br />\n\t{$phpMySQL}<br />\n\t{$phpPDO}<br />\n\t<br />\n\t{$MYSQL_USER}<br />\n\t{$MYSQL_PASS}<br />\n\t{$MYSQL_DB}<br />\n\t{$MYSQL_SERVER}<br />\n\t<br />\n\t{$DVWARecaptcha}<br />\n\t<br />\n\t{$DVWAUploadsWrite}<br />\n\t{$DVWAPHPWrite}<br />\n\t<br />\n\t<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />\n\t<br /><br /><br />\n\n\t<!-- Create db button -->\n\t<form action=\"#\" method=\"post\">\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\n\t\t"
    . tokenField()
    . "\n\t</form>\n\t<br />\n\t<hr />\n</div>";

dvwaHtmlEcho($page);
Beispiel #5
<?php

// This script sits in the web root, so the relative prefix to the root is empty.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

// Start the page with only 'phpids' requested.
// NOTE(review): 'authenticated' is not in this list - presumably so the setup
// page works before any user exists; confirm against dvwaPageStartup().
dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['page_id'] = 'setup';
// Suffix the default title: "<default title><separator>Setup".
$page['title'] = $page['title'] . $page['title_separator'] . 'Setup';
// Handle the "Create / Reset Database" button.
if (isset($_POST['create_db'])) {
    // Anti-CSRF: the posted token is checked before anything is reset.
    // checkTokens() is defined elsewhere; what it does on a mismatch is not
    // visible here.
    checkTokens($_POST['token'], 'setup.php');

    // $DBMS is set outside this snippet.
    switch ($DBMS) {
        case 'MySQL':
            // The included script performs the create/reset; it runs in this scope.
            include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
            break;
        case 'PGSQL':
            // include_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/DBMS/PGSQL.php';
            dvwaMessagePush('PostgreSQL is not yet fully supported.');
            dvwaPageReload();
            break;
        default:
            dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
            dvwaPageReload();
            break;
    }
}
// Anti-CSRF: generate the tokens before the form is rendered.
generateTokens();

// Absolute install directory, used to show where the config file lives.
$installDirectory = realpath(getcwd());

// Setup page body. It prints the absolute install path, the PHP version and
// status lines ($DVWAOS, $php*, $DVWA*) that are built outside this snippet,
// and it states the default administrator credentials.
// NOTE(review): confirm this page is not reachable by untrusted visitors.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Database Setup <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/spanner.png\" /></h1>\r\n\r\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.</br>\r\n\tIf you get an error make sure you have the correct user credentials in: <em>"
    . $installDirectory
    . "/config/config.inc.php</em></p>\r\n\r\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\r\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>Setup Check</h2>\r\n\r\n\t{$DVWAOS}<br />\r\n\tBackend Database: <em>"
    . $DBMS
    . "</em><br />\r\n\t<br />\r\n\tPHP Version: v<em>"
    . phpversion()
    . "</em><br />\r\n\t{$phpSafeMode}<br/ >\r\n\t{$phpDisplayErrors}<br />\r\n\t{$phpURLInclude}<br/ >\r\n\t{$phpURLFopen}<br />\r\n\t{$phpMagicQuotes}<br />\r\n\t<br />\r\n\t{$DVWARecaptcha}<br />\r\n\t<br />\r\n\t{$DVWAUploadsWrite}<br />\r\n\t{$DVWAPHPWrite}<br />\r\n\t<br />\r\n\t<i>Status with \"(*)\" indicate there could be possible issue(s) with a certain modules.</i><br />\r\n\t<br /><br /><br />\r\n\r\n\t<!-- Create db button -->\r\n\t<form action=\"#\" method=\"post\">\r\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\r\n\t\t"
    . tokenField()
    . "\r\n\t</form>\r\n</div>\r\n";

dvwaHtmlEcho($page);