function getvulns()
{
// Retrieve data
$user_curr = dvwaCurrentUser();
$name = mysql_real_escape_string($_POST['name']);
$key = mysql_real_escape_string($_POST['key']);
$from = mysql_real_escape_string($_POST['from']);
$to = mysql_real_escape_string($_POST['to']);
$risk = xlabGetSqli('risk', $_POST);
if ($name == $key and $key == $from and $form == $to and $to == '') {
$name = $user;
}
if (!$from) {
$from = '0000-00-00';
}
if (!$to) {
$to = date("Y-m-d");
}
if ($risk == 'all') {
$risk = '';
}
if ($user == "admin") {
$name = '';
$sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50";
} else {
$sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50";
}
$result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');
$num = mysql_numrows($result);
$i = 0;
while ($i < $num) {
$risk = mysql_result($result, $i, "risk");
$vid = mysql_result($result, $i, "vid");
$author = mysql_result($result, $i, "author");
$vname = htmlspecialchars(mysql_result($result, $i, "vname"));
$act = "<a href='vact.php?act=detail&vid={$vid}'>detail </a>\n\t\t\t\t<a href='?act=delete&vid={$vid}'>delete </a>";
$html .= "</tr><td>{$vid}</td><td>{$author}</td><td>{$vname}</td><td>{$risk}</td><td>{$act}</td></tr>";
$i++;
}
return $html;
}
function getreports($pre)
{
// Retrieve data
$user = dvwaCurrentUser();
$name = mysql_real_escape_string($_POST['name']);
$from = mysql_real_escape_string($_POST['from']);
$to = mysql_real_escape_string($_POST['to']);
if (!$from) {
$from = '0000-00-00';
}
if (!$to) {
$to = date("Y-m-d");
}
if ($user == "admin") {
$sql = "SELECT * FROM report where date>='{$from}' and date <='{$to}' and name like'{$name}%' order by date desc limit 30";
} else {
$sql = "SELECT * FROM report WHERE date>='{$from}' and date <='{$to}' and name='{$user}' order by date desc limit 30";
}
#echo $sql;
$result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');
$num = mysql_numrows($result);
$i = 0;
while ($i < $num) {
$date = mysql_result($result, $i, "date");
$name = mysql_result($result, $i, "name");
$report = htmlspecialchars(mysql_result($result, $i, "report"));
$act = "<a href='vact.php?act=detail&date={$date}&user={$name}'>detail </a>\n\t\t\t\t<a href='?act=delete&date={$date}&user={$name}'>delete </a>";
if (!empty($pre)) {
$html .= "</tr><td>{$date}</td><td>{$name}</td><td><pre>{$report}</pre></td><td>{$act}</td></tr>";
} else {
$html .= "</tr><td>{$date}</td><td>{$name}</td><td><h4>{$report}</h4></td><td>{$act}</td></tr>";
}
$i++;
}
return $html;
}
// Get input
$pass_new = $_POST['password_new'];
$pass_conf = $_POST['password_conf'];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer($_DVWA['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'], $_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field']);
// Did the CAPTCHA fail?
if (!$resp->is_valid && ($_POST['recaptcha_response_field'] != 'hidd3n_valu3' || $_SERVER['HTTP_USER_AGENT'] != 'reCAPTCHA')) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
} else {
// CAPTCHA was correct. Do both new passwords match?
if ($pass_new == $pass_conf) {
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
// Update database
$insert = "UPDATE `users` SET password = '******' WHERE user = '******' LIMIT 1;";
$result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');
// Feedback for user
$html .= "<pre>Password Changed.</pre>";
} else {
// Ops. Password mismatch
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
}
mysql_close();
}
// Generate Anti-CSRF token
generateSessionToken();
<?php
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 3</h3>\r\n\t\t<hr />\r\n\t\tWelcome back <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>";
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
$page['body'] .= $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$page['body'] .= "**Missing Header**";
}
$page['body'] .= "</em><br />\r\n\t\tYour user-agent address is: <em>" . $_SERVER['HTTP_USER_AGENT'] . "</em><br />\r\n\t\tYou came form: <em>{$_SERVER['HTTP_REFERER']}</em><br />\r\n\t\tI'm hosted at: <em>{$_SERVER['HTTP_HOST']}</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\r\n";
function dvwaHtmlEcho($pPage)
{
$menuBlocks = array();
$menuBlocks['home'] = array();
$menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.');
$menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php');
$menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup / Reset', 'url' => 'setup.php');
$menuBlocks['vulnerabilities'] = array();
$menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/.');
$menuBlocks['meta'] = array();
$menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php');
$menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php');
$menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php');
$menuBlocks['logout'] = array();
$menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php');
$menuHtml = '';
foreach ($menuBlocks as $menuBlock) {
$menuBlockHtml = '';
foreach ($menuBlock as $menuItem) {
$selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : '';
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'];
$menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>\n";
}
$menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>";
}
// Get security cookie --
$securityLevelHtml = '';
switch (dvwaSecurityLevelGet()) {
case 'low':
$securityLevelHtml = 'low';
break;
case 'medium':
$securityLevelHtml = 'medium';
break;
case 'high':
$securityLevelHtml = 'high';
break;
default:
$securityLevelHtml = 'high';
break;
}
// -- END (security cookie)
$phpIdsHtml = '<em>PHPIDS:</em> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled');
$userInfoHtml = '<em>Username:</em> ' . dvwaCurrentUser();
$messagesHtml = messagesPopAllToHtml();
if ($messagesHtml) {
$messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>";
}
$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
if ($pPage['source_button']) {
$systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}";
}
if ($pPage['help_button']) {
$systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}";
}
// Send Headers + main HTML code
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>{$pPage['title']}</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\r\n\r\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\r\n\r\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\r\n\r\n\t</head>\r\n\r\n\t<body class=\"home\">\r\n\t\t<div id=\"container\">\r\n\r\n\t\t\t<div id=\"header\">\r\n\r\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_menu\">\r\n\r\n\t\t\t\t<div id=\"main_menu_padded\">\r\n\t\t\t\t{$menuHtml}\r\n\t\t\t\t</div>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_body\">\r\n\r\n\t\t\t\t{$pPage['body']}\r\n\t\t\t\t<br />\r\n\t\t\t\t<br />\r\n\t\t\t\t{$messagesHtml}\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div class=\"clear\">\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"system_info\">\r\n\t\t\t\t{$systemInfoHtml}\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"footer\">\r\n\r\n\t\t\t\t<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t</div>\r\n\r\n\t</body>\r\n\r\n</html>";
}
<?php
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 1</h3>\r\n\t\t<hr />\r\n\t\tHello <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>{$_SERVER['REMOTE_ADDR']}</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\n";
function dvwaHtmlEcho($pPage)
{
$menuBlocks = array();
$menuBlocks['home'] = array();
$menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.');
$menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php');
$menuBlocks['vulnerabilities'] = array();
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-63321', 'name' => 'Regex #02-Domain too', 'url' => 'vulnerabilities/WooYun-2014-63321/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-61978', 'name' => 'CSRF #01-Flash Upload', 'url' => 'vulnerabilities/WooYun-2014-61978/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-61361', 'name' => 'Sqli QUERY_STRING', 'url' => 'vulnerabilities/WooYun-2014-61361/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-59940', 'name' => 'Regex #01-Domain fraud', 'url' => 'vulnerabilities/WooYun-2014-59940/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-53384', 'name' => 'Sqli filter #02-Once', 'url' => 'vulnerabilities/WooYun-2014-53384/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-52257', 'name' => 'Sqli Mysql #01', 'url' => 'vulnerabilities/WooYun-2014-52257/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-52248', 'name' => 'No [Comma] Sqli', 'url' => 'vulnerabilities/WooYun-2014-52248/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51950', 'name' => 'Sqli using [Slashes]', 'url' => 'vulnerabilities/WooYun-2014-51950/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51687', 'name' => 'Sqli filter #02-80sec', 'url' => 'vulnerabilities/WooYun-2014-51687/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51536', 'name' => 'XSS #08-mXSS', 'url' => 'vulnerabilities/WooYun-2014-51536/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51505', 'name' => 'Sqli filter #01', 'url' => 'vulnerabilities/WooYun-2014-51505/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-50644', 'name' => 'No [Space] Sqli', 'url' => 'vulnerabilities/WooYun-2014-50644/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-50315', 'name' => 'XSS #07-SVG', 'url' => 'vulnerabilities/WooYun-2014-50315/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-34885', 'name' => 'Contradiction #01', 'url' => 'vulnerabilities/WooYun-2013-34885/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-31669', 'name' => 'Indirect SQLi #01', 'url' => 'vulnerabilities/WooYun-2013-31669/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-20759', 'name' => 'Decrypt #01-CCA2', 'url' => 'vulnerabilities/WooYun-2013-20759/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-19115', 'name' => 'Workflow #1-302', 'url' => 'vulnerabilities/WooYun-2013-19115/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16598', 'name' => 'XSS #06-Flash02', 'url' => 'vulnerabilities/WooYun-2012-16598/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16532', 'name' => 'XSS #05-Flash01', 'url' => 'vulnerabilities/WooYun-2012-16532/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16041', 'name' => 'XSS #04-Encoding', 'url' => 'vulnerabilities/WooYun-2012-16041/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16003', 'name' => 'XSS #03-InComment', 'url' => 'vulnerabilities/WooYun-2012-16003/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-15979', 'name' => 'XSS #02-TwoVars', 'url' => 'vulnerabilities/WooYun-2012-15979/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-15969', 'name' => 'XSS #01-GBK', 'url' => 'vulnerabilities/WooYun-2012-15969/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2011-02236', 'name' => 'LFI+log', 'url' => 'vulnerabilities/WooYun-2011-02236/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'Drops-1015', 'name' => 'Linux pentest tricks', 'url' => 'vulnerabilities/Drops-1015/.');
$menuBlocks['meta'] = array();
$menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php');
$menuBlocks['logout'] = array();
$menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php');
$menuHtml = '';
foreach ($menuBlocks as $menuBlock) {
$menuBlockHtml = '';
foreach ($menuBlock as $menuItem) {
$selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'list-group-item active' : 'list-group-item';
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'] . '#here_body';
$menuBlockHtml .= "<a href=\"{$fixedUrl}\" onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\">{$menuItem['name']}</a>";
}
$menuHtml .= "<ul>{$menuBlockHtml}</ul>";
}
// Get security cookie --
$securityLevelHtml = '';
switch (dvwaSecurityLevelGet()) {
case 'low':
$securityLevelHtml = 'low';
break;
case 'medium':
$securityLevelHtml = 'medium';
break;
case 'high':
$securityLevelHtml = 'high';
break;
default:
$securityLevelHtml = 'low';
break;
}
// -- END
$phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled');
$userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser();
$messagesHtml = messagesPopAllToHtml();
if ($messagesHtml) {
$messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>";
}
$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
if ($pPage['source_button']) {
$systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}";
}
if ($pPage['help_button']) {
$systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}";
}
// Send Headers + main HTML code
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>{$pPage['title']}</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/bootstrap.min.css\" />\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/bootstrap-theme.min.css\" />\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/navbar-fixed-top.css\" />\r\n\r\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\r\n\r\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\r\n\r\n\t</head>\r\n\r\n\t<body class=\"home\">\r\n\r\n\t\t\t<div id=\"header\" style=\"text-align:center;\">\r\n\r\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/wooyun_logo.jpg\" alt=\"WooYun DVWA\" height=\"200\" width=\"800\"/>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t<div id=\"container\" align=\"center\">\r\n\r\n <div class=\"navbar navbar-default navbar-fixed-top\" role=\"navigation\" >\r\n <div class=\"container\">\r\n <div class=\"navbar-header\">\r\n <button type=\"button\" class=\"navbar-toggle collapsed\" data-toggle=\"collapse\" data-target=\".navbar-collapse\">\r\n <span class=\"sr-only\">Toggle navigation</span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n </button>\r\n <a class=\"navbar-brand\" href=\"#\">DVWA WooYun</a>\r\n </div>\r\n <div class=\"navbar-collapse collapse\">\r\n <ul class=\"nav navbar-nav\">\r\n <li><a href=\"/\">Home</a></li>\r\n <li><a href=\"http://wooyun.org\">Wooyun</a></li>\r\n <li><a href=\"/instructions.php#here_body\">Instructions</a></li>\r\n </ul>\r\n <ul class=\"nav navbar-nav navbar-right\">\r\n <li><a href=\"/about.php#here_body\">About</a></li>\r\n <li><a href=\"/logout.php\">Logout</a></li>\r\n </ul>\r\n </div><!--/.nav-collapse -->\r\n </div>\r\n </div>\r\n\r\n<a name=\"here_body\"></a><!-- 定义锚点 --> \r\n<br>\r\n<br>\r\n<br>\r\n\r\n\t\t\t<div id=\"main_menu\" style=\"width:20%;float:left;padding-left: 15px;\">\r\n\r\n\t\t\t\t<div class=\"row\">\r\n\t\t\t\t\t<div class=\"list-group\">\r\n\t\t\t\t\t\t{$menuHtml}\r\n\t\t\t\t\t</div>\r\n\t\t\t\t</div>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_body\" style=\"width:75%;float:right\">\r\n\r\n\t\t\t\t{$pPage['body']}\r\n\t\t\t\t<br />\r\n\t\t\t\t<br />\r\n\t\t\t\t{$messagesHtml}\r\n\t\t\t\t{$systemInfoHtml}\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div class=\"clear\">\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"footer\">\r\n\r\n\t\t\t\t<p>WooYun DVWA v" . dvwaVersionGet() . "</p>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t</div>\r\n\r\n\t</body>\r\n\r\n</html>";
}
<?php
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'Work';
$page['page_id'] = 'work';
if (!dvwaIfWork()) {
exit;
}
dvwaDatabaseConnect();
$user = dvwaCurrentUser();
$html = '';
if (isset($_GET['act']) && $_GET['act'] == 'detail') {
$date = $_GET['date'];
$author = $_GET['user'];
if ($user == "admin") {
$sql = "select * from report where date='{$date}' and name='{$author}'";
} else {
$sql = "select * from report where name='{$user}' and date='{$date}'";
}
#echo $sql;
$result = mysql_query($sql);
$num = mysql_numrows($result);
if ($num > 0) {
$date = mysql_result($result, 0, "date");
$name = mysql_result($result, 0, "name");
$report = mysql_result($result, 0, "report");
}
/*
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];
// Sanitise current password input
$pass_curr = stripslashes($pass_curr);
$pass_curr = mysql_real_escape_string($pass_curr);
$pass_curr = md5($pass_curr);
// Check that the current password is correct
$data = $db->prepare('SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;');
$data->bindParam(':user', dvwaCurrentUser(), PDO::PARAM_STR);
$data->bindParam(':password', $pass_curr, PDO::PARAM_STR);
$data->execute();
// Do both new passwords match and does the current password match the user?
if ($pass_new == $pass_conf && $data->rowCount() == 1) {
// It does!
$pass_new = stripslashes($pass_new);
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
// Update database with new password
$data = $db->prepare('UPDATE users SET password = (:password) WHERE user = (:user);');
$data->bindParam(':password', $pass_new, PDO::PARAM_STR);
$data->bindParam(':user', dvwaCurrentUser(), PDO::PARAM_STR);
$data->execute();
// Feedback for the user
$html .= "<pre>Password Changed.</pre>";
} else {
// Issue with passwords matching
$html .= "<pre>Passwords did not match or current password incorrect.</pre>";
}
}
// Generate Anti-CSRF token
generateSessionToken();
function dvwaHtmlEcho($pPage)
{
$menuBlocks = array();
$menuBlocks['home'] = array();
$menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.');
$menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php');
$menuBlocks['vulnerabilities'] = array();
$menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.');
#$menuBlocks['vulnerabilities'][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' );
$menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS reflected', 'url' => 'vulnerabilities/xss_r/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS stored', 'url' => 'vulnerabilities/xss_s/.');
if (dvwaIfWork()) {
$menuBlocks['vulnerabilities'][] = array('id' => 'vulns', 'name' => 'Vulns', 'url' => 'vulnerabilities/vulns/.');
$menuBlocks['vulnerabilities'][] = array('id' => 'work', 'name' => 'Work', 'url' => 'vulnerabilities/work/.');
}
if (dvwaIsCtf()) {
$menuBlocks['vulnerabilities'][] = array('id' => 'ctf', 'name' => 'CTF', 'url' => 'vulnerabilities/ctf/?pid=1');
$menuBlocks['vulnerabilities'][] = array('id' => 'submit', 'name' => 'Submit', 'url' => 'vulnerabilities/ctf/?pid=submit');
$menuBlocks['vulnerabilities'][] = array('id' => 'score', 'name' => 'Score', 'url' => 'vulnerabilities/ctf/?pid=score&name=' . dvwaCurrentUser());
}
if (xlabisadmin()) {
$menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup', 'url' => 'setup.php');
$menuBlocks['home'][] = array('id' => 'admin', 'name' => 'Admin', 'url' => 'vulnerabilities/admin/.');
$menuBlocks['home'][] = array('id' => 'manager', 'name' => 'Manager', 'url' => 'vulnerabilities/admin/manager.php');
}
$menuBlocks['meta'] = array();
$menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php');
$menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php');
$menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php');
$menuBlocks['logout'] = array();
$menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php');
$menuHtml = '';
foreach ($menuBlocks as $menuBlock) {
$menuBlockHtml = '';
foreach ($menuBlock as $menuItem) {
$selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : '';
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'];
$menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>";
}
$menuHtml .= "<ul>{$menuBlockHtml}</ul>";
}
// Get security cookie --
$securityLevelHtml = dvwaIsCtf() ? 'CTF' : dvwaSecurityLevelGet();
// -- END
$phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled');
$userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser();
$AppModel = '<b>AppModel:</b> ' . dvwaGetModel();
$messagesHtml = messagesPopAllToHtml();
if ($messagesHtml) {
$messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>";
}
$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br />{$AppModel}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
if ($pPage['source_button'] && !dvwaIsCtf()) {
$systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}";
}
if ($pPage['help_button'] && !dvwaIsCtf()) {
$systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}";
}
if (dvwaIsCtf()) {
$addr = xlabGetLocation();
$systemInfoHtml = "<label for=\"QNUM\">CTF Numbers:</label><form action=\"{$addr}/vulnerabilities/ctf/\" method=\"GET\">" . dvwaGetlist() . "<input type=\"submit\" name=\"select\" value='select'>\n\t\t</form>" . "{$systemInfoHtml}";
$value = (isset($_GET['pid']) and is_numeric($_GET['pid'])) ? $_GET['pid'] : '1';
$ctfselect = xlabGetJs(xlabJqSelect("ctf_select", $value));
#$ctfselect="<script>document.getElementById('ctf_select').options[5].setAttribute('selected', 'selected');</script>";
}
// Send Headers + main HTML code
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>{$pPage['title']}</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\n\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\n\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\n\n\t</head>\n\n\t<body class=\"home\">\n\t\t<div id=\"container\">\n\n\t\t\t<div id=\"header\">\n\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_menu\">\n\n\t\t\t\t<div id=\"main_menu_padded\">\n\t\t\t\t{$menuHtml}\n\t\t\t\t</div>\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_body\">\n\t\t\t\t<script src='../../dvwa/js/jquery.js' type='text/javascript' charset='utf-8'></script>\n\t\t\t\t{$pPage['body']}\n\t\t\t\n\t\t\t\t<br />\n\t\t\t\t<br />\n\t\t\t\t{$messagesHtml}\n\n\t\t\t</div>\n\n\t\t\t<div class=\"clear\">\n\t\t\t</div>\n\n\t\t\t<div id=\"system_info\">\n\t\t\t\t{$systemInfoHtml}\n\t\t\t</div>\n\n\t\t\t<div id=\"footer\">\n\t\t\t\t{$ctfselect}\n\t\t\t\t<p>HTJC SeclabX ASystem (XlabAS) v" . dvwaVersionGet() . "</p>\n\n\t\t\t</div>\n\n\t\t</div>\n\n\t</body>\n\n</html>";
}
<?php
if (isset($_GET['Change'])) {
// Turn requests into variables
$pass_curr = $_GET['password_current'];
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];
// Sanitise current password input
$pass_curr = stripslashes($pass_curr);
$pass_curr = mysql_real_escape_string($pass_curr);
$pass_curr = md5($pass_curr);
// Check that the current password is correct
$query = "SELECT password FROM `users` WHERE user='******' AND password='******';";
$result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
if ($pass_new == $pass_conf && ($result && mysql_num_rows($result) == 1)) {
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert = "UPDATE `users` SET password = '******' WHERE user = '******';";
$result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');
$html .= "<pre>Password Changed.</pre>";
mysql_close();
} else {
$html .= "<pre>Passwords did not match or current password incorrect.</pre>";
}
}
