function db_login($user, $pass)
{
$login = "******";
$result = @pg_query($login) or die('<pre>' . pg_last_error() . '</pre>');
if ($result && pg_num_rows($result) == 1) {
// Login Successful...
dvwaMessagePush("You have logged in as '" . $user . "'");
dvwaLogin($user);
dvwaRedirect('index.php');
}
}
dvwaGetconfig();
#dvwadebug();
if (isset($_POST['reg'])) {
$user = trim($_POST['username']);
$user = stripslashes($user);
$user = mysql_real_escape_string($user);
$pass = trim($_POST['password']);
$pass = stripslashes($pass);
$pass = mysql_real_escape_string($pass);
$pass_md5 = md5($pass);
$insert_md5 = "insert into users values ('','{$user}','{$user}','{$user}','{$pass_md5}','dvwa/hackable/users/gordonb.jpg')";
if ($user != '' and $pass != '' and $_POST['password'] == $_POST['password2']) {
// Login Successful...
$result_md5 = @mysql_query($insert_md5) or die('<pre>' . mysql_error() . '</br>insert fail,again!!</pre>');
dvwaRedirect('index.php');
dvwaMessagePush("You have reg succfully for '" . $user . "'");
dvwaLogin($user);
dvwaRedirect('login.php');
}
// Login failed
dvwaMessagePush("reg failed");
dvwaRedirect('reg.php');
}
$messagesHtml = messagesPopAllToHtml();
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>XLABAS - REG</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\n\n\t</head>\n\n\t<body>\n\n\t<div align=\"center\">\n\t\n\t<br />\n\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\n\n\t<br />\n\t\n\t<form action=\"reg.php\" method=\"post\">\n\t\n\t<fieldset>\n\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\n\t\n\t\t\t\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\n\t\t\t\n\t\t\t<label for=\"pass\">Password2</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password2\"><br />\n\t\t\t\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Reg\" name=\"reg\"></p>\n\n\t</fieldset>\n\n\t</form>\n\n\t\n\t<br />\n\n\t{$messagesHtml}\n\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\t\n\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\n\t\n\t<p>Damn HTJC SeclabX ASystem (XlabAS) is a RandomStorm OpenSource project</p>\n\t\n\t</div> <!-- end align div -->\n\n\t</body>\n\n</html>\n";
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('phpids'));
dvwaDatabaseConnect();
if (isset($_POST['Login'])) {
$user = $_POST['username'];
$user = stripslashes($user);
$user = mysql_real_escape_string($user);
$pass = $_POST['password'];
$pass = stripslashes($pass);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);
$qry = "SELECT * FROM `users` WHERE user='******' AND password='******';";
$result = @mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');
if ($result && mysql_num_rows($result) == 1) {
// Login Successful...
dvwaMessagePush("You have logged in as '" . $user . "'");
dvwaLogin($user);
dvwaRedirect('index.php');
}
// Login failed
dvwaMessagePush("Login failed");
dvwaRedirect('login.php');
}
$messagesHtml = messagesPopAllToHtml();
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
echo "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Damn Vulnerable Web App (DVWA) - Login</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div align=\"center\">\r\n\t\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\t\r\n\t<form action=\"login.php\" method=\"post\">\r\n\t\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\t\r\n\t\t\t\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t</form>\r\n\r\n\t\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\t\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t\r\n\t<p>Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project</p>\r\n\t\r\n\t</div> <!-- end align div -->\r\n\r\n\t</body>\r\n\r\n</html>\r\n";
function dvwaPageReload()
{
dvwaRedirect($_SERVER['PHP_SELF']);
}
function checkToken($user_token, $session_token, $returnURL)
{
# Validate the given (CSRF) token
if ($user_token !== $session_token || !isset($session_token)) {
dvwaMessagePush('CSRF token is incorrect');
dvwaRedirect($returnURL);
}
}
<?php
if (!isset($_GET['content'])) {
dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=7&content=chun");
}
$file = $_GET['content'];
//The page we wish to display
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 7';
$page['page_id'] = 'ctf';
$page['help_button'] = 'fi';
$page['source_button'] = 'fi';
@(include $file . '.php');
}
}
}
if ($_REQUEST['submit'] == 'del') {
$name = xlabGetSqli('name', $_GET);
$sql = "delete from config where name=\"{$name}\"";
echo $sql;
$result = mysql_query($sql);
if ($result) {
$html = "Delete sussfully!!!";
} else {
$html = "Delete fail!!!";
}
}
if ($_POST['submit'] == 'add') {
$name = xlabGetSqli('name', $_POST);
$value = xlabGetSqli('value', $_POST);
$desc = xlabGetSqli('desc', $_POST);
$sql = "insert into config values ('{$name}','{$value}','{$desc}')";
$result = mysql_query($sql);
if ($result) {
$html = "Insert sussfully!!!";
} else {
$html = "Insert fail!!!";
}
}
dvwaGetconfig();
dvwaRedirect("{$_DVWA['location']}/vulnerabilities/admin/");
}
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>System Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Setting Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Setting </td> \n\t\t<td>Values</td>\n\t\t<td>Act</td>\n\t\t</tr>\n\t\t{$config}\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"updata\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Add Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Value *</td> <td>\n\t\t<input name=\"value\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<input name=\"desc\" size=60></input></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"add\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t{$html}\n</div>\n";
dvwaHtmlEcho($page);
<?php
if (!isset($_GET['pict'])) {
dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=4&pict=hunter");
}
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Question 4';
$page['page_id'] = 'ctf';
$page['help_button'] = 'sqli';
$page['source_button'] = 'sqli';
$pict = strtolower($_GET['pict']);
$pict = str_replace("script", '*', $pict);
if (ereg("\" +onerror *= *alert\\(document\\.cookie\\)[>| +.*]", $pict)) {
require_once '../../hackable/ctf/ctf.php';
$html = xlabGetJs("alert('{$FLAG['xss']}')");
}
$magicQuotesWarningHtml = '';
//
$location = xlabGetLocation();
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>窃贼的密码</h1>\n\t<ul>\n\t<img src=\"../../hackable/ctf/q4/{$pict}.jpg\"></img>\n\t</ul>\n\t</br>\n\t<h3>\n\t<li>You Should Steal The Cookie</li>\n\t</h3>\n{$html}\n</div>\n";
<?php
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 10';
$page['page_id'] = 'ctf';
$page['help_button'] = 'brute';
$page['source_button'] = 'brute';
if (isset($_POST['submit']) and $_POST['submit'] == 'Login') {
if (!xlabautocode()) {
dvwaRedirect("./?pid=10&msg=check code error");
}
if ($_REQUEST['username'] != 'super') {
dvwaRedirect("./?pid=10&msg=uname error");
}
if ($_REQUEST['password'] != '1234qwer') {
dvwaRedirect("./?pid=10&msg=passwd error");
}
require_once '../../hackable/ctf/ctf.php';
$_GET['msg'] = $FLAG['brute'];
}
dvwaMessagePush(xlabGetXss('msg', $_GET));
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>一力降十会</h1>\n\t<div class=\"vulnerable_code_area\">\n\t<form action=\"#\" method=\"POST\">\n\t<label >Username:</label>\n\t<input type=\"text\" name=\"username\"></br></br>\n <label >Password:</label>\n <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password\"><br></br>\n <label >Authcode:</label>\n <input type=\"text\" name=\"authcode\"><br></br>\n <img onclick=newRandImg(); id='randImg' src=../checkcode.php><a<br></br>\n <input type=\"submit\" value=\"Login\" name=\"submit\" onclick='return checkvaild()'>\n </form>\n\t</div>\n{$html}\n<script>\n\tfunction newRandImg(){\n\t\tvar rm= new Date().getTime();\n\t document.getElementById('randImg').src='../checkcode.php?rm='+rm;\n\t document.getElementById('randImg').style.display='inline';\n\t}\n</script>\n</div>\n";
function checkTokens($token, $returnURL)
{
# Validate the Given TOKEN
if ($token !== $_SESSION['user_token']) {
dvwaRedirect($returnURL);
}
}
<?php
define('DVWA_WEB_PAGE_TO_ROOT', '../../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
dvwaDatabaseConnect();
if (isset($_GET['del'])) {
$name = xlabGetSqli('del', $_GET);
if ($name == dvwaGetuser() or xlabisadmin()) {
$sql = "DELETE FROM userflag WHERE user='******'";
$result = mysql_query($sql);
dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=delete {$name} succfully!!!");
} else {
dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=delete {$name} fail!!!");
}
}
