Example #1
0
function dvwaHtmlEcho($pPage)
{
    $menuBlocks = array();
    $menuBlocks['home'] = array();
    $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.');
    $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php');
    $menuBlocks['vulnerabilities'] = array();
    $menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.');
    #$menuBlocks['vulnerabilities'][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' );
    $menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php');
    $menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS reflected', 'url' => 'vulnerabilities/xss_r/.');
    $menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS stored', 'url' => 'vulnerabilities/xss_s/.');
    if (dvwaIfWork()) {
        $menuBlocks['vulnerabilities'][] = array('id' => 'vulns', 'name' => 'Vulns', 'url' => 'vulnerabilities/vulns/.');
        $menuBlocks['vulnerabilities'][] = array('id' => 'work', 'name' => 'Work', 'url' => 'vulnerabilities/work/.');
    }
    if (dvwaIsCtf()) {
        $menuBlocks['vulnerabilities'][] = array('id' => 'ctf', 'name' => 'CTF', 'url' => 'vulnerabilities/ctf/?pid=1');
        $menuBlocks['vulnerabilities'][] = array('id' => 'submit', 'name' => 'Submit', 'url' => 'vulnerabilities/ctf/?pid=submit');
        $menuBlocks['vulnerabilities'][] = array('id' => 'score', 'name' => 'Score', 'url' => 'vulnerabilities/ctf/?pid=score&name=' . dvwaCurrentUser());
    }
    if (xlabisadmin()) {
        $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup', 'url' => 'setup.php');
        $menuBlocks['home'][] = array('id' => 'admin', 'name' => 'Admin', 'url' => 'vulnerabilities/admin/.');
        $menuBlocks['home'][] = array('id' => 'manager', 'name' => 'Manager', 'url' => 'vulnerabilities/admin/manager.php');
    }
    $menuBlocks['meta'] = array();
    $menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php');
    $menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php');
    $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php');
    $menuBlocks['logout'] = array();
    $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php');
    $menuHtml = '';
    foreach ($menuBlocks as $menuBlock) {
        $menuBlockHtml = '';
        foreach ($menuBlock as $menuItem) {
            $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : '';
            $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'];
            $menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>";
        }
        $menuHtml .= "<ul>{$menuBlockHtml}</ul>";
    }
    // Get security cookie --
    $securityLevelHtml = dvwaIsCtf() ? 'CTF' : dvwaSecurityLevelGet();
    // -- END
    $phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled');
    $userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser();
    $AppModel = '<b>AppModel:</b> ' . dvwaGetModel();
    $messagesHtml = messagesPopAllToHtml();
    if ($messagesHtml) {
        $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>";
    }
    $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br />{$AppModel}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
    if ($pPage['source_button'] && !dvwaIsCtf()) {
        $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}";
    }
    if ($pPage['help_button'] && !dvwaIsCtf()) {
        $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}";
    }
    if (dvwaIsCtf()) {
        $addr = xlabGetLocation();
        $systemInfoHtml = "<label for=\"QNUM\">CTF Numbers:</label><form action=\"{$addr}/vulnerabilities/ctf/\" method=\"GET\">" . dvwaGetlist() . "<input type=\"submit\" name=\"select\" value='select'>\n\t\t</form>" . "{$systemInfoHtml}";
        $value = (isset($_GET['pid']) and is_numeric($_GET['pid'])) ? $_GET['pid'] : '1';
        $ctfselect = xlabGetJs(xlabJqSelect("ctf_select", $value));
        #$ctfselect="<script>document.getElementById('ctf_select').options[5].setAttribute('selected', 'selected');</script>";
    }
    // Send Headers + main HTML code
    Header('Cache-Control: no-cache, must-revalidate');
    // HTTP/1.1
    Header('Content-Type: text/html;charset=utf-8');
    // TODO- proper XHTML headers...
    Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
    // Date in the past
    echo "\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>{$pPage['title']}</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\n\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\n\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\n\n\t</head>\n\n\t<body class=\"home\">\n\t\t<div id=\"container\">\n\n\t\t\t<div id=\"header\">\n\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_menu\">\n\n\t\t\t\t<div id=\"main_menu_padded\">\n\t\t\t\t{$menuHtml}\n\t\t\t\t</div>\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_body\">\n\t\t\t\t<script  src='../../dvwa/js/jquery.js' type='text/javascript' charset='utf-8'></script>\n\t\t\t\t{$pPage['body']}\n\t\t\t\n\t\t\t\t<br />\n\t\t\t\t<br />\n\t\t\t\t{$messagesHtml}\n\n\t\t\t</div>\n\n\t\t\t<div class=\"clear\">\n\t\t\t</div>\n\n\t\t\t<div id=\"system_info\">\n\t\t\t\t{$systemInfoHtml}\n\t\t\t</div>\n\n\t\t\t<div id=\"footer\">\n\t\t\t\t{$ctfselect}\n\t\t\t\t<p>HTJC SeclabX ASystem (XlabAS)  v" . dvwaVersionGet() . "</p>\n\n\t\t\t</div>\n\n\t\t</div>\n\n\t</body>\n\n</html>";
}
Example #2
0
<?php

if (!isset($_GET['pict'])) {
    dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=4&pict=hunter");
}
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Question 4';
$page['page_id'] = 'ctf';
$page['help_button'] = 'sqli';
$page['source_button'] = 'sqli';
$pict = strtolower($_GET['pict']);
$pict = str_replace("script", '*', $pict);
if (ereg("\" +onerror *= *alert\\(document\\.cookie\\)[>| +.*]", $pict)) {
    require_once '../../hackable/ctf/ctf.php';
    $html = xlabGetJs("alert('{$FLAG['xss']}')");
}
$magicQuotesWarningHtml = '';
//
$location = xlabGetLocation();
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>窃贼的密码</h1>\n\t<ul>\n\t<img src=\"../../hackable/ctf/q4/{$pict}.jpg\"></img>\n\t</ul>\n\t</br>\n\t<h3>\n\t<li>You Should Steal The Cookie</li>\n\t</h3>\n{$html}\n</div>\n";