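/**
 * Truncate the PHPIDS log file when the request carries a `clear_log` query parameter.
 *
 * When the parameter is present the log is opened in write mode (which empties it),
 * a status message is queued and the page is reloaded. Without the parameter the
 * function does nothing.
 *
 * NOTE(review): this is a state-changing action driven by a plain GET parameter and
 * no anti-CSRF token check is visible in this function, so a cross-site request could
 * wipe the IDS log (i.e. detection evidence). Consider requiring POST plus a token
 * check at the call site — confirm against the callers.
 */
function dvwaClearIdsLog()
{
    if (!isset($_GET['clear_log'])) {
        return;
    }

    // The mode must be the string 'w'. The original passed a bare `w`, which is an
    // undefined constant: a fatal Error on PHP 8 and a notice/warning before that.
    $fp = fopen(DVWA_WEB_PAGE_TO_PHPIDS_LOG, 'w');
    if ($fp === false) {
        // Do not report success (or call fclose() on false) when the log could not be opened.
        dvwaMessagePush("PHPIDS log could not be cleared");
        dvwaPageReload();
        return;
    }
    fclose($fp);

    dvwaMessagePush("PHPIDS log cleared");
    dvwaPageReload();
}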
Exemple #2
 /**
  * Run the login query against PostgreSQL and start a session when exactly one row matches.
  *
  * The query text is masked ("******") on this page, so how $user and $pass enter the
  * statement cannot be reviewed from here; $pass is not referenced by the visible code.
  *
  * NOTE(review): a failed query prints pg_last_error() to the client, which discloses
  * database details; logging server-side and showing a generic message would be safer.
  * NOTE(review): $user is concatenated into the status message as-is; whether
  * dvwaMessagePush() HTML-encodes it is not visible here — confirm.
  */
 function db_login($user, $pass)
 {
     $login = "******";

     $result = @pg_query($login);
     if (!$result) {
         die('<pre>' . pg_last_error() . '</pre>');
     }

     // Anything other than a single matching row is not treated as a login.
     if (pg_num_rows($result) != 1) {
         return;
     }

     // Single match: announce it, mark the session as logged in, go to the index page.
     dvwaMessagePush("You have logged in as '" . $user . "'");
     dvwaLogin($user);
     dvwaRedirect('index.php');
 }
Exemple #3
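dvwaGetconfig();
#dvwadebug();
// Registration handler: runs when the form below is posted with the `reg` button.
if (isset($_POST['reg'])) {
    // Missing or non-string (array) fields are treated as empty so they fail validation
    // instead of raising notices or reaching trim() as arrays.
    $user = (isset($_POST['username']) && is_string($_POST['username'])) ? trim($_POST['username']) : '';
    $user = stripslashes($user);
    $user = mysql_real_escape_string($user);
    $pass = (isset($_POST['password']) && is_string($_POST['password'])) ? trim($_POST['password']) : '';
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);
    // NOTE(review): unsalted MD5 is not a password hash; password_hash()/password_verify()
    // would be the fix, but the login query compares MD5 digests, so both sides must change together.
    $pass_md5 = md5($pass);
    // NOTE(review): the INSERT has no column list and relies on the table's column order.
    $insert_md5 = "insert into users values ('','{$user}','{$user}','{$user}','{$pass_md5}','dvwa/hackable/users/gordonb.jpg')";
    // The confirmation check uses ===: with ==, two different numeric-looking strings
    // (for example "1e1" and "10") compare equal, so a mistyped confirmation could pass.
    if (
        $user !== ''
        && $pass !== ''
        && isset($_POST['password2'])
        && is_string($_POST['password2'])
        && $_POST['password'] === $_POST['password2']
    ) {
        // Registration accepted: store the account.
        // NOTE(review): mysql_error() is echoed to the client on failure, which discloses database details.
        $result_md5 = @mysql_query($insert_md5) or die('<pre>' . mysql_error() . '</br>insert fail,again!!</pre>');
        // NOTE(review): the failure path below only makes sense if dvwaRedirect() ends the
        // request; if it does, the three statements after this redirect never run
        // (no message, no dvwaLogin). Statement order is kept as found — confirm the intent.
        dvwaRedirect('index.php');
        dvwaMessagePush("You have reg succfully for '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('login.php');
    }
    // Registration rejected
    dvwaMessagePush("reg failed");
    dvwaRedirect('reg.php');
}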
// Render the registration page: drain the queued status messages, send the
// no-cache headers, then emit the whole XHTML document as one string.
// NOTE(review): $messagesHtml is interpolated into the page as-is; whether
// messagesPopAllToHtml() HTML-encodes queued messages (which can contain the
// submitted username) is not visible here — confirm.
$messagesHtml = messagesPopAllToHtml();
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
// The form posts to reg.php; no anti-CSRF token field is emitted by this template.
echo "\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>XLABAS - REG</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\n\n\t</head>\n\n\t<body>\n\n\t<div align=\"center\">\n\t\n\t<br />\n\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\n\n\t<br />\n\t\n\t<form action=\"reg.php\" method=\"post\">\n\t\n\t<fieldset>\n\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\n\t\n\t\t\t\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\n\t\t\t\n\t\t\t<label for=\"pass\">Password2</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password2\"><br />\n\t\t\t\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Reg\" name=\"reg\"></p>\n\n\t</fieldset>\n\n\t</form>\n\n\t\n\t<br />\n\n\t{$messagesHtml}\n\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\t\n\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\n\t\n\t<p>Damn HTJC SeclabX ASystem (XlabAS)  is a RandomStorm OpenSource project</p>\n\t\n\t</div> <!-- end align div -->\n\n\t</body>\n\n</html>\n";
Exemple #4
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
// Bring up the page framework (with the 'phpids' option) and the database connection.
dvwaPageStartup(array('phpids'));
dvwaDatabaseConnect();

// Login handler: runs when the form is posted with the `Login` button.
if (isset($_POST['Login'])) {
    // Username: strip slashes, then escape for use inside a MySQL string literal.
    $user = mysql_real_escape_string(stripslashes($_POST['username']));

    // Password: same normalisation, then reduced to its MD5 hex digest.
    // NOTE(review): unsalted MD5 is not a password hash; see password_hash()/password_verify().
    $pass = md5(mysql_real_escape_string(stripslashes($_POST['password'])));

    // The query text is masked ("******") on this page, so the way $user and $pass
    // enter the statement cannot be reviewed from here.
    $qry = "SELECT * FROM `users` WHERE user='******' AND password='******';";

    $result = @mysql_query($qry);
    if (!$result) {
        // NOTE(review): the raw database error is sent to the client.
        die('<pre>' . mysql_error() . '</pre>');
    }

    if (mysql_num_rows($result) == 1) {
        // Exactly one matching row: treat as a successful login.
        dvwaMessagePush("You have logged in as '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('index.php');
    }

    // Reached on failure; presumably dvwaRedirect() ends the request on success,
    // otherwise a successful login would also queue this message — confirm.
    dvwaMessagePush("Login failed");
    dvwaRedirect('login.php');
}
// Render the login page: drain the queued status messages, send the no-cache
// headers, then emit the whole XHTML document as one string.
// NOTE(review): $messagesHtml is interpolated into the page as-is; whether
// messagesPopAllToHtml() HTML-encodes queued messages (which can contain the
// submitted username) is not visible here — confirm.
$messagesHtml = messagesPopAllToHtml();
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT");
// Date in the past
// The form posts to login.php; no anti-CSRF token field is emitted by this template.
echo "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Damn Vulnerable Web App (DVWA) - Login</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div align=\"center\">\r\n\t\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\t\r\n\t<form action=\"login.php\" method=\"post\">\r\n\t\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\t\r\n\t\t\t\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t</form>\r\n\r\n\t\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\t\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t\r\n\t<p>Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project</p>\r\n\t\r\n\t</div> <!-- end align div -->\r\n\r\n\t</body>\r\n\r\n</html>\r\n";
Exemple #5
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);
    $query = "SELECT table_schema, table_name, create_time\r\n\t\t\t\tFROM information_schema.tables\r\n\t\t\t\tWHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'\r\n\t\t\t\tLIMIT 1";
    $result = @mysql_query($query);
    if (mysql_num_rows($result) != 1) {
        dvwaMessagePush("First time using DVWA.<br />Need to run 'setup.php'.");
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'setup.php');
    }
    $query = "SELECT * FROM `users` WHERE user='******' AND password='******';";
    $result = @mysql_query($query) or die('<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>');
    if ($result && mysql_num_rows($result) == 1) {
        // Login Successful...
        dvwaMessagePush("You have logged in as '{$user}'");
        dvwaLogin($user);
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'index.php');
    }
    // Login failed
    dvwaMessagePush('Login failed');
    dvwaRedirect('login.php');
}
// Render the login page: drain the queued status messages, send the no-cache
// headers, issue a session token, then emit the whole XHTML document as one string.
// NOTE(review): $messagesHtml is interpolated into the page as-is; whether
// messagesPopAllToHtml() HTML-encodes queued messages (which can contain the
// submitted username) is not visible here — confirm.
$messagesHtml = messagesPopAllToHtml();
Header('Cache-Control: no-cache, must-revalidate');
// HTTP/1.1
Header('Content-Type: text/html;charset=utf-8');
// TODO- proper XHTML headers...
Header('Expires: Tue, 23 Jun 2009 12:00:00 GMT');
// Date in the past
// Anti-CSRF
// The token is generated before the form is built; tokenField() places it inside the
// login form. The matching check on submit is not visible in this excerpt.
generateSessionToken();
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Login :: Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div id=\"wrapper\">\r\n\r\n\t<div id=\"header\">\r\n\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\r\n\t</div> <!--<div id=\"header\">-->\r\n\r\n\t<div id=\"content\">\r\n\r\n\t<form action=\"login.php\" method=\"post\">\r\n\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\r\n\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\r\n\t\t\t<br />\r\n\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t" . tokenField() . "\r\n\r\n\t</form>\r\n\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t</div > <!--<div id=\"content\">-->\r\n\r\n\t<div id=\"footer\">\r\n\r\n\t<p>" . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)') . " is a RandomStorm OpenSource project.</p>\r\n\r\n\t</div> <!--<div id=\"footer\"> -->\r\n\r\n\t</div> <!--<div id=\"wrapper\"> -->\r\n\r\n\t</body>\r\n\r\n</html>";
Exemple #6
<?php

// Logout page. The relative path to the application root is empty here, so the
// include below resolves against the current directory.
const DVWA_WEB_PAGE_TO_ROOT = '';
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('phpids'));
// Visitors without a session are sent straight to the login page.
// presumably dvwaRedirect() ends the request; otherwise execution would fall
// through to dvwaLogout() below — confirm.
if (!dvwaIsLoggedIn()) {
    // The user shouldn't even be on this page
    //dvwaMessagePush( "You were not logged in" );
    dvwaRedirect('login.php');
}
// End the session, queue a confirmation message and return to the login page.
// NOTE(review): logout is triggered by simply requesting this page; no anti-CSRF
// token is checked in the visible code.
dvwaLogout();
dvwaMessagePush("You have logged out");
dvwaRedirect('login.php');
Exemple #7
<?php

// Setup page bootstrap: empty root prefix, shared page library, page descriptor.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['title'] = 'Setup' . $page['title_separator'] . $page['title'];
$page['page_id'] = 'setup';

// "Create / Reset Database" was submitted.
if (isset($_POST['create_db'])) {
    // Anti-CSRF: the submitted token must match the one stored in the session
    // before any database work is started.
    checkToken($_REQUEST['user_token'], $_SESSION['session_token'], 'setup.php');

    // Dispatch on the configured backend. switch compares loosely, like the
    // == comparisons it replaces.
    switch ($DBMS) {
        case 'MySQL':
            include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
            break;

        case 'PGSQL':
            // include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/PGSQL.php';
            dvwaMessagePush('PostgreSQL is not yet fully supported.');
            dvwaPageReload();
            break;

        default:
            dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
            dvwaPageReload();
            break;
    }
}

// Anti-CSRF: issue the token that the form rendered below will carry.
generateSessionToken();
// Append the setup page body: instructions, the "Setup Check" status block and the
// create/reset form (which carries the anti-CSRF field from tokenField()).
// NOTE(review): the body prints the resolved path of config.inc.php and interpolates
// status variables such as $MYSQL_USER, $MYSQL_PASS, $MYSQL_DB and $MYSQL_SERVER that
// are assigned elsewhere. If those hold real connection values, this page discloses
// them to whoever can reach it — confirm what they contain and who can load setup.php.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>\n\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />\n\tIf you get an error make sure you have the correct user credentials in: <em>" . realpath(getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php") . "</em></p>\n\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\n\t<hr />\n\t<br />\n\n\t<h2>Setup Check</h2>\n\n\t{$DVWAOS}<br />\n\tBackend database: <em>{$DBMS}</em><br />\n\tPHP version: <em>" . phpversion() . "</em><br />\n\t<br />\n\t{$SERVER_NAME}<br />\n\t<br />\n\t{$phpDisplayErrors}<br />\n\t{$phpSafeMode}<br/ >\n\t{$phpURLInclude}<br/ >\n\t{$phpURLFopen}<br />\n\t{$phpMagicQuotes}<br />\n\t{$phpGD}<br />\n\t{$phpMySQL}<br />\n\t{$phpPDO}<br />\n\t<br />\n\t{$MYSQL_USER}<br />\n\t{$MYSQL_PASS}<br />\n\t{$MYSQL_DB}<br />\n\t{$MYSQL_SERVER}<br />\n\t<br />\n\t{$DVWARecaptcha}<br />\n\t<br />\n\t{$DVWAUploadsWrite}<br />\n\t{$DVWAPHPWrite}<br />\n\t<br />\n\t<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />\n\t<br /><br /><br />\n\n\t<!-- Create db button -->\n\t<form action=\"#\" method=\"post\">\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\n\t\t" . tokenField() . "\n\t</form>\n\t<br />\n\t<hr />\n</div>";
// Hand the assembled page descriptor to the shared renderer.
dvwaHtmlEcho($page);
Exemple #8
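/**
 * Open the database connections for the configured backend.
 *
 * Reads the globals $_DVWA (connection settings), $DBMS (backend name) and
 * $DBMS_connError (message shown on connection failure), and writes the global
 * $db (a PDO handle) for the MySQL backend.
 *
 * - MySQL: opens the legacy mysql_* connection and a PDO connection with exceptions
 *   enabled and emulated prepares turned off.
 * - PGSQL: not supported; queues a message and reloads the page.
 * - anything else: terminates the script.
 *
 * A failed PDO connection is handled like a failed mysql_connect(): the configured
 * error message is queued and the user is sent to setup.php. Previously the
 * PDOException was left uncaught, and an uncaught exception from the PDO constructor
 * can print a stack trace that includes the constructor arguments (the database user
 * and password) when error display is on.
 */
function dvwaDatabaseConnect()
{
    global $_DVWA;
    global $DBMS;
    global $DBMS_connError;
    global $db;

    if ($DBMS == 'MySQL') {
        if (!@mysql_connect($_DVWA['db_server'], $_DVWA['db_user'], $_DVWA['db_password']) || !@mysql_select_db($_DVWA['db_database'])) {
            //die( $DBMS_connError );
            dvwaMessagePush($DBMS_connError);
            dvwaRedirect('setup.php');
        }

        // MySQL PDO Prepared Statements (high levels)
        try {
            $db = new PDO('mysql:host=' . $_DVWA['db_server'] . ';dbname=' . $_DVWA['db_database'] . ';charset=utf8', $_DVWA['db_user'], $_DVWA['db_password']);
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // Real server-side prepares, so bound parameters are never spliced into SQL text.
            $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        } catch (PDOException $e) {
            // Keep the detail in the server log only; the client sees the configured message.
            error_log('dvwaDatabaseConnect: PDO connection failed: ' . $e->getMessage());
            $db = null;
            dvwaMessagePush($DBMS_connError);
            dvwaRedirect('setup.php');
        }
    } elseif ($DBMS == 'PGSQL') {
        //$dbconn = pg_connect("host={$_DVWA[ 'db_server' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ])}"
        //or die( $DBMS_connError );
        dvwaMessagePush('PostgreSQL is not yet fully supported.');
        dvwaPageReload();
    } else {
        die('Unknown $DBMS selected');
    }
}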
Exemple #9
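/**
 * Validate the anti-CSRF token submitted with a request against the session's token.
 *
 * On a match the function returns without side effects. Otherwise it queues the
 * message 'CSRF token is incorrect' and redirects to $returnURL.
 *
 * A token pair is accepted only when both values are strings, the session token is
 * non-empty, and the two are equal. This rejects the case where the session holds an
 * empty token and the request supplies an empty one, and it keeps array-valued
 * request parameters away from the comparison.
 *
 * @param mixed  $user_token    Token taken from the request.
 * @param mixed  $session_token Token stored in the session (may be unset/null).
 * @param string $returnURL     Where to send the client when validation fails.
 */
function checkToken($user_token, $session_token, $returnURL)
{
    $tokenOk = false;

    if (is_string($user_token) && is_string($session_token) && $session_token !== '') {
        // hash_equals() compares in constant time; fall back to === on PHP builds
        // that predate it.
        $tokenOk = function_exists('hash_equals')
            ? hash_equals($session_token, $user_token)
            : $user_token === $session_token;
    }

    if (!$tokenOk) {
        dvwaMessagePush('CSRF token is incorrect');
        dvwaRedirect($returnURL);
    }
}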
Exemple #10
    $result = @mysql_query($sql);
    if ($result) {
        $html .= "delete sussfully!!!";
    } else {
        $html .= "delete fail!!!";
    }
}
if (isset($_POST['submit'])) {
    $vname = xlabGetSqli('name', $_POST);
    $site = xlabGetSqli('site', $_POST);
    $vdesc = xlabGetSqli('desc', $_POST);
    $risk = xlabGetSqli('risk', $_POST);
    $risk = $risk == 'all' ? 'low' : $risk;
    if ($vname == '' or $site == '' or $vdesc == '') {
        $html = "submit vulns fail!!!";
        dvwaMessagePush($html);
    } else {
        $user = dvwaCurrentUser();
        $result = mysql_query("select serial from vulns where date=date(now()) order by serial desc;");
        $num = mysql_numrows($result);
        if ($num > 0) {
            $serial = mysql_result($result, 0, "serial") + 1;
        } else {
            $serial = 1;
        }
        $sserial = sprintf("%02d", $serial);
        $vid = "HTJC-SL" . date('Ymd') . "-" . $sserial;
        if ($dvwaSession['config']['vid'] == '2' && isset($_POST['vid'])) {
            $vid = $_POST['vid'];
        }
        $sql = "insert into vulns values('{$vid}',now(),'{$serial}','{$user}','{$site}','{$vname}','{$vdesc}','{$risk}')";
Exemple #11
            $securityLevel = 'medium';
            break;
    }
    dvwaSecurityLevelSet($securityLevel);
    dvwaMessagePush("Security level set to {$securityLevel}");
    dvwaPageReload();
}
// PHPIDS toggle: ?phpids=on / ?phpids=off switches the IDS and reloads the page.
// Any other value just reloads.
// NOTE(review): the IDS can be switched off by a plain GET request and no anti-CSRF
// token check is visible in this excerpt — a cross-site request could disable it.
if (isset($_GET['phpids'])) {
    if ($_GET['phpids'] == 'on') {
        dvwaPhpIdsEnabledSet(true);
        dvwaMessagePush("PHPIDS is now enabled");
    } elseif ($_GET['phpids'] == 'off') {
        dvwaPhpIdsEnabledSet(false);
        dvwaMessagePush("PHPIDS is now disabled");
    }
    dvwaPageReload();
}
// Build the <option> list for the security-level selector and a sentence naming the
// level currently in effect. The candidate levels are fixed strings, so nothing
// request-derived is interpolated into this markup.
$securityLevelHtml = '';
$securityOptionsHtml = '';
foreach (array('low', 'medium', 'high') as $securityLevel) {
    if ($securityLevel == dvwaSecurityLevelGet()) {
        // Active level: pre-select its option and remember the status line.
        $securityLevelHtml = "<p>Security Level is currently <em>{$securityLevel}</em>.<p>";
        $selected = ' selected="selected"';
    } else {
        $selected = '';
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>{$securityLevel}</option>";
}
// Prefix of the PHPIDS status line; the remainder is appended outside this excerpt.
$phpIdsHtml = 'PHPIDS is currently ';
Exemple #12
    dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error());
    dvwaPageReload();
}
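dvwaMessagePush("la tabla 'users' ha sido creada.");
// Insert some data into users
// Get the base directory for the avatar media...
$baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . ':8080' . $_SERVER['PHP_SELF'];
// If the marker is not found strpos() returns false and substr() then yields an
// empty prefix, leaving a relative avatar path.
$stripPos = strpos($baseUrl, 'Cross-Site-Scripting/setup.php');
$baseUrl = substr($baseUrl, 0, $stripPos) . 'Cross-Site-Scripting/hackable/users/';
// SERVER_NAME can reflect the client-supplied Host header on some server
// configurations, so the value is escaped before it is placed inside the SQL
// string literals below.
$baseUrl = mysql_real_escape_string($baseUrl);
// NOTE(review): the seed accounts use unsalted MD5 and well-known passwords; that is
// only acceptable on an isolated training instance.
$insert = "INSERT INTO users VALUES\r\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'),\r\n\t('2','Bolivar','Cortes','Bholy10',MD5('abc123'),'{$baseUrl}gordonb.jpg'),\r\n\t('3','Viviana','Castillo','Vivi',MD5('charley'),'{$baseUrl}1337.jpg'),\r\n\t('4','Samuel','Labrador','Sami',MD5('letmein'),'{$baseUrl}pablo.jpg'),\r\n\t('5','Jose','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');";
// NOTE(review): each failure path shows mysql_error() to the user, and presumably
// relies on dvwaPageReload() ending the request so the next step does not run — confirm.
if (!mysql_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Datos insertados en la tabla 'users'.");
// Create guestbook table
$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
if (!mysql_query($create_tb_guestbook)) {
    dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("la tabla 'guestbook' ha sido creada.");
// Insert data into 'guestbook'
$insert = "INSERT INTO guestbook VALUES\r\n('1','Esto es un comentario de prueba.','test');";
if (!mysql_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Datos insertados en la tabla 'guestbook'.");
// Done
dvwaMessagePush("Setup realizado!");
dvwaPageReload();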
Exemple #13
<?php

// CTF challenge page 10: a login form guarded by a check code, with fixed
// challenge credentials compared in this file.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 10';
$page['page_id'] = 'ctf';
$page['help_button'] = 'brute';
$page['source_button'] = 'brute';
if (isset($_POST['submit']) and $_POST['submit'] == 'Login') {
    // Each failed check redirects with its own `msg` value.
    // presumably dvwaRedirect() ends the request; otherwise the later checks and the
    // flag assignment would still run after a failure — confirm.
    // NOTE(review): distinct messages for a wrong username and a wrong password tell
    // the client which field failed.
    if (!xlabautocode()) {
        dvwaRedirect("./?pid=10&msg=check code error");
    }
    // Credentials are read from $_REQUEST (not only the POST body) and compared
    // loosely against hard-coded challenge values.
    if ($_REQUEST['username'] != 'super') {
        dvwaRedirect("./?pid=10&msg=uname error");
    }
    if ($_REQUEST['password'] != '1234qwer') {
        dvwaRedirect("./?pid=10&msg=passwd error");
    }
    // All checks passed: load the flag table and place the flag in $_GET['msg'] so
    // the message push below displays it.
    require_once '../../hackable/ctf/ctf.php';
    $_GET['msg'] = $FLAG['brute'];
}
// The `msg` query parameter is fetched through xlabGetXss() before being queued;
// what that helper filters is not visible here.
dvwaMessagePush(xlabGetXss('msg', $_GET));
// $html is interpolated below but is not assigned anywhere in this excerpt — confirm
// it is defined by the including script.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>一力降十会</h1>\n\t<div class=\"vulnerable_code_area\">\n\t<form action=\"#\" method=\"POST\">\n\t<label >Username:</label>\n\t<input type=\"text\"  name=\"username\"></br></br>\n    <label >Password:</label>\n    <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password\"><br></br>\n    <label >Authcode:</label>\n    <input type=\"text\"  name=\"authcode\"><br></br>\n    <img onclick=newRandImg(); id='randImg' src=../checkcode.php><a<br></br>\n    <input type=\"submit\" value=\"Login\" name=\"submit\" onclick='return checkvaild()'>\n    </form>\n\t</div>\n{$html}\n<script>\n\tfunction newRandImg(){\n\t\tvar rm= new Date().getTime();\n\t    document.getElementById('randImg').src='../checkcode.php?rm='+rm;\n\t    document.getElementById('randImg').style.display='inline';\n\t}\n</script>\n</div>\n";
            $securityLevel = 'medium';
            break;
    }
    dvwaSecurityLevelSet($securityLevel);
    dvwaMessagePush("El nivel de Seguridad configurado a {$securityLevel}");
    dvwaPageReload();
}
// PHPIDS toggle: ?phpids=on / ?phpids=off switches the IDS and reloads the page.
// Any other value just reloads.
// NOTE(review): the IDS can be switched off by a plain GET request and no anti-CSRF
// token check is visible in this excerpt — a cross-site request could disable it.
if (isset($_GET['phpids'])) {
    if ($_GET['phpids'] == 'on') {
        dvwaPhpIdsEnabledSet(true);
        dvwaMessagePush("PHPIDS esta activado");
    } elseif ($_GET['phpids'] == 'off') {
        dvwaPhpIdsEnabledSet(false);
        dvwaMessagePush("PHPIDS esta desactivado");
    }
    dvwaPageReload();
}
// Build the <option> list for the security-level selector and a sentence naming the
// level currently in effect. The candidate levels are fixed strings, so nothing
// request-derived is interpolated into this markup.
$securityLevelHtml = '';
$securityOptionsHtml = '';
foreach (array('low', 'medium', 'high') as $securityLevel) {
    if ($securityLevel == dvwaSecurityLevelGet()) {
        // Active level: pre-select its option and remember the status line.
        $securityLevelHtml = "<p>El nivel de Seguridad actualmente es: <em>{$securityLevel}</em>.<p>";
        $selected = ' selected="selected"';
    } else {
        $selected = '';
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>{$securityLevel}</option>";
}
// Prefix of the PHPIDS status line; the remainder is appended outside this excerpt.
$phpIdsHtml = 'PHPIDS is currently ';
Exemple #15
<?php

// CTF challenge page 11 (code audit): the checks below are also printed inside an
// HTML comment in the page body, so the two copies are meant to stay in step.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 11';
$page['page_id'] = 'ctf';
$page['help_button'] = 'audit';
$page['source_button'] = 'audit';
//
// Loads the flag table ($FLAG) used below.
require_once '../../hackable/ctf/ctf.php';
//cookie: seclab_ctf_11=111111222222333333
//auth=1412148&encode=YzJWamJHRmllRjlqZEdaZk1URT0=
// $_POST['submit'], the cookie and the other POST fields are read without isset(),
// so a plain GET of this page raises undefined-index notices. All comparisons are
// loose (==).
if ($_POST['submit'] == 'check') {
    if ($_COOKIE['seclab_ctf_11'] == '111111222222333333') {
        // >> binds tighter than ==, so this is ((auth ^ 0x1234) >> 6) == 0x5678.
        if (((int) $_POST['auth'] ^ 0x1234) >> 0x6 == 0x5678) {
            if (base64_decode($_POST['encode']) == base64_encode("seclabx_ctf_11")) {
                $flag = $FLAG['audit'];
                $vaild = 1;
            }
        }
    }
}
// $vaild is only set on the success path; empty() also covers the undefined case.
if (empty($vaild)) {
    $flag = "You have must input vaild parameter";
}
dvwaMessagePush($flag);
$page['body'] .= "\n<div class=\"body_padded\">\n<h1>你看的懂?</h1>\n<img width=100% heigh=100% src=../../hackable/ctf/q11/bloodelves.jpg>\n<!--\nif(\$_POST['submit']=='check'){\n\tif(\$_COOKIE['seclab_ctf_11']=='111111222222333333'){\n\t\tif(((int)\$_POST['auth'] ^ 0x1234) >> 0x6 == 0x5678){\n\t\t\tif(base64_decode(\$_POST['encode'])==base64_encode(\"seclabx_ctf_11\")){\n\t\t\t\t\$flag=\$FLAG['audit'];\n\t\t\t\t\$vaild=1;\n\t\t\t}\n\t\t}\n\t}\n}\nif(empty(\$vaild)){\n\t\$flag=\"You have must input vaild parameter\";\n}\n-->\n</div>\n";
Exemple #16
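// Insert some data into users
// Get the base directory for the avatar media...
$baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
// If 'setup.php' is not found strpos() returns false and substr() then yields an
// empty prefix, leaving a relative avatar path.
$stripPos = strpos($baseUrl, 'setup.php');
$baseUrl = substr($baseUrl, 0, $stripPos) . 'hackable/users/';
// SERVER_NAME can reflect the client-supplied Host header on some server
// configurations, so the value is escaped before it is placed inside the SQL
// string literals below.
$baseUrl = mysql_real_escape_string($baseUrl);
// NOTE(review): the seed accounts use unsalted MD5 and well-known passwords; that is
// only acceptable on an isolated training instance.
$insert = "INSERT INTO users VALUES\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'),\n\t('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'),\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'),\n\t('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');";
// NOTE(review): each failure path shows mysql_error() to the user, and presumably
// relies on dvwaPageReload() ending the request so the next step does not run — confirm.
if (!mysql_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'users' table.");
// Create guestbook table
$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
if (!mysql_query($create_tb_guestbook)) {
    dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("'guestbook' table was created.");
// Insert data into 'guestbook'
$insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');";
if (!mysql_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'guestbook' table.");
// Done
dvwaMessagePush("<em>Setup successful</em>!");
// These messages carry literal markup and a script element, so the message renderer
// evidently outputs queued messages as raw HTML; anything request-derived that is
// pushed elsewhere needs encoding before it is queued.
if (!dvwaIsLoggedIn()) {
    dvwaMessagePush("Please <a href='login.php'>login</a>.<script>setTimeout(function(){window.location.href='login.php'},5000);</script>");
}
dvwaPageReload();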
Exemple #17
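// Get the base directory for the avatar media...
$baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
// If the marker is not found strpos() returns false and substr() then yields an
// empty prefix, leaving a relative avatar path.
$stripPos = strpos($baseUrl, 'dvwa/setup.php');
$baseUrl = substr($baseUrl, 0, $stripPos) . 'dvwa/hackable/users/';
// SERVER_NAME can reflect the client-supplied Host header on some server
// configurations, so the value is escaped before it is placed inside the SQL
// string literals below.
$baseUrl = pg_escape_string($baseUrl);
// NOTE(review): the seed accounts use unsalted MD5 and well-known passwords; that is
// only acceptable on an isolated training instance.
$insert = "INSERT INTO users VALUES\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'),\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg'),\n\t('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg'),\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg'),\n\t('5','bob','smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');";
// NOTE(review): each failure path shows pg_last_error() to the user, and presumably
// relies on dvwaPageReload() ending the request so the next step does not run — confirm.
if (!pg_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'users' table.");
// Create guestbook table
$drop_table = "DROP table IF EXISTS guestbook;";
if (!@pg_query($drop_table)) {
    // The statement drops 'guestbook'; the message previously named the users table.
    dvwaMessagePush("Could not drop existing guestbook table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
$create_tb_guestbook = "CREATE TABLE guestbook (comment text, name text, comment_id SERIAL PRIMARY KEY);";
if (!pg_query($create_tb_guestbook)) {
    dvwaMessagePush("guestbook table could not be created<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("'guestbook' table was created.");
// Insert data into 'guestbook'
$insert = "INSERT INTO guestbook (comment, name) VALUES('This is a test comment.','admin')";
if (!pg_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'guestbook' table.");
dvwaMessagePush("Setup successful!");
dvwaPageReload();
// NOTE(review): $dbconn is not assigned in this excerpt, and this line is only
// reached if dvwaPageReload() returns — confirm both.
pg_close($dbconn);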
Exemple #18
    $num = mysql_numrows($result);
    $i = 0;
    while ($i < $num) {
        $pid = mysql_result($result, $i, "pid");
        $user = mysql_result($result, $i, "user");
        $flag = mysql_result($result, $i, "flag");
        $status = mysql_result($result, $i, "status");
        $html .= "</tr><td>{$pid}</td><td>{$user}</td><td>{$flag}</td><td>{$status}</td></tr>";
        $i++;
    }
    return "\n\t<table border=1 width=100%>\n\t<tr>\n\t<th>Pid</th><th>User</th><th>Flag</th><th>Status</th>\n\t</tr>\n\t{$html}\n\t</table>";
}
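// "View Score" page: shows either the ranking table or one user's flags.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'View Score';
$page['page_id'] = 'score';
$page['help_button'] = 'score';
$page['source_button'] = 'score';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// NOTE(review): the raw `msg` query parameter is queued for display. Unless the
// message renderer HTML-encodes its input (not visible here), this reflects
// request data into the page; another page in this application passes `msg`
// through xlabGetXss() first — confirm which is intended.
dvwaMessagePush(isset($_GET['msg']) ? $_GET['msg'] : null);
// Default, so the template never interpolates an undefined variable when a
// `view` request is refused.
$table = '';
if (isset($_GET['view'])) {
    // Ownership check: the requested name must be a non-empty string identical to
    // the current user's name. The previous loose == let different numeric-looking
    // strings compare equal and let an empty `view` match an empty current user.
    if (
        (is_string($_GET['view']) && $_GET['view'] !== '' && $_GET['view'] === (string) dvwaGetuser())
        || xlabisadmin()
    ) {
        $table = getuserflag(xlabGetSqli('view', $_GET));
    }
} else {
    $table = getuserranking();
}
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>View Score</h1>\n\n\t{$magicQuotesWarningHtml}\n\n\t<div >\n\t{$table}\n\t</div>\n</div>\n";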