function dvwaHtmlEcho($pPage) { $menuBlocks = array(); $menuBlocks['home'] = array(); $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); $menuBlocks['vulnerabilities'] = array(); $menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.'); #$menuBlocks['vulnerabilities'][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' ); $menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS reflected', 'url' => 'vulnerabilities/xss_r/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS stored', 'url' => 'vulnerabilities/xss_s/.'); if (dvwaIfWork()) { $menuBlocks['vulnerabilities'][] = array('id' => 'vulns', 'name' => 'Vulns', 'url' => 'vulnerabilities/vulns/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'work', 'name' => 'Work', 'url' => 'vulnerabilities/work/.'); } if (dvwaIsCtf()) { $menuBlocks['vulnerabilities'][] = array('id' => 'ctf', 'name' => 'CTF', 'url' => 'vulnerabilities/ctf/?pid=1'); $menuBlocks['vulnerabilities'][] = array('id' => 'submit', 'name' => 'Submit', 'url' => 'vulnerabilities/ctf/?pid=submit'); $menuBlocks['vulnerabilities'][] = array('id' => 'score', 'name' => 'Score', 'url' => 'vulnerabilities/ctf/?pid=score&name=' . dvwaCurrentUser()); } if (xlabisadmin()) { $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup', 'url' => 'setup.php'); $menuBlocks['home'][] = array('id' => 'admin', 'name' => 'Admin', 'url' => 'vulnerabilities/admin/.'); $menuBlocks['home'][] = array('id' => 'manager', 'name' => 'Manager', 'url' => 'vulnerabilities/admin/manager.php'); } $menuBlocks['meta'] = array(); $menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php'); $menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php'); $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php'); $menuBlocks['logout'] = array(); $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php'); $menuHtml = ''; foreach ($menuBlocks as $menuBlock) { $menuBlockHtml = ''; foreach ($menuBlock as $menuItem) { $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url']; $menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>"; } $menuHtml .= "<ul>{$menuBlockHtml}</ul>"; } // Get security cookie -- $securityLevelHtml = dvwaIsCtf() ? 'CTF' : dvwaSecurityLevelGet(); // -- END $phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled'); $userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser(); $AppModel = '<b>AppModel:</b> ' . dvwaGetModel(); $messagesHtml = messagesPopAllToHtml(); if ($messagesHtml) { $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>"; } $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br />{$AppModel}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>"; if ($pPage['source_button'] && !dvwaIsCtf()) { $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}"; } if ($pPage['help_button'] && !dvwaIsCtf()) { $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}"; } if (dvwaIsCtf()) { $addr = xlabGetLocation(); $systemInfoHtml = "<label for=\"QNUM\">CTF Numbers:</label><form action=\"{$addr}/vulnerabilities/ctf/\" method=\"GET\">" . dvwaGetlist() . "<input type=\"submit\" name=\"select\" value='select'>\n\t\t</form>" . "{$systemInfoHtml}"; $value = (isset($_GET['pid']) and is_numeric($_GET['pid'])) ? $_GET['pid'] : '1'; $ctfselect = xlabGetJs(xlabJqSelect("ctf_select", $value)); #$ctfselect="<script>document.getElementById('ctf_select').options[5].setAttribute('selected', 'selected');</script>"; } // Send Headers + main HTML code Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past echo "\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>{$pPage['title']}</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\n\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\n\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\n\n\t</head>\n\n\t<body class=\"home\">\n\t\t<div id=\"container\">\n\n\t\t\t<div id=\"header\">\n\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_menu\">\n\n\t\t\t\t<div id=\"main_menu_padded\">\n\t\t\t\t{$menuHtml}\n\t\t\t\t</div>\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_body\">\n\t\t\t\t<script src='../../dvwa/js/jquery.js' type='text/javascript' charset='utf-8'></script>\n\t\t\t\t{$pPage['body']}\n\t\t\t\n\t\t\t\t<br />\n\t\t\t\t<br />\n\t\t\t\t{$messagesHtml}\n\n\t\t\t</div>\n\n\t\t\t<div class=\"clear\">\n\t\t\t</div>\n\n\t\t\t<div id=\"system_info\">\n\t\t\t\t{$systemInfoHtml}\n\t\t\t</div>\n\n\t\t\t<div id=\"footer\">\n\t\t\t\t{$ctfselect}\n\t\t\t\t<p>HTJC SeclabX ASystem (XlabAS) v" . dvwaVersionGet() . "</p>\n\n\t\t\t</div>\n\n\t\t</div>\n\n\t</body>\n\n</html>"; }
<?php if (!isset($_GET['pict'])) { dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=4&pict=hunter"); } $page = dvwaPageNewGrab(); $page['title'] .= $page['title_separator'] . 'CTF Question 4'; $page['page_id'] = 'ctf'; $page['help_button'] = 'sqli'; $page['source_button'] = 'sqli'; $pict = strtolower($_GET['pict']); $pict = str_replace("script", '*', $pict); if (ereg("\" +onerror *= *alert\\(document\\.cookie\\)[>| +.*]", $pict)) { require_once '../../hackable/ctf/ctf.php'; $html = xlabGetJs("alert('{$FLAG['xss']}')"); } $magicQuotesWarningHtml = ''; // $location = xlabGetLocation(); $page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>窃贼的密码</h1>\n\t<ul>\n\t<img src=\"../../hackable/ctf/q4/{$pict}.jpg\"></img>\n\t</ul>\n\t</br>\n\t<h3>\n\t<li>You Should Steal The Cookie</li>\n\t</h3>\n{$html}\n</div>\n";