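<?php
/*
 * CTF question 4 ("You Should Steal The Cookie").
 *
 * Builds the page body around an image whose file name comes from the `pict`
 * query parameter, and reveals the XSS flag only when that parameter matches
 * the expected onerror payload shape. Relies on the DVWA page helpers
 * (dvwaRedirect, dvwaPageNewGrab, xlabGetJs) and the global $_DVWA config
 * being loaded before this script runs.
 */

// No `pict` given: send the visitor to the challenge's default image.
// NOTE(review): assumes dvwaRedirect() terminates the script — confirm.
if (!isset($_GET['pict'])) {
    dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=4&pict=hunter");
}

$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Question 4';
$page['page_id'] = 'ctf';
$page['help_button'] = 'sqli';
$page['source_button'] = 'sqli';

// Input filter: lower-case the value and mask the literal word "script".
// This is the whole of the filtering applied before the value reaches markup.
$pict = strtolower($_GET['pict']);
$pict = str_replace("script", '*', $pict);

// Always defined, so the body template below never reads an unset variable
// on requests that do not match the flag pattern.
$html = '';

// ereg() is deprecated since PHP 5.3 and removed in 7.0; this PCRE pattern is
// the literal translation of the former POSIX ERE (same escaped parentheses
// and dot, same bracket expression of literal characters).
if (preg_match('/" +onerror *= *alert\(document\.cookie\)[>| +.*]/', $pict)) {
    require_once '../../hackable/ctf/ctf.php';
    $html = xlabGetJs("alert('{$FLAG['xss']}')");
}

$magicQuotesWarningHtml = '';

// NOTE(review): $pict reaches the <img src> attribute unescaped. This is a
// CTF challenge page, so confirm whether that is intentional before hardening.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>窃贼的密码</h1>\n\t<ul>\n\t<img src=\"../../hackable/ctf/q4/{$pict}.jpg\"></img>\n\t</ul>\n\t</br>\n\t<h3>\n\t<li>You Should Steal The Cookie</li>\n\t</h3>\n{$html}\n</div>\n";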
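/**
 * Initialise per-request runtime state for the XLab/DVWA pages.
 *
 * Makes sure the session carries a security level and fills in the global
 * `$_DVWA` configuration defaults (location, database host, database
 * password, CTF password) that later code reads. Expects the helpers
 * dvwaSessionGrab(), xlabSetSecurity() and xlabGetLocation() and the global
 * $_DVWA array to be loaded beforehand.
 *
 * @return void
 */
function xlabInit() {
    global $_DVWA;

    // Session is taken by reference, matching how the rest of the code base
    // grabs it; only the security level is read here.
    $session =& dvwaSessionGrab();
    if (!isset($session['security'])) {
        xlabSetSecurity();
    }

    // Fill configuration defaults only where nothing usable was configured.
    // empty() is deliberate for the remaining keys: '' and '0' count as unset.
    if (!isset($_DVWA['location'])) {
        $_DVWA['location'] = xlabGetLocation();
    }
    if (empty($_DVWA['db_server'])) {
        $_DVWA['db_server'] = 'localhost';
    }
    // NOTE(review): the password defaults below appear redacted in this
    // listing. A hard-coded credential fallback is itself a risk — confirm the
    // deployed value is sourced from configuration rather than this file.
    if (empty($_DVWA['db_password'])) {
        $_DVWA['db_password'] = '******';
    }
    if (empty($_DVWA['ctf_password'])) {
        $_DVWA['ctf_password'] = '******';
    }
}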
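<?php
/*
 * CTF scoreboard action: delete a user's flag record.
 *
 * An authenticated user may delete their own record; an admin may delete any.
 * Every path ends in a redirect back to the score page with a status message
 * carried in the `msg` query parameter.
 */

define('DVWA_WEB_PAGE_TO_ROOT', '../../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

// Require a logged-in session (plus the PHPIDS hook) before opening the DB.
dvwaPageStartup(array('authenticated', 'phpids'));
dvwaDatabaseConnect();

if (isset($_GET['del'])) {
    $name = xlabGetSqli('del', $_GET);

    // Strict comparison for the authorisation check: with == a numeric-looking
    // or non-string value could compare equal to the current user's name.
    // Assumes both sides are strings — confirm what xlabGetSqli() returns.
    $isOwner = ($name === dvwaGetuser());

    if ($isOwner || xlabisadmin()) {
        // NOTE(review): the WHERE value is shown redacted in this listing. If
        // the deployed query interpolates $name it must be escaped or bound,
        // never concatenated — confirm against the real source.
        // mysql_query() itself is removed in PHP 7; a driver migration is out
        // of scope here.
        $sql = "DELETE FROM userflag WHERE user='******'";
        $result = mysql_query($sql);

        // mysql_query() returns false on error; report that rather than
        // claiming success regardless of outcome.
        $msg = ($result === false)
            ? "delete {$name} fail!!!"
            : "delete {$name} succfully!!!";
    } else {
        $msg = "delete {$name} fail!!!";
    }

    dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg={$msg}");
}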