コード例 #1
ファイル: index.php プロジェクト: seclabx/xlabas
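/**
 * Build the HTML table rows for the vulnerability search results.
 *
 * Reads the search filters (name, key, from, to, risk) from $_POST, selects at
 * most 50 rows from `vulns` ordered by date descending, and renders one table
 * row per match with "detail" and "delete" links.
 *
 * When no name/key/from/to filter is supplied, the author filter defaults to
 * the current user. For the "admin" user the author filter is always cleared,
 * as the original admin branch did.
 *
 * NOTE(review): the author filter is only a search default. Nothing visible
 * here stops a non-admin from posting another author's name, so it must not be
 * treated as access control.
 *
 * @return string Concatenated <tr> rows; empty string when nothing matches.
 */
function getvulns()
{
    $html = '';
    $user_curr = dvwaCurrentUser();

    // Retrieve data. Missing or non-string fields (e.g. name[]=x) are treated
    // as empty instead of being passed to mysql_real_escape_string().
    $filters = array('name' => '', 'key' => '', 'from' => '', 'to' => '');
    foreach (array_keys($filters) as $field) {
        if (isset($_POST[$field]) && is_string($_POST[$field])) {
            $filters[$field] = mysql_real_escape_string($_POST[$field]);
        }
    }
    $name = $filters['name'];
    $key = $filters['key'];
    $from = $filters['from'];
    $to = $filters['to'];

    // NOTE(review): xlabGetSqli() is defined elsewhere; whether it escapes the
    // value for SQL is not visible here. Confirm before relying on it, since
    // $risk is interpolated into the query below.
    $risk = xlabGetSqli('risk', $_POST);

    // The original tested the undefined variables $form and $user here, so the
    // default never took effect. The session value is escaped like the others
    // because it also ends up inside a quoted SQL literal.
    if ($name === '' && $key === '' && $from === '' && $to === '') {
        $name = mysql_real_escape_string($user_curr);
    }
    if (!$from) {
        $from = '0000-00-00';
    }
    if (!$to) {
        $to = date("Y-m-d");
    }
    if ($risk === 'all') {
        $risk = '';
    }
    if ($user_curr === "admin") {
        $name = '';
    }

    // Both branches of the original built this same statement, so it is built
    // once. mysql_real_escape_string() does not escape the LIKE wildcards
    // % and _, so those still act as wildcards in the three LIKE filters.
    // The mysql_* extension has no prepared statements; moving to mysqli or
    // PDO with bound parameters is the durable fix.
    $sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50";

    // The driver error can echo parts of the query, so it is HTML-escaped.
    $result = mysql_query($sql) or die('<pre>' . htmlspecialchars(mysql_error()) . '</pre>');
    $num = mysql_num_rows($result);

    for ($i = 0; $i < $num; $i++) {
        $rawVid = mysql_result($result, $i, "vid");

        // Every column is stored data that other users may have written, so
        // each one is escaped for the context it is printed in.
        $vidUrl = urlencode($rawVid);
        $vidCell = htmlspecialchars($rawVid);
        $authorCell = htmlspecialchars(mysql_result($result, $i, "author"));
        $vnameCell = htmlspecialchars(mysql_result($result, $i, "vname"));
        $riskCell = htmlspecialchars(mysql_result($result, $i, "risk"));

        $act = "<a href='vact.php?act=detail&vid={$vidUrl}'>detail </a>\n\t\t\t\t<a href='?act=delete&vid={$vidUrl}'>delete </a>";
        // The original opened each row with a closing </tr> tag.
        $html .= "<tr><td>{$vidCell}</td><td>{$authorCell}</td><td>{$vnameCell}</td><td>{$riskCell}</td><td>{$act}</td></tr>";
    }

    return $html;
}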
コード例 #2
ファイル: submit.php プロジェクト: seclabx/xlabas
<?php

// CTF flag submission handler: stores (or updates) the flag the current user
// submits for challenge `pid` in the `userflag` table, together with the
// verdict from dvwaisvaildflag(), then sets up the page metadata.
$html = "";
if (isset($_POST['Submit'])) {
    // Retrieve data
    // NOTE(review): xlabGetSqli() is defined elsewhere; whether it escapes the
    // value for SQL is not visible here. $pid and $flag are interpolated into
    // quoted SQL literals below, so confirm what the helper guarantees.
    $pid = xlabGetSqli('pid', $_POST);
    $flag = xlabGetSqli('flag', $_POST);
    $user = dvwaCurrentUser();
    // NOTE(review): the literal '******' looks like masking applied by the
    // listing this snippet was copied from (the INSERT below uses {$user}).
    // As shown, the lookup only matches a user literally named ******.
    // Compare with the upstream file.
    $sql = "SELECT * FROM userflag WHERE user = '******' and pid='{$pid}' ";
    // On failure the raw driver error is printed to the client unescaped.
    $result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');
    // The verdict is stored as the strings "Correct" / "Error".
    if (dvwaisvaildflag($pid, $flag)) {
        $str = "Correct";
    } else {
        $str = "Error";
    }
    $num = mysql_numrows($result);
    if ($num == 0) {
        // No existing row for this challenge: insert one. There is no column
        // list, so the values depend on the table's column order. $user is
        // interpolated without escaping in this block.
        $insert = "insert into userflag values('{$pid}','{$user}','{$flag}','{$str}')";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');
        $html = "flag is submit succeed";
    } else {
        // Row already exists: overwrite the stored flag and verdict.
        // NOTE(review): same '******' literal as the SELECT above.
        $update = "update userflag set flag='{$flag}',status='{$str}' where user='******' and pid='{$pid}'";
        $result = mysql_query($update) or die('<pre>' . mysql_error() . '</pre>');
        $html = "flag is update succeed";
    }
}
// Page metadata for the DVWA page renderer.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Submit Flag';
$page['page_id'] = 'submit';
$page['help_button'] = 'submit';
$page['source_button'] = 'submit';
コード例 #3
ファイル: index.php プロジェクト: seclabx/xlabas
            }
        }
    }
    if ($_REQUEST['submit'] == 'del') {
        $name = xlabGetSqli('name', $_GET);
        $sql = "delete from config where name=\"{$name}\"";
        echo $sql;
        $result = mysql_query($sql);
        if ($result) {
            $html = "Delete sussfully!!!";
        } else {
            $html = "Delete fail!!!";
        }
    }
    if ($_POST['submit'] == 'add') {
        $name = xlabGetSqli('name', $_POST);
        $value = xlabGetSqli('value', $_POST);
        $desc = xlabGetSqli('desc', $_POST);
        $sql = "insert into config values ('{$name}','{$value}','{$desc}')";
        $result = mysql_query($sql);
        if ($result) {
            $html = "Insert sussfully!!!";
        } else {
            $html = "Insert fail!!!";
        }
    }
    dvwaGetconfig();
    dvwaRedirect("{$_DVWA['location']}/vulnerabilities/admin/");
}
// Append the "System Manage" body: one form listing the current settings
// ({$config}) and one form for adding a setting, followed by the status
// message ({$html}). Both variables are interpolated as-is, so whatever built
// them must already have HTML-escaped any stored or user-supplied values.
// NOTE(review): neither form in this markup carries an anti-CSRF token field;
// confirm whether request forgery is handled elsewhere for these admin actions.
// checkForm() is referenced by both submit buttons but not defined here.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>System Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Setting Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Setting </td> \n\t\t<td>Values</td>\n\t\t<td>Act</td>\n\t\t</tr>\n\t\t{$config}\n\t\t<tr>\n\t\t<td width=\"100\">&nbsp;</td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"updata\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Add Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Value *</td> <td>\n\t\t<input name=\"value\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<input name=\"desc\" size=60></input></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">&nbsp;</td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"add\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t{$html}\n</div>\n";
// Hand the assembled page to the renderer.
dvwaHtmlEcho($page);
コード例 #4
ファイル: dvwaPage.inc.php プロジェクト: seclabx/xlabas
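/**
 * Check the submitted `authcode` request value against the code stored in the
 * session, ignoring case.
 *
 * The comparison is rejected up front unless both sides are scalars. On the
 * PHP versions this codebase targets (it uses the mysql_* extension),
 * strcasecmp() returns NULL for a non-string argument, and the original
 * `== 0` test accepted that NULL as a match.
 *
 * NOTE(review): the stored code is not cleared after a successful match, so it
 * stays valid until something else replaces it. Confirm the caller rotates it.
 *
 * @return bool True only when a non-empty session code equals the submitted one.
 */
function xlabautocode()
{
    // xlabGetSqli() is defined elsewhere; its return type is not visible here,
    // hence the explicit scalar check below.
    $code = xlabGetSqli('authcode', $_REQUEST);
    $session =& dvwaSessionGrab();

    // No code issued for this session (or an empty one): never a match.
    if (!isset($session['authcode']) || empty($session['authcode'])) {
        return false;
    }
    if (!is_scalar($session['authcode']) || !is_scalar($code)) {
        return false;
    }

    // Strict comparison, so only an actual "equal" result (int 0) passes.
    return strcasecmp((string) $session['authcode'], (string) $code) === 0;
}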
コード例 #5
ファイル: index.php プロジェクト: seclabx/xlabas
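<?php

// CTF front controller: requires an authenticated session in CTF mode, then
// dispatches on ?pid= to either a numbered challenge (looked up in
// $_CTF['map']) or a named management page under manager/.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
require_once '../ainclude.php';
if (!dvwaIsCtf()) {
    echo "You have must select ctf model !!!";
    exit;
}
#dvwadebug($_CTF);
if (isset($_GET['pid'])) {
    // Challenges 5 and 6 use the separate 'ctf' database connection. The
    // comparison is strict, so only the exact strings select it.
    if (in_array($_GET['pid'], array('5', '6'), true)) {
        dvwaDatabaseConnect_ctf('ctf');
    } else {
        dvwaDatabaseConnect();
    }
    // NOTE(review): xlabGetSqli() is defined elsewhere and, going by its name,
    // targets SQL escaping. Nothing visible here makes its result safe to use
    // as a file name, so $pid is validated before it reaches require_once.
    $pid = xlabGetSqli('pid', $_GET);
    if (is_string($pid) && is_numeric($pid) && isset($_CTF['map'][$pid])) {
        // Numbered challenge: only paths registered in the map are included.
        // $_CTF is presumably set up by ainclude.php (TODO confirm).
        require_once $_CTF['map'][$pid];
    } elseif (is_string($pid) && !is_numeric($pid) && preg_match('/\A[A-Za-z0-9_-]+\z/', $pid) === 1) {
        // Named page: the request value becomes part of the include path, so
        // it is limited to a plain file-name token. Separators, dots and NUL
        // bytes are rejected, which keeps the include inside manager/.
        require_once 'manager/' . $pid . '.php';
    } else {
        // Unknown or malformed pid: stop instead of including anything.
        echo "Invalid pid";
        exit;
    }
}
// $page is presumably populated by the included script (TODO confirm). It is
// not set in this file when no pid is given.
dvwaHtmlEcho($page);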
コード例 #6
ファイル: score.php プロジェクト: seclabx/xlabas
    $num = mysql_numrows($result);
    $i = 0;
    while ($i < $num) {
        $pid = mysql_result($result, $i, "pid");
        $user = mysql_result($result, $i, "user");
        $flag = mysql_result($result, $i, "flag");
        $status = mysql_result($result, $i, "status");
        $html .= "</tr><td>{$pid}</td><td>{$user}</td><td>{$flag}</td><td>{$status}</td></tr>";
        $i++;
    }
    return "\n\t<table border=1 width=100%>\n\t<tr>\n\t<th>Pid</th><th>User</th><th>Flag</th><th>Status</th>\n\t</tr>\n\t{$html}\n\t</table>";
}
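// Page metadata for the "View Score" page.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'View Score';
$page['page_id'] = 'score';
$page['help_button'] = 'score';
$page['source_button'] = 'score';
$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}
// Only push a status message when one was actually supplied as a string.
// NOTE(review): msg is caller-controlled. Whether it is HTML-escaped depends on
// how pushed messages are rendered, which is not visible here. Confirm, or
// escape it at the point of output.
if (isset($_GET['msg']) && is_string($_GET['msg'])) {
    dvwaMessagePush($_GET['msg']);
}
// Default to an empty table so a denied ?view= request renders nothing rather
// than interpolating an undefined variable.
$table = '';
if (isset($_GET['view'])) {
    // A user may view their own flags and an admin may view anyone's. The
    // name check is strict, so numeric-looking names cannot compare equal by
    // type juggling.
    $viewsOwnScore = is_string($_GET['view']) && $_GET['view'] === (string) dvwaGetuser();
    if ($viewsOwnScore or xlabisadmin()) {
        $table = getuserflag(xlabGetSqli('view', $_GET));
    }
} else {
    $table = getuserranking();
}
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>View Score</h1>\n\n\t{$magicQuotesWarningHtml}\n\n\t<div >\n\t{$table}\n\t</div>\n</div>\n";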
コード例 #7
ファイル: act.php プロジェクト: seclabx/xlabas
<?php

// Score-reset action: deletes rows from `userflag` when the requester is the
// named user or an admin, then redirects back to the score page with a status
// message in ?msg=.
define('DVWA_WEB_PAGE_TO_ROOT', '../../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
dvwaDatabaseConnect();
// NOTE(review): the delete is triggered by a plain GET parameter and no
// anti-CSRF token is checked in this file. A state-changing action like this
// normally belongs behind POST plus a per-session token.
if (isset($_GET['del'])) {
    // xlabGetSqli() is defined elsewhere; what it does to the value is not
    // visible here.
    $name = xlabGetSqli('del', $_GET);
    // Loose == comparison between the request value and the current user name.
    if ($name == dvwaGetuser() or xlabisadmin()) {
        // NOTE(review): the literal '******' looks like masking applied by the
        // listing this snippet was copied from. As shown, $name is never used
        // in the statement. Compare with the upstream file.
        $sql = "DELETE FROM userflag WHERE user='******'";
        // The query result is not checked, so the redirect below reports
        // success even when the statement failed.
        $result = mysql_query($sql);
        // $name goes into the redirect URL without URL-encoding and comes back
        // to the score page as ?msg=.
        dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=delete {$name} succfully!!!");
    } else {
        dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=delete {$name} fail!!!");
    }
}
コード例 #8
ファイル: vact.php プロジェクト: seclabx/xlabas
        $vid = mysql_result($result, 0, "vid");
        $site = mysql_result($result, 0, "site");
        $vname = mysql_result($result, 0, "vname");
        $vdesc = mysql_result($result, 0, "vdesc");
        $author = mysql_result($result, 0, "author");
        $risk = mysql_result($result, 0, "risk");
    }
}
if (isset($_POST['submit']) && $_POST['submit'] == 'updata') {
    #dvwadebug();
    $vid = xlabGetSqli('vid', $_POST);
    $site = xlabGetSqli('site', $_POST);
    $vname = xlabGetSqli('name', $_POST);
    $vdesc = xlabGetSqli('desc', $_POST);
    $author = xlabGetSqli('author', $_POST);
    $risk = xlabGetSqli('risk', $_POST);
    if ($user == "admin") {
        $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',author='{$author}',risk='{$risk}' where vid='{$vid}'";
    } else {
        $sql = "select vid from vulns where author='{$user}' and vid='{$vid}'";
        if (mysql_num_rows(mysql_query($sql)) < 1) {
            $html = "Can't  access ";
            $sql = '';
        } else {
            $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',risk='{$risk}' where author='{$user}' and vid='{$vid}'";
        }
    }
    dvwadebug($sql);
    $result = @mysql_query($sql);
    if ($result) {
        $html .= "updata sussfully!!!";