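/**
 * HTML-escape a request value for output, recursing into arrays.
 *
 * @param mixed $data  string/scalar/null, or a (possibly nested) array of them
 * @return string|array  same shape as $data with every leaf escaped
 */
function xss($data)
{
    // Recurse so nested request arrays (foo[bar]=x) are escaped leaf by leaf.
    if (is_array($data)) {
        $escaped = array();
        foreach ($data as $key => $value) {
            $escaped[$key] = xss($value);
        }
        return $escaped;
    }
    // Explicit flags: ENT_QUOTES also encodes the single quote, so the result is
    // safe inside single-quoted attributes (the default flags before PHP 8.1 left
    // ' untouched); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    // Scalars/null are cast to string so htmlspecialchars() never receives null
    // (deprecated since PHP 8.1); false becomes '' exactly as before.
    return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}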
/**
 * Run every scan stage against $site in a fixed order, announcing each one.
 *
 * @param string $site  target passed unchanged to each stage function
 * @return void
 */
function full($site)
{
    // Banner => stage; the stage functions live elsewhere in this file and all
    // take the target plus the constant 1 as their second argument.
    $stages = array(
        '[-] Start full scanning mode.' => function ($target) { pmapwn($target, 1); },
        '[-] Start SQL Injection Scan'  => function ($target) { sql($target, 1); },
        '[-] Start XSS Scan'            => function ($target) { xss($target, 1); },
        '[-] Start RFI Scan'            => function ($target) { rfi($target, 1); },
        '[-] Start LFI Scan'            => function ($target) { lfi($target, 1); },
    );
    foreach ($stages as $banner => $run) {
        print $banner . "\n";
        $run($site);
    }
}
/***使用文件存储模式下,creds和payloads路径,建议使用md5哈希后的复杂目录***/ $store_path = "./e160e60f7414a7bba0b46565c1ce0646/"; /***Cookie生成规则***/ #$token = md5(md5(md5(base64_encode(date("Y-m-d").$_SERVER['REMOTE_ADDR'].$username.$password)))); $token = md5(md5(md5(base64_encode($username . $password)))); /***全局参数***/ $ip = base64_encode($_SERVER['REMOTE_ADDR']); $area = base64_encode(ip_lookup()); $time = date('Y-m-d H:i:s'); $user_lang = base64_encode($_SERVER['HTTP_ACCEPT_LANGUAGE']); $user_agent = base64_encode($_SERVER['HTTP_USER_AGENT']); /***当收到数据时触发XSS函数***/ if ($_REQUEST["cookie"] or $_REQUEST["location"]) { $cookie = base64_encode($_REQUEST['cookie']); $referer = base64_encode($_REQUEST['location']); xss(); } $common_head = <<<EOF <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/> <meta http-equiv="Cache-Control" content="max-age=0" forua="true"/> <meta http-equiv="Cache-Control" content="no-cache"/> <meta http-equiv="Expires" content="0"/> <title>#XSS</title> <style> body,ul,li{ \tmargin:0; padding:0; \tfont-family: "Microsoft YaHei" ! important;
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<?php
// Login handler: looks the submitted user up and, on a match, opens a session.
require_once 'func.php';
// xss() is an HTML escaper (func.php); it is the only treatment the credentials
// get before they are concatenated into SQL below.
$name = xss($_POST['name']);
$pass = encrypt(xss($_POST['pswd'])); // encrypt() is project code; its output is not visible here
require_once 'config.php';
$link = conn_db($hostname, $username, $password, $database);
if (!$link) {
    echo "Mysql conncet ERROR"; // execution continues with a failed connection
}
// String-built query: a quote that survives xss() (htmlspecialchars() with default
// flags leaves ' alone before PHP 8.1) changes the statement. This should be a
// prepared statement with bound parameters.
$query = "SELECT * FROM users WHERE usr_name='" . $name . "' AND usr_passwd = '" . $pass . "'";
if (!getaline($query, $link)) {
    echo "登陆失败"; // "login failed"
    closedb($link);
    goback();
} else {
    closedb($link);
    session_begin();
    // The encrypt()ed password is kept in the session for the whole login.
    $ses = array('user' => $name, 'pass' => $pass);
    create_session($ses);
    if ($name == "admin") { // loose ==; the admin role is decided by user name alone
        jump('/admin/admin.php');
    }
    jump('unit.php');
    closedb($link); // unreachable if jump() exits; the link was already closed above anyway
}
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<?php
require_once 'func.php';
// Chapter number from the form; xss() HTML-escapes it (it is echoed in <title> below).
$chapter = xss($_POST['c']);
// NOTE(review): htmlspecialchars() does not touch '.' or '/', so $destination can
// still contain "../" segments. Anything that later uses it as a filesystem path
// must validate $chapter (it appears to be numeric elsewhere in this project).
$destination = "uploadimg/" . $chapter;
session_begin();
if (!isset($_SESSION['user']) || !isset($_SESSION['pass'])) {
    jump('unit.php');
}
require_once 'config.php';
$link = conn_db($hostname, $username, $password, $database);
if (!$link) {
    echo "Mysql conncet ERROR"; // execution continues with a failed connection
}
// The session user name is concatenated into SQL; it was HTML-escaped at login,
// which is not SQL escaping — a prepared statement belongs here.
$sql = "SELECT * FROM users WHERE usr_name='" . $_SESSION['user'] . "'";
$ret = runquery($sql, $link);
$row = getresult($ret);
$uid = $row['usr_stuno'];
// The scripts/styles below come from a third-party CDN over plain http and carry
// no integrity attribute, so that host (or anyone on the path) can inject script.
?>
<html>
<head>
<title>第<?php echo $chapter; ?> 章</title>
<link href="http://libs.baidu.com/bootstrap/3.0.3/css/bootstrap.min.css" rel="stylesheet">
<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<script src="http://libs.baidu.com/bootstrap/3.0.3/js/bootstrap.min.js"></script>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
/**
 * Trim, unslash and HTML-escape a posted string.
 * NOTE(review): stripslashes() removes backslashes from the input (a magic_quotes-era
 * habit) and so also undoes any escaping a caller applied; htmlspecialchars() with
 * default flags does not encode ' before PHP 8.1, so a single quote reaches the
 * SQL built below unchanged.
 */
function xss($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

if ($_SESSION['signed_in']) {
    // ext/mysql (mysql_*) was removed in PHP 7. The session user id is concatenated
    // into the query rather than bound.
    $sql = "SELECT * FROM users where userID='" . $_SESSION['user_id'] . "'";
    $result = mysql_query($sql);
    if (!$result) {
        echo 'sorry error occured try sometime later';
    } else {
        if (isset($_POST['submit'])) {
            if (!empty($_POST['content'])) {
                $content = xss($_POST['content']);
            } else {
                $error1 = "please fill all the fields";
            }
            if (empty($error1)) {
                // String-built INSERT of $content and the session user id; on failure
                // `or die(mysql_error())` prints the raw driver error to the visitor.
                $query = mysql_query("INSERT INTO `hackathon`.`pop_posts` (`id`, `p_content`, `p_img`, `p_url`, `p_by`, `p_date`) VALUES('','" . $content . "','','','" . $_SESSION['user_id'] . "',NOW())") or die(mysql_error());
                if ($query) { // always true here: a failed query already died above
                    $con = "Successfully posted";
                } else {
                    $error = "error occurred try afterwards";
                }
            }
        }
    }
}
?>
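// Insertion sort of $rtimes (ascending, compared as ints) keeping $rnames aligned.
// $n, $rtimes and $rnames are populated earlier in this file.
for ($a = 0; $a < $n; $a++) {
    $b = $a;
    // Guard is $b > 0: the original tested $b < 0, which read $rtimes[-1] at the
    // front of the array and could loop forever once $b went negative.
    while ($b > 0 && intval($rtimes[$b - 1]) > intval($rtimes[$b])) {
        $mid = $rtimes[$b - 1];
        $rtimes[$b - 1] = $rtimes[$b];
        $rtimes[$b] = $mid;
        $mid = $rnames[$b - 1];
        $rnames[$b - 1] = $rnames[$b];
        $rnames[$b] = $mid;
        $b--;
    }
}

/**
 * HTML-escape a value for output in element text or attributes.
 *
 * The replacement entities had been lost (each character was replaced with itself,
 * so nothing was escaped); this restores the intended & < > " ' / encoding.
 *
 * @param mixed $val  scalar to escape (cast to string)
 * @return string
 */
function xss($val)
{
    $map = array(
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    );
    // strtr() replaces in a single pass, so an '&' produced by one rule is never
    // re-encoded by another.
    return strtr((string) $val, $map);
}

// Newest first (the sort above is ascending).
for ($j = $n - 1; $j >= 0; $j--) {
    $raw = file_get_contents("./data/comps/" . $rnames[$j]);
    $cmp = $raw === false ? null : json_decode($raw);
    if (!is_object($cmp)) {
        // Missing or malformed data file: skip the row instead of emitting notices into the page.
        continue;
    }
    $rowCount = isset($cmp->rows) ? count((array) $cmp->rows) : 0;
    // Every value that reaches the markup goes through xss(), including the two
    // href query strings the original wrote out raw.
    echo "<tr>";
    echo "<td><a href='./comp/?" . xss(substr($rnames[$j], 0, -5)) . "'>" . xss($cmp->name) . "</a></td>";
    echo "<td>" . $rowCount . "</td>";
    echo "<td>" . xss($cmp->date) . "</td>";
    echo "<td><a href='./region/?" . xss(str_replace(" ", "", strtolower($cmp->region))) . "'>" . xss($cmp->region) . "</a></td>";
    echo "</tr>";
}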
<td><strong id="js-profile-email"><?php echo xss($this->userinfo->email); ?> </strong></td> <tr> </tr> <td>Имя:</td> <td><strong><?php echo xss($this->userinfo->name); ?> </strong></td> <tr> </tr> <td>Доступ:</td> <td><strong><?php echo xss($this->userinfo->access); ?> </strong></td> </tr> </tbody> </table> </div> </div> </div> </div> <div class="row"> <div class="col-xs-4 col-md-6"> <form id="js-profile-form-change-password"> <div class="card card-default"> <div class="card-header">
$pass = encrypt(xss($_POST['pswd'])); $email = xss($_POST['mail']); $no = xss($_POST['stuno']); $major = xss($_POST['major']); $time = date("Y-m-d h:i:s", time()); if (!isNumber($no)) { echo '<script>alert(\'学号必须为纯数字\');</script>'; jump("reg.html"); die; } if (!isEmail($email)) { echo '<script>alert(\'错误的E-mail地址\');</script>'; jump("reg.html"); die; } if (!isEngLength(xss($_POST['pswd']), 6, 15)) { echo '<script>alert(\'密码长度必须在6-15位之间!\');</script>'; jump("reg.html"); die; } require_once 'config.php'; $link = conn_db($hostname, $username, $password, $database); if (!$link) { echo "Mysql Connect ERROR"; } $query = "SELECT * FROM users WHERE usr_name=" . '"' . $name . '"'; $res = mysql_query($query, $link); if (mysql_num_rows($res)) { echo '<script type="text/javascript">alert("这个用户名已经存在!")</script>'; jump("reg.html"); die;
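<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<?php
require_once '../func.php';
// Chapter and question number are only used as a table-name suffix and a numeric
// key in the DELETE statements below, so they are cast to int (the other admin
// scripts in this project cast $chapter the same way). xss() is an HTML escaper
// and offers no protection for an identifier or an unquoted number.
$chapter = (int) xss($_POST['chapter']);
$ty = xss($_POST['ty']);
$no = (int) xss($_POST['no']);
// NOTE(review): no session/role check is visible in this script; the sibling
// scripts gate on $_SESSION['user'] before touching the database.
require_once '../config.php';
$link = conn_db($hostname, $username, $password, $database);
if (!$link) {
    echo "Mysql Connect ERROR";
    die; // the original fell through and ran the query on a failed connection
}
// Map the question type to its DELETE. The original's last branch was
// `elseif ($ty = "choice")` — an assignment, always true — so any unknown type
// deleted from choice_*. Unknown types now take the failure path.
if ($ty == "judgement") {
    $query = "DELETE FROM judgement_" . $chapter . " WHERE judgement_no=" . $no;
} elseif ($ty == "blank") {
    $query = "DELETE FROM fill_" . $chapter . " WHERE fill_no=" . $no;
} elseif ($ty == "choice") {
    $query = "DELETE FROM choice_" . $chapter . " WHERE choice_no=" . $no;
} else {
    $query = null;
}
if ($query !== null && mysql_query($query, $link)) {
    echo "题目删除成功";
    jump('delete.php');
} else {
    echo "题目删除失败";
    jump('delete.php');
}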
<?php $folder = xss($_GET['id']); ?> <div class="row"> <div class="col-lg-12"> <ul class="breadcrumb" style="font-size:25px"> <li><a href="admin.php"><i class="fa fa-home"></i> Inicio</a></li> <li><a href="#"><i class="fa fa-folder"></i> <?php echo $folder; ?> </a></li> </ul> </div> </div> <div class="row"> <div class="col-xs-6 col-sm-4 col-md-2 col-lg-2"> <a href="admin.php?m=file&id=1001"> <div class="panel bg-f403 panel-colorful text-center"> <div class="panel-body"> <i class="fa fa-file-o" style="font-size:90px;"></i> </div> <div class="bg-white" style="padding:5px;"> <h4 class="mar-no text-thin">1001</h4> </div> </div> </a> </div> <div class="col-xs-6 col-sm-4 col-md-2 col-lg-2"> <a href="admin.php?m=file">
// Grades a batch of fill-in answers. $one (the number of submitted rows) is set
// earlier in this file, before this span.
require_once '../config.php';
$link = conn_db($hostname, $username, $password, $database);
$score = 0;
// Rows are 1-based ($i = 1..$one) and read from parallel POST arrays. The (int)
// casts are what keep the table suffix and ids below non-injectable; $key[$i] and
// $name are NOT cast and go into SQL as strings — xss() is an HTML escaper, not a
// SQL escaper, so those two remain a SQL-injection risk.
for ($i = 1; $i <= $one; $i++) {
    $aid[$i] = (int) xss($_POST['aid'][$i]);
    $qid[$i] = (int) xss($_POST['qid'][$i]);
    $uid[$i] = (int) xss($_POST['uid'][$i]);
    $key[$i] = xss($_POST['key'][$i]);
    $type = (int) xss($_POST['ty']);
    // 'h' is the 12-hour hour without am/pm — presumably 'H' was intended; confirm.
    $time = date("Y-m-d h:i:s", time());
    $chapter = (int) xss($_POST['chapter'][$i]);
    $query = "SELECT usr_name FROM users WHERE usr_stuno='" . $uid[$i] . "'";
    $ret = runquery($query, $link);
    $row = mysql_fetch_row($ret);
    $name = $row[0];
    $key[$i] = xss($_POST['key'][$i]); // re-read; identical to the assignment above
    if ($key[$i] == '1') {
        $score = $score + 5;
        $query = "UPDATE fill_answer_" . $chapter . " SET correct='" . $key[$i] . "' WHERE fill_answer_no='" . $aid[$i] . "'";
        $ret = runquery($query, $link);
    } else {
        $query1 = "UPDATE fill_answer_" . $chapter . " SET correct='" . $key[$i] . "' WHERE fill_answer_no='" . $aid[$i] . "'";
        $query2 = "INSERT INTO wrong_answer (chapter,type,stuno,no,fin_time,usr_name) VALUES ('" . $chapter . "','2','" . $uid[$i] . "','" . $qid[$i] . "','" . $time . "','" . $name . "')";
        // Debugging leftover: prints the full INSERT (student number and name) into the response.
        echo $query2;
        $ret1 = runquery($query1, $link);
        $ret2 = runquery($query2, $link);
    }
}
// The score row is keyed on the first submitted uid, i.e. every row in the batch
// is assumed to belong to the same student — confirm against the posting form.
$query = "UPDATE score SET score_" . $chapter . "_2='" . $score . "' WHERE usr_stuno='" . $uid[1] . "'";
runquery($query, $link);
jump("reply.php");
<?php $id = xss($_GET['id']); ?> <div class="row"> <div class="col-lg-12"> <ul class="breadcrumb" style="font-size:25px"> <li><a href="admin.php"><i class="fa fa-home"></i> Inicio</a></li> <li><a href="admin.php?m=folder&id=1000-1050"><i class="fa fa-folder"></i> 1000 - 1050 </a></li> <li><a href="#"><i class="fa fa-file"></i> 1000</a></li> </ul> </div> </div> <div class="row"> <div class="col-md-12"> <embed src="pdf/pantallas seguros.pdf" width="100%" height="1000px"> </div> </div>
/**
 * Interactive driver: asks which test family to run and which file under out/
 * holds the URLs, then hands each URL to the matching check function
 * (sqli/xss/lfi/rfi, defined elsewhere in this file).
 */
function scan()
{
    print "\n Options:\n";
    print " sqli - SQL Injection\n";
    print " xss - Cross Site Scripting\n";
    print " lfi - Local File Inclusion\n";
    print " rfi - Remote File Inclusion\n";
    print " all - F**k shit up\n";
    print " What: ";
    // A fresh php://stdin handle is opened for each prompt and never closed.
    $choice = fopen("php://stdin", "r");
    $what = fgets($choice);
    print "\n File: ";
    $choicef = fopen("php://stdin", "r");
    $whatf = fgets($choicef);
    $whatf = trim($whatf);
    // $whatf is joined to 'out/' without any normalisation, so the name typed here
    // can point at any readable path; acceptable only while this stays a local CLI.
    if (file_exists('out/' . $whatf)) {
        if (trim($what) == 'sqli' || trim($what) == 'all' || trim($what) == 'sqli&xss') {
            // file() is called twice per branch: once for the count, once to iterate.
            print "\n\n - Testing SQL Injection for " . count(file('out/' . $whatf)) . " parameters ({$whatf})\n";
            $urls = file('out/' . $whatf);
            foreach ($urls as $link) {
                sqli(urldecode($link));
            }
        }
        if (trim($what) == 'xss' || trim($what) == 'all' || trim($what) == 'sqli&xss') {
            print "\n\n - Testing Cross Site Scripting for " . count(file('out/' . $whatf)) . " parameters ({$whatf})\n";
            $urls = file('out/' . $whatf);
            foreach ($urls as $link) {
                xss(urldecode($link));
            }
        }
        // NOTE(review): trim($what == 'lfi&rfi') compares first and trims the resulting
        // boolean, which is always '' (falsy) — the parenthesis is misplaced here and in
        // the rfi branch below, so the combined 'lfi&rfi' option never matches.
        if (trim($what) == 'lfi' || trim($what) == 'all' || trim($what == 'lfi&rfi')) {
            print "\n\n - Testing Local File Inclusion for " . count(file('out/' . $whatf)) . " parameters ({$whatf})\n";
            $urls = file('out/' . $whatf);
            foreach ($urls as $link) {
                lfi(urldecode($link));
            }
        }
        if (trim($what) == 'rfi' || trim($what) == 'all' || trim($what == 'lfi&rfi')) {
            print "\n\n - Testing Remote File Inclusion for " . count(file('out/' . $whatf)) . " parameters ({$whatf})\n";
            $urls = file('out/' . $whatf);
            foreach ($urls as $link) {
                rfi(urldecode($link));
            }
        }
    } else {
        print "\nFile doesnt exist!\n";
    }
}
</p> <form id="reset-form" action="<?php echo $this->path; ?> user/reset" method="post"> <div class="form-group"> <label>Укажите новый пароль</label> <input type="password" class="form-control underlined" name="password" placeholder="Пароль" data-msg-required="Введите новый пароль" required> </div> <div class="form-group"> <input type="hidden" name="_token" value="<?php echo $this->csrf_token; ?> "> <input type="hidden" name="key" value="<?php echo xss($this->key); ?> "> <button type="submit" class="btn btn-block btn-primary">Сохранить новый пароль</button> </div> <div class="form-group clearfix"> <a class="pull-left" href="<?php echo $this->path; ?> ">Войти</a> <a class="pull-right" href="<?php echo $this->path; ?> user/register">Зарегистрироваться</a> </div> </form>
<?php require_once 'func.php'; session_begin(); if (!isset($_SESSION['user']) || !isset($_SESSION['pass'])) { jump('unit.php'); } $one = count($_POST['qid']); $score = 75; for ($i = 0; $i < $one; $i++) { $uid[$i] = (int) xss($_POST['uid'][$i]); $qid[$i] = (int) xss($_POST['qid'][$i]); $key[$i] = xss($_POST['key'][$i]); $type = (int) xss($_POST['type'][$i]); $time = date("Y-m-d h:i:s", time()); $chapter = $_POST['ty']; $name = xss($_POST['uname']); require_once 'config.php'; $link = conn_db($hostname, $username, $password, $database); if (!$link) { echo "Mysql conncet ERROR"; } if ($type == 1) { $query = "SELECT answer FROM judgement_" . $chapter . " WHERE judgement_no='" . $qid[$i] . "'"; $ret = runquery($query, $link); $row = mysql_fetch_row($ret); if ($key[$i] == $row[0]) { $correct = 1; } else { $correct = 0; $query = "INSERT INTO wrong_answer (chapter,type,stuno,no,fin_time,usr_name) values ('" . $chapter . "','" . $type . "','" . $uid[$i] . "','" . $qid[$i] . "','" . $time . "','" . $name . "')"; //echo $query;
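<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<?php
require_once '../func.php';
// $chapter selects the target table by suffix and is numeric elsewhere in this
// project (the grading script casts it to int), so it is cast here too; xss() is
// an HTML escaper and gives no protection for an identifier.
$chapter = (int) xss($_POST['chapter']);
$stem = xss($_POST['stem']);
$ty = xss($_POST['ty']);
$answer = xss($_POST['answer']);
require_once '../config.php';
$link = conn_db($hostname, $username, $password, $database);
if (!$link) {
    echo "Mysql Connect ERROR";
    die; // the original fell through and ran the INSERT on a failed connection
}
// The original's last branch was `elseif ($ty = "choice")` — an assignment that is
// always true — so any unknown type was inserted into choice_*. Unknown types now
// take the failure path.
// $stem and $answer are still concatenated into SQL: mysql_query() has no parameter
// binding, so this relies on xss() encoding quotes, which default-flag
// htmlspecialchars() only does for " before PHP 8.1. Binding via a modern driver
// is the real fix.
// NOTE(review): every branch writes type '1'; confirm blank/choice should not carry
// their own type codes.
if ($ty == "judgement") {
    $query = "INSERT INTO judgement_" . $chapter . " (chapter,stem,answer,type) values ('" . $chapter . "','" . $stem . "','" . $answer . "','1')";
} elseif ($ty == "blank") {
    $query = "INSERT INTO fill_" . $chapter . " (chapter,stem,answer,type) values ('" . $chapter . "','" . $stem . "','" . $answer . "','1')";
} elseif ($ty == "choice") {
    $query = "INSERT INTO choice_" . $chapter . " (chapter,stem,answer,type) values ('" . $chapter . "','" . $stem . "','" . $answer . "','1')";
} else {
    $query = null;
}
if ($query !== null && mysql_query($query, $link)) {
    echo "yes";
    jump('subject.php');
} else {
    echo "no";
    jump('subject.php');
}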
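<?php
// Echoes the request back so a DataTables-style client can inspect what it sent.
// When the client supplies 'sEcho' (DataTables server-side protocol) it is echoed
// back as an int; a fixed single row of 'aaData' is returned either way.
if (isset($_REQUEST['sEcho'])) {
    echo json_encode(array(
        'sEcho' => intval($_REQUEST['sEcho']),
        'iTotalRecords' => 1,
        'iTotalDisplayRecords' => 1,
        'aaData' => array(array(1, 2, 3, 4, 5)),
        'post' => xss($_POST),
        'get' => xss($_GET),
        'post_length' => count(array_keys($_POST)),
        'get_length' => count(array_keys($_GET)),
    ));
} else {
    echo json_encode(array(
        'aaData' => array(array(1, 2, 3, 4, 5)),
        'post' => xss($_POST),
        'get' => xss($_GET),
        'post_length' => count(array_keys($_POST)),
        'get_length' => count(array_keys($_GET)),
    ));
}

// This script shouldn't be hosted on a public server, but to prevent attacks:
// every echoed value is HTML-entity encoded so a client that drops this JSON
// into the DOM without escaping cannot be handed markup.
/**
 * Entity-encode every leaf of a request array.
 *
 * @param mixed $a  array (possibly nested, e.g. foo[bar]=x) of scalars
 * @return array    same keys/shape, every leaf encoded
 */
function xss($a)
{
    $out = array();
    // A non-array (nothing to iterate) yields an empty array, as the original's
    // foreach did, just without the warning.
    if (!is_array($a)) {
        return $out;
    }
    foreach ($a as $key => $value) {
        // Nested arrays are encoded recursively; the original passed them straight
        // to htmlentities(), which does not accept arrays.
        if (is_array($value)) {
            $out[$key] = xss($value);
            continue;
        }
        // Explicit flags so ' is encoded on every PHP version and invalid UTF-8 is
        // substituted rather than turning the value into ''; the cast keeps null
        // out of htmlentities() (deprecated since PHP 8.1).
        $out[$key] = htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}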
?> " width="<?php echo xss($_GET["ParamWidth"]); ?> "></iframe> <?php } else { ?> <iframe frameborder="0" src="<?php echo xss($_GET["ParamUrl"]); ?> " height="<?php echo xss($_GET["ParamHeight"]); ?> " width="<?php echo xss($_GET["ParamWidth"]); ?> "></iframe> <?php } ?> </div> <div id="side"> <a href="http://twitter.com/MME_IT" target="blank_" class="button"><img src="./images/twitter.png"></a> <a href="http://be.linkedin.com/in/malikmesellem" target="blank_" class="button"><img src="./images/linkedin.png"></a> <a href="http://www.facebook.com/pages/MME-IT-Audits-Security/104153019664877" target="blank_" class="button"><img src="./images/facebook.png"></a> <a href="http://itsecgames.blogspot.com" target="blank_" class="button"><img src="./images/blogger.png"></a>
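/**
 * Dialog-style edit of a bug template.
 *
 * Reads tplname/tplhtml/editid from POST, updates the template through the
 * model and replies with the JSON envelope used by the other actions.
 */
public function editbugtplAction()
{
    // isset() guards keep the original semantics (missing field -> null) without
    // an undefined-index notice on a partial form post.
    $editId = isset($_POST['editid']) ? $_POST['editid'] : null;
    $sets = array(
        'tplname' => xss(isset($_POST['tplname']) ? $_POST['tplname'] : null),
        // tplhtml is stored raw on purpose — it is the template markup itself. Any
        // page that renders it later must treat it as trusted-author content; it
        // must not be editable by untrusted accounts.
        'tplhtml' => isset($_POST['tplhtml']) ? $_POST['tplhtml'] : null,
    );
    // NOTE(review): $editId is passed to the model unvalidated; confirm the model
    // binds or casts it before it reaches SQL.
    $this->model->updateBugtpl($sets, $editId);
    $this->outputJson(0, 'ok', $editId);
}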
<div class="col-md-4">
    <div class="panel panel-default">
        <div class="panel-heading">
            <h3 class="panel-title">
                <span>Regions (<?php echo count($regions); ?> )</span>
            </h3>
        </div>
        <div class="panel-body">
            <?php
            // One card per region. name and superregion are HTML-escaped through
            // xss(); $region->handle is written into the href unescaped — unless
            // handles are guaranteed to be plain slugs, wrap it the same way.
            foreach ($regions as $region) {
                echo "<div class='comp'>";
                echo "<a style='font-size: 12pt' href='../region?" . $region->handle . "'>" . xss($region->name) . "</a>";
                echo "<div><strong>Super Region:</strong> " . xss($region->superregion) . "</div>";
                echo "";
                echo "</div>";
                echo "<hr/>";
            }
            ?>
        </div>
    </div>
</div>
</div>
<div class="modal fade" id="modal_comp">
    <div class="modal-dialog">
        <div class="modal-content">
            <div class="modal-header">
                <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>