function getvulns() { // Retrieve data $user_curr = dvwaCurrentUser(); $name = mysql_real_escape_string($_POST['name']); $key = mysql_real_escape_string($_POST['key']); $from = mysql_real_escape_string($_POST['from']); $to = mysql_real_escape_string($_POST['to']); $risk = xlabGetSqli('risk', $_POST); if ($name == $key and $key == $from and $form == $to and $to == '') { $name = $user; } if (!$from) { $from = '0000-00-00'; } if (!$to) { $to = date("Y-m-d"); } if ($risk == 'all') { $risk = ''; } if ($user == "admin") { $name = ''; $sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50"; } else { $sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50"; } $result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>'); $num = mysql_numrows($result); $i = 0; while ($i < $num) { $risk = mysql_result($result, $i, "risk"); $vid = mysql_result($result, $i, "vid"); $author = mysql_result($result, $i, "author"); $vname = htmlspecialchars(mysql_result($result, $i, "vname")); $act = "<a href='vact.php?act=detail&vid={$vid}'>detail </a>\n\t\t\t\t<a href='?act=delete&vid={$vid}'>delete </a>"; $html .= "</tr><td>{$vid}</td><td>{$author}</td><td>{$vname}</td><td>{$risk}</td><td>{$act}</td></tr>"; $i++; } return $html; }
function getreports($pre) { // Retrieve data $user = dvwaCurrentUser(); $name = mysql_real_escape_string($_POST['name']); $from = mysql_real_escape_string($_POST['from']); $to = mysql_real_escape_string($_POST['to']); if (!$from) { $from = '0000-00-00'; } if (!$to) { $to = date("Y-m-d"); } if ($user == "admin") { $sql = "SELECT * FROM report where date>='{$from}' and date <='{$to}' and name like'{$name}%' order by date desc limit 30"; } else { $sql = "SELECT * FROM report WHERE date>='{$from}' and date <='{$to}' and name='{$user}' order by date desc limit 30"; } #echo $sql; $result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>'); $num = mysql_numrows($result); $i = 0; while ($i < $num) { $date = mysql_result($result, $i, "date"); $name = mysql_result($result, $i, "name"); $report = htmlspecialchars(mysql_result($result, $i, "report")); $act = "<a href='vact.php?act=detail&date={$date}&user={$name}'>detail </a>\n\t\t\t\t<a href='?act=delete&date={$date}&user={$name}'>delete </a>"; if (!empty($pre)) { $html .= "</tr><td>{$date}</td><td>{$name}</td><td><pre>{$report}</pre></td><td>{$act}</td></tr>"; } else { $html .= "</tr><td>{$date}</td><td>{$name}</td><td><h4>{$report}</h4></td><td>{$act}</td></tr>"; } $i++; } return $html; }
// Get input $pass_new = $_POST['password_new']; $pass_conf = $_POST['password_conf']; // Check CAPTCHA from 3rd party $resp = recaptcha_check_answer($_DVWA['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'], $_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field']); // Did the CAPTCHA fail? if (!$resp->is_valid && ($_POST['recaptcha_response_field'] != 'hidd3n_valu3' || $_SERVER['HTTP_USER_AGENT'] != 'reCAPTCHA')) { // What happens when the CAPTCHA was entered incorrectly $html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; $hide_form = false; return; } else { // CAPTCHA was correct. Do both new passwords match? if ($pass_new == $pass_conf) { $pass_new = mysql_real_escape_string($pass_new); $pass_new = md5($pass_new); // Update database $insert = "UPDATE `users` SET password = '******' WHERE user = '******' LIMIT 1;"; $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>'); // Feedback for user $html .= "<pre>Password Changed.</pre>"; } else { // Ops. Password mismatch $html .= "<pre>Both passwords must match.</pre>"; $hide_form = false; } } mysql_close(); } // Generate Anti-CSRF token generateSessionToken();
<?php $page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 3</h3>\r\n\t\t<hr />\r\n\t\tWelcome back <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>"; if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { $page['body'] .= $_SERVER['HTTP_X_FORWARDED_FOR']; } else { $page['body'] .= "**Missing Header**"; } $page['body'] .= "</em><br />\r\n\t\tYour user-agent address is: <em>" . $_SERVER['HTTP_USER_AGENT'] . "</em><br />\r\n\t\tYou came form: <em>{$_SERVER['HTTP_REFERER']}</em><br />\r\n\t\tI'm hosted at: <em>{$_SERVER['HTTP_HOST']}</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\r\n";
function dvwaHtmlEcho($pPage) { $menuBlocks = array(); $menuBlocks['home'] = array(); $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup / Reset', 'url' => 'setup.php'); $menuBlocks['vulnerabilities'] = array(); $menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/.'); $menuBlocks['meta'] = array(); $menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php'); $menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php'); $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php'); $menuBlocks['logout'] = array(); $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php'); $menuHtml = ''; foreach ($menuBlocks as $menuBlock) { $menuBlockHtml = ''; foreach ($menuBlock as $menuItem) { $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url']; $menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>\n"; } $menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>"; } // Get security cookie -- $securityLevelHtml = ''; switch (dvwaSecurityLevelGet()) { case 'low': $securityLevelHtml = 'low'; break; case 'medium': $securityLevelHtml = 'medium'; break; case 'high': $securityLevelHtml = 'high'; break; default: $securityLevelHtml = 'high'; break; } // -- END (security cookie) $phpIdsHtml = '<em>PHPIDS:</em> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled'); $userInfoHtml = '<em>Username:</em> ' . dvwaCurrentUser(); $messagesHtml = messagesPopAllToHtml(); if ($messagesHtml) { $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>"; } $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>"; if ($pPage['source_button']) { $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}"; } if ($pPage['help_button']) { $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}"; } // Send Headers + main HTML code Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>{$pPage['title']}</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\r\n\r\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\r\n\r\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\r\n\r\n\t</head>\r\n\r\n\t<body class=\"home\">\r\n\t\t<div id=\"container\">\r\n\r\n\t\t\t<div id=\"header\">\r\n\r\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_menu\">\r\n\r\n\t\t\t\t<div id=\"main_menu_padded\">\r\n\t\t\t\t{$menuHtml}\r\n\t\t\t\t</div>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_body\">\r\n\r\n\t\t\t\t{$pPage['body']}\r\n\t\t\t\t<br />\r\n\t\t\t\t<br />\r\n\t\t\t\t{$messagesHtml}\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div class=\"clear\">\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"system_info\">\r\n\t\t\t\t{$systemInfoHtml}\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"footer\">\r\n\r\n\t\t\t\t<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t</div>\r\n\r\n\t</body>\r\n\r\n</html>"; }
<?php $page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: File Inclusion</h1>\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<h3>File 1</h3>\r\n\t\t<hr />\r\n\t\tHello <em>" . dvwaCurrentUser() . "</em><br />\r\n\t\tYour IP address is: <em>{$_SERVER['REMOTE_ADDR']}</em><br /><br />\r\n\t\t[<em><a href=\"?page=include.php\">back</a></em>]\r\n\t</div>\r\n\r\n\t<h2>More info</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/Remote_File_Inclusion') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/Top_10_2007-A3') . "</li>\r\n\t</ul>\r\n</div>\n";
function dvwaHtmlEcho($pPage) { $menuBlocks = array(); $menuBlocks['home'] = array(); $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); $menuBlocks['vulnerabilities'] = array(); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-63321', 'name' => 'Regex #02-Domain too', 'url' => 'vulnerabilities/WooYun-2014-63321/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-61978', 'name' => 'CSRF #01-Flash Upload', 'url' => 'vulnerabilities/WooYun-2014-61978/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-61361', 'name' => 'Sqli QUERY_STRING', 'url' => 'vulnerabilities/WooYun-2014-61361/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-59940', 'name' => 'Regex #01-Domain fraud', 'url' => 'vulnerabilities/WooYun-2014-59940/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-53384', 'name' => 'Sqli filter #02-Once', 'url' => 'vulnerabilities/WooYun-2014-53384/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-52257', 'name' => 'Sqli Mysql #01', 'url' => 'vulnerabilities/WooYun-2014-52257/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-52248', 'name' => 'No [Comma] Sqli', 'url' => 'vulnerabilities/WooYun-2014-52248/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51950', 'name' => 'Sqli using [Slashes]', 'url' => 'vulnerabilities/WooYun-2014-51950/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51687', 'name' => 'Sqli filter #02-80sec', 'url' => 'vulnerabilities/WooYun-2014-51687/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51536', 'name' => 'XSS #08-mXSS', 'url' => 'vulnerabilities/WooYun-2014-51536/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-51505', 'name' => 'Sqli filter #01', 'url' => 'vulnerabilities/WooYun-2014-51505/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-50644', 'name' => 'No [Space] Sqli', 'url' => 'vulnerabilities/WooYun-2014-50644/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2014-50315', 'name' => 'XSS #07-SVG', 'url' => 'vulnerabilities/WooYun-2014-50315/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-34885', 'name' => 'Contradiction #01', 'url' => 'vulnerabilities/WooYun-2013-34885/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-31669', 'name' => 'Indirect SQLi #01', 'url' => 'vulnerabilities/WooYun-2013-31669/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-20759', 'name' => 'Decrypt #01-CCA2', 'url' => 'vulnerabilities/WooYun-2013-20759/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2013-19115', 'name' => 'Workflow #1-302', 'url' => 'vulnerabilities/WooYun-2013-19115/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16598', 'name' => 'XSS #06-Flash02', 'url' => 'vulnerabilities/WooYun-2012-16598/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16532', 'name' => 'XSS #05-Flash01', 'url' => 'vulnerabilities/WooYun-2012-16532/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16041', 'name' => 'XSS #04-Encoding', 'url' => 'vulnerabilities/WooYun-2012-16041/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-16003', 'name' => 'XSS #03-InComment', 'url' => 'vulnerabilities/WooYun-2012-16003/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-15979', 'name' => 'XSS #02-TwoVars', 'url' => 'vulnerabilities/WooYun-2012-15979/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2012-15969', 'name' => 'XSS #01-GBK', 'url' => 'vulnerabilities/WooYun-2012-15969/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'WooYun-2011-02236', 'name' => 'LFI+log', 'url' => 'vulnerabilities/WooYun-2011-02236/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'Drops-1015', 'name' => 'Linux pentest tricks', 'url' => 'vulnerabilities/Drops-1015/.'); $menuBlocks['meta'] = array(); $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php'); $menuBlocks['logout'] = array(); $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php'); $menuHtml = ''; foreach ($menuBlocks as $menuBlock) { $menuBlockHtml = ''; foreach ($menuBlock as $menuItem) { $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'list-group-item active' : 'list-group-item'; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url'] . '#here_body'; $menuBlockHtml .= "<a href=\"{$fixedUrl}\" onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\">{$menuItem['name']}</a>"; } $menuHtml .= "<ul>{$menuBlockHtml}</ul>"; } // Get security cookie -- $securityLevelHtml = ''; switch (dvwaSecurityLevelGet()) { case 'low': $securityLevelHtml = 'low'; break; case 'medium': $securityLevelHtml = 'medium'; break; case 'high': $securityLevelHtml = 'high'; break; default: $securityLevelHtml = 'low'; break; } // -- END $phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled'); $userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser(); $messagesHtml = messagesPopAllToHtml(); if ($messagesHtml) { $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>"; } $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>"; if ($pPage['source_button']) { $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}"; } if ($pPage['help_button']) { $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}"; } // Send Headers + main HTML code Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>{$pPage['title']}</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/bootstrap.min.css\" />\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/bootstrap-theme.min.css\" />\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/navbar-fixed-top.css\" />\r\n\r\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\r\n\r\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\r\n\r\n\t</head>\r\n\r\n\t<body class=\"home\">\r\n\r\n\t\t\t<div id=\"header\" style=\"text-align:center;\">\r\n\r\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/wooyun_logo.jpg\" alt=\"WooYun DVWA\" height=\"200\" width=\"800\"/>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t<div id=\"container\" align=\"center\">\r\n\r\n <div class=\"navbar navbar-default navbar-fixed-top\" role=\"navigation\" >\r\n <div class=\"container\">\r\n <div class=\"navbar-header\">\r\n <button type=\"button\" class=\"navbar-toggle collapsed\" data-toggle=\"collapse\" data-target=\".navbar-collapse\">\r\n <span class=\"sr-only\">Toggle navigation</span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n </button>\r\n <a class=\"navbar-brand\" href=\"#\">DVWA WooYun</a>\r\n </div>\r\n <div class=\"navbar-collapse collapse\">\r\n <ul class=\"nav navbar-nav\">\r\n <li><a href=\"/\">Home</a></li>\r\n <li><a href=\"http://wooyun.org\">Wooyun</a></li>\r\n <li><a href=\"/instructions.php#here_body\">Instructions</a></li>\r\n </ul>\r\n <ul class=\"nav navbar-nav navbar-right\">\r\n <li><a href=\"/about.php#here_body\">About</a></li>\r\n <li><a href=\"/logout.php\">Logout</a></li>\r\n </ul>\r\n </div><!--/.nav-collapse -->\r\n </div>\r\n </div>\r\n\r\n<a name=\"here_body\"></a><!-- 定义锚点 --> \r\n<br>\r\n<br>\r\n<br>\r\n\r\n\t\t\t<div id=\"main_menu\" style=\"width:20%;float:left;padding-left: 15px;\">\r\n\r\n\t\t\t\t<div class=\"row\">\r\n\t\t\t\t\t<div class=\"list-group\">\r\n\t\t\t\t\t\t{$menuHtml}\r\n\t\t\t\t\t</div>\r\n\t\t\t\t</div>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_body\" style=\"width:75%;float:right\">\r\n\r\n\t\t\t\t{$pPage['body']}\r\n\t\t\t\t<br />\r\n\t\t\t\t<br />\r\n\t\t\t\t{$messagesHtml}\r\n\t\t\t\t{$systemInfoHtml}\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div class=\"clear\">\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"footer\">\r\n\r\n\t\t\t\t<p>WooYun DVWA v" . dvwaVersionGet() . "</p>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t</div>\r\n\r\n\t</body>\r\n\r\n</html>"; }
<?php define('DVWA_WEB_PAGE_TO_ROOT', '../../'); require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php'; dvwaPageStartup(array('authenticated', 'phpids')); $page = dvwaPageNewGrab(); $page['title'] .= $page['title_separator'] . 'Work'; $page['page_id'] = 'work'; if (!dvwaIfWork()) { exit; } dvwaDatabaseConnect(); $user = dvwaCurrentUser(); $html = ''; if (isset($_GET['act']) && $_GET['act'] == 'detail') { $date = $_GET['date']; $author = $_GET['user']; if ($user == "admin") { $sql = "select * from report where date='{$date}' and name='{$author}'"; } else { $sql = "select * from report where name='{$user}' and date='{$date}'"; } #echo $sql; $result = mysql_query($sql); $num = mysql_numrows($result); if ($num > 0) { $date = mysql_result($result, 0, "date"); $name = mysql_result($result, 0, "name"); $report = mysql_result($result, 0, "report"); } /*
$pass_new = $_GET['password_new']; $pass_conf = $_GET['password_conf']; // Sanitise current password input $pass_curr = stripslashes($pass_curr); $pass_curr = mysql_real_escape_string($pass_curr); $pass_curr = md5($pass_curr); // Check that the current password is correct $data = $db->prepare('SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;'); $data->bindParam(':user', dvwaCurrentUser(), PDO::PARAM_STR); $data->bindParam(':password', $pass_curr, PDO::PARAM_STR); $data->execute(); // Do both new passwords match and does the current password match the user? if ($pass_new == $pass_conf && $data->rowCount() == 1) { // It does! $pass_new = stripslashes($pass_new); $pass_new = mysql_real_escape_string($pass_new); $pass_new = md5($pass_new); // Update database with new password $data = $db->prepare('UPDATE users SET password = (:password) WHERE user = (:user);'); $data->bindParam(':password', $pass_new, PDO::PARAM_STR); $data->bindParam(':user', dvwaCurrentUser(), PDO::PARAM_STR); $data->execute(); // Feedback for the user $html .= "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching $html .= "<pre>Passwords did not match or current password incorrect.</pre>"; } } // Generate Anti-CSRF token generateSessionToken();
function dvwaHtmlEcho($pPage) { $menuBlocks = array(); $menuBlocks['home'] = array(); $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); $menuBlocks['vulnerabilities'] = array(); $menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Execution', 'url' => 'vulnerabilities/exec/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.'); #$menuBlocks['vulnerabilities'][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' ); $menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'Upload', 'url' => 'vulnerabilities/upload/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS reflected', 'url' => 'vulnerabilities/xss_r/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS stored', 'url' => 'vulnerabilities/xss_s/.'); if (dvwaIfWork()) { $menuBlocks['vulnerabilities'][] = array('id' => 'vulns', 'name' => 'Vulns', 'url' => 'vulnerabilities/vulns/.'); $menuBlocks['vulnerabilities'][] = array('id' => 'work', 'name' => 'Work', 'url' => 'vulnerabilities/work/.'); } if (dvwaIsCtf()) { $menuBlocks['vulnerabilities'][] = array('id' => 'ctf', 'name' => 'CTF', 'url' => 'vulnerabilities/ctf/?pid=1'); $menuBlocks['vulnerabilities'][] = array('id' => 'submit', 'name' => 'Submit', 'url' => 'vulnerabilities/ctf/?pid=submit'); $menuBlocks['vulnerabilities'][] = array('id' => 'score', 'name' => 'Score', 'url' => 'vulnerabilities/ctf/?pid=score&name=' . dvwaCurrentUser()); } if (xlabisadmin()) { $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup', 'url' => 'setup.php'); $menuBlocks['home'][] = array('id' => 'admin', 'name' => 'Admin', 'url' => 'vulnerabilities/admin/.'); $menuBlocks['home'][] = array('id' => 'manager', 'name' => 'Manager', 'url' => 'vulnerabilities/admin/manager.php'); } $menuBlocks['meta'] = array(); $menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php'); $menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php'); $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php'); $menuBlocks['logout'] = array(); $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php'); $menuHtml = ''; foreach ($menuBlocks as $menuBlock) { $menuBlockHtml = ''; foreach ($menuBlock as $menuItem) { $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url']; $menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>"; } $menuHtml .= "<ul>{$menuBlockHtml}</ul>"; } // Get security cookie -- $securityLevelHtml = dvwaIsCtf() ? 'CTF' : dvwaSecurityLevelGet(); // -- END $phpIdsHtml = '<b>PHPIDS:</b> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled'); $userInfoHtml = '<b>Username:</b> ' . dvwaCurrentUser(); $AppModel = '<b>AppModel:</b> ' . dvwaGetModel(); $messagesHtml = messagesPopAllToHtml(); if ($messagesHtml) { $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>"; } $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br />{$AppModel}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>"; if ($pPage['source_button'] && !dvwaIsCtf()) { $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}"; } if ($pPage['help_button'] && !dvwaIsCtf()) { $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}"; } if (dvwaIsCtf()) { $addr = xlabGetLocation(); $systemInfoHtml = "<label for=\"QNUM\">CTF Numbers:</label><form action=\"{$addr}/vulnerabilities/ctf/\" method=\"GET\">" . dvwaGetlist() . "<input type=\"submit\" name=\"select\" value='select'>\n\t\t</form>" . "{$systemInfoHtml}"; $value = (isset($_GET['pid']) and is_numeric($_GET['pid'])) ? $_GET['pid'] : '1'; $ctfselect = xlabGetJs(xlabJqSelect("ctf_select", $value)); #$ctfselect="<script>document.getElementById('ctf_select').options[5].setAttribute('selected', 'selected');</script>"; } // Send Headers + main HTML code Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past echo "\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>{$pPage['title']}</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\n\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\n\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\n\n\t</head>\n\n\t<body class=\"home\">\n\t\t<div id=\"container\">\n\n\t\t\t<div id=\"header\">\n\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web App\" />\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_menu\">\n\n\t\t\t\t<div id=\"main_menu_padded\">\n\t\t\t\t{$menuHtml}\n\t\t\t\t</div>\n\n\t\t\t</div>\n\n\t\t\t<div id=\"main_body\">\n\t\t\t\t<script src='../../dvwa/js/jquery.js' type='text/javascript' charset='utf-8'></script>\n\t\t\t\t{$pPage['body']}\n\t\t\t\n\t\t\t\t<br />\n\t\t\t\t<br />\n\t\t\t\t{$messagesHtml}\n\n\t\t\t</div>\n\n\t\t\t<div class=\"clear\">\n\t\t\t</div>\n\n\t\t\t<div id=\"system_info\">\n\t\t\t\t{$systemInfoHtml}\n\t\t\t</div>\n\n\t\t\t<div id=\"footer\">\n\t\t\t\t{$ctfselect}\n\t\t\t\t<p>HTJC SeclabX ASystem (XlabAS) v" . dvwaVersionGet() . "</p>\n\n\t\t\t</div>\n\n\t\t</div>\n\n\t</body>\n\n</html>"; }
<?php if (isset($_GET['Change'])) { // Turn requests into variables $pass_curr = $_GET['password_current']; $pass_new = $_GET['password_new']; $pass_conf = $_GET['password_conf']; // Sanitise current password input $pass_curr = stripslashes($pass_curr); $pass_curr = mysql_real_escape_string($pass_curr); $pass_curr = md5($pass_curr); // Check that the current password is correct $query = "SELECT password FROM `users` WHERE user='******' AND password='******';"; $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>'); if ($pass_new == $pass_conf && ($result && mysql_num_rows($result) == 1)) { $pass_new = mysql_real_escape_string($pass_new); $pass_new = md5($pass_new); $insert = "UPDATE `users` SET password = '******' WHERE user = '******';"; $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>'); $html .= "<pre>Password Changed.</pre>"; mysql_close(); } else { $html .= "<pre>Passwords did not match or current password incorrect.</pre>"; } }