// Tail of the "submit vulns" POST handler: the `if` that opens it (and the
// assignments of $vname/$site/$vdesc) sits above this excerpt, so the lone
// `}` after dvwaRedirect() below closes that outer block.
//
// 'all' is a value of the search-list risk selector (see the second form below);
// it is not a valid row value, so an insert with 'all' is downgraded to 'low'.
// Loose `==` is used throughout this file (PHP 5 era code, see mysql_*).
$risk = $risk == 'all' ? 'low' : $risk;
if ($vname == '' or $site == '' or $vdesc == '') {
    $html = "submit vulns fail!!!";
    dvwaMessagePush($html);
} else {
    $user = dvwaCurrentUser();
    // Per-day serial: read today's highest serial and add one. There is no lock
    // or transaction between this select and the insert below, so two
    // concurrent submissions can be assigned the same serial/vid.
    $result = mysql_query("select serial from vulns where date=date(now()) order by serial desc;");
    // mysql_numrows() is the legacy alias of mysql_num_rows(); the whole mysql_*
    // extension was removed in PHP 7.0, so this page only runs on PHP 5.x.
    $num = mysql_numrows($result);
    if ($num > 0) {
        $serial = mysql_result($result, 0, "serial") + 1;
    } else {
        $serial = 1;
    }
    // Generated id: fixed prefix + YYYYMMDD + two-digit serial, e.g. HTJC-SL20240101-03 (constructed example).
    $sserial = sprintf("%02d", $serial);
    $vid = "HTJC-SL" . date('Ymd') . "-" . $sserial;
    // Config mode '2' lets the client choose the vid. Note that $_POST['vid'] is
    // taken raw — it does not go through xlabGetSqli() like the other fields —
    // and is then interpolated into the INSERT (SQL injection) and later echoed
    // by the listing (stored XSS). This file lives under vulnerabilities/, so the
    // weakness is presumably the intended lab target; do not reuse this pattern.
    if ($dvwaSession['config']['vid'] == '2' && isset($_POST['vid'])) {
        $vid = $_POST['vid'];
    }
    // All eight columns are positional (no column list): the statement breaks
    // silently if the vulns table layout changes.
    $sql = "insert into vulns values('{$vid}',now(),'{$serial}','{$user}','{$site}','{$vname}','{$vdesc}','{$risk}')";
    dvwadebug($sql);
    // On failure the raw MySQL error text is sent to the browser (information leak).
    mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');
    // Unlike the failure branch, this message is not pushed via dvwaMessagePush();
    // if dvwaRedirect() terminates the request (as a redirect helper normally
    // does — confirm), the {$html} slot in the page body below never shows it.
    $html = "submit vulns successful!!!";
}
dvwaRedirect("{$_DVWA['location']}/vulnerabilities/vulns/");
}
// Extra "Vid" input is rendered only when the client-chosen-vid mode is enabled.
$inputvid = "";
if ($dvwaSession['config']['vid'] == '2') {
    $inputvid = "<td width=\"100\">Vid *</td> <td>\n\t\t<input name=\"vid\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>";
}
// Page body: the submit form, then the search form and result table.
// $name, $key, $from, $to and $html are defined outside this excerpt and are
// interpolated into attribute values / markup without HTML escaping — if they
// echo request parameters (likely, given the matching input names), this is a
// reflected XSS sink. getvulns() output is inserted as-is as well.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>Vulnerability Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Submit Vulns:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t{$inputvid}\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Risk *</td> <td>" . xlabGetRisklist('low') . "\n\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Site *</td> <td>\n\t\t<input name=\"site\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<textarea name=\"desc\" cols=\"50\" rows=\"3\" ></textarea></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"Submit Vulns\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t<div class=\"vulnerable_code_area\">\n\t<h3>Yous Vulns:</h3>\n\t<form action='#' method='POST'>\n\tName: <input type=text name=name value='{$name}'> \n\tSiteKey: <input type=text name=key value='{$key}'></br></br>\n\tFrom:<input type=text name=from value='{$from}'> \n\tTO:<input type=text name=to value='{$to}'></br></br>\n\tRisk:" . xlabGetRisklist() . " \n\t<input type='submit' name='Submit' value=\"Search\">\n\t</form></br>\n\t<table border=1 width=100%>\n\t<tr>\n\t<th>vid</th><th>author</th><th>name</th><th>risk</th><th>action</th>\n\t</tr>" . getvulns() . "\n\t</table>\n\t</div>\n\t{$html}\n</div>\n";
dvwaHtmlEcho($page);
// "updata" (update) handler for a single vuln record.
// $user and $html are expected to be set before this excerpt; neither is
// initialised here, so `$html .=` below may raise a notice when $html is unset.
if (isset($_POST['submit']) && $_POST['submit'] == 'updata') {
    #dvwadebug();
    // xlabGetSqli() is the level-dependent SQL filter used for every field
    // here; its exact escaping is defined elsewhere — it is NOT HTML escaping,
    // which matters for the form rendered below.
    $vid = xlabGetSqli('vid', $_POST);
    $site = xlabGetSqli('site', $_POST);
    $vname = xlabGetSqli('name', $_POST);
    $vdesc = xlabGetSqli('desc', $_POST);
    $author = xlabGetSqli('author', $_POST);
    $risk = xlabGetSqli('risk', $_POST);
    // Admin may edit any record, including its author. Note the admin check
    // here is a string compare on $user while the form below uses xlabisadmin();
    // keeping both in sync is the caller's responsibility.
    if ($user == "admin") {
        $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',author='{$author}',risk='{$risk}' where vid='{$vid}'";
    } else {
        // Ownership check, then an update that re-asserts ownership in its WHERE
        // clause (so a race between the two queries cannot widen access).
        $sql = "select vid from vulns where author='{$user}' and vid='{$vid}'";
        if (mysql_num_rows(mysql_query($sql)) < 1) {
            // Denied: $sql is blanked so the query below fails deliberately and
            // the message becomes "Can't access updata fail!!!".
            $html = "Can't access ";
            $sql = '';
        } else {
            $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',risk='{$risk}' where author='{$user}' and vid='{$vid}'";
        }
    }
    dvwadebug($sql);
    // `@` hides the warning for the empty-query (denied) case and for real DB
    // errors alike; mysql_error() is never reported to the log.
    $result = @mysql_query($sql);
    if ($result) {
        $html .= "updata sussfully!!!";
    } else {
        $html .= "updata fail!!!";
    }
}
// Client-side only: non-admins get a readonly vid field. Because "\\'" in a
// double-quoted string yields a literal backslash, the emitted markup is
// `readonly=\'readonly\'`; browsers still honour the attribute by presence.
// Server-side, the ownership check above is what actually restricts edits.
$readonly = xlabisadmin() ? "" : "readonly=\\'readonly\\'";
// Author field is shown to admins only. value={$author} is unquoted and
// unescaped (same for vid/name/site/desc below): a value with a space breaks
// the attribute, and one containing '>' or quotes is an HTML injection point
// unless xlabGetSqli() strips it — confirm. On a plain GET these variables are
// whatever the code above this excerpt assigned.
$modifiauthor = xlabisadmin() ? "\n\t\t<tr>\n\t\t<td width=\"100\">Author *</td> <td>\n\t\t<input name=\"author\" type=\"text\" size=\"50\" value={$author}></td>\n\t\t</tr>" : "";
// Edit form. Markup note: the "Risk *" cell follows a </tr> with no opening
// <tr>, so that row relies on browser error recovery.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>Vulnerability Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Submit Vulns:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Vid *</td> <td>\n\t\t<input name=\"vid\" type=\"text\" size=\"50\" {$readonly} value={$vid}></td>\n\t\t</tr>\n\t\t<td width=\"100\">Risk *</td> <td>" . xlabGetRisklist($risk) . "\n\t\t{$modifiauthor}\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" value={$vname}></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Site *</td> <td>\n\t\t<input name=\"site\" type=\"text\" size=\"50\" value={$site}></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<textarea name=\"desc\" cols=\"50\" rows=\"3\" >{$vdesc}</textarea></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"updata\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\n\t\t{$html}\n\n\t</div>\n\t\n</div>\n";
dvwaHtmlEcho($page);