function dvwaPageStartup($pActions) { if (in_array('authenticated', $pActions)) { if (!dvwaIsLoggedIn()) { dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'login.php'); } } if (in_array('phpids', $pActions)) { if (dvwaPhpIdsIsEnabled()) { dvwaPhpIdsTrap(); } } }
function dvwaPageStartup($pActions) { if (in_array('authenticated', $pActions)) { if (!dvwaIsLoggedIn()) { dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'login.php'); } } if (in_array('phpids', $pActions)) { if (dvwaPhpIdsIsEnabled()) { dvwaPhpIdsTrap(); } } if (in_array('admin', $pActions)) { if (!xlabisadmin()) { dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'login.php'); } } $setuser = xlabGetSqli('setuser', $_REQUEST); if (dvwaGetuser() == "admin" && !empty($setuser)) { $dvwasession =& dvwaSessionGrab(); $dvwasession['username'] = $setuser; } }
<?php const DVWA_WEB_PAGE_TO_ROOT = ''; require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php'; dvwaPageStartup(array('phpids')); if (!dvwaIsLoggedIn()) { // The user shouldn't even be on this page //dvwaMessagePush( "You were not logged in" ); dvwaRedirect('login.php'); } dvwaLogout(); dvwaMessagePush("You have logged out"); dvwaRedirect('login.php');
function dvwaHtmlEcho($pPage) { $menuBlocks = array(); $menuBlocks['home'] = array(); if (dvwaIsLoggedIn()) { $menuBlocks['home'][] = array('id' => 'home', 'name' => 'Home', 'url' => '.'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup / Reset DB', 'url' => 'setup.php'); } else { $menuBlocks['home'][] = array('id' => 'setup', 'name' => 'Setup DVWA', 'url' => 'setup.php'); $menuBlocks['home'][] = array('id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php'); } if (dvwaIsLoggedIn()) { $menuBlocks['vulnerabilities'] = array(); $menuBlocks['vulnerabilities'][] = array('id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/'); $menuBlocks['vulnerabilities'][] = array('id' => 'exec', 'name' => 'Command Injection', 'url' => 'vulnerabilities/exec/'); $menuBlocks['vulnerabilities'][] = array('id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/'); $menuBlocks['vulnerabilities'][] = array('id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php'); $menuBlocks['vulnerabilities'][] = array('id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/'); $menuBlocks['vulnerabilities'][] = array('id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/'); $menuBlocks['vulnerabilities'][] = array('id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/'); $menuBlocks['vulnerabilities'][] = array('id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/'); } $menuBlocks['meta'] = array(); if (dvwaIsLoggedIn()) { $menuBlocks['meta'][] = array('id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php'); $menuBlocks['meta'][] = array('id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php'); } $menuBlocks['meta'][] = array('id' => 'about', 'name' => 'About', 'url' => 'about.php'); if (dvwaIsLoggedIn()) { $menuBlocks['logout'] = array(); $menuBlocks['logout'][] = array('id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php'); } $menuHtml = ''; foreach ($menuBlocks as $menuBlock) { $menuBlockHtml = ''; foreach ($menuBlock as $menuItem) { $selectedClass = $menuItem['id'] == $pPage['page_id'] ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT . $menuItem['url']; $menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem['name']}</a></li>\n"; } $menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>"; } // Get security cookie -- $securityLevelHtml = ''; switch (dvwaSecurityLevelGet()) { case 'low': $securityLevelHtml = 'low'; break; case 'medium': $securityLevelHtml = 'medium'; break; case 'high': $securityLevelHtml = 'high'; break; default: $securityLevelHtml = 'impossible'; break; } // -- END (security cookie) $phpIdsHtml = '<em>PHPIDS:</em> ' . (dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled'); $userInfoHtml = '<em>Username:</em> ' . dvwaCurrentUser(); $messagesHtml = messagesPopAllToHtml(); if ($messagesHtml) { $messagesHtml = "<div class=\"body_padded\">{$messagesHtml}</div>"; } $systemInfoHtml = ""; if (dvwaIsLoggedIn()) { $systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><em>Security Level:</em> {$securityLevelHtml}<br />{$phpIdsHtml}</div>"; } if ($pPage['source_button']) { $systemInfoHtml = dvwaButtonSourceHtmlGet($pPage['source_button']) . " {$systemInfoHtml}"; } if ($pPage['help_button']) { $systemInfoHtml = dvwaButtonHelpHtmlGet($pPage['help_button']) . " {$systemInfoHtml}"; } // Send Headers + main HTML code Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header('Expires: Tue, 23 Jun 2009 12:00:00 GMT'); // Date in the past echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>{$pPage['title']}</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/main.css\" />\r\n\r\n\t\t<link rel=\"icon\" type=\"\\image/ico\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "favicon.ico\" />\r\n\r\n\t\t<script type=\"text/javascript\" src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/dvwaPage.js\"></script>\r\n\r\n\t</head>\r\n\r\n\t<body class=\"home\">\r\n\t\t<div id=\"container\">\r\n\r\n\t\t\t<div id=\"header\">\r\n\r\n\t\t\t\t<img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/logo.png\" alt=\"Damn Vulnerable Web Application\" />\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_menu\">\r\n\r\n\t\t\t\t<div id=\"main_menu_padded\">\r\n\t\t\t\t{$menuHtml}\r\n\t\t\t\t</div>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"main_body\">\r\n\r\n\t\t\t\t{$pPage['body']}\r\n\t\t\t\t<br /><br />\r\n\t\t\t\t{$messagesHtml}\r\n\r\n\t\t\t</div>\r\n\r\n\t\t\t<div class=\"clear\">\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"system_info\">\r\n\t\t\t\t{$systemInfoHtml}\r\n\t\t\t</div>\r\n\r\n\t\t\t<div id=\"footer\">\r\n\r\n\t\t\t\t<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>\r\n\r\n\t\t\t</div>\r\n\r\n\t\t</div>\r\n\r\n\t</body>\r\n\r\n</html>"; }