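/**
 * Truncate the PHPIDS log when the request carries a `clear_log` query parameter.
 *
 * Only the presence of $_GET['clear_log'] is tested; its value is ignored. The file named by
 * DVWA_WEB_PAGE_TO_PHPIDS_LOG is opened in write mode (which empties it), a status message is
 * queued and the page is reloaded.
 *
 * NOTE(review): this is a state-changing action triggered by a GET parameter, and no anti-CSRF
 * token or privilege check is visible in this function. The file being emptied is the IDS
 * audit trail, so confirm that the caller enforces both.
 */
function dvwaClearIdsLog()
{
    if (!isset($_GET['clear_log'])) {
        return;
    }

    // The mode has to be the string 'w'. A bare w is an undefined constant: a notice on old
    // runtimes and a fatal Error on PHP 8.
    $fp = fopen(DVWA_WEB_PAGE_TO_PHPIDS_LOG, 'w');
    if ($fp === false) {
        // Do not report success, and do not hand false to fclose(), when the log cannot be opened.
        dvwaMessagePush("PHPIDS log could not be cleared");
        dvwaPageReload();
        return;
    }
    fclose($fp);

    dvwaMessagePush("PHPIDS log cleared");
    dvwaPageReload();
}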
/**
 * Run the login query against PostgreSQL and, when exactly one row matches, sign the user in.
 *
 * On a query failure the request ends with the driver error wrapped in <pre>. On a single-row
 * match a confirmation message is queued, dvwaLogin() is called and the browser is sent to
 * index.php. Any other row count falls through without side effects.
 *
 * NOTE(review): the query text is masked ("******") in this listing, and neither $user nor
 * $pass is referenced by it as shown, so how the credentials reach the query cannot be
 * reviewed from here.
 * NOTE(review): pg_last_error() is sent to the client verbatim, which discloses schema and
 * driver detail to an unauthenticated visitor.
 * NOTE(review): $user is concatenated into the message unencoded; confirm that the message
 * renderer HTML-encodes it.
 *
 * @param string $user Username as supplied by the caller.
 * @param string $pass Password as supplied by the caller (unused in the visible body).
 */
function db_login($user, $pass)
{
    $login = "******";

    // '@' hides the driver warning; the failure is surfaced through die() instead.
    $result = @pg_query($login);
    if (!$result) {
        die('<pre>' . pg_last_error() . '</pre>');
    }

    // Anything other than exactly one matching row is treated as "not logged in".
    if (pg_num_rows($result) != 1) {
        return;
    }

    dvwaMessagePush("You have logged in as '" . $user . "'");
    dvwaLogin($user);
    dvwaRedirect('index.php');
}
// Registration page: handles the "reg" form post, then renders the sign-up form.
dvwaGetconfig();
#dvwadebug();

if (isset($_POST['reg'])) {
    // Username: trimmed, un-slashed, then escaped for use inside a quoted SQL literal.
    $user = trim($_POST['username']);
    $user = stripslashes($user);
    $user = mysql_real_escape_string($user);

    // NOTE(review): the password is SQL-escaped before hashing, so the escaped form of the
    // input is what gets hashed. Escaping is unnecessary for a value that only ever reaches
    // the query as a hex digest.
    $pass = trim($_POST['password']);
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);

    // NOTE(review): MD5 is a fast, unsalted digest and is not suitable for password storage;
    // a dedicated password-hashing function is the usual replacement.
    $pass_md5 = md5($pass);

    // The same escaped username fills three columns; the first column is left as ''.
    // Values are interpolated into the statement rather than bound as parameters.
    $insert_md5 = "insert into users values ('','{$user}','{$user}','{$user}','{$pass_md5}','dvwa/hackable/users/gordonb.jpg')";

    // The confirmation check compares the raw POST values with a loose '=='.
    if ($user != '' and $pass != '' and $_POST['password'] == $_POST['password2']) {
        // Login Successful...
        // NOTE(review): the raw mysql_error() text is echoed to the client on failure.
        $result_md5 = @mysql_query($insert_md5) or die('<pre>' . mysql_error() . '</br>insert fail,again!!</pre>');

        // NOTE(review): this redirect precedes the message push and dvwaLogin(). If
        // dvwaRedirect() ends the request (not visible here), the three calls below never
        // run. Confirm the intended order.
        dvwaRedirect('index.php');
        dvwaMessagePush("You have reg succfully for '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('login.php');
    }

    // Login failed
    dvwaMessagePush("reg failed");
    dvwaRedirect('reg.php');
}

// Queued messages are rendered to HTML by a helper that is not visible here.
// NOTE(review): one of the messages above embeds the submitted username, so that helper or
// dvwaMessagePush() must HTML-encode it. Verify.
$messagesHtml = messagesPopAllToHtml();

Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past

// NOTE(review): the form below carries no anti-CSRF token field.
echo "\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>XLABAS - REG</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\n\n\t</head>\n\n\t<body>\n\n\t<div align=\"center\">\n\t\n\t<br />\n\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT .
"dvwa/images/login_logo.png\" /></p>\n\n\t<br />\n\t\n\t<form action=\"reg.php\" method=\"post\">\n\t\n\t<fieldset>\n\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\n\t\n\t\t\t\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\n\t\t\t\n\t\t\t<label for=\"pass\">Password2</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password2\"><br />\n\t\t\t\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Reg\" name=\"reg\"></p>\n\n\t</fieldset>\n\n\t</form>\n\n\t\n\t<br />\n\n\t{$messagesHtml}\n\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\t\n\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\n\t\n\t<p>Damn HTJC SeclabX ASystem (XlabAS) is a RandomStorm OpenSource project</p>\n\t\n\t</div> <!-- end align div -->\n\n\t</body>\n\n</html>\n";
// Login page: authenticates the "Login" form post, then renders the login form.
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup(array('phpids'));
dvwaDatabaseConnect();

if (isset($_POST['Login'])) {
    // Username: un-slashed, then escaped for use inside a quoted SQL literal.
    $user = $_POST['username'];
    $user = stripslashes($user);
    $user = mysql_real_escape_string($user);

    // NOTE(review): the password is SQL-escaped before hashing, so the escaped form is what
    // gets hashed. MD5 is a fast, unsalted digest and is not suitable for password storage.
    $pass = $_POST['password'];
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);

    // NOTE(review): the two compared values are masked ("******") in this listing, so how
    // $user and $pass enter the statement cannot be reviewed from here.
    $qry = "SELECT * FROM `users` WHERE user='******' AND password='******';";

    // NOTE(review): the raw mysql_error() text is echoed to the client on failure, which
    // discloses database detail to an unauthenticated visitor.
    $result = @mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');

    // Exactly one matching row counts as a successful login.
    if ($result && mysql_num_rows($result) == 1) {
        // Login Successful...
        dvwaMessagePush("You have logged in as '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('index.php');
    }

    // Login failed
    // The failure message is the same whichever field was wrong. No attempt limiting or
    // lockout is visible in this block.
    dvwaMessagePush("Login failed");
    dvwaRedirect('login.php');
}

// NOTE(review): a queued message can embed the submitted username, so the renderer or
// dvwaMessagePush() must HTML-encode it. Neither is visible here; verify.
$messagesHtml = messagesPopAllToHtml();

Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past

// NOTE(review): the form below carries no anti-CSRF token field.
echo "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Damn Vulnerable Web App (DVWA) - Login</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div align=\"center\">\r\n\t\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT .
"dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\t\r\n\t<form action=\"login.php\" method=\"post\">\r\n\t\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\t\r\n\t\t\t\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t</form>\r\n\r\n\t\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\t\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t\r\n\t<p>Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project</p>\r\n\t\r\n\t</div> <!-- end align div -->\r\n\r\n\t</body>\r\n\r\n</html>\r\n";
$pass = stripslashes($pass); $pass = mysql_real_escape_string($pass); $pass = md5($pass); $query = "SELECT table_schema, table_name, create_time\r\n\t\t\t\tFROM information_schema.tables\r\n\t\t\t\tWHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'\r\n\t\t\t\tLIMIT 1"; $result = @mysql_query($query); if (mysql_num_rows($result) != 1) { dvwaMessagePush("First time using DVWA.<br />Need to run 'setup.php'."); dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'setup.php'); } $query = "SELECT * FROM `users` WHERE user='******' AND password='******';"; $result = @mysql_query($query) or die('<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>'); if ($result && mysql_num_rows($result) == 1) { // Login Successful... dvwaMessagePush("You have logged in as '{$user}'"); dvwaLogin($user); dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'index.php'); } // Login failed dvwaMessagePush('Login failed'); dvwaRedirect('login.php'); } $messagesHtml = messagesPopAllToHtml(); Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers... Header('Expires: Tue, 23 Jun 2009 12:00:00 GMT'); // Date in the past // Anti-CSRF generateSessionToken(); echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Login :: Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div id=\"wrapper\">\r\n\r\n\t<div id=\"header\">\r\n\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . 
"dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\r\n\t</div> <!--<div id=\"header\">-->\r\n\r\n\t<div id=\"content\">\r\n\r\n\t<form action=\"login.php\" method=\"post\">\r\n\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\r\n\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\r\n\t\t\t<br />\r\n\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t" . tokenField() . "\r\n\r\n\t</form>\r\n\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t</div > <!--<div id=\"content\">-->\r\n\r\n\t<div id=\"footer\">\r\n\r\n\t<p>" . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)') . " is a RandomStorm OpenSource project.</p>\r\n\r\n\t</div> <!--<div id=\"footer\"> -->\r\n\r\n\t</div> <!--<div id=\"wrapper\"> -->\r\n\r\n\t</body>\r\n\r\n</html>";
<?php

// Logout endpoint: ends the current session and sends the browser back to the login page.
//
// NOTE(review): logout runs on any request to this script. No anti-CSRF token is checked in
// the visible code, so a cross-site request can sign a user out. Low impact, but worth
// knowing.
const DVWA_WEB_PAGE_TO_ROOT = '';

require_once(DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php');

dvwaPageStartup(array('phpids'));

// A visitor without a session has nothing to log out of; bounce them to the login form.
// NOTE(review): whether the statements below are skipped in that case depends on
// dvwaRedirect() ending the request, which is not visible here.
if (dvwaIsLoggedIn() == false) {
    dvwaRedirect('login.php');
}

dvwaLogout();
dvwaMessagePush('You have logged out');
dvwaRedirect('login.php');
<?php

// Setup page: shows an environment check and, on the "create_db" post, loads the
// backend-specific script that creates or resets the database.
//
// NOTE(review): no dvwaIsLoggedIn() check is visible in this script, so the reset action
// appears to be protected only by the anti-CSRF token below. Confirm whether that is intended
// for the deployment.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['title'] = 'Setup' . $page['title_separator'] . $page['title'];
$page['page_id'] = 'setup';

if (isset($_POST['create_db'])) {
    // Anti-CSRF
    // The submitted token is read from $_REQUEST (so a query-string or cookie value is also
    // accepted) and compared with the token stored in the session.
    checkToken($_REQUEST['user_token'], $_SESSION['session_token'], 'setup.php');

    // $DBMS is defined elsewhere (presumably the config file). The include paths are
    // constants, not request data.
    if ($DBMS == 'MySQL') {
        include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
    } elseif ($DBMS == 'PGSQL') {
        // include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/PGSQL.php';
        dvwaMessagePush('PostgreSQL is not yet fully supported.');
        dvwaPageReload();
    } else {
        dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
        dvwaPageReload();
    }
}

// Anti-CSRF
// A fresh token is issued for the form rendered below.
generateSessionToken();

// NOTE(review): the body prints the absolute path of config.inc.php, the PHP version and a
// series of status variables ({$MYSQL_USER}, {$MYSQL_PASS}, ...) whose contents are built
// elsewhere. Check that none of them reveals secrets to a visitor who is not logged in. The
// text also states the default administrator credentials.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>\n\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />\n\tIf you get an error make sure you have the correct user credentials in: <em>" . realpath(getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php") . "</em></p>\n\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\n\t<hr />\n\t<br />\n\n\t<h2>Setup Check</h2>\n\n\t{$DVWAOS}<br />\n\tBackend database: <em>{$DBMS}</em><br />\n\tPHP version: <em>" . phpversion() .
"</em><br />\n\t<br />\n\t{$SERVER_NAME}<br />\n\t<br />\n\t{$phpDisplayErrors}<br />\n\t{$phpSafeMode}<br/ >\n\t{$phpURLInclude}<br/ >\n\t{$phpURLFopen}<br />\n\t{$phpMagicQuotes}<br />\n\t{$phpGD}<br />\n\t{$phpMySQL}<br />\n\t{$phpPDO}<br />\n\t<br />\n\t{$MYSQL_USER}<br />\n\t{$MYSQL_PASS}<br />\n\t{$MYSQL_DB}<br />\n\t{$MYSQL_SERVER}<br />\n\t<br />\n\t{$DVWARecaptcha}<br />\n\t<br />\n\t{$DVWAUploadsWrite}<br />\n\t{$DVWAPHPWrite}<br />\n\t<br />\n\t<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />\n\t<br /><br /><br />\n\n\t<!-- Create db button -->\n\t<form action=\"#\" method=\"post\">\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\n\t\t" . tokenField() . "\n\t</form>\n\t<br />\n\t<hr />\n</div>";

dvwaHtmlEcho($page);
/**
 * Open the database connections for the backend named by the global $DBMS.
 *
 * MySQL: connects and selects the schema through the legacy mysql_* API, then creates a PDO
 * handle in the global $db with exceptions enabled and emulated prepares switched off, so
 * statements are prepared by the server. When the legacy connect or select fails, the
 * configured connection error is queued and the browser is sent to setup.php.
 * PGSQL: not implemented; a notice is queued and the page reloads.
 * Any other value ends the request with a fixed message.
 *
 * NOTE(review): whether the PDO handle is still created after a failed legacy connect depends
 * on dvwaRedirect() ending the request, which is not visible here.
 * NOTE(review): the PDO constructor is not wrapped in try/catch. An uncaught PDOException
 * would surface connection detail to the visitor if error display is enabled.
 */
function dvwaDatabaseConnect()
{
    global $_DVWA, $DBMS, $DBMS_connError, $db;

    switch ($DBMS) {
        case 'MySQL':
            // Legacy connection; '@' hides the driver warnings and the error is reported below.
            $legacyReady = @mysql_connect($_DVWA['db_server'], $_DVWA['db_user'], $_DVWA['db_password'])
                && @mysql_select_db($_DVWA['db_database']);
            if (!$legacyReady) {
                dvwaMessagePush($DBMS_connError);
                dvwaRedirect('setup.php');
            }

            // PDO handle for the code paths that use prepared statements (high levels).
            $dsn = "mysql:host={$_DVWA['db_server']};dbname={$_DVWA['db_database']};charset=utf8";
            $db = new PDO($dsn, $_DVWA['db_user'], $_DVWA['db_password']);
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            break;

        case 'PGSQL':
            // The pg_connect() call is disabled in the original; only the notice is issued.
            dvwaMessagePush('PostgreSQL is not yet fully supported.');
            dvwaPageReload();
            break;

        default:
            die('Unknown $DBMS selected');
    }
}
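/**
 * Validate an anti-CSRF token against the one stored in the session.
 *
 * The token is accepted only when both values are strings, the session token is non-empty and
 * the two are equal. Requiring a non-empty session token closes the case where a missing or
 * blank session token matches a blank submitted one. The comparison is constant-time where
 * the runtime provides hash_equals().
 *
 * On rejection a message is queued and dvwaRedirect($returnURL) is called.
 * NOTE(review): this function does not itself stop the caller. Whether the protected action
 * is skipped depends on dvwaRedirect() ending the request, which is not visible here.
 *
 * @param mixed  $user_token    Token submitted with the request.
 * @param mixed  $session_token Token stored server-side for this session.
 * @param string $returnURL     Where to send the browser when the token is rejected.
 */
function checkToken($user_token, $session_token, $returnURL)
{
    # Validate the given (CSRF) token
    $valid = is_string($user_token) && is_string($session_token) && $session_token !== '';

    if ($valid) {
        // hash_equals() avoids leaking the match position through timing; fall back to a
        // strict comparison on runtimes that predate it.
        $valid = function_exists('hash_equals')
            ? hash_equals($session_token, $user_token)
            : $user_token === $session_token;
    }

    if (!$valid) {
        dvwaMessagePush('CSRF token is incorrect');
        dvwaRedirect($returnURL);
    }
}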
$result = @mysql_query($sql); if ($result) { $html .= "delete sussfully!!!"; } else { $html .= "delete fail!!!"; } } if (isset($_POST['submit'])) { $vname = xlabGetSqli('name', $_POST); $site = xlabGetSqli('site', $_POST); $vdesc = xlabGetSqli('desc', $_POST); $risk = xlabGetSqli('risk', $_POST); $risk = $risk == 'all' ? 'low' : $risk; if ($vname == '' or $site == '' or $vdesc == '') { $html = "submit vulns fail!!!"; dvwaMessagePush($html); } else { $user = dvwaCurrentUser(); $result = mysql_query("select serial from vulns where date=date(now()) order by serial desc;"); $num = mysql_numrows($result); if ($num > 0) { $serial = mysql_result($result, 0, "serial") + 1; } else { $serial = 1; } $sserial = sprintf("%02d", $serial); $vid = "HTJC-SL" . date('Ymd') . "-" . $sserial; if ($dvwaSession['config']['vid'] == '2' && isset($_POST['vid'])) { $vid = $_POST['vid']; } $sql = "insert into vulns values('{$vid}',now(),'{$serial}','{$user}','{$site}','{$vname}','{$vdesc}','{$risk}')";
$securityLevel = 'medium'; break; } dvwaSecurityLevelSet($securityLevel); dvwaMessagePush("Security level set to {$securityLevel}"); dvwaPageReload(); } if (isset($_GET['phpids'])) { switch ($_GET['phpids']) { case 'on': dvwaPhpIdsEnabledSet(true); dvwaMessagePush("PHPIDS is now enabled"); break; case 'off': dvwaPhpIdsEnabledSet(false); dvwaMessagePush("PHPIDS is now disabled"); break; } dvwaPageReload(); } $securityOptionsHtml = ''; $securityLevelHtml = ''; foreach (array('low', 'medium', 'high') as $securityLevel) { $selected = ''; if ($securityLevel == dvwaSecurityLevelGet()) { $selected = ' selected="selected"'; $securityLevelHtml = "<p>Security Level is currently <em>{$securityLevel}</em>.<p>"; } $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>{$securityLevel}</option>"; } $phpIdsHtml = 'PHPIDS is currently ';
dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error()); dvwaPageReload(); } dvwaMessagePush("la tabla 'users' ha sido creada."); // Insert some data into users // Get the base directory for the avatar media... $baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . ':8080' . $_SERVER['PHP_SELF']; $stripPos = strpos($baseUrl, 'Cross-Site-Scripting/setup.php'); $baseUrl = substr($baseUrl, 0, $stripPos) . 'Cross-Site-Scripting/hackable/users/'; $insert = "INSERT INTO users VALUES\r\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'),\r\n\t('2','Bolivar','Cortes','Bholy10',MD5('abc123'),'{$baseUrl}gordonb.jpg'),\r\n\t('3','Viviana','Castillo','Vivi',MD5('charley'),'{$baseUrl}1337.jpg'),\r\n\t('4','Samuel','Labrador','Sami',MD5('letmein'),'{$baseUrl}pablo.jpg'),\r\n\t('5','Jose','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');"; if (!mysql_query($insert)) { dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . mysql_error()); dvwaPageReload(); } dvwaMessagePush("Datos insertados en la tabla 'users'."); // Create guestbook table $create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));"; if (!mysql_query($create_tb_guestbook)) { dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error()); dvwaPageReload(); } dvwaMessagePush("la tabla 'guestbook' ha sido creada."); // Insert data into 'guestbook' $insert = "INSERT INTO guestbook VALUES\r\n('1','Esto es un comentario de prueba.','test');"; if (!mysql_query($insert)) { dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . mysql_error()); dvwaPageReload(); } dvwaMessagePush("Datos insertados en la tabla 'guestbook'."); dvwaMessagePush("Setup realizado!"); dvwaPageReload();
<?php

// CTF challenge page 10 (help/source buttons are labelled 'brute'): a login form with a
// check code that releases a flag when fixed credentials are supplied.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 10';
$page['page_id'] = 'ctf';
$page['help_button'] = 'brute';
$page['source_button'] = 'brute';

if (isset($_POST['submit']) and $_POST['submit'] == 'Login') {
    // The check code is verified first by a helper defined elsewhere.
    if (!xlabautocode()) {
        dvwaRedirect("./?pid=10&msg=check code error");
    }

    // NOTE(review): the expected username and password are hard-coded and compared with a
    // loose '!='. They are read from $_REQUEST although the form posts, so query-string and
    // cookie values are accepted too. The two failures return different messages, which tells
    // the visitor which field was wrong. No attempt limiting is visible in this block.
    // NOTE(review): the later checks are only skipped after a failure if dvwaRedirect() ends
    // the request, which is not visible here.
    if ($_REQUEST['username'] != 'super') {
        dvwaRedirect("./?pid=10&msg=uname error");
    }
    if ($_REQUEST['password'] != '1234qwer') {
        dvwaRedirect("./?pid=10&msg=passwd error");
    }

    // On success the flag is loaded and placed in $_GET['msg'] so it is shown as the message.
    require_once '../../hackable/ctf/ctf.php';
    $_GET['msg'] = $FLAG['brute'];
}

// The 'msg' query parameter is passed through xlabGetXss() before being queued for display.
// NOTE(review): that helper is not visible here. Confirm that it HTML-encodes the value,
// since 'msg' is otherwise attacker-supplied text reflected into the page.
dvwaMessagePush(xlabGetXss('msg', $_GET));

// NOTE(review): {$html} is interpolated below but is not assigned anywhere in this block.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>一力降十会</h1>\n\t<div class=\"vulnerable_code_area\">\n\t<form action=\"#\" method=\"POST\">\n\t<label >Username:</label>\n\t<input type=\"text\" name=\"username\"></br></br>\n <label >Password:</label>\n <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password\"><br></br>\n <label >Authcode:</label>\n <input type=\"text\" name=\"authcode\"><br></br>\n <img onclick=newRandImg(); id='randImg' src=../checkcode.php><a<br></br>\n <input type=\"submit\" value=\"Login\" name=\"submit\" onclick='return checkvaild()'>\n </form>\n\t</div>\n{$html}\n<script>\n\tfunction newRandImg(){\n\t\tvar rm= new Date().getTime();\n\t document.getElementById('randImg').src='../checkcode.php?rm='+rm;\n\t document.getElementById('randImg').style.display='inline';\n\t}\n</script>\n</div>\n";
$securityLevel = 'medium'; break; } dvwaSecurityLevelSet($securityLevel); dvwaMessagePush("El nivel de Seguridad configurado a {$securityLevel}"); dvwaPageReload(); } if (isset($_GET['phpids'])) { switch ($_GET['phpids']) { case 'on': dvwaPhpIdsEnabledSet(true); dvwaMessagePush("PHPIDS esta activado"); break; case 'off': dvwaPhpIdsEnabledSet(false); dvwaMessagePush("PHPIDS esta desactivado"); break; } dvwaPageReload(); } $securityOptionsHtml = ''; $securityLevelHtml = ''; foreach (array('low', 'medium', 'high') as $securityLevel) { $selected = ''; if ($securityLevel == dvwaSecurityLevelGet()) { $selected = ' selected="selected"'; $securityLevelHtml = "<p>El nivel de Seguridad actualmente es: <em>{$securityLevel}</em>.<p>"; } $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>{$securityLevel}</option>"; } $phpIdsHtml = 'PHPIDS is currently ';
<?php

// CTF challenge page 11 (help/source buttons are labelled 'audit'): a code-reading exercise.
// The check logic is also printed into the page inside an HTML comment (see the body string
// below), so the visitor is meant to read it.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 11';
$page['page_id'] = 'ctf';
$page['help_button'] = 'audit';
$page['source_button'] = 'audit';

// NOTE(review): with the require below commented out, $FLAG is not defined anywhere in this
// block. It has to come from the including script.
// require_once '../../hackable/ctf/ctf.php';
//cookie: seclab_ctf_11=111111222222333333
//auth=1412148&encode=YzJWamJHRmllRjlqZEdaZk1URT0=

// NOTE(review): $_POST['submit'], the cookie and the other POST fields are read without
// isset(), so a plain GET of this page raises undefined-index notices. Every comparison uses
// a loose '==', which applies PHP's type-juggling rules to numeric-looking strings.
if ($_POST['submit'] == 'check') {
    if ($_COOKIE['seclab_ctf_11'] == '111111222222333333') {
        // Integer check: the value is XORed with 0x1234, shifted right by 6 bits and compared.
        if (((int) $_POST['auth'] ^ 0x1234) >> 0x6 == 0x5678) {
            // The decoded input must equal the base64 encoding of the fixed string.
            if (base64_decode($_POST['encode']) == base64_encode("seclabx_ctf_11")) {
                $flag = $FLAG['audit'];
                $vaild = 1;
            }
        }
    }
}

// Any failed check leaves $vaild unset, so the generic message is shown instead of the flag.
if (empty($vaild)) {
    $flag = "You have must input vaild parameter";
}
dvwaMessagePush($flag);

$page['body'] .= "\n<div class=\"body_padded\">\n<h1>你看的懂?</h1>\n<img width=100% heigh=100% src=../../hackable/ctf/q11/bloodelves.jpg>\n<!--\nif(\$_POST['submit']=='check'){\n\tif(\$_COOKIE['seclab_ctf_11']=='111111222222333333'){\n\t\tif(((int)\$_POST['auth'] ^ 0x1234) >> 0x6 == 0x5678){\n\t\t\tif(base64_decode(\$_POST['encode'])==base64_encode(\"seclabx_ctf_11\")){\n\t\t\t\t\$flag=\$FLAG['audit'];\n\t\t\t\t\$vaild=1;\n\t\t\t}\n\t\t}\n\t}\n}\nif(empty(\$vaild)){\n\t\$flag=\"You have must input vaild parameter\";\n}\n-->\n</div>\n";
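// Insert some data into users
// Get the base directory for the avatar media...
// The avatar URL prefix is derived from the current request: everything before 'setup.php'
// in the script URL, with 'hackable/users/' appended.
$baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
$stripPos = strpos($baseUrl, 'setup.php');
$baseUrl = substr($baseUrl, 0, $stripPos) . 'hackable/users/';

// SERVER_NAME can be taken from the client's Host header depending on server configuration,
// and the prefix is interpolated into quoted SQL literals below. Escape it so a crafted
// request cannot break out of the literal. Ordinary host names and paths are unchanged.
$baseUrl = mysql_real_escape_string($baseUrl);

// Seed accounts for the lab. The passwords are well-known fixtures stored as unsalted MD5.
$insert = "INSERT INTO users VALUES\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'),\n\t('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'),\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'),\n\t('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');";
if (!mysql_query($insert)) {
    // NOTE(review): the raw driver error is placed in a user-visible message.
    dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'users' table.");

// Create guestbook table
$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
if (!mysql_query($create_tb_guestbook)) {
    dvwaMessagePush("Table could not be created<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("'guestbook' table was created.");

// Insert data into 'guestbook'
$insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');";
if (!mysql_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . mysql_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'guestbook' table.");

// Done
dvwaMessagePush("<em>Setup successful</em>!");

// Visitors without a session get a login link and a timed client-side redirect.
if (!dvwaIsLoggedIn()) {
    dvwaMessagePush("Please <a href='login.php'>login</a>.<script>setTimeout(function(){window.location.href='login.php'},5000);</script>");
}
dvwaPageReload();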
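// The avatar URL prefix is derived from the current request: everything before
// 'dvwa/setup.php' in the script URL, with 'dvwa/hackable/users/' appended.
$baseUrl = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
$stripPos = strpos($baseUrl, 'dvwa/setup.php');
$baseUrl = substr($baseUrl, 0, $stripPos) . 'dvwa/hackable/users/';

// SERVER_NAME can be taken from the client's Host header depending on server configuration,
// and the prefix is interpolated into quoted SQL literals below. Escape it so a crafted
// request cannot break out of the literal. Ordinary host names and paths are unchanged.
$baseUrl = pg_escape_string($baseUrl);

// Seed accounts for the lab. The passwords are well-known fixtures stored as unsalted MD5.
$insert = "INSERT INTO users VALUES\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'),\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg'),\n\t('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg'),\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg'),\n\t('5','bob','smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');";
if (!pg_query($insert)) {
    // NOTE(review): the raw driver error is placed in a user-visible message.
    dvwaMessagePush("Data could not be inserted into 'users' table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'users' table.");

// Create guestbook table
$drop_table = "DROP table IF EXISTS guestbook;";
if (!@pg_query($drop_table)) {
    // The statement drops 'guestbook'; the message previously named the users table.
    dvwaMessagePush("Could not drop existing guestbook table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}

$create_tb_guestbook = "CREATE TABLE guestbook (comment text, name text, comment_id SERIAL PRIMARY KEY);";
if (!pg_query($create_tb_guestbook)) {
    dvwaMessagePush("guestbook table could not be created<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("'guestbook' table was created.");

// Insert data into 'guestbook'
$insert = "INSERT INTO guestbook (comment, name) VALUES('This is a test comment.','admin')";
if (!pg_query($insert)) {
    dvwaMessagePush("Data could not be inserted into 'guestbook' table<br />SQL: " . pg_last_error());
    dvwaPageReload();
}
dvwaMessagePush("Data inserted into 'guestbook' table.");

dvwaMessagePush("Setup successful!");
dvwaPageReload();

// NOTE(review): if dvwaPageReload() ends the request (not visible here), this close never
// runs. $dbconn is also not assigned anywhere in this block.
pg_close($dbconn);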
$num = mysql_numrows($result); $i = 0; while ($i < $num) { $pid = mysql_result($result, $i, "pid"); $user = mysql_result($result, $i, "user"); $flag = mysql_result($result, $i, "flag"); $status = mysql_result($result, $i, "status"); $html .= "</tr><td>{$pid}</td><td>{$user}</td><td>{$flag}</td><td>{$status}</td></tr>"; $i++; } return "\n\t<table border=1 width=100%>\n\t<tr>\n\t<th>Pid</th><th>User</th><th>Flag</th><th>Status</th>\n\t</tr>\n\t{$html}\n\t</table>"; } $page = dvwaPageNewGrab(); $page['title'] .= $page['title_separator'] . 'View Score'; $page['page_id'] = 'score'; $page['help_button'] = 'score'; $page['source_button'] = 'score'; $magicQuotesWarningHtml = ''; // Check if Magic Quotes are on or off if (ini_get('magic_quotes_gpc') == true) { $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>"; } dvwaMessagePush($_GET['msg']); if (isset($_GET['view'])) { if ($_GET['view'] == dvwaGetuser() or xlabisadmin()) { $table = getuserflag(xlabGetSqli('view', $_GET)); } } else { $table = getuserranking(); } $page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>View Score</h1>\n\n\t{$magicQuotesWarningHtml}\n\n\t<div >\n\t{$table}\n\t</div>\n</div>\n";