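/**
 * Run the login query against PostgreSQL and start a DVWA session on a match.
 *
 * The query text is masked ("******") in this listing, so the visible code
 * never references $user or $pass when querying.
 * NOTE(review): if the real statement interpolates them, move to
 * pg_query_params() with placeholders. Confirm against the unmasked source.
 *
 * @param mixed $user Username; echoed in the success message and handed to dvwaLogin().
 * @param mixed $pass Password; not read by the visible code.
 * @return void Returns without side effects unless exactly one row matches.
 */
function db_login($user, $pass)
{
    $login = "******";

    $result = @pg_query($login);
    if (!$result) {
        // Driver error text can reveal table names and query structure to an
        // unauthenticated client, so it goes to the server log, not the page.
        error_log('db_login: query failed: ' . pg_last_error());
        die('<pre>Database error.</pre>');
    }

    // Exactly one matching row is treated as a valid credential pair.
    if (pg_num_rows($result) == 1) {
        // Login successful.
        // NOTE(review): $user is concatenated into the message unescaped;
        // whether the message renderer HTML-encodes it is not visible here.
        dvwaMessagePush("You have logged in as '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('index.php');
    }
}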
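// Registration page: inserts a user row from the posted form, then renders the form.
dvwaGetconfig();
#dvwadebug();

if (isset($_POST['reg'])) {
    // Both fields get the same treatment: trim, strip slashes, escape for SQL.
    // NOTE(review): mysql_real_escape_string() belongs to ext/mysql, which was
    // removed in PHP 7.0; a prepared statement (mysqli/PDO) is the durable fix,
    // but the connection handle is not visible in this script.
    $user = trim($_POST['username']);
    $user = stripslashes($user);
    $user = mysql_real_escape_string($user);

    $pass = trim($_POST['password']);
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);

    // SECURITY: unsalted MD5 is not a password hash. Moving to password_hash()
    // / password_verify() has to be done together with whatever code checks
    // the stored value at login, so it is flagged here rather than changed.
    $pass_md5 = md5($pass);

    // Require both fields and a matching confirmation (raw posted values are compared).
    if ($user != '' and $pass != '' and $_POST['password'] == $_POST['password2']) {
        // The username is stored in three columns; the column list is implicit,
        // so this statement depends on the table's column order.
        $insert_md5 = "insert into users values ('','{$user}','{$user}','{$user}','{$pass_md5}','dvwa/hackable/users/gordonb.jpg')";

        $result_md5 = @mysql_query($insert_md5);
        if (!$result_md5) {
            // Log the driver error server-side; echoing it would disclose
            // schema and query details to an unauthenticated visitor.
            error_log('reg: insert failed: ' . mysql_error());
            die('<pre>insert fail,again!!</pre>');
        }

        // NOTE(review): if dvwaRedirect() terminates the request (other call
        // sites on this page read as if it does), the three statements after
        // this redirect never run, so the new user is not logged in. Confirm intent.
        dvwaRedirect('index.php');
        dvwaMessagePush("You have reg succfully for '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('login.php');
    }

    // Registration failed: missing field or password mismatch.
    dvwaMessagePush("reg failed");
    dvwaRedirect('reg.php');
}

// Queued messages are interpolated into the page as ready-made HTML.
// NOTE(review): assumes messagesPopAllToHtml() encodes message text. Verify.
$messagesHtml = messagesPopAllToHtml();

Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past

echo "\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n\t<head>\n\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n\n\t\t<title>XLABAS - REG</title>\n\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/css/login.css\" />\n\n\t</head>\n\n\t<body>\n\n\t<div align=\"center\">\n\t\n\t<br />\n\n\t<p><img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/login_logo.png\" /></p>\n\n\t<br />\n\t\n\t<form action=\"reg.php\" method=\"post\">\n\t\n\t<fieldset>\n\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\n\t\n\t\t\t\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\n\t\t\t\n\t\t\t<label for=\"pass\">Password2</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password2\"><br />\n\t\t\t\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Reg\" name=\"reg\"></p>\n\n\t</fieldset>\n\n\t</form>\n\n\t\n\t<br />\n\n\t{$messagesHtml}\n\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\n\t<br />\t\n\n\t<!-- <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/RandomStorm.png\" /> -->\n\t\n\t<p>Damn HTJC SeclabX ASystem (XlabAS) is a RandomStorm OpenSource project</p>\n\t\n\t</div> <!-- end align div -->\n\n\t</body>\n\n</html>\n";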
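// Login page: checks posted credentials against the users table, then renders the form.
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup(array('phpids'));
dvwaDatabaseConnect();

if (isset($_POST['Login'])) {
    // NOTE(review): mysql_real_escape_string() belongs to ext/mysql, removed in
    // PHP 7.0; a prepared statement is the durable replacement for escaping.
    $user = $_POST['username'];
    $user = stripslashes($user);
    $user = mysql_real_escape_string($user);

    $pass = $_POST['password'];
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);
    // SECURITY: unsalted MD5 is not a password hash; flagged, not changed,
    // because the stored values would have to be migrated at the same time.
    $pass = md5($pass);

    // The literal values are masked ("******") in this listing.
    // NOTE(review): presumably the real query interpolates $user and $pass. Confirm.
    $qry = "SELECT * FROM `users` WHERE user='******' AND password='******';";

    $result = @mysql_query($qry);
    if (!$result) {
        // Keep driver error text out of the response to an unauthenticated
        // client; record it in the server log instead.
        error_log('login: query failed: ' . mysql_error());
        die('<pre>Database error.</pre>');
    }

    if (mysql_num_rows($result) == 1) {
        // Login successful.
        dvwaMessagePush("You have logged in as '" . $user . "'");
        dvwaLogin($user);
        dvwaRedirect('index.php');
    }

    // Login failed. Reaching this line after a success relies on
    // dvwaRedirect() ending the request. TODO confirm.
    dvwaMessagePush("Login failed");
    dvwaRedirect('login.php');
}

// Queued messages are interpolated into the page as ready-made HTML.
// NOTE(review): assumes messagesPopAllToHtml() encodes message text. Verify.
$messagesHtml = messagesPopAllToHtml();

Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers...
Header("Expires: Tue, 23 Jun 2009 12:00:00 GMT"); // Date in the past

echo "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Damn Vulnerable Web App (DVWA) - Login</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div align=\"center\">\r\n\t\r\n\t<br />\r\n\r\n\t<p><img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\t\r\n\t<form action=\"login.php\" method=\"post\">\r\n\t\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\t\r\n\t\t\t\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t</form>\r\n\r\n\t\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\t\r\n\r\n\t<!-- <img src=\""
    . DVWA_WEB_PAGE_TO_ROOT
    . "dvwa/images/RandomStorm.png\" /> -->\r\n\t\r\n\t<p>Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project</p>\r\n\t\r\n\t</div> <!-- end align div -->\r\n\r\n\t</body>\r\n\r\n</html>\r\n";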
/**
 * Redirect the client back to the script that is currently executing.
 *
 * NOTE(review): $_SERVER['PHP_SELF'] is derived from the request URI and
 * includes any trailing path info, so part of the redirect target is
 * client-supplied. Confirm dvwaRedirect() tolerates that.
 *
 * @return void
 */
function dvwaPageReload()
{
    $currentScript = $_SERVER['PHP_SELF'];

    dvwaRedirect($currentScript);
}
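/**
 * Validate the anti-CSRF token submitted with a request.
 *
 * On failure a message is queued and the client is redirected to $returnURL.
 * NOTE(review): the check only blocks the request if dvwaRedirect() stops
 * execution; if it returns, the caller carries on as though the token was
 * valid. Confirm.
 *
 * @param mixed $user_token    Token supplied by the client.
 * @param mixed $session_token Token held server-side for this session.
 * @param mixed $returnURL     Redirect target used when validation fails.
 * @return void
 */
function checkToken($user_token, $session_token, $returnURL)
{
    // Both sides must be non-empty strings. Without this, an empty session
    // token would be "matched" by an equally empty submitted token.
    $comparable = is_string($user_token)
        && is_string($session_token)
        && $session_token !== '';

    // hash_equals() compares in constant time, so the response time does not
    // depend on how many leading characters of a guess were correct.
    if (!$comparable || !hash_equals($session_token, $user_token)) {
        dvwaMessagePush('CSRF token is incorrect');
        dvwaRedirect($returnURL);
    }
}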
<?php
// CTF 7 page: includes the PHP file named by the "content" query parameter.

// No page requested: send the client to the default one.
if (!isset($_GET['content'])) {
    dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=7&content=chun");
}

// The page we wish to display
$file = $_GET['content'];

// Page metadata; the 'fi' help/source buttons mark this as the file-inclusion exercise.
$page = dvwaPageNewGrab();
$page['title'] = $page['title'] . $page['title_separator'] . 'CTF 7';
$page['page_id'] = 'ctf';
$page['help_button'] = 'fi';
$page['source_button'] = 'fi';

// SECURITY: the include path comes straight from the request. That appears to
// be the point of this lab exercise, so it is flagged rather than changed.
// Outside a training lab, map the parameter through a fixed allow-list of
// page names to known file paths instead of concatenating it into include.
// The @ operator also hides include warnings, which are a useful signal for
// spotting probing in the error log.
@(include $file . '.php');
} } } if ($_REQUEST['submit'] == 'del') { $name = xlabGetSqli('name', $_GET); $sql = "delete from config where name=\"{$name}\""; echo $sql; $result = mysql_query($sql); if ($result) { $html = "Delete sussfully!!!"; } else { $html = "Delete fail!!!"; } } if ($_POST['submit'] == 'add') { $name = xlabGetSqli('name', $_POST); $value = xlabGetSqli('value', $_POST); $desc = xlabGetSqli('desc', $_POST); $sql = "insert into config values ('{$name}','{$value}','{$desc}')"; $result = mysql_query($sql); if ($result) { $html = "Insert sussfully!!!"; } else { $html = "Insert fail!!!"; } } dvwaGetconfig(); dvwaRedirect("{$_DVWA['location']}/vulnerabilities/admin/"); } $page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>System Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Setting Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Setting </td> \n\t\t<td>Values</td>\n\t\t<td>Act</td>\n\t\t</tr>\n\t\t{$config}\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"updata\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Add Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Value *</td> <td>\n\t\t<input name=\"value\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<input name=\"desc\" size=60></input></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"add\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t{$html}\n</div>\n"; 
dvwaHtmlEcho($page);
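<?php
// CTF question 4 page: shows a picture named by the "pict" query parameter and
// reveals the flag when the parameter matches the expected pattern.

// No picture requested: send the client to the default one.
if (!isset($_GET['pict'])) {
    dvwaRedirect("{$_DVWA['location']}/vulnerabilities/ctf/?pid=4&pict=hunter");
}

$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Question 4';
$page['page_id'] = 'ctf';
$page['help_button'] = 'sqli';
$page['source_button'] = 'sqli';

// Input filter used by the exercise: lower-case, then blank out "script".
$pict = strtolower($_GET['pict']);
$pict = str_replace("script", '*', $pict);

// $html is interpolated into the body below; give it a default so the page
// does not read an undefined variable when the pattern does not match.
// isset() keeps any value an including script may already have set.
if (!isset($html)) {
    $html = '';
}

// preg_match() replaces ereg(), which was removed in PHP 7.0. The pattern is
// the same expression and is still matched case-sensitively.
if (preg_match('/" +onerror *= *alert\(document\.cookie\)[>| +.*]/', $pict)) {
    require_once '../../hackable/ctf/ctf.php';
    $html = xlabGetJs("alert('{$FLAG['xss']}')");
}

$magicQuotesWarningHtml = '';
// $location = xlabGetLocation();

// SECURITY: $pict is written into the src attribute without
// htmlspecialchars(). This looks like the deliberate output sink of the
// exercise, so it is flagged, not changed; do not reuse the pattern elsewhere.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>窃贼的密码</h1>\n\t<ul>\n\t<img src=\"../../hackable/ctf/q4/{$pict}.jpg\"></img>\n\t</ul>\n\t</br>\n\t<h3>\n\t<li>You Should Steal The Cookie</li>\n\t</h3>\n{$html}\n</div>\n";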
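<?php
// CTF 10 page: a login form guarded by a check code; a correct login puts the
// flag into the message shown on the page.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF 10';
$page['page_id'] = 'ctf';
$page['help_button'] = 'brute';
$page['source_button'] = 'brute';

if (isset($_POST['submit']) and $_POST['submit'] == 'Login') {
    // NOTE(review): presumably validates the posted "authcode" field. Confirm.
    if (!xlabautocode()) {
        dvwaRedirect("./?pid=10&msg=check code error");
    }

    // Lab fixture: the expected credentials are literals in this file, so
    // anyone who can read the source or repository has them. The separate
    // messages also tell a client which field was wrong; real login code
    // should return one generic failure.
    // isset() avoids reading a missing key; !== keeps the comparison exact.
    if (!isset($_REQUEST['username']) || $_REQUEST['username'] !== 'super') {
        dvwaRedirect("./?pid=10&msg=uname error");
    }
    if (!isset($_REQUEST['password']) || $_REQUEST['password'] !== '1234qwer') {
        dvwaRedirect("./?pid=10&msg=passwd error");
    }

    // Reaching this point relies on dvwaRedirect() ending the request. TODO confirm.
    require_once '../../hackable/ctf/ctf.php';
    $_GET['msg'] = $FLAG['brute'];
}

// The "msg" query parameter is shown to the user.
// NOTE(review): assumes xlabGetXss() neutralises markup in it. Verify.
dvwaMessagePush(xlabGetXss('msg', $_GET));

// $html is interpolated below but never assigned in this script; default it
// unless an including script already set it.
if (!isset($html)) {
    $html = '';
}

$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>一力降十会</h1>\n\t<div class=\"vulnerable_code_area\">\n\t<form action=\"#\" method=\"POST\">\n\t<label >Username:</label>\n\t<input type=\"text\" name=\"username\"></br></br>\n <label >Password:</label>\n <input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password\"><br></br>\n <label >Authcode:</label>\n <input type=\"text\" name=\"authcode\"><br></br>\n <img onclick=newRandImg(); id='randImg' src=../checkcode.php><a<br></br>\n <input type=\"submit\" value=\"Login\" name=\"submit\" onclick='return checkvaild()'>\n </form>\n\t</div>\n{$html}\n<script>\n\tfunction newRandImg(){\n\t\tvar rm= new Date().getTime();\n\t document.getElementById('randImg').src='../checkcode.php?rm='+rm;\n\t document.getElementById('randImg').style.display='inline';\n\t}\n</script>\n</div>\n";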
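/**
 * Validate a submitted token against $_SESSION['user_token'].
 *
 * On failure the client is redirected to $returnURL.
 * NOTE(review): the check only blocks the request if dvwaRedirect() stops
 * execution. Confirm.
 *
 * @param mixed $token     Token supplied by the client.
 * @param mixed $returnURL Redirect target used when validation fails.
 * @return void
 */
function checkTokens($token, $returnURL)
{
    // A session with no token must fail closed. Comparing a missing session
    // value with a missing submitted value would otherwise be null === null.
    $expected = isset($_SESSION['user_token']) ? $_SESSION['user_token'] : null;

    $comparable = is_string($token) && is_string($expected) && $expected !== '';

    // hash_equals() compares in constant time, so timing does not reveal how
    // much of a guessed token was correct.
    if (!$comparable || !hash_equals($expected, $token)) {
        dvwaRedirect($returnURL);
    }
}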
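<?php
// Score page action: delete a user's rows from userflag when ?del=<name> is given.
define('DVWA_WEB_PAGE_TO_ROOT', '../../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup(array('authenticated', 'phpids'));
dvwaDatabaseConnect();

// SECURITY: this is a state-changing action triggered by a GET parameter and
// no anti-CSRF token is checked in the visible code, so a link or image on
// another site could trigger it in a logged-in user's browser. Prefer POST
// plus a per-session token check.
if (isset($_GET['del'])) {
    // NOTE(review): assumes xlabGetSqli() makes the value safe for SQL. Verify.
    $name = xlabGetSqli('del', $_GET);

    // Users may delete their own entry; admins may delete any entry.
    if ($name == dvwaGetuser() or xlabisadmin()) {
        // The value in the WHERE clause is masked ("******") in this listing.
        $sql = "DELETE FROM userflag WHERE user='******'";
        $result = mysql_query($sql);

        // Report success only when the query ran. The message is URL-encoded
        // so characters in $name such as "&" or "#" cannot add or truncate
        // query parameters in the redirect target.
        if ($result) {
            dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=" . rawurlencode("delete {$name} succfully!!!"));
        } else {
            dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=" . rawurlencode("delete {$name} fail!!!"));
        }
    } else {
        dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=" . rawurlencode("delete {$name} fail!!!"));
    }
}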