// SQL Injection exercise page: picks the per-level implementation file, runs
// it, and renders the lookup form around whatever that file produced.
$page['source_button'] = 'sqli';

dvwaDatabaseConnect();

// The level is read straight from the `security` cookie, i.e. from the client.
// It is only compared against fixed names, so the file name used in the
// require below is always one of three constants and never request data.
// A missing or unrecognised value lands on 'high.php'.
$requestedLevel = $_COOKIE['security'];
if ($requestedLevel == 'low') {
    $vulnerabilityFile = 'low.php';
} elseif ($requestedLevel == 'medium') {
    $vulnerabilityFile = 'medium.php';
} else {
    $vulnerabilityFile = 'high.php';
}

// Anti-CSRF: a token is generated only when the high-level file was selected.
if ('high.php' == $vulnerabilityFile) {
    generateTokens();
}

require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli/source/{$vulnerabilityFile}";

// magic_quotes_gpc auto-escaped request data on old PHP builds (the setting was
// removed in PHP 5.4). It was never a dependable defence; the banner only tells
// the student why the exercise behaves differently when it is switched on.
$magicQuotesWarningHtml = (ini_get('magic_quotes_gpc') == true)
    ? "<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>"
    : '';

// The form submits with GET, so the `id` value travels in the URL.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>Vulnerability: SQL Injection</h1>\r\n\r\n\t{$magicQuotesWarningHtml}\r\n\r\n\t<div class=\"vulnerable_code_area\">\r\n\t\t<form action=\"#\" method=\"GET\">\r\n\t\t\t<p>\r\n\t\t\t\tUser ID:\r\n\t\t\t\t<input type=\"text\" size=\"15\" name=\"id\">\r\n\t\t\t\t<input type=\"submit\" name=\"Submit\" value=\"Submit\">\r\n\t\t\t</p>";

// Hidden token field, emitted for the same level that generated a token above.
if ('high.php' == $vulnerabilityFile) {
    $page['body'] .= "\t\t\t" . tokenField();
}

// NOTE(review): $html is not assigned in this block; presumably the required
// source file fills it with the query result. It is interpolated as-is, so any
// HTML encoding of database values has to happen in that file — confirm.
$page['body'] .= "\r\n\t\t</form>\r\n\t\t{$html}\r\n\t</div>\r\n\r\n\t<h2>More Information</h2>\r\n\t<ul>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://www.securiteam.com/securityreviews/5DP0N1P76E.html') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://en.wikipedia.org/wiki/SQL_injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('https://www.owasp.org/index.php/SQL_Injection') . "</li>\r\n\t\t<li>" . dvwaExternalLinkUrlGet('http://bobby-tables.com/') . "</li>\r\n\t</ul>\r\n</div>\r\n";

dvwaHtmlEcho($page);
// Tail of the login page: credential check, then the login form.
// NOTE(review): the listing starts inside a block opened above the visible
// text (the closing brace after the "Login failed" redirect belongs to it) —
// presumably the handler for a submitted login form; confirm.
// The mysql_* extension used here was deprecated in PHP 5.5 and removed in 7.0.

    // The password is SQL-escaped first and hashed second. The MD5 hex digest
    // cannot contain quote characters, so the escaping only changes which
    // bytes get hashed. MD5 here is a fast digest with no salt visible; the
    // standard replacement is password_hash() / password_verify().
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);

    // Probe information_schema for the `users` table to detect a fresh install.
    // The only interpolated value is $_DVWA['db_database'], which is not set in
    // the visible part — presumably configuration, not request data; confirm.
    $query = "SELECT table_schema, table_name, create_time\r\n\t\t\t\tFROM information_schema.tables\r\n\t\t\t\tWHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'\r\n\t\t\t\tLIMIT 1";
    // '@' hides any query error, and the result is not checked before
    // mysql_num_rows(), so a failed query also takes the setup redirect below.
    $result = @mysql_query($query);
    if (mysql_num_rows($result) != 1) {
        dvwaMessagePush("First time using DVWA.<br />Need to run 'setup.php'.");
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'setup.php');
    }

    // NOTE(review): in this listing the user and password values appear as the
    // fixed text '******'; as written, nothing from the request reaches the
    // query, and $user (used below) is not assigned in the visible part.
    // Confirm against the real file how both values are escaped and inserted.
    $query = "SELECT * FROM `users` WHERE user='******' AND password='******';";
    // On failure the raw mysql_error() text is sent to the browser. That is
    // information disclosure on a pre-authentication page; log it server-side
    // and show a generic message instead.
    $result = @mysql_query($query) or die('<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>');

    // Exactly one matching row counts as a successful login.
    if ($result && mysql_num_rows($result) == 1) { // Login Successful...
        // NOTE(review): $user goes into a message that is rendered as HTML
        // later; whether it is encoded depends on the message helpers — confirm.
        dvwaMessagePush("You have logged in as '{$user}'");
        // NOTE(review): whether dvwaLogin() issues a new session id is not
        // visible here — confirm, to rule out session fixation.
        dvwaLogin($user);
        // presumably dvwaRedirect() ends the request; otherwise execution falls
        // through into the failure path below — confirm.
        dvwaRedirect(DVWA_WEB_PAGE_TO_ROOT . 'index.php');
    }

    // Login failed
    // One generic message for every failure, so the response does not say
    // whether the user name exists. No throttling or lockout is visible here.
    dvwaMessagePush('Login failed');
    dvwaRedirect('login.php');
}

// Queued messages (for example "Login failed") rendered for this response.
$messagesHtml = messagesPopAllToHtml();

// Keep the login page out of browser and proxy caches.
Header('Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
Header('Content-Type: text/html;charset=utf-8'); // TODO- proper XHTML headers...
Header('Expires: Tue, 23 Jun 2009 12:00:00 GMT'); // Date in the past

// Anti-CSRF
// Generate the session token before the form is built; tokenField() below puts
// the hidden field into the login form.
generateSessionToken();

// Login form: posts `username`, `password` and `Login` to login.php.
// $messagesHtml is interpolated without further encoding at this point.
echo "\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\r\n\t\t<title>Login :: Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</title>\r\n\r\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/css/login.css\" />\r\n\r\n\t</head>\r\n\r\n\t<body>\r\n\r\n\t<div id=\"wrapper\">\r\n\r\n\t<div id=\"header\">\r\n\r\n\t<br />\r\n\r\n\t<p><img src=\"" . DVWA_WEB_PAGE_TO_ROOT . 
"dvwa/images/login_logo.png\" /></p>\r\n\r\n\t<br />\r\n\r\n\t</div> <!--<div id=\"header\">-->\r\n\r\n\t<div id=\"content\">\r\n\r\n\t<form action=\"login.php\" method=\"post\">\r\n\r\n\t<fieldset>\r\n\r\n\t\t\t<label for=\"user\">Username</label> <input type=\"text\" class=\"loginInput\" size=\"20\" name=\"username\"><br />\r\n\r\n\r\n\t\t\t<label for=\"pass\">Password</label> <input type=\"password\" class=\"loginInput\" AUTOCOMPLETE=\"off\" size=\"20\" name=\"password\"><br />\r\n\r\n\t\t\t<br />\r\n\r\n\t\t\t<p class=\"submit\"><input type=\"submit\" value=\"Login\" name=\"Login\"></p>\r\n\r\n\t</fieldset>\r\n\r\n\t" . tokenField() . "\r\n\r\n\t</form>\r\n\r\n\t<br />\r\n\r\n\t{$messagesHtml}\r\n\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\t<br />\r\n\r\n\t<!-- <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/RandomStorm.png\" /> -->\r\n\t</div > <!--<div id=\"content\">-->\r\n\r\n\t<div id=\"footer\">\r\n\r\n\t<p>" . dvwaExternalLinkUrlGet('http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)') . " is a RandomStorm OpenSource project.</p>\r\n\r\n\t</div> <!--<div id=\"footer\"> -->\r\n\r\n\t</div> <!--<div id=\"wrapper\"> -->\r\n\r\n\t</body>\r\n\r\n</html>";
// Tail of the security settings page: end of the PHPIDS toggle handler, then
// the security-level form and the PHPIDS status section.
// NOTE(review): the listing starts inside blocks opened above the visible text
// (the two closing braces below belong to them). Only the "disable" branch of
// the toggle is visible; whether the handler checks an anti-CSRF token cannot
// be seen from here — confirm.

        dvwaPhpIdsEnabledSet(false);
        dvwaMessagePush("PHPIDS is now disabled");
        break;
    }
    dvwaPageReload();
}

// Build the <option> list from a fixed set of level names, so every value
// interpolated into the markup in this loop is a constant from this array.
$securityOptionsHtml = '';
$securityLevelHtml = '';
foreach (array('low', 'medium', 'high', 'impossible') as $securityLevel) {
    $selected = '';
    // Mark the active level and remember a status line for it.
    if ($securityLevel == dvwaSecurityLevelGet()) {
        $selected = ' selected="selected"';
        $securityLevelHtml = "<p>Security level is currently: <em>{$securityLevel}</em>.<p>";
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>" . ucfirst($securityLevel) . "</option>";
}

// PHPIDS status plus a toggle link. The toggle is a plain GET link
// (?phpids=on / ?phpids=off), so the state change is requested via the URL.
// NOTE(review): a state change over GET can be triggered from another site
// unless the handler above validates a token — confirm.
$phpIdsHtml = 'PHPIDS is currently: ';
if (dvwaPhpIdsIsEnabled()) {
    $phpIdsHtml .= '<em>enabled</em>. [<a href="?phpids=off">Disable PHPIDS</a>]';
} else {
    $phpIdsHtml .= '<em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]';
}

// Anti-CSRF
// Generate the session token before the form is built; tokenField() below puts
// the hidden field into the security-level form (submitted with POST).
generateSessionToken();

// Able to write to the PHPIDS log file?
// $PHPIDSPath is not assigned in the visible part — presumably the log file
// location from the includes; confirm. The warning prints it unescaped, which
// shows a server-side path to whoever views the page.
$WarningHtml = '';
if (!is_writable($PHPIDSPath)) {
    $WarningHtml .= "<div class=\"warning\"><em>Cannot write to the PHPIDS log file</em>: {$PHPIDSPath}</div>";
}

// Page body.
// NOTE(review): {$securityHtml} is interpolated below but is not assigned in
// the visible part (the loop above fills $securityLevelHtml) — confirm it is
// defined earlier, otherwise it renders empty with an undefined-variable notice.
// NOTE(review): in this listing the literal contains one raw line break (after
// "secure an application. "); it is kept exactly as shown.
// The "Simulate attack" link sends a canned suspicious `test` parameter,
// presumably so that PHPIDS records an entry that "View IDS log" can show.
$page['body'] .= "\r\n<div class=\"body_padded\">\r\n\t<h1>DVWA Security <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\" /></h1>\r\n\t<br />\r\n\r\n\t<h2>Security Level</h2>\r\n\r\n\t{$securityHtml}\r\n\r\n\t<form action=\"#\" method=\"POST\">\r\n\t\t{$securityLevelHtml}\r\n\t\t<p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p>\r\n\t\t<ol>\r\n\t\t\t<li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li>\r\n\t\t\t<li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. 
It also acts as a challenge to users to refine their exploitation techniques.</li>\r\n\t\t\t<li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li>\r\n\t\t\t<li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br />\r\n\t\t\t\tPriority to DVWA v1.9, this level was known as 'high'.</li>\r\n\t\t</ol>\r\n\t\t<select name=\"security\">\r\n\t\t\t{$securityOptionsHtml}\r\n\t\t</select>\r\n\t\t<input type=\"submit\" value=\"Submit\" name=\"seclev_submit\">\r\n\t\t" . tokenField() . "\r\n\t</form>\r\n\r\n\t<br />\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>PHPIDS</h2>\r\n\t{$WarningHtml}\r\n\t<p>" . dvwaExternalLinkUrlGet('https://github.com/PHPIDS/PHPIDS', 'PHPIDS') . " v" . dvwaPhpIdsVersionGet() . " (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p>\r\n\t<p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p>\r\n\t<p>You can enable PHPIDS across this site for the duration of your session.</p>\r\n\r\n\t<p>{$phpIdsHtml}</p>\r\n\t[<a href=\"?test=%22><script>eval(window.name)</script>\">Simulate attack</a>] -\r\n\t[<a href=\"ids_log.php\">View IDS log</a>]\r\n</div>";

dvwaHtmlEcho($page);
<?php

// Setup page: shows an environment check and offers a button that creates or
// resets the database.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

// Only the 'phpids' option is passed to the page startup.
// NOTE(review): whether a login is enforced for this page is not visible from
// this call — confirm, because the action below wipes and recreates the data.
dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['title'] = 'Setup' . $page['title_separator'] . $page['title'];
$page['page_id'] = 'setup';

if (isset($_POST['create_db'])) {
    // Anti-CSRF: compare the submitted token with the one held in the session
    // before doing anything destructive. The token is read from $_REQUEST
    // although the form posts it; $_REQUEST also accepts a query-string value.
    checkToken($_REQUEST['user_token'], $_SESSION['session_token'], 'setup.php');

    // $DBMS is not assigned in this file; presumably it comes from the
    // configuration loaded by the include above — confirm. It is matched
    // against fixed names only, and the single include path is a constant.
    switch ($DBMS) {
        case 'MySQL':
            include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
            break;

        case 'PGSQL':
            // The PostgreSQL installer is not included; the page only reports it.
            dvwaMessagePush('PostgreSQL is not yet fully supported.');
            dvwaPageReload();
            break;

        default:
            dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
            dvwaPageReload();
            break;
    }
}

// Anti-CSRF: generate the session token that tokenField() embeds in the form.
generateSessionToken();

// Values shown in the environment check. The absolute path of the config file
// and the PHP version are printed to whoever can load this page.
$configFilePath = realpath(getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php");
$runningPhpVersion = phpversion();
$csrfFieldHtml = tokenField();

// NOTE(review): the {$...} status values below (including $MYSQL_USER and
// $MYSQL_PASS) are not assigned in this file; presumably they are
// pre-formatted status lines from the includes. Confirm that none of them
// prints the database password itself.
$setupHtml = "\n<div class=\"body_padded\">\n\t<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>\n\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />\n\tIf you get an error make sure you have the correct user credentials in: <em>" . $configFilePath . "</em></p>\n\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\n\t<hr />\n\t<br />\n\n\t<h2>Setup Check</h2>\n\n\t{$DVWAOS}<br />\n\tBackend database: <em>{$DBMS}</em><br />\n\tPHP version: <em>" . $runningPhpVersion . "</em><br />\n\t<br />\n\t{$SERVER_NAME}<br />\n\t<br />\n\t{$phpDisplayErrors}<br />\n\t{$phpSafeMode}<br/ >\n\t{$phpURLInclude}<br/ >\n\t{$phpURLFopen}<br />\n\t{$phpMagicQuotes}<br />\n\t{$phpGD}<br />\n\t{$phpMySQL}<br />\n\t{$phpPDO}<br />\n\t<br />\n\t{$MYSQL_USER}<br />\n\t{$MYSQL_PASS}<br />\n\t{$MYSQL_DB}<br />\n\t{$MYSQL_SERVER}<br />\n\t<br />\n\t{$DVWARecaptcha}<br />\n\t<br />\n\t{$DVWAUploadsWrite}<br />\n\t{$DVWAPHPWrite}<br />\n\t<br />\n\t<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />\n\t<br /><br /><br />\n\n\t<!-- Create db button -->\n\t<form action=\"#\" method=\"post\">\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\n\t\t" . $csrfFieldHtml . "\n\t</form>\n\t<br />\n\t<hr />\n</div>";

$page['body'] .= $setupHtml;

dvwaHtmlEcho($page);
<?php

// Setup page: shows an environment check and offers a button that creates or
// resets the database.
define('DVWA_WEB_PAGE_TO_ROOT', '');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

// Only the 'phpids' option is passed to the page startup.
// NOTE(review): whether a login is enforced for this page is not visible from
// this call — confirm, because the action below wipes and recreates the data.
dvwaPageStartup(array('phpids'));

$page = dvwaPageNewGrab();
$page['title'] = $page['title'] . $page['title_separator'] . 'Setup';
$page['page_id'] = 'setup';

if (isset($_POST['create_db'])) {
    // Anti-CSRF: the posted token is checked before anything destructive runs.
    checkTokens($_POST['token'], "setup.php");

    // $DBMS is not assigned in this file; presumably it comes from the
    // configuration loaded by the include above — confirm. It is matched
    // against fixed names only, and the single include path is a constant.
    switch ($DBMS) {
        case 'MySQL':
            include_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/DBMS/MySQL.php';
            break;

        case 'PGSQL':
            // The PostgreSQL installer is not included; the page only reports it.
            dvwaMessagePush('PostgreSQL is not yet fully supported.');
            dvwaPageReload();
            break;

        default:
            dvwaMessagePush('ERROR: Invalid database selected. Please review the config file syntax.');
            dvwaPageReload();
            break;
    }
}

// Anti-CSRF: generate the token that tokenField() embeds in the form below.
generateTokens();

// Values shown in the environment check. The absolute install directory and
// the PHP version are printed to whoever can load this page.
$installDirectory = realpath(getcwd());
$runningPhpVersion = phpversion();
$csrfFieldHtml = tokenField();

// NOTE(review): the {$...} status values below are not assigned in this file;
// presumably they are pre-formatted status lines from the includes — confirm.
$setupHtml = "\r\n<div class=\"body_padded\">\r\n\t<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>\r\n\r\n\t<p>Click on the 'Create / Reset Database' button below to create or reset your database.</br>\r\n\tIf you get an error make sure you have the correct user credentials in: <em>" . $installDirectory . "/config/config.inc.php</em></p>\r\n\r\n\t<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />\r\n\tYou can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>\r\n\t<hr />\r\n\t<br />\r\n\r\n\t<h2>Setup Check</h2>\r\n\r\n\t{$DVWAOS}<br />\r\n\tBackend Database: <em>" . $DBMS . "</em><br />\r\n\t<br />\r\n\tPHP Version: v<em>" . $runningPhpVersion . "</em><br />\r\n\t{$phpSafeMode}<br/ >\r\n\t{$phpDisplayErrors}<br />\r\n\t{$phpURLInclude}<br/ >\r\n\t{$phpURLFopen}<br />\r\n\t{$phpMagicQuotes}<br />\r\n\t<br />\r\n\t{$DVWARecaptcha}<br />\r\n\t<br />\r\n\t{$DVWAUploadsWrite}<br />\r\n\t{$DVWAPHPWrite}<br />\r\n\t<br />\r\n\t<i>Status with \"(*)\" indicate there could be possible issue(s) with a certain modules.</i><br />\r\n\t<br /><br /><br />\r\n\r\n\t<!-- Create db button -->\r\n\t<form action=\"#\" method=\"post\">\r\n\t\t<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">\r\n\t\t" . $csrfFieldHtml . "\r\n\t</form>\r\n</div>\r\n";

$page['body'] .= $setupHtml;

dvwaHtmlEcho($page);