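/**
 * Build the HTML table rows for the vulnerability search form.
 *
 * Reads the filters name, key, from, to and risk from $_POST, runs one SELECT
 * against `vulns` (newest first, at most 50 rows) and returns one table row per
 * hit, each with a detail and a delete link.
 *
 * When no name/key/from/to filter is given, a non-admin user sees only their
 * own entries and "admin" sees every author.
 *
 * @return string concatenated <tr>...</tr> rows, '' when nothing matches
 */
function getvulns()
{
    $currentUser = dvwaCurrentUser();
    $isAdmin = ($currentUser == "admin");

    // Every filter ends up inside a single-quoted SQL literal, so each one is
    // escaped for that context; a missing field is treated as an empty filter.
    $name = mysql_real_escape_string(isset($_POST['name']) ? $_POST['name'] : '');
    $key = mysql_real_escape_string(isset($_POST['key']) ? $_POST['key'] : '');
    $from = mysql_real_escape_string(isset($_POST['from']) ? $_POST['from'] : '');
    $to = mysql_real_escape_string(isset($_POST['to']) ? $_POST['to'] : '');
    // NOTE(review): xlabGetSqli() is defined elsewhere; presumably it returns a
    // value that is safe inside a quoted SQL literal - confirm.
    $risk = xlabGetSqli('risk', $_POST);

    // Default view. The earlier code compared against the undefined $form and
    // read the undefined $user, so this default and the admin test never took
    // effect. The never-executed admin branch also blanked an explicitly typed
    // name filter; here a typed filter is honoured for every user.
    if ($name == '' and $key == '' and $from == '' and $to == '') {
        // The user name goes into the same SQL literal, so it is escaped too.
        $name = $isAdmin ? '' : mysql_real_escape_string($currentUser);
    }
    if (!$from) {
        $from = '0000-00-00';
    }
    if (!$to) {
        $to = date("Y-m-d");
    }
    if ($risk == 'all') {
        $risk = '';
    }

    // mysql_real_escape_string() leaves % and _ alone, so those characters in
    // a filter still act as LIKE wildcards.
    $sql = "SELECT vid,author,vname,risk FROM vulns where date>='{$from}' and date<='{$to}' and author like '%{$name}%' and site like '%{$key}%' and risk like '%{$risk}%' order by date desc limit 50";

    // NOTE(review): the raw driver error is printed to the client on failure;
    // kept as-is, but consider logging it and showing a generic message.
    $result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');

    $html = '';
    while ($row = mysql_fetch_assoc($result)) {
        // Stored values are user-editable elsewhere, so every column is
        // encoded for the HTML context it is written into. ENT_QUOTES matters
        // because the href attributes below are single-quoted.
        $vidText = htmlspecialchars($row['vid'], ENT_QUOTES);
        $vidHref = htmlspecialchars(urlencode($row['vid']), ENT_QUOTES);
        $author = htmlspecialchars($row['author'], ENT_QUOTES);
        $vname = htmlspecialchars($row['vname'], ENT_QUOTES);
        $risk = htmlspecialchars($row['risk'], ENT_QUOTES);

        // NOTE(review): delete is a plain GET link; whether the handler
        // demands an anti-CSRF token is not visible from this function.
        $act = "<a href='vact.php?act=detail&vid={$vidHref}'>detail </a>\n\t\t\t\t<a href='?act=delete&vid={$vidHref}'>delete </a>";
        // Rows previously opened with a closing </tr>; open them properly.
        $html .= "<tr><td>{$vidText}</td><td>{$author}</td><td>{$vname}</td><td>{$risk}</td><td>{$act}</td></tr>";
    }

    return $html;
}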
<?php
// CTF flag submission: stores or refreshes the answer for one challenge (pid)
// and then prepares the page metadata for the "submit" view.
$html = "";

if (isset($_POST['Submit'])) {
    // Request values. xlabGetSqli() is defined elsewhere; presumably it is a
    // SQL-filtering accessor - confirm before relying on it below.
    $pid = xlabGetSqli('pid', $_POST);
    $flag = xlabGetSqli('flag', $_POST);
    $user = dvwaCurrentUser();

    // NOTE(review): the user value in this statement is the literal '******',
    // which looks like a masked placeholder. As written the lookup is not
    // scoped to $user - confirm against the real source.
    $sql = "SELECT * FROM userflag WHERE user = '******' and pid='{$pid}' ";
    // NOTE(review): driver errors are echoed to the client verbatim.
    $result = mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>');

    // Grade the submission before deciding between insert and update.
    $str = dvwaisvaildflag($pid, $flag) ? "Correct" : "Error";

    $num = mysql_numrows($result);
    if ($num != 0) {
        // A row already exists for this challenge: overwrite flag and status.
        // NOTE(review): same '******' literal as the SELECT above.
        $update = "update userflag set flag='{$flag}',status='{$str}' where user='******' and pid='{$pid}'";
        $result = mysql_query($update) or die('<pre>' . mysql_error() . '</pre>');
        $html = "flag is update succeed";
    } else {
        // First submission for this challenge.
        // NOTE(review): $user comes from dvwaCurrentUser() and is interpolated
        // without escaping here - confirm that value can never contain a quote.
        $insert = "insert into userflag values('{$pid}','{$user}','{$flag}','{$str}')";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');
        $html = "flag is submit succeed";
    }
}

// Page chrome for the submit view.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'CTF Submit Flag';
$page['page_id'] = 'submit';
$page['help_button'] = 'submit';
$page['source_button'] = 'submit';
// Tail of the config management page. The three braces below close blocks
// that were opened above this excerpt.
// NOTE(review): no authorisation or anti-CSRF check is visible in this
// excerpt - confirm the enclosing block enforces both.
} } }

// Remove one config row, selected by the `name` request parameter.
// NOTE(review): the trigger is read from $_REQUEST and the name from $_GET, so
// this state change is reachable through a plain GET request.
if ($_REQUEST['submit'] == 'del') {
    $name = xlabGetSqli('name', $_GET);
    // This statement quotes the value with double quotes while the insert
    // below uses single quotes - confirm xlabGetSqli() (defined elsewhere)
    // neutralises both quote styles.
    $sql = "delete from config where name=\"{$name}\"";
    // NOTE(review): prints the raw statement into the response; looks like
    // leftover debugging output.
    echo $sql;
    $result = mysql_query($sql);
    if ($result) {
        $html = "Delete sussfully!!!";
    } else {
        $html = "Delete fail!!!";
    }
}

// Add one config row from the "Add Config" form fields.
if ($_POST['submit'] == 'add') {
    $name = xlabGetSqli('name', $_POST);
    $value = xlabGetSqli('value', $_POST);
    $desc = xlabGetSqli('desc', $_POST);
    $sql = "insert into config values ('{$name}','{$value}','{$desc}')";
    $result = mysql_query($sql);
    if ($result) {
        $html = "Insert sussfully!!!";
    } else {
        $html = "Insert fail!!!";
    }
}

// After the change: refresh the config through dvwaGetconfig() and redirect
// back to the admin page.
dvwaGetconfig();
dvwaRedirect("{$_DVWA['location']}/vulnerabilities/admin/");
// Closes a block opened above this excerpt.
}

// Page body: a form listing the current settings ({$config}, built above this
// excerpt) and a second form for adding a setting. {$config} and {$html} are
// interpolated as-is, so any stored config value inside {$config} must already
// be HTML-encoded where it was built - TODO confirm.
$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>System Manage</h1>\n\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Setting Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Setting </td> \n\t\t<td>Values</td>\n\t\t<td>Act</td>\n\t\t</tr>\n\t\t{$config}\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"updata\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t<div class=\"vulnerable_code_area\">\n\n\t\t<h3>Add Config:</h3>\n\t\t<form action=\"#\" method=\"POST\">\n\t\t<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">\n\t\t<tr>\n\t\t<td width=\"100\">Name *</td> <td>\n\t\t<input name=\"name\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Value *</td> <td>\n\t\t<input name=\"value\" type=\"text\" size=\"50\" ></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\">Desc *</td> <td>\n\t\t<input name=\"desc\" size=60></input></td>\n\t\t</tr>\n\t\t<tr>\n\t\t<td width=\"100\"> </td>\n\t\t<td>\n\t\t<input name=\"submit\" type=\"submit\" value=\"add\" onClick=\"return checkForm();\"></td>\n\t\t</tr>\n\t\t</table>\n\t\t</form>\n\t</div>\n\t\n\t{$html}\n</div>\n";

// Hand the assembled page to the renderer.
dvwaHtmlEcho($page);
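/**
 * Check the verification code sent with the request against the session's.
 *
 * @return bool true only when the session holds a non-empty `authcode` and the
 *              request's `authcode` equals it, ignoring letter case
 */
function xlabautocode()
{
    $code = xlabGetSqli('authcode', $_REQUEST);
    $session =& dvwaSessionGrab();

    // empty() also covers the "not set" case.
    if (empty($session['authcode'])) {
        return false;
    }

    // Request parameters can arrive as arrays. On PHP 5, strcasecmp() returns
    // NULL for a non-string argument and NULL == 0 is true, so a loose
    // comparison would accept such a value. Reject anything that is not a
    // plain string/integer and compare the result strictly.
    if (!is_string($code) && !is_int($code)) {
        return false;
    }

    // NOTE(review): the session value is left in place after a match; confirm
    // the caller regenerates it so one code cannot be reused.
    return strcasecmp((string) $session['authcode'], (string) $code) === 0;
}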
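<?php
// Front controller for the CTF area: after the startup checks it includes
// either a management page (non-numeric pid) or the challenge file that
// $_CTF['map'] lists for a numeric pid, then renders $page.
define('DVWA_WEB_PAGE_TO_ROOT', '../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
require_once '../ainclude.php';

if (!dvwaIsCtf()) {
    echo "You have must select ctf model !!!";
    exit;
}
#dvwadebug($_CTF);

if (isset($_GET['pid'])) {
    // pid 5 and 6 connect through dvwaDatabaseConnect_ctf('ctf'); everything
    // else uses the default connection.
    if (in_array($_GET['pid'], array('5', '6'))) {
        dvwaDatabaseConnect_ctf('ctf');
    } else {
        dvwaDatabaseConnect();
    }
    $pid = xlabGetSqli('pid', $_GET);

    if (!is_numeric($pid)) {
        // $pid becomes part of an include path and comes straight from the
        // query string. A SQL-oriented filter says nothing about '/', '..' or
        // NUL bytes, so the name is restricted to a plain identifier before it
        // reaches require_once.
        // NOTE(review): assumes every manager page name matches
        // [A-Za-z0-9_-]+ - widen the pattern only if a real page needs it.
        if (!is_string($pid) || !preg_match('/^[A-Za-z0-9_-]+\z/', $pid)) {
            echo "Unknown page";
            exit;
        }
        require_once 'manager/' . $pid . '.php';
    } else {
        // is_numeric() also accepts forms such as "1e1" or "-1"; only ids that
        // are real keys of the map may select a file.
        if (!isset($_CTF['map'][$pid])) {
            echo "Unknown page";
            exit;
        }
        require_once $_CTF['map'][$pid];
    }
}

// NOTE(review): without a pid nothing above assigns $page in this file;
// confirm one of the earlier includes provides it.
dvwaHtmlEcho($page);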
// Tail of a table-building function whose header lies above this excerpt: it
// walks the rows of $result and returns them wrapped in a four-column table.
    $num = mysql_numrows($result);
    $i = 0;
    while ($i < $num) {
        $pid = mysql_result($result, $i, "pid");
        $user = mysql_result($result, $i, "user");
        $flag = mysql_result($result, $i, "flag");
        $status = mysql_result($result, $i, "status");
        // NOTE(review): the four values are written into the markup without
        // htmlspecialchars(); if flag or user text is user-supplied (the flag
        // column presumably holds submitted answers - confirm) this is a
        // stored-XSS sink. The row also opens with </tr> where <tr> looks
        // intended.
        $html .= "</tr><td>{$pid}</td><td>{$user}</td><td>{$flag}</td><td>{$status}</td></tr>";
        $i++;
    }
    return "\n\t<table border=1 width=100%>\n\t<tr>\n\t<th>Pid</th><th>User</th><th>Flag</th><th>Status</th>\n\t</tr>\n\t{$html}\n\t</table>";
}

// Page chrome for the score view.
$page = dvwaPageNewGrab();
$page['title'] .= $page['title_separator'] . 'View Score';
$page['page_id'] = 'score';
$page['help_button'] = 'score';
$page['source_button'] = 'score';

$magicQuotesWarningHtml = '';
// Check if Magic Quotes are on or off
if (ini_get('magic_quotes_gpc') == true) {
    $magicQuotesWarningHtml = "\t<div class=\"warning\">Magic Quotes are on, you will not be able to inject SQL.</div>";
}

// NOTE(review): raw query-string text is pushed as a page message; whether
// dvwaMessagePush() or the renderer HTML-encodes it is not visible here -
// confirm, since the value is fully attacker-chosen. An absent `msg` also
// reads an undefined index.
dvwaMessagePush($_GET['msg']);

// ?view=<user> shows that user's flags, but only to the user themselves or to
// an admin; without ?view the ranking is shown.
if (isset($_GET['view'])) {
    // The ownership test compares the raw parameter loosely (==) while the
    // lookup uses the xlabGetSqli() value - confirm the two cannot disagree.
    if ($_GET['view'] == dvwaGetuser() or xlabisadmin()) {
        $table = getuserflag(xlabGetSqli('view', $_GET));
    }
    // When the check fails nothing in this excerpt assigns $table, so the
    // body below interpolates an undefined variable.
} else {
    $table = getuserranking();
}

$page['body'] .= "\n<div class=\"body_padded\">\n\t<h1>View Score</h1>\n\n\t{$magicQuotesWarningHtml}\n\n\t<div >\n\t{$table}\n\t</div>\n</div>\n";
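<?php
// Score reset endpoint: ?del=<user> removes rows from `userflag` and redirects
// to the score page with a status message. Only the named user or an admin
// passes the check.
define('DVWA_WEB_PAGE_TO_ROOT', '../../../');
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup(array('authenticated', 'phpids'));
dvwaDatabaseConnect();

// NOTE(review): this is a state change triggered by a GET parameter; no
// anti-CSRF token check is visible in this file - confirm one exists.
if (isset($_GET['del'])) {
    $name = xlabGetSqli('del', $_GET);

    // NOTE(review): loose comparison; confirm dvwaGetuser() returns a string
    // so that numeric-looking user names cannot compare equal by value.
    if ($name == dvwaGetuser() or xlabisadmin()) {
        // NOTE(review): the user value is the literal '******', which looks
        // like a masked placeholder. As written the statement is not scoped to
        // $name - confirm against the real source.
        $sql = "DELETE FROM userflag WHERE user='******'";
        $result = mysql_query($sql);
        // The message carries request-derived text and spaces, so it is
        // percent-encoded before it becomes part of the redirect URL;
        // otherwise '&' or '#' in the name would alter the query string.
        dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=" . rawurlencode("delete {$name} succfully!!!"));
    } else {
        dvwaRedirect(xlabGetLocation() . "/vulnerabilities/ctf/?pid=score&msg=" . rawurlencode("delete {$name} fail!!!"));
    }
}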
$vid = mysql_result($result, 0, "vid"); $site = mysql_result($result, 0, "site"); $vname = mysql_result($result, 0, "vname"); $vdesc = mysql_result($result, 0, "vdesc"); $author = mysql_result($result, 0, "author"); $risk = mysql_result($result, 0, "risk"); } } if (isset($_POST['submit']) && $_POST['submit'] == 'updata') { #dvwadebug(); $vid = xlabGetSqli('vid', $_POST); $site = xlabGetSqli('site', $_POST); $vname = xlabGetSqli('name', $_POST); $vdesc = xlabGetSqli('desc', $_POST); $author = xlabGetSqli('author', $_POST); $risk = xlabGetSqli('risk', $_POST); if ($user == "admin") { $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',author='{$author}',risk='{$risk}' where vid='{$vid}'"; } else { $sql = "select vid from vulns where author='{$user}' and vid='{$vid}'"; if (mysql_num_rows(mysql_query($sql)) < 1) { $html = "Can't access "; $sql = ''; } else { $sql = "update vulns set site='{$site}',vname='{$vname}',vdesc='{$vdesc}',risk='{$risk}' where author='{$user}' and vid='{$vid}'"; } } dvwadebug($sql); $result = @mysql_query($sql); if ($result) { $html .= "updata sussfully!!!";