diff --git a/dvwa/.gitignore b/dvwa/.gitignore new file mode 100644 index 0000000..723dba7 --- /dev/null +++ b/dvwa/.gitignore @@ -0,0 +1,5 @@ +config/config.inc.php +Dockerfile + +# Vim swap files +.*swp diff --git a/dvwa/CHANGELOG.md b/dvwa/CHANGELOG.md index a8f38d8..8f6e0c6 100644 --- a/dvwa/CHANGELOG.md +++ b/dvwa/CHANGELOG.md @@ -1,6 +1,12 @@ DAMN VULNERABLE WEB APPLICATION ======================= +v1.10 (*Not Yet Released) +====== + ++ Improved IIS support. (@g0tmi1k) ++ Improved setup system check. (@g0tmi1k) + v1.9 (2015-10-05) ====== @@ -32,7 +38,7 @@ v1.9 (2015-10-05) + Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k) + Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k) + Updated README and documentation. (@g0tmi1k) -+ Various code cleanups in the core PHP files+CSS. (@g0tmi1k) ++ Various code cleanups in the core PHP files + CSS. (@g0tmi1k) + Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k) v1.8 (2013-05-01) @@ -152,6 +158,5 @@ Links ===== + Homepage: http://www.dvwa.co.uk -+ Project Home: https://github.com/RandomStorm/DVWA _Created by the DVWA team._ diff --git a/dvwa/README.md b/dvwa/README.md index 1736317..718e100 100644 --- a/dvwa/README.md +++ b/dvwa/README.md 
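Review bot: The new ignore list excludes `config/config.inc.php` but not `config/config.inc.php.bak`, which the setup code in this same commit (dvwa/includes/DBMS/MySQL.php) now copies next to it, so a developer who runs setup inside a checkout will see a file holding the live database credentials offered for commit. Add a line `config/config.inc.php.bak`, or ignore `config/config.inc.php*` and re-include the template with `!config/config.inc.php.dist`.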
@@ -1,17 +1,14 @@ -![DVWA](https://www.randomstorm.com/images/tools/dvwa.png "DVWA") - # DAMN VULNERABLE WEB APPLICATION Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment. -The aim of DVWA is to **practice some of the most common web vulnerability**, with **various difficultly levels**, with a simple straightforward interface. -Please note, there are **both documented and undocumented vulnerability** with this software. This is intentional. You are encouraged to try and discover as many issues as possible. - +The aim of DVWA is to **practice some of the most common web vulnerabilities**, with **various levels of difficulty**, with a simple straightforward interface. +Please note, there are **both documented and undocumented vulnerabilities** with this software. This is intentional. You are encouraged to try and discover as many issues as possible. - - - ## WARNING! -Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommend using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. Inside a guest machine, you can downloading and install [XAMPP](https://www.apachefriends.org/en/xampp.html) for the web server and database. +Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. 
It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. Inside a guest machine, you can download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) for the web server and database. ### Disclaimer 
@@ -37,23 +34,32 @@ You should have received a copy of the GNU General Public License along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.org/licenses/. - - - +## Download and install as a docker container +- [dockerhub page](https://hub.docker.com/r/vulnerables/web-dvwa/) +`docker run --rm -it -p 80:80 vulnerables/web-dvwa` + +Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here. ## Download DVWA is available either as a package that will run on your own web server or as a Live CD: - + DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA` - + DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.9.zip) - Released 2015-10-05 + + DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/ethicalhack3r/DVWA/archive/v1.9.zip) - Released 2015-10-05 + DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08 + + DVWA Development Source (Latest) [Download ZIP](https://github.com/ethicalhack3r/DVWA/archive/master.zip) // `git clone https://github.com/ethicalhack3r/DVWA` - - - ## Installation -### Windows + XAMPP +**Please make sure your config/config.inc.php file exists. Only having a config.inc.php.dist will not be sufficient and you'll have to edit it to suit your environment and rename it to config.inc.php. 
[Windows may hide the trailing extension.](https://support.microsoft.com/en-in/help/865219/how-to-show-or-hide-file-name-extensions-in-windows-explorer)** -Installation video: -https://www.youtube.com/watch?v=GzIj07jt8rM +### Installation Videos + +- [How to setup DVWA (Damn Vulnerable Web Application) on Ubuntu](https://www.youtube.com/watch?v=5BG6iq_AUvM) [21:01 minutes] +- [Installing Damn Vulnerable Web Application (DVWA) on Windows 10](https://www.youtube.com/watch?v=cak2lQvBRAo) [12:39 minutes] + +### Windows + XAMPP The easiest way to install DVWA is to download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) if you do not already have a web server setup. 
@@ -68,27 +74,40 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_: -`apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd` - +`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php` ### Database Setup To set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create / Reset Database` button. This will create / reset the database for you with some data in. -If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. +If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. *This differs from config.inc.php.dist, which is an example file.* The variables are set to the following by default: -``` +```php $_DVWA[ 'db_user' ] = 'root'; $_DVWA[ 'db_password' ] = 'p@ssw0rd'; $_DVWA[ 'db_database' ] = 'dvwa'; ``` +Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands: + +```mysql +mysql> create database dvwa; +Query OK, 1 row affected (0.00 sec) + +mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx'; +Query OK, 0 rows affected, 1 warning (0.01 sec) + +mysql> flush privileges; +Query OK, 0 rows affected (0.00 sec) + + +``` + ### Other Configuration -Depening on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis. -Note, You are unable to use PHP v7.0 or later with DVWA. 
+Depending on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis. **Folder Permissions**: @@ -120,17 +139,17 @@ Login URL: http://127.0.0.1/dvwa/login.php ### Troubleshooting For the latest troubleshooting information please visit: -https://github.com/RandomStorm/DVWA/issues +https://github.com/ethicalhack3r/DVWA/issues -+Q. SQL Injection wont work on PHP v5.2.6. ++Q. SQL Injection won't work on PHP v5.2.6. --A.If you are using PHP v5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work. +-A.If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work. In `.htaccess`: -Replace: +Replace (please note it may say mod_php7): -``` +```php php_flag magic_quotes_gpc off #php_flag allow_url_fopen on @@ -140,7 +159,7 @@ Replace: With: -``` +```php magic_quotes_gpc = Off allow_url_fopen = On 
@@ -150,18 +169,21 @@ With: +Q. Command Injection won't work. --A. Apache may not have high enough priviledges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator. +-A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator. -+Q. My XSS payload won't run in IE. ++Q. Why can't the database connect on CentOS? --A. If you're running IE8 or above, IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter. +-A. You may be running into problems with SELinux. Either disable SELinux or run this command to allow the webserver to talk to the database: +``` +setsebool -P httpd_can_network_connect_db 1 +``` - - - ## Links -Homepage: http://www.dvwa.co.uk +Homepage: http://www.dvwa.co.uk/ -Project Home: https://github.com/RandomStorm/DVWA +Project Home: https://github.com/ethicalhack3r/DVWA *Created by the DVWA team* diff --git a/dvwa/about.php b/dvwa/about.php index 4beb3a6..2b83d0a 100644 --- a/dvwa/about.php +++ b/dvwa/about.php @@ -11,11 +11,11 @@ $page[ 'page_id' ] = 'about'; $page[ 'body' ] .= "
-

About

+

About

Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

The official documentation for DVWA can be found here.

-

DVWA is a RandomStorm OpenSource project. All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.

+

All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.

Links

    @@ -28,16 +28,16 @@ $page[ 'body' ] .= "

    Credits

      -
    • Craig
    • -
    • Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "
    • -
    • Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "
    • -
    • Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','http://tedi.heriyanto.net' ) . "
    • -
    • Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "
    • -
    • RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "
    • -
    • Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "
    • Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "
    • +
    • Craig
    • g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "
    • +
    • Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "
    • +
    • Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "
    • +
    • RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "
    • +
    • Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "
    • Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . "
    • +
    • Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','tedi.heriyanto.net' ) . "
    • +
    • Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "
    • PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet( 'http://github.com/PHPIDS/PHPIDS', 'PHPIDS group' ) . "
    • @@ -55,6 +55,7 @@ $page[ 'body' ] .= "
\n"; dvwaHtmlEcho( $page ); + exit; ?> diff --git a/dvwa/config/config.inc.php b/dvwa/config/config.inc.php.dist similarity index 81% rename from dvwa/config/config.inc.php rename to dvwa/config/config.inc.php.dist index a740e10..a03dd25 100644 --- a/dvwa/config/config.inc.php +++ b/dvwa/config/config.inc.php.dist @@ -11,11 +11,14 @@ $DBMS = 'MySQL'; # Database variables # WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup. # Please use a database dedicated to DVWA. +# +# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user. +# See README.md for more information on this. $_DVWA = array(); $_DVWA[ 'db_server' ] = '127.0.0.1'; $_DVWA[ 'db_database' ] = 'dvwa'; $_DVWA[ 'db_user' ] = 'root'; -$_DVWA[ 'db_password' ] = 'vulnerables'; +$_DVWA[ 'db_password' ] = 'p@ssw0rd'; # Only used with PostgreSQL/PGSQL database selection. $_DVWA[ 'db_port '] = '5432'; @@ -23,9 +26,8 @@ $_DVWA[ 'db_port '] = '5432'; # ReCAPTCHA settings # Used for the 'Insecure CAPTCHA' module # You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create -# Thanks to http://stackoverflow.com/questions/34274492/dvwa-setup-php-function-allow-url-include-disabled -$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg'; -$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ'; +$_DVWA[ 'recaptcha_public_key' ] = ''; +$_DVWA[ 'recaptcha_private_key' ] = ''; # Default security level # Default value for the secuirty level with each session. diff --git a/dvwa/dvwa/includes/DBMS/MySQL.php b/dvwa/dvwa/includes/DBMS/MySQL.php index f68e836..c390612 100644 --- a/dvwa/dvwa/includes/DBMS/MySQL.php +++ b/dvwa/dvwa/includes/DBMS/MySQL.php 
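Review bot: The new comment in the database block reads `you must use create a dedicated DVWA user`; one of the verbs should go: `# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.`. Not part of this change but visible in the same context: the key in `$_DVWA[ 'db_port '] = '5432';` carries a trailing space, so a reader using `$_DVWA['db_port']` will never find it, and the rename to `.dist` is a convenient moment to fix it since every deployment copies this file.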
@@ -6,55 +6,57 @@ This file contains all of the code to setup the initial MySQL database. (setup.p */ -if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ) ) { - dvwaMessagePush( "Could not connect to the database.
Please check the config file." ); +define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' ); + +if( !@($GLOBALS["___mysqli_ston"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] )) ) { + dvwaMessagePush( "Could not connect to the MySQL service.
Please check the config file." ); + if ($_DVWA[ 'db_user' ] == "root") { + dvwaMessagePush( 'Your database user is root, if you are using MariaDB, this will not work, please read the README.md file.' ); + } dvwaPageReload(); } // Create database $drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};"; -if( !@mysql_query( $drop_db ) ) { - dvwaMessagePush( "Could not drop existing database
SQL: ".mysql_error() ); +if( !@mysqli_query($GLOBALS["___mysqli_ston"], $drop_db ) ) { + dvwaMessagePush( "Could not drop existing database
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } $create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};"; -if( !@mysql_query( $create_db ) ) { - dvwaMessagePush( "Could not create database
SQL: ".mysql_error() ); +if( !@mysqli_query($GLOBALS["___mysqli_ston"], $create_db ) ) { + dvwaMessagePush( "Could not create database
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } dvwaMessagePush( "Database has been created." ); // Create table 'users' -if( !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) { +if( !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) { dvwaMessagePush( 'Could not connect to database.' ); dvwaPageReload(); } $create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));"; -if( !mysql_query( $create_tb ) ) { - dvwaMessagePush( "Table could not be created
SQL: ".mysql_error() ); +if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb ) ) { + dvwaMessagePush( "Table could not be created
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } dvwaMessagePush( "'users' table was created." ); // Insert some data into users -// Get the base directory for the avatar media... -$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ]; -$stripPos = strpos( $baseUrl, 'setup.php' ); -$baseUrl = substr( $baseUrl, 0, $stripPos ).'hackable/users/'; +$avatarUrl = '/hackable/users/'; $insert = "INSERT INTO users VALUES - ('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'), - ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'), - ('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'), - ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'), - ('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');"; -if( !mysql_query( $insert ) ) { - dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: ".mysql_error() ); + ('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'), + ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'), + ('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'), + ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'), + ('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');"; +if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } dvwaMessagePush( "Data inserted into 'users' table." ); @@ -62,8 +64,8 @@ dvwaMessagePush( "Data inserted into 'users' table." ); // Create guestbook table $create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));"; -if( !mysql_query( $create_tb_guestbook ) ) { - dvwaMessagePush( "Table could not be created
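Review bot: `define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' );` at the top of this include is fragile: dvwaPage.inc.php in this same diff already concatenates that constant, so the including page most likely defines it first, in which case this `define` emits a warning and the earlier value wins; if it does not, the relative `'../../../'` is resolved against the running script's working directory rather than this file's location. Either guard it with `if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) )` or build the paths this file needs from `__DIR__` instead. Separately, the converter-generated error expression `((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error(...) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false))` is repeated on every failure branch here and again in the two hunks below (guestbook table and guestbook insert); factoring it into one helper keeps the six `dvwaMessagePush` calls readable and gives the `$GLOBALS["___mysqli_ston"]` link a single home, with each call's tail becoming `. dvwaMysqlErrorGet()`.
```php
// Last error from the shared mysqli link; falls back to the connect error
// when no link object exists (the converter's inline ternary, factored out).
function dvwaMysqlErrorGet() {
    $link = $GLOBALS["___mysqli_ston"];
    return is_object( $link ) ? mysqli_error( $link ) : mysqli_connect_error();
}
// … unchanged: connect, DROP/CREATE DATABASE, USE, table and data statements …
```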
SQL: ".mysql_error() ); +if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb_guestbook ) ) { + dvwaMessagePush( "Table could not be created
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } dvwaMessagePush( "'guestbook' table was created." ); @@ -71,15 +73,28 @@ dvwaMessagePush( "'guestbook' table was created." ); // Insert data into 'guestbook' $insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');"; -if( !mysql_query( $insert ) ) { - dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: ".mysql_error() ); +if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); } dvwaMessagePush( "Data inserted into 'guestbook' table." ); + + +// Copy .bak for a fun directory listing vuln +$conf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php'; +$bakconf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php.bak'; +if (file_exists($conf)) { + // Who cares if it fails. Suppress. + @copy($conf, $bakconf); +} + +dvwaMessagePush( "Backup file /config/config.inc.php.bak automatically created" ); + // Done dvwaMessagePush( "Setup successful!" ); + if( !dvwaIsLoggedIn()) dvwaMessagePush( "Please login." ); dvwaPageReload(); diff --git a/dvwa/dvwa/includes/dvwaPage.inc.php b/dvwa/dvwa/includes/dvwaPage.inc.php index 88ff699..2629f88 100644 --- a/dvwa/dvwa/includes/dvwaPage.inc.php +++ b/dvwa/dvwa/includes/dvwaPage.inc.php 
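Review bot: `dvwaMessagePush( "Backup file /config/config.inc.php.bak automatically created" )` runs unconditionally, so a setup where `$conf` does not exist, or where the suppressed `@copy` fails on a read-only config directory, still tells the user a backup was written. Because that backup carries the database credentials in plain text, the setup page should at least report accurately whether it exists: `$copied = file_exists($conf) && @copy($conf, $bakconf);` followed by `dvwaMessagePush( $copied ? "Backup file /config/config.inc.php.bak automatically created" : "Backup file /config/config.inc.php.bak could not be created" );`. Note also that `$conf` is built from `DVWA_WEB_PAGE_TO_ROOT`, a relative prefix, so `file_exists` is evaluated against the current working directory; `__DIR__ . '/../../../config/config.inc.php'` would pin it to this file's location.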
@@ -1,12 +1,16 @@ 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'weak_id', 'name' => 'Weak Session IDs', 'url' => 'vulnerabilities/weak_id/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' ); } $menuBlocks[ 'meta' ] = array(); @@ -223,7 +231,7 @@ function dvwaHtmlEcho( $pPage ) { foreach( $menuBlock as $menuItem ) { $selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ]; - $menuBlockHtml .= "
  • {$menuItem[ 'name' ]}
  • \n"; + $menuBlockHtml .= "
  • {$menuItem[ 'name' ]}
  • \n"; } $menuHtml .= ""; } @@ -322,6 +330,7 @@ function dvwaHtmlEcho( $pPage ) {

    Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "

    +
    @@ -409,23 +418,23 @@ function dvwaSourceHtmlEcho( $pPage ) { // To be used on all external links -- function dvwaExternalLinkUrlGet( $pLink,$text=null ) { if(is_null( $text )) { - return '' . $pLink . ''; + return '' . $pLink . ''; } else { - return '' . $text . ''; + return '' . $text . ''; } } // -- END ( external links) function dvwaButtonHelpHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } function dvwaButtonSourceHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } @@ -433,7 +442,7 @@ function dvwaButtonSourceHtmlGet( $pId ) { if( $DBMS == 'MySQL' ) { $DBMS = htmlspecialchars(strip_tags( $DBMS )); - $DBMS_errorFunc = 'mysql_error()'; + $DBMS_errorFunc = 'mysqli_error()'; } elseif( $DBMS == 'PGSQL' ) { $DBMS = htmlspecialchars(strip_tags( $DBMS )); @@ -458,8 +467,8 @@ function dvwaDatabaseConnect() { global $db; if( $DBMS == 'MySQL' ) { - if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ) - || !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) { + if( !@($GLOBALS["___mysqli_ston"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] )) + || !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) { //die( $DBMS_connError ); dvwaLogout(); dvwaMessagePush( 'Unable to connect to the database.
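Review bot: `$DBMS_errorFunc = 'mysqli_error()';` is still a plain string, and the dvwaDatabaseConnect hunk further down concatenates it into the failure message (`' . $DBMS_errorFunc )`), so the user sees the literal text `mysqli_error()` rather than any error, exactly as with the old `mysql_error()` string — unless that variable is evaluated somewhere not shown here. Since the failure point is the connect call, the message in dvwaDatabaseConnect can use the real value directly by replacing `. $DBMS_errorFunc` with `. mysqli_connect_error()`, and the `$DBMS_errorFunc` assignment can then go.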
    ' . $DBMS_errorFunc ); @@ -493,11 +502,11 @@ function dvwaRedirect( $pLocation ) { // XSS Stored guestbook function -- function dvwaGuestbook() { $query = "SELECT name, comment FROM guestbook"; - $result = mysql_query( $query ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); $guestbook = ''; - while( $row = mysql_fetch_row( $result ) ) { + while( $row = mysqli_fetch_row( $result ) ) { if( dvwaSecurityLevelGet() == 'impossible' ) { $name = htmlspecialchars( $row[0] ); $comment = htmlspecialchars( $row[1] ); 
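Review bot: In dvwaGuestbook the converted `$result = mysqli_query($GLOBALS["___mysqli_ston"], $query );` is `false` when the query fails, and the next new line hands that straight to `mysqli_fetch_row( $result )`, which throws a TypeError on PHP 8 (a warning and an empty loop on PHP 7). A guard after `$guestbook = '';` — `if( $result === false ) { return $guestbook; }` — keeps the page rendering when the guestbook table is absent, assuming the function returns the `$guestbook` string; its body continues outside this hunk.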
@@ -540,23 +549,32 @@ function tokenField() { # Return a field for the (CSRF) token // Setup Functions -- -$PHPUploadPath = realpath( getcwd() ) . "/hackable/uploads/"; -$PHPIDSPath = realpath( getcwd() ) . "/external/phpids/" . dvwaPhpIdsVersionGet() . "/lib/IDS/tmp/phpids_log.txt"; +$PHPUploadPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" ) . DIRECTORY_SEPARATOR; +$PHPIDSPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "external" . DIRECTORY_SEPARATOR . "phpids" . DIRECTORY_SEPARATOR . dvwaPhpIdsVersionGet() . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "IDS" . DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR . "phpids_log.txt" ); +$PHPCONFIGPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config"); -$phpDisplayErrors = 'PHP function display_errors: ' . ( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) -$phpSafeMode = 'PHP function safe_mode: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$phpMagicQuotes = 'PHP function magic_quotes_gpc: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI -$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI -$phpGD = 'PHP module php-gd: Installed' : 'failure">Missing' ) . ''; // File Upload +$phpDisplayErrors = 'PHP function display_errors: ' . ( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) +$phpSafeMode = 'PHP function safe_mode: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpMagicQuotes = 'PHP function magic_quotes_gpc: Enabled' : 'success">Disabled' ) . 
''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpGD = 'PHP module gd: Installed' : 'failure">Missing' ) . ''; // File Upload +$phpMySQL = 'PHP module mysql: Installed' : 'failure">Missing' ) . ''; // Core DVWA +$phpPDO = 'PHP module pdo_mysql: Installed' : 'failure">Missing' ) . ''; // SQLi $DVWARecaptcha = 'reCAPTCHA key: ' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . ''; -$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': Yes)' : 'failure">No' ) . ''; // File Upload -$DVWAPHPWrite = 'Writable file ' . $PHPIDSPath . ': Yes' : 'failure">No' ) . ''; // PHPIDS +$DVWAUploadsWrite = '[User: ' . get_current_user() . '] Writable folder ' . $PHPUploadPath . ': Yes' : 'failure">No' ) . ''; // File Upload +$bakWritable = '[User: ' . get_current_user() . '] Writable folder ' . $PHPCONFIGPath . ': Yes' : 'failure">No' ) . ''; // config.php.bak check // File Upload +$DVWAPHPWrite = '[User: ' . get_current_user() . '] Writable file ' . $PHPIDSPath . ': Yes' : 'failure">No' ) . ''; // PHPIDS -$DVWAOS = 'Operating system: ' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . ''; -$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF +$DVWAOS = 'Operating system: ' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . ''; +$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF + +$MYSQL_USER = 'MySQL username: ' . $_DVWA[ 'db_user' ] . ''; +$MYSQL_PASS = 'MySQL password: ' . ( ($_DVWA[ 'db_password' ] != "" ) ? '******' : '*blank*' ) . ''; +$MYSQL_DB = 'MySQL database: ' . $_DVWA[ 'db_database' ] . ''; +$MYSQL_SERVER = 'MySQL host: ' . $_DVWA[ 'db_server' ] . ''; // -- END (Setup Functions) ?> 
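Review bot: The new `$PHPUploadPath` appends `DIRECTORY_SEPARATOR` to the result of `realpath(...)`, but `realpath` returns `false` when the directory does not exist, so a missing uploads folder yields the path `/` (or `\` on Windows) and the writable check that follows — its call did not survive this rendering — is run against the filesystem root while the page reports `Writable folder /`; `$PHPCONFIGPath` and `$PHPIDSPath` have the same false-becomes-empty-string problem. Keep the `realpath` result in a variable and only add the separator when it is not `false`: `$uploadsDir = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" );` then `$PHPUploadPath = ( $uploadsDir === false ) ? false : $uploadsDir . DIRECTORY_SEPARATOR;`. The `[User: ' . get_current_user() . ']` prefix is also misleading: `get_current_user()` returns the owner of the running script file, not the account the web server process runs as, so the label can name a user that has nothing to do with whether the folder is writable; where the posix extension is available, `posix_getpwuid( posix_geteuid() )['name']` gives the effective user.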
diff --git a/dvwa/dvwa/js/add_event_listeners.js b/dvwa/dvwa/js/add_event_listeners.js new file mode 100644 index 0000000..5d9a82f --- /dev/null +++ b/dvwa/dvwa/js/add_event_listeners.js @@ -0,0 +1,24 @@ +// These functions need to be called after the content they reference +// has been added to the page otherwise they will fail. + +function addEventListeners() { + var source_button = document.getElementById ("source_button"); + + if (source_button) { + source_button.addEventListener("click", function() { + var url=source_button.dataset.sourceUrl; + popUp (url); + }); + } + + var help_button = document.getElementById ("help_button"); + + if (help_button) { + help_button.addEventListener("click", function() { + var url=help_button.dataset.helpUrl; + popUp (url); + }); + } +} + +addEventListeners(); diff --git a/dvwa/dvwa/js/dvwaPage.js b/dvwa/dvwa/js/dvwaPage.js index d5ea37b..0775a9d 100644 --- a/dvwa/dvwa/js/dvwaPage.js +++ b/dvwa/dvwa/js/dvwaPage.js @@ -3,7 +3,8 @@ function popUp(URL) { day = new Date(); id = day.getTime(); - eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=500,height=300,left = 540,top = 250');"); + window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250'); + //eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');"); } /* Form validation */ @@ -20,7 +21,7 @@ with (field) { } } -function validate_form(thisform) { +function validateGuestbookForm(thisform) { with (thisform) { // Guestbook form @@ -33,3 +34,6 @@ with (thisform) { } } +function confirmClearGuestbook() { + return confirm("Are you sure you want to clear the guestbook?"); +} 
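Review bot: In popUp the window name passed to `window.open` is the single-quoted literal `'" + id + "'` — the quote-and-concatenation remnants of the old eval string survived inside the new literal — so the name is the text `" + id + "` for every call and each help/source popup reuses the same window instead of getting one named by the timestamp; it should be `window.open(URL, String(id), 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');`. Dropping the `eval` is the right move; the commented-out `//eval(...)` copy below it should be deleted rather than kept. While here, the context lines `day = new Date(); id = day.getTime();` assign without `var` and so create globals, which a `var day = new Date(), id = day.getTime();` would avoid.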
diff --git a/dvwa/external/recaptcha/recaptchalib.php b/dvwa/external/recaptcha/recaptchalib.php old mode 100755 new mode 100644 index 4fc5a9f..eef4818 --- a/dvwa/external/recaptcha/recaptchalib.php +++ b/dvwa/external/recaptcha/recaptchalib.php 
@@ -1,279 +1,45 @@ $value ) - $req .= $key . '=' . urlencode( stripslashes($value) ) . '&'; - - // Cut the last '&' - $req=substr($req,0,strlen($req)-1); - return $req; +function recaptcha_check_answer($key, $response){ + return CheckCaptcha($key, $response); } +function CheckCaptcha($key, $response) { + try { + $url = 'https://www.google.com/recaptcha/api/siteverify'; + $dat = array( + 'secret' => $key, + 'response' => urlencode($response), + 'remoteip' => urlencode($_SERVER['REMOTE_ADDR']) + ); -/** - * Submits an HTTP POST to a reCAPTCHA server - * @param string $host - * @param string $path - * @param array $data - * @param int port - * @return array response - */ -function _recaptcha_http_post($host, $path, $data, $port = 80) { + $opt = array( + 'http' => array( + 'header' => "Content-type: application/x-www-form-urlencoded\r\n", + 'method' => 'POST', + 'content' => http_build_query($dat) + ) + ); - $req = _recaptcha_qsencode ($data); + $context = stream_context_create($opt); + $result = file_get_contents($url, false, $context); - $http_request = "POST $path HTTP/1.0\r\n"; - $http_request .= "Host: $host\r\n"; - $http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n"; - $http_request .= "Content-Length: " . strlen($req) . "\r\n"; - $http_request .= "User-Agent: reCAPTCHA/PHP\r\n"; - $http_request .= "\r\n"; - $http_request .= $req; + return json_decode($result)->success; - $response = ''; - if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) { - die ('Could not open socket'); - } - - fwrite($fs, $http_request); - - while ( !feof($fs) ) - $response .= fgets($fs, 1160); // One TCP-IP packet - fclose($fs); - $response = explode("\r\n\r\n", $response, 2); - - return $response; -} - - - -/** - * Gets the challenge HTML (javascript and non-javascript version). - * This is called from the browser, and the resulting reCAPTCHA HTML widget - * is embedded within the HTML form it was called from. 
- * @param string $pubkey A public key for reCAPTCHA - * @param string $error The error given by reCAPTCHA (optional, default is null) - * @param boolean $use_ssl Should the request be made over ssl? (optional, default is false) - - * @return string - The HTML to be embedded in the user's form. - */ -function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false) -{ - - # commented out to deal with error in DVWA - ethicalhack3r - #if ($pubkey == null || $pubkey == '') { - # die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); - #} - - if ($use_ssl) { - $server = RECAPTCHA_API_SECURE_SERVER; - } else { - $server = RECAPTCHA_API_SERVER; - } - - $errorpart = ""; - if ($error) { - $errorpart = "&error=" . $error; - } - return ' - - '; -} - - - - -/** - * A ReCaptchaResponse is returned from recaptcha_check_answer() - */ -class ReCaptchaResponse { - var $is_valid; - var $error; -} - - -/** - * Calls an HTTP POST function to verify if the user's guess was correct - * @param string $privkey - * @param string $remoteip - * @param string $challenge - * @param string $response - * @param array $extra_params an array of extra variables to post to the server - * @return ReCaptchaResponse - */ -function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array()) -{ - if ($privkey == null || $privkey == '') { - die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); + } catch (Exception $e) { + return null; } - if ($remoteip == null || $remoteip == '') { - die ("For security reasons, you must pass the remote ip to reCAPTCHA"); - } - - - - //discard spam submissions - if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) { - $recaptcha_response = new ReCaptchaResponse(); - $recaptcha_response->is_valid = false; - $recaptcha_response->error = 'incorrect-captcha-sol'; - return $recaptcha_response; - } - - 
$response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify", - array ( - 'privatekey' => $privkey, - 'remoteip' => $remoteip, - 'challenge' => $challenge, - 'response' => $response - ) + $extra_params - ); - - $answers = explode ("\n", $response [1]); - $recaptcha_response = new ReCaptchaResponse(); - - if (trim ($answers [0]) == 'true') { - $recaptcha_response->is_valid = true; - } - else { - $recaptcha_response->is_valid = false; - $recaptcha_response->error = $answers [1]; - } - return $recaptcha_response; - } -/** - * gets a URL where the user can sign up for reCAPTCHA. If your application - * has a configuration page where you enter a key, you should provide a link - * using this function. - * @param string $domain The domain where the page is hosted - * @param string $appname The name of your application - */ -function recaptcha_get_signup_url ($domain = null, $appname = null) { - return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname)); +function recaptcha_get_html($pubKey){ + return " + +
    + "; } -function _recaptcha_aes_pad($val) { - $block_size = 16; - $numpad = $block_size - (strlen ($val) % $block_size); - return str_pad($val, strlen ($val) + $numpad, chr($numpad)); -} - -/* Mailhide related code */ - -function _recaptcha_aes_encrypt($val,$ky) { - if (! function_exists ("mcrypt_encrypt")) { - die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed."); - } - $mode=MCRYPT_MODE_CBC; - $enc=MCRYPT_RIJNDAEL_128; - $val=_recaptcha_aes_pad($val); - return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"); -} - - -function _recaptcha_mailhide_urlbase64 ($x) { - return strtr(base64_encode ($x), '+/', '-_'); -} - -/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */ -function recaptcha_mailhide_url($pubkey, $privkey, $email) { - if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) { - die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " . - "you can do so at http://www.google.com/recaptcha/mailhide/apikey"); - } - - - $ky = pack('H*', $privkey); - $cryptmail = _recaptcha_aes_encrypt ($email, $ky); - - return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail); -} - -/** - * gets the parts of the email to expose to the user. - * eg, given johndoe@example,com return ["john", "example.com"]. - * the email is then displayed as john...@example.com - */ -function _recaptcha_mailhide_email_parts ($email) { - $arr = preg_split("/@/", $email ); - - if (strlen ($arr[0]) <= 4) { - $arr[0] = substr ($arr[0], 0, 1); - } else if (strlen ($arr[0]) <= 6) { - $arr[0] = substr ($arr[0], 0, 3); - } else { - $arr[0] = substr ($arr[0], 0, 4); - } - return $arr; -} - -/** - * Gets html to display an email address given a public an private key. 
- * to get a key, go to: - * - * http://www.google.com/recaptcha/mailhide/apikey - */ -function recaptcha_mailhide_html($pubkey, $privkey, $email) { - $emailparts = _recaptcha_mailhide_email_parts ($email); - $url = recaptcha_mailhide_url ($pubkey, $privkey, $email); - - return htmlentities($emailparts[0]) . "...@" . htmlentities ($emailparts [1]); - -} - - ?> diff --git a/dvwa/hackable/flags/fi.php b/dvwa/hackable/flags/fi.php index a9a29c4..71e0ffe 100644 --- a/dvwa/hackable/flags/fi.php +++ b/dvwa/hackable/flags/fi.php @@ -12,8 +12,8 @@ if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) ) { echo "2.) My name is Sherlock Holmes. It is my business to know what other people don't know.\n\n
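Review bot: `CheckCaptcha`'s `try`/`catch (Exception $e)` does not cover the failures this code can actually hit: `file_get_contents()` returns false with a warning on a transport error and `json_decode()` returns null on a malformed body, so `->success` on null produces a warning and a null return, never an exception. The request array also passes `urlencode($response)` and `urlencode($_SERVER['REMOTE_ADDR'])` through `http_build_query()`, which encodes every value again, so the verify request carries double-encoded fields. Drop the `urlencode()` calls, test the `file_get_contents()` result for `=== false`, decode with `json_decode($result, true)` and return a strict boolean, as sketched below. `recaptcha_check_answer()` now takes two arguments instead of five and returns that value instead of a `ReCaptchaResponse`, so every caller that read `->is_valid` has to change with this commit (presumably elsewhere in the diff). The body of `recaptcha_get_html()` is not legible in the extracted hunk.
```php
function CheckCaptcha($key, $response) {
    $url = 'https://www.google.com/recaptcha/api/siteverify';
    // http_build_query() encodes each value; urlencode() here would double-encode.
    $dat = array(
        'secret'   => $key,
        'response' => $response,
        'remoteip' => $_SERVER['REMOTE_ADDR']
    );
    // … unchanged: $opt and stream_context_create() …
    $result = file_get_contents($url, false, $context);
    if ($result === false) {
        return false; // transport failure: treat as not verified
    }
    $json = json_decode($result, true);
    return isset($json['success']) && $json['success'] === true;
}
```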

    \n"; -$line3 = "3.) Romeo, Romeo! wherefore art thou Romeo?"; -$line3 = "--LINE MISSING--"; +$line3 = "3.) Romeo, Romeo! Wherefore art thou Romeo?"; +$line3 = "--LINE HIDDEN ;)--"; echo $line3 . "\n\n

    \n"; $line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu"; diff --git a/dvwa/index.php b/dvwa/index.php index f672abe..b07a685 100644 --- a/dvwa/index.php +++ b/dvwa/index.php @@ -13,14 +13,14 @@ $page[ 'body' ] .= "

    Welcome to Damn Vulnerable Web Application!

    Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

    -

    The aim of DVWA is to practice some of the most common web vulnerability, with various difficultly levels, with a simple straightforward interface.

    +

    The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficultly, with a simple straightforward interface.



    General Instructions

    It is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.

    Please note, there are both documented and undocumented vulnerability with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

    -

    DVWA also includes a Web Application Firewall (WAF), PHPIDS, which can be enabled at any stage to further increase the difficulty. This will demonstrate how adding another layer of security may block certain malicious actions. Note, there are also various public methods at bypassing these protections (so this can be see an as extension for more advance users)!

    +

    DVWA also includes a Web Application Firewall (WAF), PHPIDS, which can be enabled at any stage to further increase the difficulty. This will demonstrate how adding another layer of security may block certain malicious actions. Note, there are also various public methods at bypassing these protections (so this can be seen as an extension for more advanced users)!

    There is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.
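Review bot: The rewritten sentence in this hunk still contains the typo `difficultly`; it should read `with various levels of difficulty, with a simple straightforward interface.`. The adjacent sentence `both documented and undocumented vulnerability` is only a context line here, but if this copy is touched again `vulnerabilities` is the plural it needs. The `$page[ 'body' ]` string this text lives in starts before the hunk.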



    diff --git a/dvwa/login.php b/dvwa/login.php index d0ca8bc..cbd37d9 100644 --- a/dvwa/login.php +++ b/dvwa/login.php @@ -13,26 +13,26 @@ if( isset( $_POST[ 'Login' ] ) ) { $user = $_POST[ 'username' ]; $user = stripslashes( $user ); - $user = mysql_real_escape_string( $user ); + $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = $_POST[ 'password' ]; $pass = stripslashes( $pass ); - $pass = mysql_real_escape_string( $pass ); + $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); $query = ("SELECT table_schema, table_name, create_time FROM information_schema.tables WHERE table_schema='{$_DVWA['db_database']}' AND table_name='users' LIMIT 1"); - $result = @mysql_query( $query ); - if( mysql_num_rows( $result ) != 1 ) { + $result = @mysqli_query($GLOBALS["___mysqli_ston"], $query ); + if( mysqli_num_rows( $result ) != 1 ) { dvwaMessagePush( "First time using DVWA.
    Need to run 'setup.php'." ); dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' ); } $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';"; - $result = @mysql_query( $query ) or die( '
    ' . mysql_error() . '.
    Try installing again.
    ' ); - if( $result && mysql_num_rows( $result ) == 1 ) { // Login Successful... + $result = @mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '.
    Try installing again.
    ' ); + if( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful... dvwaMessagePush( "You have logged in as '{$user}'" ); dvwaLogin( $user ); dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' ); @@ -120,7 +120,7 @@ echo "
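Review bot: The converted escaping lines in login.php are a mechanical MySQLConverterToo expansion, `((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error(...)) ? "" : ""))`, repeated verbatim here and in the csrf high, impossible, low and medium hunks of this commit. A small shared helper such as `function dvwaDbEscape($s) { return mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $s); }` would replace each copy and keep the trigger_error fallback out of page code. Since login.php is core application code rather than a training module, the `SELECT * FROM users WHERE user='$user' AND password='$pass'` query could also move to `mysqli_prepare()` with bound parameters now that mysqli is in use, which removes the need to escape the inputs at all. The surrounding `if( isset( $_POST[ 'Login' ] ) )` block starts before the hunk.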
    -

    " . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)' ) . " is a RandomStorm OpenSource project.

    +

    " . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)' ) . "

    diff --git a/dvwa/security.php b/dvwa/security.php index 2a4a7ce..f5ece06 100644 --- a/dvwa/security.php +++ b/dvwa/security.php @@ -62,8 +62,17 @@ foreach( array( 'low', 'medium', 'high', 'impossible' ) as $securityLevel ) { } $phpIdsHtml = 'PHPIDS is currently: '; + +// Able to write to the PHPIDS log file? +$WarningHtml = ''; + if( dvwaPhpIdsIsEnabled() ) { $phpIdsHtml .= 'enabled. [Disable PHPIDS]'; + + # Only check if PHPIDS is enabled + if( !is_writable( $PHPIDSPath ) ) { + $WarningHtml .= "
    Cannot write to the PHPIDS log file: ${PHPIDSPath}
    "; + } } else { $phpIdsHtml .= 'disabled. [Enable PHPIDS]'; @@ -72,13 +81,6 @@ else { // Anti-CSRF generateSessionToken(); -// Able to write to the PHPIDS log file? -$WarningHtml = ''; -if( !is_writable( $PHPIDSPath ) ) { - $WarningHtml .= "
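Review bot: The warning string moved into the enabled branch keeps the `${PHPIDSPath}` interpolation form, which PHP 8.2 deprecates in favour of `{$PHPIDSPath}`; since the line is being relocated anyway, write it as `Cannot write to the PHPIDS log file: {$PHPIDSPath}`. The path is also written into the page unescaped; it is an administrator-configured value rather than user input, but `htmlspecialchars( $PHPIDSPath )` costs nothing here. `$PHPIDSPath` itself is not defined within this hunk.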
    Cannot write to the PHPIDS log file: ${PHPIDSPath}
    "; -} - - $page[ 'body' ] .= "

    DVWA Security

    @@ -96,7 +98,7 @@ $page[ 'body' ] .= "
  • Medium - This setting is mainly to give an example to the user of bad security practices, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.
  • High - This option is an extension to the medium difficulty, with a mixture of harder or alternative bad practices to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.
  • Impossible - This level should be secure against all vulnerabilities. It is used to compare the vulnerable source code to the secure source code.
    - Priority to DVWA v1.9, this level was known as 'high'.
  • + Prior to DVWA v1.9, this level was known as 'high'. + + + +'; + diff --git a/dvwa/vulnerabilities/csp/source/impossible.js b/dvwa/vulnerabilities/csp/source/impossible.js new file mode 100644 index 0000000..11b56aa --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/impossible.js @@ -0,0 +1,19 @@ +function clickButton() { + var s = document.createElement("script"); + s.src = "source/jsonp_impossible.php"; + document.body.appendChild(s); +} + +function solveSum(obj) { + if ("answer" in obj) { + document.getElementById("answer").innerHTML = obj['answer']; + } +} + +var solve_button = document.getElementById ("solve"); + +if (solve_button) { + solve_button.addEventListener("click", function() { + clickButton(); + }); +} diff --git a/dvwa/vulnerabilities/csp/source/impossible.php b/dvwa/vulnerabilities/csp/source/impossible.php new file mode 100644 index 0000000..320fd2f --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/impossible.php @@ -0,0 +1,23 @@ + + +
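Review bot: `solveSum` writes `obj['answer']` into the page with `innerHTML`, which interprets the value as markup; for the level meant to be the hardened reference, `document.getElementById("answer").textContent = obj['answer'];` renders the same number without parsing it. The value comes from `source/jsonp_impossible.php` on the same origin, so this is defence in depth rather than a live issue, but it is the habit the "impossible" source should model.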

    Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.

    The CSP settings only allow external JavaScript on the local server and no inline code.

    +

    1+2+3+4+5=

    + + + + +'; + diff --git a/dvwa/vulnerabilities/csp/source/jsonp.php b/dvwa/vulnerabilities/csp/source/jsonp.php new file mode 100644 index 0000000..fcfc535 --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/jsonp.php @@ -0,0 +1,13 @@ + "15"); + +echo $callback . "(".json_encode($outp).")"; +?> diff --git a/dvwa/vulnerabilities/csp/source/jsonp_impossible.php b/dvwa/vulnerabilities/csp/source/jsonp_impossible.php new file mode 100644 index 0000000..090a38b --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/jsonp_impossible.php @@ -0,0 +1,7 @@ + "15"); + +echo "solveSum (".json_encode($outp).")"; +?> diff --git a/dvwa/vulnerabilities/csp/source/low.php b/dvwa/vulnerabilities/csp/source/low.php new file mode 100644 index 0000000..ea25c72 --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/low.php @@ -0,0 +1,22 @@ + + +"; +} +$page[ 'body' ] .= ' +
    +

    You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:

    + + +
    +'; diff --git a/dvwa/vulnerabilities/csp/source/medium.php b/dvwa/vulnerabilities/csp/source/medium.php new file mode 100644 index 0000000..0fd0320 --- /dev/null +++ b/dvwa/vulnerabilities/csp/source/medium.php @@ -0,0 +1,25 @@ +alert(1) + +?> + +

    Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.

    + + + +'; diff --git a/dvwa/vulnerabilities/csrf/source/high.php b/dvwa/vulnerabilities/csrf/source/high.php index 29542c7..2b3f2e3 100644 --- a/dvwa/vulnerabilities/csrf/source/high.php +++ b/dvwa/vulnerabilities/csrf/source/high.php @@ -11,12 +11,12 @@ if( isset( $_GET[ 'Change' ] ) ) { // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! - $pass_new = mysql_real_escape_string( $pass_new ); + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; - $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); // Feedback for the user $html .= "
    Password Changed.
    "; @@ -26,7 +26,7 @@ if( isset( $_GET[ 'Change' ] ) ) { $html .= "
    Passwords did not match.
    "; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token diff --git a/dvwa/vulnerabilities/csrf/source/impossible.php b/dvwa/vulnerabilities/csrf/source/impossible.php index eb98a51..0b69b36 100644 --- a/dvwa/vulnerabilities/csrf/source/impossible.php +++ b/dvwa/vulnerabilities/csrf/source/impossible.php @@ -11,7 +11,7 @@ if( isset( $_GET[ 'Change' ] ) ) { // Sanitise current password input $pass_curr = stripslashes( $pass_curr ); - $pass_curr = mysql_real_escape_string( $pass_curr ); + $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_curr = md5( $pass_curr ); // Check that the current password is correct @@ -24,7 +24,7 @@ if( isset( $_GET[ 'Change' ] ) ) { if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { // It does! $pass_new = stripslashes( $pass_new ); - $pass_new = mysql_real_escape_string( $pass_new ); + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update database with new password diff --git a/dvwa/vulnerabilities/csrf/source/low.php b/dvwa/vulnerabilities/csrf/source/low.php index 4e5cbd0..4787125 100644 --- a/dvwa/vulnerabilities/csrf/source/low.php +++ b/dvwa/vulnerabilities/csrf/source/low.php 
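Review bot: The converted close statement `((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);` is an expression whose result is discarded, and it leaves a stray `$___mysqli_res` variable behind; the identical line appears in the csrf low and medium hunks of this commit. `mysqli_close($GLOBALS["___mysqli_ston"]);` does the same thing readably. The enclosing `if( isset( $_GET[ 'Change' ] ) )` block starts before the hunk.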
@@ -8,12 +8,12 @@ if( isset( $_GET[ 'Change' ] ) ) { // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! - $pass_new = mysql_real_escape_string( $pass_new ); + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; - $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); // Feedback for the user $html .= "
    Password Changed.
    "; @@ -23,7 +23,7 @@ if( isset( $_GET[ 'Change' ] ) ) { $html .= "
    Passwords did not match.
    "; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> diff --git a/dvwa/vulnerabilities/csrf/source/medium.php b/dvwa/vulnerabilities/csrf/source/medium.php index b0b1c3d..459368b 100644 --- a/dvwa/vulnerabilities/csrf/source/medium.php +++ b/dvwa/vulnerabilities/csrf/source/medium.php @@ -2,7 +2,7 @@ if( isset( $_GET[ 'Change' ] ) ) { // Checks to see where the request came from - if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) { + if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) { // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; @@ -10,12 +10,12 @@ if( isset( $_GET[ 'Change' ] ) ) { // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! - $pass_new = mysql_real_escape_string( $pass_new ); + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; - $result = mysql_query( $insert ) or die( '
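Review bot: The new referer check in csrf/medium.php calls `stripos( $_SERVER[ 'HTTP_REFERER' ], ... )` without confirming the header exists, so a request that sends no Referer raises an undefined-index notice before the comparison runs. `if( isset( $_SERVER[ 'HTTP_REFERER' ] ) && stripos( $_SERVER[ 'HTTP_REFERER' ], $_SERVER[ 'SERVER_NAME' ] ) !== false ) {` keeps the intended medium-level behaviour (no header, request rejected) without the notice. The rest of the block lies outside this hunk.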
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); // Feedback for the user $html .= "
    Password Changed.
    "; @@ -30,7 +30,7 @@ if( isset( $_GET[ 'Change' ] ) ) { $html .= "
    That request didn't look correct.
    "; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> diff --git a/dvwa/vulnerabilities/fi/file3.php b/dvwa/vulnerabilities/fi/file3.php index 401bcb6..c910679 100644 --- a/dvwa/vulnerabilities/fi/file3.php +++ b/dvwa/vulnerabilities/fi/file3.php @@ -7,15 +7,16 @@ $page[ 'body' ] .= "

    File 3


    Welcome back " . dvwaCurrentUser() . "
    - Your IP address is: "; -if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) - $page[ 'body' ] .= $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; -else - $page[ 'body' ] .= "**Missing Header**"; -$page[ 'body' ] .= "
    - Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
    - You came form: {$_SERVER[ 'HTTP_REFERER' ]}
    - I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}

    + Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
    "; +if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) { + $page[ 'body' ] .= "Forwarded for: " . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; + $page[ 'body' ] .= "
    "; +} + $page[ 'body' ] .= "Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
    "; +if( array_key_exists( 'HTTP_REFERER', $_SERVER )) { + $page[ 'body' ] .= "You came from: {$_SERVER[ 'HTTP_REFERER' ]}
    "; +} + $page[ 'body' ] .= "I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}

    [back]
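Review bot: The rebuilt body appends `HTTP_X_FORWARDED_FOR`, `HTTP_USER_AGENT`, `HTTP_REFERER` and `HTTP_HOST` to `$page[ 'body' ]` as raw HTML, and `HTTP_USER_AGENT` is the only one of the optional headers read without the `array_key_exists` guard the other two received, so a request without a User-Agent raises a notice. If reflecting these request headers verbatim is not part of the file-inclusion exercise, wrap each value in `htmlspecialchars()` as it is appended; either way, guard the user-agent line like the referer line, `if( array_key_exists( 'HTTP_USER_AGENT', $_SERVER )) {`. The `$page[ 'body' ]` string opens before the hunk.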
    diff --git a/dvwa/vulnerabilities/fi/help/help.php b/dvwa/vulnerabilities/fi/help/help.php index 997577e..c02dfaf 100644 --- a/dvwa/vulnerabilities/fi/help/help.php +++ b/dvwa/vulnerabilities/fi/help/help.php @@ -20,7 +20,7 @@


    Objective

    -

    Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.

    +

    Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.




    diff --git a/dvwa/vulnerabilities/javascript/help/help.php b/dvwa/vulnerabilities/javascript/help/help.php new file mode 100644 index 0000000..a679d2e --- /dev/null +++ b/dvwa/vulnerabilities/javascript/help/help.php @@ -0,0 +1,52 @@ +
    +

    Help - Client Side JavaScript

    + +
    +

    About

    +

    The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.

    + +
    + +

    Objective

    +

    Simply submit the phrase "success" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.

    + +
    +

    Low Level

    +

    All the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.

    +
    Spoiler: Change the phrase to success and then use the function generate_token() to update the token.
    + +


    + +

    Medium Level

    +

    + The JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way. +

    +
    Spoiler: The file uses the setTimeout function to run the do_elsesomething function which generates the token.
    + +


    + +

    High Level

    +

    + The JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission. +

    +
    Spoiler: If it helps, two packers have been used, the first is from Dan's Tools and the second is the JavaScript Obfuscator Tool.
    +
    Spoiler 2: This deobfuscation tool seems to work the best on this code deobfuscate javascript.
    +
    Spoiler 3: This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.
    + +


    + +

    Impossible Level

    +

    You can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.

    + +
    + +
    + +

    Reference:

    +
      +
    • +
    • +
    • +
    • +
    +
    diff --git a/dvwa/vulnerabilities/javascript/index.php b/dvwa/vulnerabilities/javascript/index.php new file mode 100644 index 0000000..1e5b580 --- /dev/null +++ b/dvwa/vulnerabilities/javascript/index.php @@ -0,0 +1,123 @@ +Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + case 'medium': + if ($token == strrev("XXsuccessXX")) { + $message = "

    Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + case 'high': + if ($token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) { + $message = "

    Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + default: + $vulnerabilityFile = 'impossible.php'; + break; + } + } else { + $message = "

    You got the phrase wrong.

    "; + } + } else { + $message = "

    Missing phrase or token.

    "; + } +} + +if ( $_COOKIE[ 'security' ] == "impossible" ) { +$page[ 'body' ] = << +

    Vulnerability: JavaScript Attacks

    + +
    +

    + You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level. +

    +EOF; +} else { +$page[ 'body' ] = << +

    Vulnerability: JavaScript Attacks

    + +
    +

    + Submit the word "success" to win. +

    + + $message + +
    + + + +
    +EOF; +} + +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/javascript/source/{$vulnerabilityFile}"; + +$page[ 'body' ] .= << +EOF; + +$page[ 'body' ] .= " +

    More Information

    +
      +
    • " . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . "
    • +
    +

    Module developed by Digininja.

    +
    \n"; + +dvwaHtmlEcho( $page ); + +?> diff --git a/dvwa/vulnerabilities/javascript/source/high.js b/dvwa/vulnerabilities/javascript/source/high.js new file mode 100644 index 0000000..30c3833 --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/high.js 
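Review bot: The token checks in the low, medium and high cases use `==`, so the high case compares the `hash("sha256", ...)` string against user-supplied input with PHP's loose comparison; `===` (or `hash_equals()` for the hash case) makes it a byte-for-byte check, which is what a token comparison needs, e.g. `if ($token === hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) {`. `$_COOKIE[ 'security' ]` is also read directly without an `isset()` guard, so the page raises a notice when the cookie is absent. The start of this file, where `$token` and the phrase are read from the request, is not legible in the extracted hunk, so the same comparison style presumably applies there too.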
@@ -0,0 +1 @@ +var a=['fromCharCode','toString','replace','BeJ','\x5cw+','Lyg','SuR','(w(){\x273M\x203L\x27;q\x201l=\x273K\x203I\x203J\x20T\x27;q\x201R=1c\x202I===\x271n\x27;q\x20Y=1R?2I:{};p(Y.3N){1R=1O}q\x202L=!1R&&1c\x202M===\x271n\x27;q\x202o=!Y.2S&&1c\x202d===\x271n\x27&&2d.2Q&&2d.2Q.3S;p(2o){Y=3R}z\x20p(2L){Y=2M}q\x202G=!Y.3Q&&1c\x202g===\x271n\x27&&2g.X;q\x202s=1c\x202l===\x27w\x27&&2l.3P;q\x201y=!Y.3H&&1c\x20Z!==\x272T\x27;q\x20m=\x273G\x27.3z(\x27\x27);q\x202w=[-3y,3x,3v,3w];q\x20U=[24,16,8,0];q\x20K=[3A,3B,3F,3E,3D,3C,3T,3U,4d,4c,4b,49,4a,4e,4f,4j,4i,4h,3u,48,47,3Z,3Y,3X,3V,3W,40,41,46,45,43,42,4k,3f,38,36,39,37,34,33,2Y,31,2Z,35,3t,3n,3m,3l,3o,3p,3s,3r,3q,3k,3j,3d,3a,3c,3b,3e,3h,3g,3i,4g];q\x201E=[\x271e\x27,\x2727\x27,\x271G\x27,\x272R\x27];q\x20l=[];p(Y.2S||!1z.1K){1z.1K=w(1x){A\x204C.Q.2U.1I(1x)===\x27[1n\x201z]\x27}}p(1y&&(Y.50||!Z.1N)){Z.1N=w(1x){A\x201c\x201x===\x271n\x27&&1x.1w&&1x.1w.1J===Z}}q\x202m=w(1X,x){A\x20w(s){A\x20O\x20N(x,1d).S(s)[1X]()}};q\x202a=w(x){q\x20P=2m(\x271e\x27,x);p(2o){P=2P(P,x)}P.1T=w(){A\x20O\x20N(x)};P.S=w(s){A\x20P.1T().S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2m(T,x)}A\x20P};q\x202P=w(P,x){q\x201S=2O(\x222N(\x271S\x27)\x22);q\x201Y=2O(\x222N(\x271w\x27).1Y\x22);q\x202n=x?\x271H\x27:\x271q\x27;q\x202z=w(s){p(1c\x20s===\x272p\x27){A\x201S.2x(2n).S(s,\x274S\x27).1G(\x271e\x27)}z{p(s===2q||s===2T){1u\x20O\x201t(1l)}z\x20p(s.1J===Z){s=O\x202r(s)}}p(1z.1K(s)||Z.1N(s)||s.1J===1Y){A\x201S.2x(2n).S(O\x201Y(s)).1G(\x271e\x27)}z{A\x20P(s)}};A\x202z};q\x202k=w(1X,x){A\x20w(G,s){A\x20O\x201P(G,x,1d).S(s)[1X]()}};q\x202f=w(x){q\x20P=2k(\x271e\x27,x);P.1T=w(G){A\x20O\x201P(G,x)};P.S=w(G,s){A\x20P.1T(G).S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2k(T,x)}A\x20P};w\x20N(x,1v){p(1v){l[0]=l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0;k.l=l}z{k.l=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}p(x){k.C=4I;k.B=4H;k.E=4l;k.F=4U;k.J=4J;k.I=4K;k.H=4L;k.D=4T}z{k.C=4X;k.B=4W;k.E=4Y;k.F=4Z;k.J=4V;k.I=4O;k.H
=4F;k.D=4s}k.1C=k.1A=k.L=k.2i=0;k.1U=k.1L=1O;k.2j=1d;k.x=x}N.Q.S=w(s){p(k.1U){A}q\x202h,T=1c\x20s;p(T!==\x272p\x27){p(T===\x271n\x27){p(s===2q){1u\x20O\x201t(1l)}z\x20p(1y&&s.1J===Z){s=O\x202r(s)}z\x20p(!1z.1K(s)){p(!1y||!Z.1N(s)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}2h=1d}q\x20r,M=0,i,W=s.W,l=k.l;4t(M>2]|=s[M]<>2]|=r<>2]|=(2t|(r>>6))<>2]|=(R|(r&V))<=2E){l[i>>2]|=(2D|(r>>12))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<>2]|=(2X|(r>>18))<>2]|=(R|((r>>12)&V))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<=1k){k.1C=l[16];k.1A=i-1k;k.1W();k.1L=1d}z{k.1A=i}}p(k.L>4r){k.2i+=k.L/2H<<0;k.L=k.L%2H}A\x20k};N.Q.1s=w(){p(k.1U){A}k.1U=1d;q\x20l=k.l,i=k.2u;l[16]=k.1C;l[i>>2]|=2w[i&3];k.1C=l[16];p(i>=4q){p(!k.1L){k.1W()}l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}l[14]=k.2i<<3|k.L>>>29;l[15]=k.L<<3;k.1W()};N.Q.1W=w(){q\x20a=k.C,b=k.B,c=k.E,d=k.F,e=k.J,f=k.I,g=k.H,h=k.D,l=k.l,j,1a,1b,1j,v,1f,1h,1B,1Z,1V,1D;1g(j=16;j<1k;++j){v=l[j-15];1a=((v>>>7)|(v<<25))^((v>>>18)|(v<<14))^(v>>>3);v=l[j-2];1b=((v>>>17)|(v<<15))^((v>>>19)|(v<<13))^(v>>>10);l[j]=l[j-16]+1a+l[j-7]+1b<<0}1D=b&c;1g(j=0;j<1k;j+=4){p(k.2j){p(k.x){1B=4m;v=l[0]-4n;h=v-4o<<0;d=v+4p<<0}z{1B=4v;v=l[0]-4w;h=v-4G<<0;d=v+4D<<0}k.2j=1O}z{1a=((a>>>2)|(a<<30))^((a>>>13)|(a<<19))^((a>>>22)|(a<<10));1b=((e>>>6)|(e<<26))^((e>>>11)|(e<<21))^((e>>>25)|(e<<7));1B=a&b;1j=1B^(a&c)^1D;1h=(e&f)^(~e&g);v=h+1b+1h+K[j]+l[j];1f=1a+1j;h=d+v<<0;d=v+1f<<0}1a=((d>>>2)|(d<<30))^((d>>>13)|(d<<19))^((d>>>22)|(d<<10));1b=((h>>>6)|(h<<26))^((h>>>11)|(h<<21))^((h>>>25)|(h<<7));1Z=d&a;1j=1Z^(d&b)^1B;1h=(h&e)^(~h&f);v=g+1b+1h+K[j+1]+l[j+1];1f=1a+1j;g=c+v<<0;c=v+1f<<0;1a=((c>>>2)|(c<<30))^((c>>>13)|(c<<19))^((c>>>22)|(c<<10));1b=((g>>>6)|(g<<26))^((g>>>11)|(g<<21))^((g>>>25)|(g<<7));1V=c&d;1j=1V^(c&a)^1Z;1h=(g&h)^(~g&e);v=f+1b+1h+K[j+2]+l[j+2];1f=1a+1j;f=b+v<<0;b=v+1f<<0;1a=((b>>>2)|(b<<30))^((b>>>13)|(b<<19))^((b>>>22)|(b<<10));1b=((f>>>6)|(f<<26))^((f>>>11)|(f<<21))^((f>>>25)|(f<<7));1D=b&c;1j=1D^(b&d)^1V;1h=(f&g)^(~f&h
);v=e+1b+1h+K[j+3]+l[j+3];1f=1a+1j;e=a+v<<0;a=v+1f<<0}k.C=k.C+a<<0;k.B=k.B+b<<0;k.E=k.E+c<<0;k.F=k.F+d<<0;k.J=k.J+e<<0;k.I=k.I+f<<0;k.H=k.H+g<<0;k.D=k.D+h<<0};N.Q.1e=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x201e=m[(C>>28)&o]+m[(C>>24)&o]+m[(C>>20)&o]+m[(C>>16)&o]+m[(C>>12)&o]+m[(C>>8)&o]+m[(C>>4)&o]+m[C&o]+m[(B>>28)&o]+m[(B>>24)&o]+m[(B>>20)&o]+m[(B>>16)&o]+m[(B>>12)&o]+m[(B>>8)&o]+m[(B>>4)&o]+m[B&o]+m[(E>>28)&o]+m[(E>>24)&o]+m[(E>>20)&o]+m[(E>>16)&o]+m[(E>>12)&o]+m[(E>>8)&o]+m[(E>>4)&o]+m[E&o]+m[(F>>28)&o]+m[(F>>24)&o]+m[(F>>20)&o]+m[(F>>16)&o]+m[(F>>12)&o]+m[(F>>8)&o]+m[(F>>4)&o]+m[F&o]+m[(J>>28)&o]+m[(J>>24)&o]+m[(J>>20)&o]+m[(J>>16)&o]+m[(J>>12)&o]+m[(J>>8)&o]+m[(J>>4)&o]+m[J&o]+m[(I>>28)&o]+m[(I>>24)&o]+m[(I>>20)&o]+m[(I>>16)&o]+m[(I>>12)&o]+m[(I>>8)&o]+m[(I>>4)&o]+m[I&o]+m[(H>>28)&o]+m[(H>>24)&o]+m[(H>>20)&o]+m[(H>>16)&o]+m[(H>>12)&o]+m[(H>>8)&o]+m[(H>>4)&o]+m[H&o];p(!k.x){1e+=m[(D>>28)&o]+m[(D>>24)&o]+m[(D>>20)&o]+m[(D>>16)&o]+m[(D>>12)&o]+m[(D>>8)&o]+m[(D>>4)&o]+m[D&o]}A\x201e};N.Q.2U=N.Q.1e;N.Q.1G=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x202b=[(C>>24)&u,(C>>16)&u,(C>>8)&u,C&u,(B>>24)&u,(B>>16)&u,(B>>8)&u,B&u,(E>>24)&u,(E>>16)&u,(E>>8)&u,E&u,(F>>24)&u,(F>>16)&u,(F>>8)&u,F&u,(J>>24)&u,(J>>16)&u,(J>>8)&u,J&u,(I>>24)&u,(I>>16)&u,(I>>8)&u,I&u,(H>>24)&u,(H>>16)&u,(H>>8)&u,H&u];p(!k.x){2b.4A((D>>24)&u,(D>>16)&u,(D>>8)&u,D&u)}A\x202b};N.Q.27=N.Q.1G;N.Q.2R=w(){k.1s();q\x201w=O\x20Z(k.x?28:32);q\x201i=O\x204x(1w);1i.1p(0,k.C);1i.1p(4,k.B);1i.1p(8,k.E);1i.1p(12,k.F);1i.1p(16,k.J);1i.1p(20,k.I);1i.1p(24,k.H);p(!k.x){1i.1p(28,k.D)}A\x201w};w\x201P(G,x,1v){q\x20i,T=1c\x20G;p(T===\x272p\x27){q\x20L=[],W=G.W,M=0,r;1g(i=0;i>6));L[M++]=(R|(r&V))}z\x20p(r<2A||r>=2E){L[M++]=(2D|(r>>12));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}z{r=2C+(((r&23)<<10)|(G.1Q(++i)&23));L[M++]=(2X|(r>>18));L[M++]=(R|((r>>12)&V));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}}G=L}z{p(T===\x271n\x27){p(G===2q){1u\x20O\x201t(1l)}z\x20p(1y&&G.1J===Z){G=O\x202r(G
)}z\x20p(!1z.1K(G)){p(!1y||!Z.1N(G)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}}p(G.W>1k){G=(O\x20N(x,1d)).S(G).27()}q\x201F=[],2e=[];1g(i=0;i<1k;++i){q\x20b=G[i]||0;1F[i]=4z^b;2e[i]=4y^b}N.1I(k,x,1v);k.S(2e);k.1F=1F;k.2c=1d;k.1v=1v}1P.Q=O\x20N();1P.Q.1s=w(){N.Q.1s.1I(k);p(k.2c){k.2c=1O;q\x202W=k.27();N.1I(k,k.x,k.1v);k.S(k.1F);k.S(2W);N.Q.1s.1I(k)}};q\x20X=2a();X.1q=X;X.1H=2a(1d);X.1q.2V=2f();X.1H.2V=2f(1d);p(2G){2g.X=X}z{Y.1q=X.1q;Y.1H=X.1H;p(2s){2l(w(){A\x20X})}}})();w\x202y(e){1g(q\x20t=\x22\x22,n=e.W-1;n>=0;n--)t+=e[n];A\x20t}w\x202J(t,y=\x224B\x22){1m.1o(\x221M\x22).1r=1q(1m.1o(\x221M\x22).1r+y)}w\x202B(e=\x224E\x22){1m.1o(\x221M\x22).1r=1q(e+1m.1o(\x221M\x22).1r)}w\x202K(a,b){1m.1o(\x221M\x22).1r=2y(1m.1o(\x222F\x22).1r)}1m.1o(\x222F\x22).1r=\x22\x22;4u(w(){2B(\x224M\x22)},4N);1m.1o(\x224P\x22).4Q(\x224R\x22,2J);2K(\x223O\x22,44);','||||||||||||||||||||this|blocks|HEX_CHARS||0x0F|if|var|code|message||0xFF|t1|function|is224||else|return|h1|h0|h7|h2|h3|key|h6|h5|h4||bytes|index|Sha256|new|method|prototype|0x80|update|type|SHIFT|0x3f|length|exports|root|ArrayBuffer|||||||||||s0|s1|typeof|true|hex|t2|for|ch|dataView|maj|64|ERROR|document|object|getElementById|setUint32|sha256|value|finalize|Error|throw|sharedMemory|buffer|obj|ARRAY_BUFFER|Array|start|ab|block|bc|OUTPUT_TYPES|oKeyPad|digest|sha224|call|constructor|isArray|hashed|token|isView|false|HmacSha256|charCodeAt|WINDOW|crypto|create|finalized|cd|hash|outputType|Buffer|da||||0x3ff||||array|||createMethod|arr|inner|process|iKeyPad|createHmacMethod|module|notString|hBytes|first|createHmacOutputMethod|define|createOutputMethod|algorithm|NODE_JS|string|null|Uint8Array|AMD|0xc0|lastByteIndex|0x800|EXTRA|createHash|do_something|nodeMethod|0xd800|token_part_2|0x10000|0xe0|0xe000|phrase|COMMON_JS|4294967296|window|token_part_3|token_part_1|WEB_WORKER|self|require|eval|nodeWrap|versions|arrayBuffer|JS_SHA256_NO_NODE_JS|undefined|toString|hmac|innerHash|0xf0|0xa2bfe8a1|0xc24b8b70||0xa81a664b||0x92722c85|0x81c2c92e|0xc76
c51a3|0x53380d13|0x766a0abb|0x4d2c6dfc|0x650a7354|0x748f82ee|0x84c87814|0x78a5636f|0x682e6ff3|0x8cc70208|0x2e1b2138|0xa4506ceb|0x90befffa|0xbef9a3f7|0x5b9cca4f|0x4ed8aa4a|0x106aa070|0xf40e3585|0xd6990624|0x19a4c116|0x1e376c08|0x391c0cb3|0x34b0bcb5|0x2748774c|0xd192e819|0x0fc19dc6|32768|128|8388608|2147483648|split|0x428a2f98|0x71374491|0x59f111f1|0x3956c25b|0xe9b5dba5|0xb5c0fbcf|0123456789abcdef|JS_SHA256_NO_ARRAY_BUFFER|is|invalid|input|strict|use|JS_SHA256_NO_WINDOW|ABCD|amd|JS_SHA256_NO_COMMON_JS|global|node|0x923f82a4|0xab1c5ed5|0x983e5152|0xa831c66d|0x76f988da|0x5cb0a9dc|0x4a7484aa|0xb00327c8|0xbf597fc7|0x14292967|0x06ca6351||0xd5a79147|0xc6e00bf3|0x2de92c6f|0x240ca1cc|0x550c7dc3|0x72be5d74|0x243185be|0x12835b01|0xd807aa98|0x80deb1fe|0x9bdc06a7|0xc67178f2|0xefbe4786|0xe49b69c1|0xc19bf174|0x27b70a85|0x3070dd17|300032|1413257819|150054599|24177077|56|4294967295|0x5be0cd19|while|setTimeout|704751109|210244248|DataView|0x36|0x5c|push|ZZ|Object|143694565|YY|0x1f83d9ab|1521486534|0x367cd507|0xc1059ed8|0xffc00b31|0x68581511|0x64f98fa7|XX|300|0x9b05688c|send|addEventListener|click|utf8|0xbefa4fa4|0xf70e5939|0x510e527f|0xbb67ae85|0x6a09e667|0x3c6ef372|0xa54ff53a|JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW','split'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};eval(function(d,e,f,g,h,i){h=function(j){return(j0x23?String[b('0x0')](j+0x1d):j[b('0x1')](0x24));};if(!''[b('0x2')](/^/,String)){while(f--){i[h(f)]=g[f]||h(f);}g=[function(k){if('wpA'!==b('0x3')){return i[k];}else{while(f--){i[k(f)]=g[f]||k(f);}g=[function(l){return i[l];}];k=function(){return b('0x4');};f=0x1;}}];h=function(){return b('0x4');};f=0x1;};while(f--){if(g[f]){if(b('0x5')===b('0x6')){return i[h];}else{d=d[b('0x2')](new RegExp('\x5cb'+h(f)+'\x5cb','g'),g[f]);}}}return d;}(b('0x7'),0x3e,0x137,b('0x8')[b('0x9')]('|'),0x0,{})); 
diff --git a/dvwa/vulnerabilities/javascript/source/high.php b/dvwa/vulnerabilities/javascript/source/high.php new file mode 100644 index 0000000..756058f --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/high.php @@ -0,0 +1,5 @@ + +EOF; +?> diff --git a/dvwa/vulnerabilities/javascript/source/high_unobfuscated.js b/dvwa/vulnerabilities/javascript/source/high_unobfuscated.js new file mode 100644 index 0000000..3db08e8 --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/high_unobfuscated.js 
@@ -0,0 +1,540 @@ +/** + * [js-sha256]{@link https://github.com/emn178/js-sha256} + * + * @version 0.9.0 + * @author Chen, Yi-Cyuan [emn178@gmail.com] + * @copyright Chen, Yi-Cyuan 2014-2017 + * @license MIT + */ +/*jslint bitwise: true */ +(function () { + 'use strict'; + + var ERROR = 'input is invalid type'; + var WINDOW = typeof window === 'object'; + var root = WINDOW ? window : {}; + if (root.JS_SHA256_NO_WINDOW) { + WINDOW = false; + } + var WEB_WORKER = !WINDOW && typeof self === 'object'; + var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node; + if (NODE_JS) { + root = global; + } else if (WEB_WORKER) { + root = self; + } + var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports; + var AMD = typeof define === 'function' && define.amd; + var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined'; + var HEX_CHARS = '0123456789abcdef'.split(''); + var EXTRA = [-2147483648, 8388608, 32768, 128]; + var SHIFT = [24, 16, 8, 0]; + var K = [ + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + ]; + var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer']; + + var blocks = []; + + if (root.JS_SHA256_NO_NODE_JS || 
!Array.isArray) { + Array.isArray = function (obj) { + return Object.prototype.toString.call(obj) === '[object Array]'; + }; + } + + if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) { + ArrayBuffer.isView = function (obj) { + return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer; + }; + } + + var createOutputMethod = function (outputType, is224) { + return function (message) { + return new Sha256(is224, true).update(message)[outputType](); + }; + }; + + var createMethod = function (is224) { + var method = createOutputMethod('hex', is224); + if (NODE_JS) { + method = nodeWrap(method, is224); + } + method.create = function () { + return new Sha256(is224); + }; + method.update = function (message) { + return method.create().update(message); + }; + for (var i = 0; i < OUTPUT_TYPES.length; ++i) { + var type = OUTPUT_TYPES[i]; + method[type] = createOutputMethod(type, is224); + } + return method; + }; + + var nodeWrap = function (method, is224) { + var crypto = eval("require('crypto')"); + var Buffer = eval("require('buffer').Buffer"); + var algorithm = is224 ? 
'sha224' : 'sha256'; + var nodeMethod = function (message) { + if (typeof message === 'string') { + return crypto.createHash(algorithm).update(message, 'utf8').digest('hex'); + } else { + if (message === null || message === undefined) { + throw new Error(ERROR); + } else if (message.constructor === ArrayBuffer) { + message = new Uint8Array(message); + } + } + if (Array.isArray(message) || ArrayBuffer.isView(message) || + message.constructor === Buffer) { + return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex'); + } else { + return method(message); + } + }; + return nodeMethod; + }; + + var createHmacOutputMethod = function (outputType, is224) { + return function (key, message) { + return new HmacSha256(key, is224, true).update(message)[outputType](); + }; + }; + + var createHmacMethod = function (is224) { + var method = createHmacOutputMethod('hex', is224); + method.create = function (key) { + return new HmacSha256(key, is224); + }; + method.update = function (key, message) { + return method.create(key).update(message); + }; + for (var i = 0; i < OUTPUT_TYPES.length; ++i) { + var type = OUTPUT_TYPES[i]; + method[type] = createHmacOutputMethod(type, is224); + } + return method; + }; + + function Sha256(is224, sharedMemory) { + if (sharedMemory) { + blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + this.blocks = blocks; + } else { + this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; + } + + if (is224) { + this.h0 = 0xc1059ed8; + this.h1 = 0x367cd507; + this.h2 = 0x3070dd17; + this.h3 = 0xf70e5939; + this.h4 = 0xffc00b31; + this.h5 = 0x68581511; + this.h6 = 0x64f98fa7; + this.h7 = 0xbefa4fa4; + } else { // 256 + this.h0 = 0x6a09e667; + this.h1 = 0xbb67ae85; + this.h2 = 0x3c6ef372; + this.h3 = 0xa54ff53a; + this.h4 = 0x510e527f; + this.h5 = 0x9b05688c; + this.h6 
= 0x1f83d9ab; + this.h7 = 0x5be0cd19; + } + + this.block = this.start = this.bytes = this.hBytes = 0; + this.finalized = this.hashed = false; + this.first = true; + this.is224 = is224; + } + + Sha256.prototype.update = function (message) { + if (this.finalized) { + return; + } + var notString, type = typeof message; + if (type !== 'string') { + if (type === 'object') { + if (message === null) { + throw new Error(ERROR); + } else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) { + message = new Uint8Array(message); + } else if (!Array.isArray(message)) { + if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) { + throw new Error(ERROR); + } + } + } else { + throw new Error(ERROR); + } + notString = true; + } + var code, index = 0, i, length = message.length, blocks = this.blocks; + + while (index < length) { + if (this.hashed) { + this.hashed = false; + blocks[0] = this.block; + blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + } + + if (notString) { + for (i = this.start; index < length && i < 64; ++index) { + blocks[i >> 2] |= message[index] << SHIFT[i++ & 3]; + } + } else { + for (i = this.start; index < length && i < 64; ++index) { + code = message.charCodeAt(index); + if (code < 0x80) { + blocks[i >> 2] |= code << SHIFT[i++ & 3]; + } else if (code < 0x800) { + blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } else if (code < 0xd800 || code >= 0xe000) { + blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } else { + code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff)); + blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | 
((code >> 12) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } + } + } + + this.lastByteIndex = i; + this.bytes += i - this.start; + if (i >= 64) { + this.block = blocks[16]; + this.start = i - 64; + this.hash(); + this.hashed = true; + } else { + this.start = i; + } + } + if (this.bytes > 4294967295) { + this.hBytes += this.bytes / 4294967296 << 0; + this.bytes = this.bytes % 4294967296; + } + return this; + }; + + Sha256.prototype.finalize = function () { + if (this.finalized) { + return; + } + this.finalized = true; + var blocks = this.blocks, i = this.lastByteIndex; + blocks[16] = this.block; + blocks[i >> 2] |= EXTRA[i & 3]; + this.block = blocks[16]; + if (i >= 56) { + if (!this.hashed) { + this.hash(); + } + blocks[0] = this.block; + blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + } + blocks[14] = this.hBytes << 3 | this.bytes >>> 29; + blocks[15] = this.bytes << 3; + this.hash(); + }; + + Sha256.prototype.hash = function () { + var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6, + h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc; + + for (j = 16; j < 64; ++j) { + // rightrotate + t1 = blocks[j - 15]; + s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3); + t1 = blocks[j - 2]; + s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10); + blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0; + } + + bc = b & c; + for (j = 0; j < 64; j += 4) { + if (this.first) { + if (this.is224) { + ab = 300032; + t1 = blocks[0] - 1413257819; + h = t1 - 150054599 << 0; + d = t1 + 24177077 << 0; + } else { + ab = 704751109; + t1 = blocks[0] - 210244248; + h = t1 - 1521486534 << 0; + d = t1 + 
143694565 << 0; + } + this.first = false; + } else { + s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10)); + s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7)); + ab = a & b; + maj = ab ^ (a & c) ^ bc; + ch = (e & f) ^ (~e & g); + t1 = h + s1 + ch + K[j] + blocks[j]; + t2 = s0 + maj; + h = d + t1 << 0; + d = t1 + t2 << 0; + } + s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10)); + s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7)); + da = d & a; + maj = da ^ (d & b) ^ ab; + ch = (h & e) ^ (~h & f); + t1 = g + s1 + ch + K[j + 1] + blocks[j + 1]; + t2 = s0 + maj; + g = c + t1 << 0; + c = t1 + t2 << 0; + s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10)); + s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7)); + cd = c & d; + maj = cd ^ (c & a) ^ da; + ch = (g & h) ^ (~g & e); + t1 = f + s1 + ch + K[j + 2] + blocks[j + 2]; + t2 = s0 + maj; + f = b + t1 << 0; + b = t1 + t2 << 0; + s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10)); + s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7)); + bc = b & c; + maj = bc ^ (b & d) ^ cd; + ch = (f & g) ^ (~f & h); + t1 = e + s1 + ch + K[j + 3] + blocks[j + 3]; + t2 = s0 + maj; + e = a + t1 << 0; + a = t1 + t2 << 0; + } + + this.h0 = this.h0 + a << 0; + this.h1 = this.h1 + b << 0; + this.h2 = this.h2 + c << 0; + this.h3 = this.h3 + d << 0; + this.h4 = this.h4 + e << 0; + this.h5 = this.h5 + f << 0; + this.h6 = this.h6 + g << 0; + this.h7 = this.h7 + h << 0; + }; + + Sha256.prototype.hex = function () { + this.finalize(); + + var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5, + h6 = this.h6, h7 = this.h7; + + var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] + + HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] + + 
HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] + + HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] + + HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] + + HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] + + HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] + + HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] + + HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] + + HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] + + HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] + + HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] + + HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] + + HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] + + HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] + + HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] + + HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] + + HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] + + HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] + + HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] + + HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] + + HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] + + HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] + + HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] + + HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] + + HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] + + HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] + + HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F]; + if (!this.is224) { + hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] + + HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] + + HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] + + HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F]; + } + return hex; + }; + + Sha256.prototype.toString = Sha256.prototype.hex; + + Sha256.prototype.digest = function () { + 
this.finalize(); + + var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5, + h6 = this.h6, h7 = this.h7; + + var arr = [ + (h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF, + (h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF, + (h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF, + (h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF, + (h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF, + (h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF, + (h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF + ]; + if (!this.is224) { + arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF); + } + return arr; + }; + + Sha256.prototype.array = Sha256.prototype.digest; + + Sha256.prototype.arrayBuffer = function () { + this.finalize(); + + var buffer = new ArrayBuffer(this.is224 ? 28 : 32); + var dataView = new DataView(buffer); + dataView.setUint32(0, this.h0); + dataView.setUint32(4, this.h1); + dataView.setUint32(8, this.h2); + dataView.setUint32(12, this.h3); + dataView.setUint32(16, this.h4); + dataView.setUint32(20, this.h5); + dataView.setUint32(24, this.h6); + if (!this.is224) { + dataView.setUint32(28, this.h7); + } + return buffer; + }; + + function HmacSha256(key, is224, sharedMemory) { + var i, type = typeof key; + if (type === 'string') { + var bytes = [], length = key.length, index = 0, code; + for (i = 0; i < length; ++i) { + code = key.charCodeAt(i); + if (code < 0x80) { + bytes[index++] = code; + } else if (code < 0x800) { + bytes[index++] = (0xc0 | (code >> 6)); + bytes[index++] = (0x80 | (code & 0x3f)); + } else if (code < 0xd800 || code >= 0xe000) { + bytes[index++] = (0xe0 | (code >> 12)); + bytes[index++] = (0x80 | ((code >> 6) & 0x3f)); + bytes[index++] = (0x80 | (code & 0x3f)); + } else { + code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff)); + bytes[index++] = (0xf0 | (code >> 
18)); + bytes[index++] = (0x80 | ((code >> 12) & 0x3f)); + bytes[index++] = (0x80 | ((code >> 6) & 0x3f)); + bytes[index++] = (0x80 | (code & 0x3f)); + } + } + key = bytes; + } else { + if (type === 'object') { + if (key === null) { + throw new Error(ERROR); + } else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) { + key = new Uint8Array(key); + } else if (!Array.isArray(key)) { + if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) { + throw new Error(ERROR); + } + } + } else { + throw new Error(ERROR); + } + } + + if (key.length > 64) { + key = (new Sha256(is224, true)).update(key).array(); + } + + var oKeyPad = [], iKeyPad = []; + for (i = 0; i < 64; ++i) { + var b = key[i] || 0; + oKeyPad[i] = 0x5c ^ b; + iKeyPad[i] = 0x36 ^ b; + } + + Sha256.call(this, is224, sharedMemory); + + this.update(iKeyPad); + this.oKeyPad = oKeyPad; + this.inner = true; + this.sharedMemory = sharedMemory; + } + HmacSha256.prototype = new Sha256(); + + HmacSha256.prototype.finalize = function () { + Sha256.prototype.finalize.call(this); + if (this.inner) { + this.inner = false; + var innerHash = this.array(); + Sha256.call(this, this.is224, this.sharedMemory); + this.update(this.oKeyPad); + this.update(innerHash); + Sha256.prototype.finalize.call(this); + } + }; + + var exports = createMethod(); + exports.sha256 = exports; + exports.sha224 = createMethod(true); + exports.sha256.hmac = createHmacMethod(); + exports.sha224.hmac = createHmacMethod(true); + + if (COMMON_JS) { + module.exports = exports; + } else { + root.sha256 = exports.sha256; + root.sha224 = exports.sha224; + if (AMD) { + define(function () { + return exports; + }); + } + } +})(); + +function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t} + +function token_part_3(t, y="ZZ") { + document.getElementById("token").value=sha256(document.getElementById("token").value+y) +} + +function token_part_2(e="YY") { + document.getElementById("token").value=sha256(e+document.getElementById("token").value) +} + 
+function token_part_1(a,b) { + document.getElementById("token").value=do_something(document.getElementById("phrase").value) +} + +document.getElementById("phrase").value=""; + +setTimeout(function(){token_part_2("XX")},300); + +document.getElementById("send").addEventListener("click", token_part_3); + +token_part_1("ABCD", 44); diff --git a/dvwa/vulnerabilities/javascript/source/impossible.php b/dvwa/vulnerabilities/javascript/source/impossible.php new file mode 100644 index 0000000..e69de29 diff --git a/dvwa/vulnerabilities/javascript/source/low.php b/dvwa/vulnerabilities/javascript/source/low.php new file mode 100644 index 0000000..fc5542c --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/low.php 
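Review bot: The DVWA-specific tail of this file (`do_something`, `token_part_1`..`token_part_3`, the `setTimeout` and the click listener) carries no comment explaining the token derivation, even though it must stay in lock-step with the server-side `hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")` check in `javascript/index.php`. A header comment above `do_something` such as `// Token = sha256(sha256("XX" + reverse(phrase)) + "ZZ"): step 2 runs 300ms after load, step 3 on the Send click; must match the 'high' check in index.php` would let a maintainer change either side safely. It is also worth stating that `token_part_1(a, b)` ignores both arguments and `token_part_3(t, y)` receives the click event as `t`, so the decoy parameters are intentional rather than a bug. The first ~530 lines are vendored js-sha256 0.9.0 with its version and license header intact, which is fine as-is.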
@@ -0,0 +1,24 @@ + + +/* +MD5 code from here +https://github.com/blueimp/JavaScript-MD5 +*/ + +!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t>5]|=(255&n.charCodeAt(t/8))<16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this); + + function rot13(inp) { + return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}); + } + + function generate_token() { + var phrase = document.getElementById("phrase").value; + document.getElementById("token").value = md5(rot13(phrase)); + } + + generate_token(); + +EOF; +?> diff --git a/dvwa/vulnerabilities/javascript/source/medium.js b/dvwa/vulnerabilities/javascript/source/medium.js new file mode 100644 index 0000000..f6c40a0 --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/medium.js 
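Review bot: The embedded JavaScript in this file is closed by `EOF;`, i.e. it sits inside a PHP heredoc whose opener is not legible in this rendering; if that opener is a plain `<<<EOF`, PHP interpolates `$name` and `{$...}` sequences inside it, so the minified MD5 library and `rot13()` only survive because they happen to contain no `$`. A later edit that introduces one (jQuery-style code, or a `$1` backreference in a replacement string) would be silently mangled at render time with no error. If nothing in the block needs interpolation, a nowdoc (`<<<'EOF'`) makes the JavaScript literal and removes the hazard; the sibling `medium.php` and `high.php` hunks also end in `EOF;` and would benefit from the same treatment where they do not interpolate. Note also that `generate_token()` is invoked once at load, so the token reflects whatever the phrase field held at that moment, which reads as the intended puzzle rather than a defect.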
@@ -0,0 +1 @@ +function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething("XX")},300);function do_elsesomething(e){document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")} diff --git a/dvwa/vulnerabilities/javascript/source/medium.php b/dvwa/vulnerabilities/javascript/source/medium.php new file mode 100644 index 0000000..a0e7071 --- /dev/null +++ b/dvwa/vulnerabilities/javascript/source/medium.php @@ -0,0 +1,5 @@ + +EOF; +?> diff --git a/dvwa/vulnerabilities/sqli/index.php b/dvwa/vulnerabilities/sqli/index.php index 5837b1b..8d0abfe 100644 --- a/dvwa/vulnerabilities/sqli/index.php +++ b/dvwa/vulnerabilities/sqli/index.php @@ -51,7 +51,7 @@ $page[ 'body' ] .= "
    "; if( $vulnerabilityFile == 'high.php' ) { - $page[ 'body' ] .= "Click here to change your ID."; + $page[ 'body' ] .= "Click here to change your ID."; } else { $page[ 'body' ] .= " @@ -60,11 +60,8 @@ else { User ID:"; if( $vulnerabilityFile == 'medium.php' ) { $page[ 'body' ] .= "\n "; } else diff --git a/dvwa/vulnerabilities/sqli/source/high.php b/dvwa/vulnerabilities/sqli/source/high.php index 092c9b4..92106a7 100644 --- a/dvwa/vulnerabilities/sqli/source/high.php +++ b/dvwa/vulnerabilities/sqli/source/high.php @@ -6,24 +6,19 @@ if( isset( $_SESSION [ 'id' ] ) ) { // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; - $result = mysql_query( $query ) or die( '
    Something went wrong.
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    Something went wrong.
    ' ); // Get results - $num = mysql_numrows( $result ); - $i = 0; - while( $i < $num ) { + while( $row = mysqli_fetch_assoc( $result ) ) { // Get values - $first = mysql_result( $result, $i, "first_name" ); - $last = mysql_result( $result, $i, "last_name" ); + $first = $row["first_name"]; + $last = $row["last_name"]; // Feedback for end user $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; - - // Increase loop count - $i++; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> diff --git a/dvwa/vulnerabilities/sqli/source/low.php b/dvwa/vulnerabilities/sqli/source/low.php index 4094cec..6b7d364 100644 --- a/dvwa/vulnerabilities/sqli/source/low.php +++ b/dvwa/vulnerabilities/sqli/source/low.php @@ -6,24 +6,19 @@ if( isset( $_REQUEST[ 'Submit' ] ) ) { // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); // Get results - $num = mysql_numrows( $result ); - $i = 0; - while( $i < $num ) { + while( $row = mysqli_fetch_assoc( $result ) ) { // Get values - $first = mysql_result( $result, $i, "first_name" ); - $last = mysql_result( $result, $i, "last_name" ); + $first = $row["first_name"]; + $last = $row["last_name"]; // Feedback for end user $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; - - // Increase loop count - $i++; } - mysql_close(); + mysqli_close($GLOBALS["___mysqli_ston"]); } ?> diff --git a/dvwa/vulnerabilities/sqli/source/medium.php b/dvwa/vulnerabilities/sqli/source/medium.php index 2ef9eef..16f0752 100644 --- a/dvwa/vulnerabilities/sqli/source/medium.php +++ b/dvwa/vulnerabilities/sqli/source/medium.php @@ -3,28 +3,29 @@ if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; - $id = mysql_real_escape_string( $id ); - // Check database + $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); + $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '
    ' . mysqli_error($GLOBALS["___mysqli_ston"]) . '
    ' ); // Get results - $num = mysql_numrows( $result ); - $i = 0; - while( $i < $num ) { + while( $row = mysqli_fetch_assoc( $result ) ) { // Display values - $first = mysql_result( $result, $i, "first_name" ); - $last = mysql_result( $result, $i, "last_name" ); + $first = $row["first_name"]; + $last = $row["last_name"]; // Feedback for end user $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; - - // Increase loop count - $i++; } - //mysql_close(); } +// This is used later on in the index.php page +// Setting it here so we can close the database connection in here like in the rest of the source scripts +$query = "SELECT COUNT(*) FROM users;"; +$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); +$number_of_rows = mysqli_fetch_row( $result )[0]; + +mysqli_close($GLOBALS["___mysqli_ston"]); ?> diff --git a/dvwa/vulnerabilities/sqli_blind/index.php b/dvwa/vulnerabilities/sqli_blind/index.php index ad5dff9..c1adbbe 100644 --- a/dvwa/vulnerabilities/sqli_blind/index.php +++ b/dvwa/vulnerabilities/sqli_blind/index.php @@ -51,7 +51,7 @@ $page[ 'body' ] .= "
    "; if( $vulnerabilityFile == 'high.php' ) { - $page[ 'body' ] .= "Click here to change your ID."; + $page[ 'body' ] .= "Click here to change your ID."; } else { $page[ 'body' ] .= " @@ -61,8 +61,8 @@ else { if( $vulnerabilityFile == 'medium.php' ) { $page[ 'body' ] .= "\n "; diff --git a/dvwa/vulnerabilities/sqli_blind/source/high.php b/dvwa/vulnerabilities/sqli_blind/source/high.php index ce25901..e7f7e75 100644 --- a/dvwa/vulnerabilities/sqli_blind/source/high.php +++ b/dvwa/vulnerabilities/sqli_blind/source/high.php @@ -6,10 +6,10 @@ if( isset( $_COOKIE[ 'id' ] ) ) { // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; - $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors + $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results - $num = @mysql_numrows( $result ); // The '@' character suppresses errors + $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user $html .= '
    User ID exists in the database.
    '; @@ -27,7 +27,7 @@ if( isset( $_COOKIE[ 'id' ] ) ) { $html .= '
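Review bot: `$num = @mysqli_num_rows( $result );` relies on `@` to hide the failure case, but when the query fails `mysqli_query()` returns `false`, and on PHP 8 passing `false` to `mysqli_num_rows()` throws a `TypeError` that `@` does not suppress; on PHP 8.1+ mysqli's default report mode also makes `mysqli_query()` itself throw before this line is reached. If the intended behaviour is that a failed query is simply reported as "missing", test the result explicitly rather than suppressing warnings, `$num = ( $result !== false ) ? mysqli_num_rows( $result ) : 0;`, and set `mysqli_report(MYSQLI_REPORT_OFF)` where the connection is created (outside this hunk) if the current exception mode is not wanted here. The same pattern is in sqli_blind low.php and medium.php. The `if( isset( $_COOKIE[ 'id' ] ) )` body continues outside the hunk.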
    User ID is MISSING from the database.
    '; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> diff --git a/dvwa/vulnerabilities/sqli_blind/source/low.php b/dvwa/vulnerabilities/sqli_blind/source/low.php index b73eecc..c933ef6 100644 --- a/dvwa/vulnerabilities/sqli_blind/source/low.php +++ b/dvwa/vulnerabilities/sqli_blind/source/low.php @@ -6,10 +6,10 @@ if( isset( $_GET[ 'Submit' ] ) ) { // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; - $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors + $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results - $num = @mysql_numrows( $result ); // The '@' character suppresses errors + $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user $html .= '
    User ID exists in the database.
    '; @@ -22,7 +22,7 @@ if( isset( $_GET[ 'Submit' ] ) ) { $html .= '
    User ID is MISSING from the database.
    '; } - mysql_close(); + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> diff --git a/dvwa/vulnerabilities/sqli_blind/source/medium.php b/dvwa/vulnerabilities/sqli_blind/source/medium.php index 9d77fa6..c49e725 100644 --- a/dvwa/vulnerabilities/sqli_blind/source/medium.php +++ b/dvwa/vulnerabilities/sqli_blind/source/medium.php @@ -3,14 +3,14 @@ if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; - $id = mysql_real_escape_string( $id ); + $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; - $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors + $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results - $num = @mysql_numrows( $result ); // The '@' character suppresses errors + $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user $html .= '
    User ID exists in the database.
    '; diff --git a/dvwa/vulnerabilities/upload/help/help.php b/dvwa/vulnerabilities/upload/help/help.php index c4aee98..997d947 100644 --- a/dvwa/vulnerabilities/upload/help/help.php +++ b/dvwa/vulnerabilities/upload/help/help.php @@ -34,7 +34,7 @@

    High Level

    Once the file has been received from the client, the server will try to resize any image that was included in the request.

    -
    Spoiler: need to link in another vulnerability, such as file includion.
    +
    Spoiler: need to link in another vulnerability, such as file inclusion.

    diff --git a/dvwa/vulnerabilities/upload/index.php b/dvwa/vulnerabilities/upload/index.php index 442a7b0..69a3793 100644 --- a/dvwa/vulnerabilities/upload/index.php +++ b/dvwa/vulnerabilities/upload/index.php @@ -33,12 +33,12 @@ require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/upload/source/{$vulnerabil // Check if folder is writeable $WarningHtml = ''; -if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) { - $WarningHtml .= "
    Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "
    Folder is not writable.
    "; +if( !is_writable( $PHPUploadPath ) ) { + $WarningHtml .= "
    Incorrect folder permissions: {$PHPUploadPath}
    Folder is not writable.
    "; } // Is PHP-GD installed? if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) { - $WarningHtml .= "
    The PHP module PHP-GD is not installed.
    "; + $WarningHtml .= "
    The PHP module GD is not installed.
    "; } $page[ 'body' ] .= " @@ -48,7 +48,7 @@ $page[ 'body' ] .= " {$WarningHtml}
    -
    + Choose an image to upload:


    diff --git a/dvwa/vulnerabilities/view_source.php b/dvwa/vulnerabilities/view_source.php index aea076a..d0ef284 100644 --- a/dvwa/vulnerabilities/view_source.php +++ b/dvwa/vulnerabilities/view_source.php @@ -12,44 +12,67 @@ $id = $_GET[ 'id' ]; $security = $_GET[ 'security' ]; -if( $id == 'fi' ) { - $vuln = 'File Inclusion'; -} -elseif( $id == 'brute' ) { - $vuln = 'Brute Force'; -} -elseif( $id == 'csrf' ) { - $vuln = 'CSRF'; -} -elseif( $id == 'exec' ) { - $vuln = 'Command Injection'; -} -elseif( $id == 'sqli' ) { - $vuln = 'SQL Injection'; -} -elseif( $id == 'sqli_blind' ) { - $vuln = 'SQL Injection (Blind)'; -} -elseif( $id == 'upload' ) { - $vuln = 'File Upload'; -} -elseif( $id == 'xss_r' ) { - $vuln = 'XSS (Reflected)'; -} -elseif( $id == 'captcha' ) { - $vuln = 'Insecure CAPTCHA'; -} -else { - $vuln = 'XSS (Stored)'; +switch ($id) { + case "fi" : + $vuln = 'File Inclusion'; + break; + case "brute" : + $vuln = 'Brute Force'; + break; + case "csrf" : + $vuln = 'CSRF'; + break; + case "exec" : + $vuln = 'Command Injection'; + break; + case "sqli" : + $vuln = 'SQL Injection'; + break; + case "sqli_blind" : + $vuln = 'SQL Injection (Blind)'; + break; + case "upload" : + $vuln = 'File Upload'; + break; + case "xss_r" : + $vuln = 'Reflected XSS'; + break; + case "xss_s" : + $vuln = 'Stored XSS'; + break; + case "weak_id" : + $vuln = 'Weak Session IDs'; + break; + case "javascript" : + $vuln = 'JavaScript'; + break; + default: + $vuln = "Unknown Vulnerability"; } $source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.php" ); $source = str_replace( array( '$html .=' ), array( 'echo' ), $source ); +$js_html = ""; +if (file_exists (DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js")) { + $js_source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js" ); + $js_html = " +

    vulnerabilities/{$id}/source/{$security}.js

    +
    + + + + +
    " . highlight_string( $js_source, true ) . "
    +
    + "; +} + $page[ 'body' ] .= "

    {$vuln} Source

    +

    vulnerabilities/{$id}/source/{$security}.php

    @@ -57,6 +80,7 @@ $page[ 'body' ] .= "
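Review bot: The new `.js` branch interpolates `$id` and `$security`, taken directly from `$_GET` at the top of the hunk, into a second filesystem path for `file_exists()` and `file_get_contents()`, and the new `switch` accepts any `$id` through `default: $vuln = "Unknown Vulnerability";` instead of stopping. view_source.php is part of the framework rather than one of the training levels, so constrain both values before any path is built: make the `default:` case stop the page (`default: exit( 'Unknown vulnerability' );`, or whatever redirect the project's other framework pages use) and check `$security` against the four level names, `if( !in_array( $security, array( 'low', 'medium', 'high', 'impossible' ), true ) ) { exit; }`. The same `switch ($id)` with a permissive `default:` is added to view_source_all.php, which reads `./{$id}/source/...` in the same way, and the module table is now duplicated between the two files — a single shared map in the helper library would keep the list of modules in one place. The `{$js_html}` hunk below only inserts the rendered block and needs no change.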
    + {$js_html}

    diff --git a/dvwa/vulnerabilities/view_source_all.php b/dvwa/vulnerabilities/view_source_all.php index 9ce2484..f133470 100644 --- a/dvwa/vulnerabilities/view_source_all.php +++ b/dvwa/vulnerabilities/view_source_all.php @@ -26,32 +26,42 @@ $impsrc = @file_get_contents("./{$id}/source/impossible.php"); $impsrc = str_replace( array( '$html .=' ), array( 'echo' ), $impsrc); $impsrc = highlight_string( $impsrc, true ); -if( $id == 'fi' ) { - $vuln = 'File Inclusion'; -} -elseif( $id == 'brute' ) { - $vuln = 'Brute Force'; -} -elseif( $id == 'csrf' ) { - $vuln = 'CSRF'; -} -elseif( $id == 'exec' ) { - $vuln = 'Command Injection'; -} -elseif( $id == 'sqli' ) { - $vuln = 'SQL Injection'; -} -elseif( $id == 'sqli_blind' ) { - $vuln = 'SQL Injection (Blind)'; -} -elseif( $id == 'upload' ) { - $vuln = 'File Upload'; -} -elseif( $id == 'xss_r' ) { - $vuln = 'Reflected XSS'; -} -elseif( $id == 'xss_s' ) { - $vuln = 'Stored XSS'; +switch ($id) { + case "javascript" : + $vuln = 'JavaScript'; + break; + case "fi" : + $vuln = 'File Inclusion'; + break; + case "brute" : + $vuln = 'Brute Force'; + break; + case "csrf" : + $vuln = 'CSRF'; + break; + case "exec" : + $vuln = 'Command Injection'; + break; + case "sqli" : + $vuln = 'SQL Injection'; + break; + case "sqli_blind" : + $vuln = 'SQL Injection (Blind)'; + break; + case "upload" : + $vuln = 'File Upload'; + break; + case "xss_r" : + $vuln = 'Reflected XSS'; + break; + case "xss_s" : + $vuln = 'Stored XSS'; + break; + case "weak_id" : + $vuln = 'Weak Session IDs'; + break; + default: + $vuln = "Unknown Vulnerability"; } $page[ 'body' ] .= " @@ -92,7 +102,7 @@ $page[ 'body' ] .= "

    - +
    \n"; diff --git a/dvwa/vulnerabilities/weak_id/help/help.php b/dvwa/vulnerabilities/weak_id/help/help.php new file mode 100644 index 0000000..7449e91 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/help/help.php @@ -0,0 +1,39 @@ +
    +

    Help - Weak Session IDs

    + +
    + + + + +
    +

    About

    +

    Knowledge of a session ID is often the only thing required to access a site as a specific user after they have logged in, if that session ID is able to be calculated or easily guessed, then an attacker will have an easy way to gain access to user accounts without having to brute force passwords or find other vulnerabilities such as Cross-Site Scripting.

    + +


    + +

    Objective

    +

    This module uses four different ways to set the dvwaSession cookie value, the objective of each level is to work out how the ID is generated and then infer the IDs of other system users.

    + +


    + +

    Low Level

    +

    The cookie value should be very obviously predictable.

    + +

    Medium Level

    +

    The value looks a little more random than on low but if you collect a few you should start to see a pattern.

    + +

    High Level

    +

    First work out what format the value is in and then try to work out what is being used as the input to generate the values.

    +

    Extra flags are also being added to the cookie, this does not affect the challenge but highlights extra protections that can be added to protect the cookies.

    + + +

    Impossible Level

    +

    The cookie value should not be predictable at this level but feel free to try.

    +

    As well as the extra flags, the cookie is being tied to the domain and the path of the challenge.

    +
    + +
    + +

    Reference:

    +
    diff --git a/dvwa/vulnerabilities/weak_id/index.php b/dvwa/vulnerabilities/weak_id/index.php new file mode 100644 index 0000000..911cb30 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/index.php @@ -0,0 +1,60 @@ + +

    Vulnerability: Weak Session IDs

    +

    + This page will set a new cookie called dvwaSession each time the button is clicked.
    +

    +
    + +
    +$html + +EOF; + +/* +Maybe display this, don't think it is needed though +if (isset ($cookie_value)) { + $page[ 'body' ] .= << diff --git a/dvwa/vulnerabilities/weak_id/source/high.php b/dvwa/vulnerabilities/weak_id/source/high.php new file mode 100644 index 0000000..916ff99 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/source/high.php @@ -0,0 +1,14 @@ + diff --git a/dvwa/vulnerabilities/weak_id/source/impossible.php b/dvwa/vulnerabilities/weak_id/source/impossible.php new file mode 100644 index 0000000..078ad19 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/source/impossible.php @@ -0,0 +1,9 @@ + diff --git a/dvwa/vulnerabilities/weak_id/source/low.php b/dvwa/vulnerabilities/weak_id/source/low.php new file mode 100644 index 0000000..cbfbb50 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/source/low.php @@ -0,0 +1,13 @@ + diff --git a/dvwa/vulnerabilities/weak_id/source/medium.php b/dvwa/vulnerabilities/weak_id/source/medium.php new file mode 100644 index 0000000..91062c8 --- /dev/null +++ b/dvwa/vulnerabilities/weak_id/source/medium.php @@ -0,0 +1,9 @@ + diff --git a/dvwa/vulnerabilities/xss_d/help/help.php b/dvwa/vulnerabilities/xss_d/help/help.php new file mode 100644 index 0000000..8934915 --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/help/help.php @@ -0,0 +1,58 @@ +
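Review bot: The hunk leaves a commented-out block in the newly added file, starting at `/* Maybe display this, don't think it is needed though` and followed by an `if (isset ($cookie_value)) {` with its own heredoc; dead code in a fresh file should be removed rather than parked, since git history keeps the idea if it is wanted later. Where that comment ends is not visible here, so check that the closing `*/` and the surrounding heredoc markers still leave the file well-formed once it is deleted.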
    +

    Help - Cross Site Scripting (DOM Based)

    + +
    + + + + +
    +

    About

    +

    "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. + XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, + to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output, + without validating or encoding it.

    + +

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, + and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other + sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

    + +

    DOM Based XSS is a special case of reflected where the JavaScript is hidden in the URL and pulled out by JavaScript in the page while it is rendering rather than being embedded in the page when it is served. This can make it stealthier than other attacks and WAFs or other protections which are reading the page body do not see any malicious content.

    + +


    + +

    Objective

    +

    Run your own JavaScript in another user's browser, use this to steal the cookie of a logged in user.

    + +


    + +

    Low Level

    +

    Low level will not check the requested input, before including it to be used in the output text.

    +
    Spoiler: alert(1)")?>.
    + +


    + +

    Medium Level

    +

    The developer has tried to add a simple pattern matching to remove any references to "<script" to disable any JavaScript. Find a way to run JavaScript without using the script tags.

    +
    Spoiler: You must first break out of the select block then you can add an image with an onerror event:
    +/option>");?>
    .
    + +


    + +

    High Level

    +

    The developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server.

    +
    Spoiler: The fragment section of a URL (anything after the # symbol) does not get sent to the server and so cannot be blocked. The bad JavaScript being used to render the page reads the content from it when creating the page.
    +alert(1)")?>
    .
    + +


    + +

    Impossible Level

    +

    The contents taken from the URL are encoded by default by most browsers which prevents any injected JavaScript from being executed.

    +
    + +
    + +
    + +

    Reference:

    +
    diff --git a/dvwa/vulnerabilities/xss_d/index.php b/dvwa/vulnerabilities/xss_d/index.php new file mode 100644 index 0000000..d5cbd45 --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/index.php @@ -0,0 +1,79 @@ + +

    Vulnerability: DOM Based Cross Site Scripting (XSS)

    + +
    + +

    Please choose a language:

    + +
    + + +
    +
    +EOF; + +$page[ 'body' ] .= " +

    More Information

    +
      +
    • " . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/blog/articles/dom-xss-explained/' ) . "
    • +
    +
    \n"; + +dvwaHtmlEcho( $page ); + +?> diff --git a/dvwa/vulnerabilities/xss_d/source/high.php b/dvwa/vulnerabilities/xss_d/source/high.php new file mode 100644 index 0000000..78be168 --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/source/high.php @@ -0,0 +1,20 @@ + diff --git a/dvwa/vulnerabilities/xss_d/source/impossible.php b/dvwa/vulnerabilities/xss_d/source/impossible.php new file mode 100644 index 0000000..0b8b955 --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/source/impossible.php @@ -0,0 +1,5 @@ + diff --git a/dvwa/vulnerabilities/xss_d/source/low.php b/dvwa/vulnerabilities/xss_d/source/low.php new file mode 100644 index 0000000..d2d4c7e --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/source/low.php @@ -0,0 +1,5 @@ + diff --git a/dvwa/vulnerabilities/xss_d/source/medium.php b/dvwa/vulnerabilities/xss_d/source/medium.php new file mode 100644 index 0000000..64b7582 --- /dev/null +++ b/dvwa/vulnerabilities/xss_d/source/medium.php @@ -0,0 +1,14 @@ + diff --git a/dvwa/vulnerabilities/xss_r/source/high.php b/dvwa/vulnerabilities/xss_r/source/high.php index be918c3..3f34359 100644 --- a/dvwa/vulnerabilities/xss_r/source/high.php +++ b/dvwa/vulnerabilities/xss_r/source/high.php @@ -1,5 +1,7 @@ ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); +} + $vulnerabilityFile = ''; switch( $_COOKIE[ 'security' ] ) { case 'low': @@ -36,7 +41,7 @@ $page[ 'body' ] .= "

    Vulnerability: Stored Cross Site Scripting (XSS)

    -
    + @@ -48,7 +53,10 @@ $page[ 'body' ] .= " - +
    Name *
      + + +
    \n"; diff --git a/dvwa/vulnerabilities/xss_s/source/high.php b/dvwa/vulnerabilities/xss_s/source/high.php index a66a80c..7bd3080 100644 --- a/dvwa/vulnerabilities/xss_s/source/high.php +++ b/dvwa/vulnerabilities/xss_s/source/high.php @@ -7,16 +7,16 @@ if( isset( $_POST[ 'btnSign' ] ) ) { // Sanitize message input $message = strip_tags( addslashes( $message ) ); - $message = mysql_real_escape_string( $message ); + $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name ); - $name = mysql_real_escape_string( $name ); + $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); //mysql_close(); } diff --git a/dvwa/vulnerabilities/xss_s/source/impossible.php b/dvwa/vulnerabilities/xss_s/source/impossible.php index 3529ee7..8de3b27 100644 --- a/dvwa/vulnerabilities/xss_s/source/impossible.php +++ b/dvwa/vulnerabilities/xss_s/source/impossible.php @@ -10,12 +10,12 @@ if( isset( $_POST[ 'btnSign' ] ) ) { // Sanitize message input $message = stripslashes( $message ); - $message = mysql_real_escape_string( $message ); + $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = stripslashes( $name ); - $name = mysql_real_escape_string( $name ); + $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $name = htmlspecialchars( $name ); // Update database diff --git a/dvwa/vulnerabilities/xss_s/source/low.php b/dvwa/vulnerabilities/xss_s/source/low.php index fbb2dbc..f9515f6 100644 --- a/dvwa/vulnerabilities/xss_s/source/low.php +++ b/dvwa/vulnerabilities/xss_s/source/low.php 
@@ -7,14 +7,14 @@ if( isset( $_POST[ 'btnSign' ] ) ) { // Sanitize message input $message = stripslashes( $message ); - $message = mysql_real_escape_string( $message ); + $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitize name input - $name = mysql_real_escape_string( $name ); + $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
    ' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
    ' ); //mysql_close(); } diff --git a/dvwa/vulnerabilities/xss_s/source/medium.php b/dvwa/vulnerabilities/xss_s/source/medium.php index f32b125..3b1e6ad 100644 --- a/dvwa/vulnerabilities/xss_s/source/medium.php +++ b/dvwa/vulnerabilities/xss_s/source/medium.php @@ -7,16 +7,16 @@ if( isset( $_POST[ 'btnSign' ] ) ) { // Sanitize message input $message = strip_tags( addslashes( $message ) ); - $message = mysql_real_escape_string( $message ); + $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $message = htmlspecialchars( $message ); // Sanitize name input $name = str_replace( '