dvwa updated
This commit is contained in:
parent
8f3c3af4fb
commit
c37af6fc80
5
dvwa/.gitignore
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
config/config.inc.php
|
||||||
|
Dockerfile
|
||||||
|
|
||||||
|
# Vim swap files
|
||||||
|
.*swp
|
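Review bot: the new `config/config.inc.php` ignore entry does not cover the `config/config.inc.php.bak` copy that `setup_database.inc.php` creates in this same commit, so a developer who runs setup and then `git add -A` will commit a file holding the same database credentials; add `config/config.inc.php.bak` next to it. The `.*swp` line is fine for Vim's dot-prefixed swap files, but a trailing comment saying so would stop someone "fixing" it to `*.swp`.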
@ -1,6 +1,12 @@
|
|||||||
DAMN VULNERABLE WEB APPLICATION
|
DAMN VULNERABLE WEB APPLICATION
|
||||||
=======================
|
=======================
|
||||||
|
|
||||||
|
v1.10 (*Not Yet Released)
|
||||||
|
======
|
||||||
|
|
||||||
|
+ Improved IIS support. (@g0tmi1k)
|
||||||
|
+ Improved setup system check. (@g0tmi1k)
|
||||||
|
|
||||||
v1.9 (2015-10-05)
|
v1.9 (2015-10-05)
|
||||||
======
|
======
|
||||||
|
|
||||||
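Review bot: the asterisk in `v1.10 (*Not Yet Released)` has no matching footnote or closing marker, so it renders as a stray emphasis character; either drop it or spell the note out. The two v1.10 entries added here also leave out the new vulnerability modules (Weak Session IDs, XSS (DOM), CSP Bypass, JavaScript) that this commit wires into the menu in `dvwaPage.inc.php`, so the changelog should list them.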
@ -32,7 +38,7 @@ v1.9 (2015-10-05)
|
|||||||
+ Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k)
|
+ Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k)
|
||||||
+ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k)
|
+ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k)
|
||||||
+ Updated README and documentation. (@g0tmi1k)
|
+ Updated README and documentation. (@g0tmi1k)
|
||||||
+ Various code cleanups in the core PHP files+CSS. (@g0tmi1k)
|
+ Various code cleanups in the core PHP files + CSS. (@g0tmi1k)
|
||||||
+ Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k)
|
+ Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k)
|
||||||
|
|
||||||
v1.8 (2013-05-01)
|
v1.8 (2013-05-01)
|
||||||
@ -152,6 +158,5 @@ Links
|
|||||||
=====
|
=====
|
||||||
|
|
||||||
+ Homepage: http://www.dvwa.co.uk
|
+ Homepage: http://www.dvwa.co.uk
|
||||||
+ Project Home: https://github.com/RandomStorm/DVWA
|
|
||||||
|
|
||||||
_Created by the DVWA team._
|
_Created by the DVWA team._
|
||||||
|
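Review bot: the `Project Home: https://github.com/RandomStorm/DVWA` line is deleted outright rather than updated; the README in this same commit moves Project Home to https://github.com/ethicalhack3r/DVWA, so the CHANGELOG Links section should carry the same new URL instead of silently losing the entry.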
@ -1,17 +1,14 @@
|
|||||||
![DVWA](https://www.randomstorm.com/images/tools/dvwa.png "DVWA")
|
|
||||||
|
|
||||||
# DAMN VULNERABLE WEB APPLICATION
|
# DAMN VULNERABLE WEB APPLICATION
|
||||||
|
|
||||||
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
|
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
|
||||||
|
|
||||||
The aim of DVWA is to **practice some of the most common web vulnerability**, with **various difficultly levels**, with a simple straightforward interface.
|
The aim of DVWA is to **practice some of the most common web vulnerabilities**, with **various levels of difficulty**, with a simple straightforward interface.
|
||||||
Please note, there are **both documented and undocumented vulnerability** with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
|
Please note, there are **both documented and undocumented vulnerabilities** with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
## WARNING!
|
## WARNING!
|
||||||
|
|
||||||
Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommend using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. Inside a guest machine, you can downloading and install [XAMPP](https://www.apachefriends.org/en/xampp.html) for the web server and database.
|
Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. Inside a guest machine, you can download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) for the web server and database.
|
||||||
|
|
||||||
### Disclaimer
|
### Disclaimer
|
||||||
|
|
||||||
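Review bot: `It is recommended using a virtual machine` is still ungrammatical after the edit; `It is recommended to use a virtual machine` or `We recommend using a virtual machine` reads correctly. Dropping the randomstorm.com image is consistent with the RandomStorm references removed elsewhere in this commit.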
@ -37,23 +34,32 @@ You should have received a copy of the GNU General Public License
|
|||||||
along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.org/licenses/.
|
along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.org/licenses/.
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
## Download and install as a docker container
|
||||||
|
- [dockerhub page](https://hub.docker.com/r/vulnerables/web-dvwa/)
|
||||||
|
`docker run --rm -it -p 80:80 vulnerables/web-dvwa`
|
||||||
|
|
||||||
|
Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.
|
||||||
|
|
||||||
## Download
|
## Download
|
||||||
|
|
||||||
DVWA is available either as a package that will run on your own web server or as a Live CD:
|
DVWA is available either as a package that will run on your own web server or as a Live CD:
|
||||||
|
|
||||||
+ DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA`
|
+ DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/ethicalhack3r/DVWA/archive/v1.9.zip) - Released 2015-10-05
|
||||||
+ DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.9.zip) - Released 2015-10-05
|
|
||||||
+ DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08
|
+ DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08
|
||||||
|
+ DVWA Development Source (Latest) [Download ZIP](https://github.com/ethicalhack3r/DVWA/archive/master.zip) // `git clone https://github.com/ethicalhack3r/DVWA`
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
### Windows + XAMPP
|
**Please make sure your config/config.inc.php file exists. Only having a config.inc.php.dist will not be sufficient and you'll have to edit it to suit your environment and rename it to config.inc.php. [Windows may hide the trailing extension.](https://support.microsoft.com/en-in/help/865219/how-to-show-or-hide-file-name-extensions-in-windows-explorer)**
|
||||||
|
|
||||||
Installation video:
|
### Installation Videos
|
||||||
https://www.youtube.com/watch?v=GzIj07jt8rM
|
|
||||||
|
- [How to setup DVWA (Damn Vulnerable Web Application) on Ubuntu](https://www.youtube.com/watch?v=5BG6iq_AUvM) [21:01 minutes]
|
||||||
|
- [Installing Damn Vulnerable Web Application (DVWA) on Windows 10](https://www.youtube.com/watch?v=cak2lQvBRAo) [12:39 minutes]
|
||||||
|
|
||||||
|
### Windows + XAMPP
|
||||||
|
|
||||||
The easiest way to install DVWA is to download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) if you do not already have a web server setup.
|
The easiest way to install DVWA is to download and install [XAMPP](https://www.apachefriends.org/en/xampp.html) if you do not already have a web server setup.
|
||||||
|
|
||||||
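Review bot: `docker run --rm -it -p 80:80 vulnerables/web-dvwa` publishes port 80 on every interface of the host, which is exactly the Internet-facing exposure the WARNING section a few lines above tells users to avoid; show `-p 127.0.0.1:80:80` so the container is reachable only from the host by default. The aufs paragraph names no specific MySQL issue and gives no link, so a reader cannot tell whether it still applies; reference the issue. The bold `config/config.inc.php` warning now sits between `## Installation` and the videos, before any instructions explain that file; it belongs under Database Setup where `config.inc.php.dist` is described.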
@ -68,27 +74,40 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then
|
|||||||
|
|
||||||
If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:
|
If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:
|
||||||
|
|
||||||
`apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd`
|
`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php`
|
||||||
|
|
||||||
|
|
||||||
### Database Setup
|
### Database Setup
|
||||||
|
|
||||||
To set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create / Reset Database` button. This will create / reset the database for you with some data in.
|
To set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create / Reset Database` button. This will create / reset the database for you with some data in.
|
||||||
|
|
||||||
If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`.
|
If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. *This differs from config.inc.php.dist, which is an example file.*
|
||||||
|
|
||||||
The variables are set to the following by default:
|
The variables are set to the following by default:
|
||||||
|
|
||||||
```
|
```php
|
||||||
$_DVWA[ 'db_user' ] = 'root';
|
$_DVWA[ 'db_user' ] = 'root';
|
||||||
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
|
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
|
||||||
$_DVWA[ 'db_database' ] = 'dvwa';
|
$_DVWA[ 'db_database' ] = 'dvwa';
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
|
||||||
|
|
||||||
|
```mysql
|
||||||
|
mysql> create database dvwa;
|
||||||
|
Query OK, 1 row affected (0.00 sec)
|
||||||
|
|
||||||
|
mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx';
|
||||||
|
Query OK, 0 rows affected, 1 warning (0.01 sec)
|
||||||
|
|
||||||
|
mysql> flush privileges;
|
||||||
|
Query OK, 0 rows affected (0.00 sec)
|
||||||
|
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
### Other Configuration
|
### Other Configuration
|
||||||
|
|
||||||
Depening on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
|
Depending on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
|
||||||
Note, You are unable to use PHP v7.0 or later with DVWA.
|
|
||||||
|
|
||||||
**Folder Permissions**:
|
**Folder Permissions**:
|
||||||
|
|
||||||
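Review bot: `grant all on dvwa.* to dvwa@localhost identified by 'xxx'` leaves the reader with a placeholder password, but the text never says to put that user and password into `$_DVWA[ 'db_user' ]` and `$_DVWA[ 'db_password' ]`, and the default block just above still shows `db_user = 'root'`, which the new paragraph says will not work on MariaDB; add a sentence tying the grant to the config values. The fenced block is tagged `mysql` and mixes `mysql>` prompts with `Query OK` output, so it cannot be pasted as-is; `sql` with just the three statements would be cleaner.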
@ -120,17 +139,17 @@ Login URL: http://127.0.0.1/dvwa/login.php
|
|||||||
### Troubleshooting
|
### Troubleshooting
|
||||||
|
|
||||||
For the latest troubleshooting information please visit:
|
For the latest troubleshooting information please visit:
|
||||||
https://github.com/RandomStorm/DVWA/issues
|
https://github.com/ethicalhack3r/DVWA/issues
|
||||||
|
|
||||||
+Q. SQL Injection wont work on PHP v5.2.6.
|
+Q. SQL Injection won't work on PHP v5.2.6.
|
||||||
|
|
||||||
-A.If you are using PHP v5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work.
|
-A.If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work.
|
||||||
|
|
||||||
In `.htaccess`:
|
In `.htaccess`:
|
||||||
|
|
||||||
Replace:
|
Replace (please note it may say mod_php7):
|
||||||
|
|
||||||
```
|
```php
|
||||||
<IfModule mod_php5.c>
|
<IfModule mod_php5.c>
|
||||||
php_flag magic_quotes_gpc off
|
php_flag magic_quotes_gpc off
|
||||||
#php_flag allow_url_fopen on
|
#php_flag allow_url_fopen on
|
||||||
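Review bot: the answer now says `PHP v5.2.6 or above`, but the question it answers still reads `SQL Injection won't work on PHP v5.2.6`, so question and answer disagree about scope; update the question too. The `.htaccess` snippet is fenced as ```php although it is Apache configuration, so highlighting will be wrong; `apache` (or no tag) fits better, and the same applies to the `With:` block in the next hunk.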
@ -140,7 +159,7 @@ Replace:
|
|||||||
|
|
||||||
With:
|
With:
|
||||||
|
|
||||||
```
|
```php
|
||||||
<IfModule mod_php5.c>
|
<IfModule mod_php5.c>
|
||||||
magic_quotes_gpc = Off
|
magic_quotes_gpc = Off
|
||||||
allow_url_fopen = On
|
allow_url_fopen = On
|
||||||
@ -150,18 +169,21 @@ With:
|
|||||||
|
|
||||||
+Q. Command Injection won't work.
|
+Q. Command Injection won't work.
|
||||||
|
|
||||||
-A. Apache may not have high enough priviledges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator.
|
-A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator.
|
||||||
|
|
||||||
+Q. My XSS payload won't run in IE.
|
+Q. Why can't the database connect on CentOS?
|
||||||
|
|
||||||
-A. If you're running IE8 or above, IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter.
|
-A. You may be running into problems with SELinux. Either disable SELinux or run this command to allow the webserver to talk to the database:
|
||||||
|
```
|
||||||
|
setsebool -P httpd_can_network_connect_db 1
|
||||||
|
```
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
## Links
|
## Links
|
||||||
|
|
||||||
Homepage: http://www.dvwa.co.uk
|
Homepage: http://www.dvwa.co.uk/
|
||||||
|
|
||||||
Project Home: https://github.com/RandomStorm/DVWA
|
Project Home: https://github.com/ethicalhack3r/DVWA
|
||||||
|
|
||||||
*Created by the DVWA team*
|
*Created by the DVWA team*
|
||||||
|
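Review bot: `Either disable SELinux or run this command` offers disabling SELinux as the first option, but the `setsebool -P httpd_can_network_connect_db 1` line beneath it is the narrow fix that only lets httpd reach the database; present the boolean as the answer and drop the blanket disable. The fence around the setsebool command has no language tag while the other troubleshooting blocks in this file are tagged; `bash` would match.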
@ -11,11 +11,11 @@ $page[ 'page_id' ] = 'about';
|
|||||||
|
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
<div class=\"body_padded\">
|
<div class=\"body_padded\">
|
||||||
<h1>About</h1>
|
<h2>About</h2>
|
||||||
<p>Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")</p>
|
<p>Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")</p>
|
||||||
<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment</p>
|
<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment</p>
|
||||||
<p>The official documentation for DVWA can be found <a href=\"docs/DVWA_v1.3.pdf\">here</a>.</p>
|
<p>The official documentation for DVWA can be found <a href=\"docs/DVWA_v1.3.pdf\">here</a>.</p>
|
||||||
<p>DVWA is a RandomStorm OpenSource project. All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.</p>
|
<p>All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.</p>
|
||||||
|
|
||||||
<h2>Links</h2>
|
<h2>Links</h2>
|
||||||
<ul>
|
<ul>
|
||||||
@ -28,16 +28,16 @@ $page[ 'body' ] .= "
|
|||||||
|
|
||||||
<h2>Credits</h2>
|
<h2>Credits</h2>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Craig</li>
|
|
||||||
<li>Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "</li>
|
|
||||||
<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "</li>
|
|
||||||
<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','http://tedi.heriyanto.net' ) . "</li>
|
|
||||||
<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "</li>
|
|
||||||
<li>RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "</li>
|
|
||||||
<li>Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "</li>
|
|
||||||
<li>Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "</li>
|
<li>Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "</li>
|
||||||
|
<li>Craig</li>
|
||||||
<li>g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "</li>
|
<li>g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "</li>
|
||||||
|
<li>Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "</li>
|
||||||
|
<li>Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "</li>
|
||||||
|
<li>RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "</li>
|
||||||
|
<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "</li>
|
||||||
<li>Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . "</li>
|
<li>Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . "</li>
|
||||||
|
<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','tedi.heriyanto.net' ) . "</li>
|
||||||
|
<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "</li>
|
||||||
</ul>
|
</ul>
|
||||||
<ul>
|
<ul>
|
||||||
<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet( 'http://github.com/PHPIDS/PHPIDS', 'PHPIDS group' ) . "</li>
|
<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet( 'http://github.com/PHPIDS/PHPIDS', 'PHPIDS group' ) . "</li>
|
||||||
@ -55,6 +55,7 @@ $page[ 'body' ] .= "
|
|||||||
</div>\n";
|
</div>\n";
|
||||||
|
|
||||||
dvwaHtmlEcho( $page );
|
dvwaHtmlEcho( $page );
|
||||||
|
|
||||||
exit;
|
exit;
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -11,11 +11,14 @@ $DBMS = 'MySQL';
|
|||||||
# Database variables
|
# Database variables
|
||||||
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
|
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
|
||||||
# Please use a database dedicated to DVWA.
|
# Please use a database dedicated to DVWA.
|
||||||
|
#
|
||||||
|
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
|
||||||
|
# See README.md for more information on this.
|
||||||
$_DVWA = array();
|
$_DVWA = array();
|
||||||
$_DVWA[ 'db_server' ] = '127.0.0.1';
|
$_DVWA[ 'db_server' ] = '127.0.0.1';
|
||||||
$_DVWA[ 'db_database' ] = 'dvwa';
|
$_DVWA[ 'db_database' ] = 'dvwa';
|
||||||
$_DVWA[ 'db_user' ] = 'root';
|
$_DVWA[ 'db_user' ] = 'root';
|
||||||
$_DVWA[ 'db_password' ] = 'vulnerables';
|
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
|
||||||
|
|
||||||
# Only used with PostgreSQL/PGSQL database selection.
|
# Only used with PostgreSQL/PGSQL database selection.
|
||||||
$_DVWA[ 'db_port '] = '5432';
|
$_DVWA[ 'db_port '] = '5432';
|
||||||
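Review bot: `you must use create a dedicated DVWA user` has a stray `use`; it should read `you must create a dedicated DVWA user`. The default `db_password` becomes `p@ssw0rd` to match the README's Database Setup block, but that section's MariaDB example grants with `'xxx'`, so the two documents still show different values for the same setting.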
@ -23,9 +26,8 @@ $_DVWA[ 'db_port '] = '5432';
|
|||||||
# ReCAPTCHA settings
|
# ReCAPTCHA settings
|
||||||
# Used for the 'Insecure CAPTCHA' module
|
# Used for the 'Insecure CAPTCHA' module
|
||||||
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create
|
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create
|
||||||
# Thanks to http://stackoverflow.com/questions/34274492/dvwa-setup-php-function-allow-url-include-disabled
|
$_DVWA[ 'recaptcha_public_key' ] = '';
|
||||||
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
|
$_DVWA[ 'recaptcha_private_key' ] = '';
|
||||||
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
|
|
||||||
|
|
||||||
# Default security level
|
# Default security level
|
||||||
# Default value for the secuirty level with each session.
|
# Default value for the secuirty level with each session.
|
@ -6,55 +6,57 @@ This file contains all of the code to setup the initial MySQL database. (setup.p
|
|||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ) ) {
|
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' );
|
||||||
dvwaMessagePush( "Could not connect to the database.<br/>Please check the config file." );
|
|
||||||
|
if( !@($GLOBALS["___mysqli_ston"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] )) ) {
|
||||||
|
dvwaMessagePush( "Could not connect to the MySQL service.<br />Please check the config file." );
|
||||||
|
if ($_DVWA[ 'db_user' ] == "root") {
|
||||||
|
dvwaMessagePush( 'Your database user is root, if you are using MariaDB, this will not work, please read the README.md file.' );
|
||||||
|
}
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// Create database
|
// Create database
|
||||||
$drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};";
|
$drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};";
|
||||||
if( !@mysql_query( $drop_db ) ) {
|
if( !@mysqli_query($GLOBALS["___mysqli_ston"], $drop_db ) ) {
|
||||||
dvwaMessagePush( "Could not drop existing database<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Could not drop existing database<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
|
|
||||||
$create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};";
|
$create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};";
|
||||||
if( !@mysql_query( $create_db ) ) {
|
if( !@mysqli_query($GLOBALS["___mysqli_ston"], $create_db ) ) {
|
||||||
dvwaMessagePush( "Could not create database<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Could not create database<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
dvwaMessagePush( "Database has been created." );
|
dvwaMessagePush( "Database has been created." );
|
||||||
|
|
||||||
|
|
||||||
// Create table 'users'
|
// Create table 'users'
|
||||||
if( !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) {
|
if( !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) {
|
||||||
dvwaMessagePush( 'Could not connect to database.' );
|
dvwaMessagePush( 'Could not connect to database.' );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
|
|
||||||
$create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));";
|
$create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));";
|
||||||
if( !mysql_query( $create_tb ) ) {
|
if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb ) ) {
|
||||||
dvwaMessagePush( "Table could not be created<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Table could not be created<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
dvwaMessagePush( "'users' table was created." );
|
dvwaMessagePush( "'users' table was created." );
|
||||||
|
|
||||||
|
|
||||||
// Insert some data into users
|
// Insert some data into users
|
||||||
// Get the base directory for the avatar media...
|
$avatarUrl = '/hackable/users/';
|
||||||
$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ];
|
|
||||||
$stripPos = strpos( $baseUrl, 'setup.php' );
|
|
||||||
$baseUrl = substr( $baseUrl, 0, $stripPos ).'hackable/users/';
|
|
||||||
|
|
||||||
$insert = "INSERT INTO users VALUES
|
$insert = "INSERT INTO users VALUES
|
||||||
('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),
|
('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'),
|
||||||
('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'),
|
('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'),
|
||||||
('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'),
|
('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'),
|
||||||
('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'),
|
('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'),
|
||||||
('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');";
|
('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');";
|
||||||
if( !mysql_query( $insert ) ) {
|
if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) {
|
||||||
dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
dvwaMessagePush( "Data inserted into 'users' table." );
|
dvwaMessagePush( "Data inserted into 'users' table." );
|
||||||
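Review bot: `define( 'DVWA_WEB_PAGE_TO_ROOT', '../../../' )` at the top of this include will emit a notice and be ignored whenever the including page has already defined the constant (the `dvwaPage.inc.php` hunk in this commit dies if it is not defined), so guard it with `if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) )` or define it only in the entry script. The hard-coded `$avatarUrl = '/hackable/users/'` replaces a path derived from the request and assumes DVWA is served from the web root, yet the README's own `Login URL: http://127.0.0.1/dvwa/login.php` installs it under `/dvwa/`, where the stored avatar paths will not resolve. The error expression `((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error(...) : ...)` is pasted seven times; a small helper would make the intent readable.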
@ -62,8 +64,8 @@ dvwaMessagePush( "Data inserted into 'users' table." );
|
|||||||
|
|
||||||
// Create guestbook table
|
// Create guestbook table
|
||||||
$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
|
$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
|
||||||
if( !mysql_query( $create_tb_guestbook ) ) {
|
if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb_guestbook ) ) {
|
||||||
dvwaMessagePush( "Table could not be created<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Table could not be created<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
dvwaMessagePush( "'guestbook' table was created." );
|
dvwaMessagePush( "'guestbook' table was created." );
|
||||||
@ -71,15 +73,28 @@ dvwaMessagePush( "'guestbook' table was created." );
|
|||||||
|
|
||||||
// Insert data into 'guestbook'
|
// Insert data into 'guestbook'
|
||||||
$insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');";
|
$insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');";
|
||||||
if( !mysql_query( $insert ) ) {
|
if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) {
|
||||||
dvwaMessagePush( "Data could not be inserted into 'guestbook' table<br />SQL: ".mysql_error() );
|
dvwaMessagePush( "Data could not be inserted into 'guestbook' table<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
}
|
}
|
||||||
dvwaMessagePush( "Data inserted into 'guestbook' table." );
|
dvwaMessagePush( "Data inserted into 'guestbook' table." );
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// Copy .bak for a fun directory listing vuln
|
||||||
|
$conf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php';
|
||||||
|
$bakconf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php.bak';
|
||||||
|
if (file_exists($conf)) {
|
||||||
|
// Who cares if it fails. Suppress.
|
||||||
|
@copy($conf, $bakconf);
|
||||||
|
}
|
||||||
|
|
||||||
|
dvwaMessagePush( "Backup file /config/config.inc.php.bak automatically created" );
|
||||||
|
|
||||||
// Done
|
// Done
|
||||||
dvwaMessagePush( "<em>Setup successful</em>!" );
|
dvwaMessagePush( "<em>Setup successful</em>!" );
|
||||||
|
|
||||||
if( !dvwaIsLoggedIn())
|
if( !dvwaIsLoggedIn())
|
||||||
dvwaMessagePush( "Please <a href='login.php'>login</a>.<script>setTimeout(function(){window.location.href='login.php'},5000);</script>" );
|
dvwaMessagePush( "Please <a href='login.php'>login</a>.<script>setTimeout(function(){window.location.href='login.php'},5000);</script>" );
|
||||||
dvwaPageReload();
|
dvwaPageReload();
|
||||||
|
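Review bot: `Backup file /config/config.inc.php.bak automatically created` is pushed unconditionally, even when `file_exists($conf)` is false or the suppressed `@copy` fails, so the setup page can report a backup that does not exist; push the message only when `copy()` returns true. Since the copy is an intentional vulnerability (the `.bak` holds the live database credentials and is exposed by directory listing), the README should record it with the other documented issues.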
@ -1,12 +1,16 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) ) {
|
if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) ) {
|
||||||
define( 'DVWA System error- WEB_PAGE_TO_ROOT undefined' );
|
die( 'DVWA System error- WEB_PAGE_TO_ROOT undefined' );
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
session_start(); // Creates a 'Full Path Disclosure' vuln.
|
session_start(); // Creates a 'Full Path Disclosure' vuln.
|
||||||
|
|
||||||
|
if (!file_exists(DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php')) {
|
||||||
|
die ("DVWA System error - config file not found. Copy config/config.inc.php.dist to config/config.inc.php and configure to your environment.");
|
||||||
|
}
|
||||||
|
|
||||||
// Include configs
|
// Include configs
|
||||||
require_once DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php';
|
require_once DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php';
|
||||||
require_once( 'dvwaPhpIds.inc.php' );
|
require_once( 'dvwaPhpIds.inc.php' );
|
||||||
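Review bot: `die( ... )` already terminates the script, so the `exit;` on the following line is dead code; keep one of them. The two error messages are also inconsistently punctuated (`error- WEB_PAGE_TO_ROOT undefined` versus `error - config file not found`); use the same form in both.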
@ -35,12 +39,12 @@ if( !isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $secu
|
|||||||
|
|
||||||
// DVWA version
|
// DVWA version
|
||||||
function dvwaVersionGet() {
|
function dvwaVersionGet() {
|
||||||
return '1.9';
|
return '1.10 *Development*';
|
||||||
}
|
}
|
||||||
|
|
||||||
// DVWA release date
|
// DVWA release date
|
||||||
function dvwaReleaseDateGet() {
|
function dvwaReleaseDateGet() {
|
||||||
return '2015-09-19';
|
return '2015-10-08';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
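Review bot: `dvwaReleaseDateGet()` now returns `'2015-10-08'` while `dvwaVersionGet()` returns `'1.10 *Development*'` and the CHANGELOG in this commit marks v1.10 as `Not Yet Released`, so the About page will print a release date for an unreleased build; return an empty string or keep the v1.9 date until 1.10 ships.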
@ -200,8 +204,12 @@ function dvwaHtmlEcho( $pPage ) {
|
|||||||
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' );
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' );
|
||||||
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' );
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' );
|
||||||
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' );
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' );
|
||||||
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'weak_id', 'name' => 'Weak Session IDs', 'url' => 'vulnerabilities/weak_id/' );
|
||||||
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' );
|
||||||
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' );
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' );
|
||||||
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );
|
||||||
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' );
|
||||||
|
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$menuBlocks[ 'meta' ] = array();
|
$menuBlocks[ 'meta' ] = array();
|
||||||
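Review bot: the four new menu entries (weak_id, xss_d, csp, javascript) link to vulnerabilities/weak_id/, vulnerabilities/xss_d/, vulnerabilities/csp/ and vulnerabilities/javascript/, but nothing in this diff adds those directories, and the v1.10 CHANGELOG entry in this commit lists only the IIS and setup-check improvements. Either the module files are missing from the commit or the CHANGELOG needs entries for them; as committed, the menu renders links that 404.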
@ -223,7 +231,7 @@ function dvwaHtmlEcho( $pPage ) {
|
|||||||
foreach( $menuBlock as $menuItem ) {
|
foreach( $menuBlock as $menuItem ) {
|
||||||
$selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : '';
|
$selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : '';
|
||||||
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ];
|
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ];
|
||||||
$menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem[ 'name' ]}</a></li>\n";
|
$menuBlockHtml .= "<li class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem[ 'name' ]}</a></li>\n";
|
||||||
}
|
}
|
||||||
$menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>";
|
$menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>";
|
||||||
}
|
}
|
||||||
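Review bot: dropping the inline onclick="window.location='...'" from the <li> is the right direction for a CSP-friendly page, and the <a href> inside already carries the navigation. The one behavioural difference is that a click on the <li> padding outside the link no longer navigates; if the menu CSS relied on that, it needs a width/display tweak on the <a>, and either way it is worth a CHANGELOG line.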
@ -322,6 +330,7 @@ function dvwaHtmlEcho( $pPage ) {
|
|||||||
<div id=\"footer\">
|
<div id=\"footer\">
|
||||||
|
|
||||||
<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>
|
<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>
|
||||||
|
<script src='/dvwa/js/add_event_listeners.js'></script>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
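Review bot: the new <script src='/dvwa/js/add_event_listeners.js'> uses an absolute path rooted at /dvwa/, while every other asset in this file is built from DVWA_WEB_PAGE_TO_ROOT (for example `$fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ];` a few hunks up). An install served from / or any other prefix will not load the script, and because the View Help and View Source buttons now depend on it, they will silently do nothing. Suggest `<script src='" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/js/add_event_listeners.js'></script>`.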
@ -409,23 +418,23 @@ function dvwaSourceHtmlEcho( $pPage ) {
|
|||||||
// To be used on all external links --
|
// To be used on all external links --
|
||||||
function dvwaExternalLinkUrlGet( $pLink,$text=null ) {
|
function dvwaExternalLinkUrlGet( $pLink,$text=null ) {
|
||||||
if(is_null( $text )) {
|
if(is_null( $text )) {
|
||||||
return '<a href="http://hiderefer.com/?' . $pLink . '" target="_blank">' . $pLink . '</a>';
|
return '<a href="' . $pLink . '" target="_blank">' . $pLink . '</a>';
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
return '<a href="http://hiderefer.com/?' . $pLink . '" target="_blank">' . $text . '</a>';
|
return '<a href="' . $pLink . '" target="_blank">' . $text . '</a>';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// -- END ( external links)
|
// -- END ( external links)
|
||||||
|
|
||||||
function dvwaButtonHelpHtmlGet( $pId ) {
|
function dvwaButtonHelpHtmlGet( $pId ) {
|
||||||
$security = dvwaSecurityLevelGet();
|
$security = dvwaSecurityLevelGet();
|
||||||
return "<input type=\"button\" value=\"View Help\" class=\"popup_button\" onClick=\"javascript:popUp( '" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_help.php?id={$pId}&security={$security}' )\">";
|
return "<input type=\"button\" value=\"View Help\" class=\"popup_button\" id='help_button' data-help-url='" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_help.php?id={$pId}&security={$security}' )\">";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function dvwaButtonSourceHtmlGet( $pId ) {
|
function dvwaButtonSourceHtmlGet( $pId ) {
|
||||||
$security = dvwaSecurityLevelGet();
|
$security = dvwaSecurityLevelGet();
|
||||||
return "<input type=\"button\" value=\"View Source\" class=\"popup_button\" onClick=\"javascript:popUp( '" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_source.php?id={$pId}&security={$security}' )\">";
|
return "<input type=\"button\" value=\"View Source\" class=\"popup_button\" id='source_button' data-source-url='" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_source.php?id={$pId}&security={$security}' )\">";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
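Review bot: both dvwaButtonHelpHtmlGet() and dvwaButtonSourceHtmlGet() leave a stray `' )\"` behind from the removed onClick handler, so the emitted tag is `<input ... data-help-url='...' )">`: the attribute closes correctly but `)"` is left as junk inside the tag. Drop the ` )\"` so each line ends `...&security={$security}'\">`. Two smaller points on the same hunk: the data-*-url values embed {$pId} and {$security} unescaped, as the old onClick did, and dvwaExternalLinkUrlGet() now emits target="_blank" links straight to $pLink; removing the hiderefer.com hop is good, but neither the href nor the link text is passed through htmlspecialchars().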
@ -433,7 +442,7 @@ function dvwaButtonSourceHtmlGet( $pId ) {
|
|||||||
|
|
||||||
if( $DBMS == 'MySQL' ) {
|
if( $DBMS == 'MySQL' ) {
|
||||||
$DBMS = htmlspecialchars(strip_tags( $DBMS ));
|
$DBMS = htmlspecialchars(strip_tags( $DBMS ));
|
||||||
$DBMS_errorFunc = 'mysql_error()';
|
$DBMS_errorFunc = 'mysqli_error()';
|
||||||
}
|
}
|
||||||
elseif( $DBMS == 'PGSQL' ) {
|
elseif( $DBMS == 'PGSQL' ) {
|
||||||
$DBMS = htmlspecialchars(strip_tags( $DBMS ));
|
$DBMS = htmlspecialchars(strip_tags( $DBMS ));
|
||||||
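Review bot: `$DBMS_errorFunc = 'mysqli_error()';` is a string literal that is later concatenated into a message (`'Unable to connect to the database.<br />' . $DBMS_errorFunc`), so the user sees the text "mysqli_error()" rather than an error; even if it were called, mysqli_error() requires the link argument. If the intent is to surface the real failure, call mysqli_connect_error() at the point the message is pushed; if not, drop the variable.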
@ -458,8 +467,8 @@ function dvwaDatabaseConnect() {
|
|||||||
global $db;
|
global $db;
|
||||||
|
|
||||||
if( $DBMS == 'MySQL' ) {
|
if( $DBMS == 'MySQL' ) {
|
||||||
if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] )
|
if( !@($GLOBALS["___mysqli_ston"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ))
|
||||||
|| !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) {
|
|| !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) {
|
||||||
//die( $DBMS_connError );
|
//die( $DBMS_connError );
|
||||||
dvwaLogout();
|
dvwaLogout();
|
||||||
dvwaMessagePush( 'Unable to connect to the database.<br />' . $DBMS_errorFunc );
|
dvwaMessagePush( 'Unable to connect to the database.<br />' . $DBMS_errorFunc );
|
||||||
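Review bot: the converted connect path selects the database with `mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])`, which concatenates the configured database name unquoted into SQL; a name containing a hyphen or a reserved word breaks, and it is a pattern that invites copy-paste into user-controlled code paths. mysqli_select_db($GLOBALS["___mysqli_ston"], $_DVWA[ 'db_database' ]) is the direct replacement for the old mysql_select_db(). The `___mysqli_ston` global is MySQLConverterToo output; the function already declares `global $db;`, so storing the link there would read better.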
@ -493,11 +502,11 @@ function dvwaRedirect( $pLocation ) {
|
|||||||
// XSS Stored guestbook function --
|
// XSS Stored guestbook function --
|
||||||
function dvwaGuestbook() {
|
function dvwaGuestbook() {
|
||||||
$query = "SELECT name, comment FROM guestbook";
|
$query = "SELECT name, comment FROM guestbook";
|
||||||
$result = mysql_query( $query );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query );
|
||||||
|
|
||||||
$guestbook = '';
|
$guestbook = '';
|
||||||
|
|
||||||
while( $row = mysql_fetch_row( $result ) ) {
|
while( $row = mysqli_fetch_row( $result ) ) {
|
||||||
if( dvwaSecurityLevelGet() == 'impossible' ) {
|
if( dvwaSecurityLevelGet() == 'impossible' ) {
|
||||||
$name = htmlspecialchars( $row[0] );
|
$name = htmlspecialchars( $row[0] );
|
||||||
$comment = htmlspecialchars( $row[1] );
|
$comment = htmlspecialchars( $row[1] );
|
||||||
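Review bot: dvwaGuestbook() passes the mysqli_query() result straight to mysqli_fetch_row() with no check; on a failed query $result is false and mysqli_fetch_row(false) raises a warning, which with display_errors on (the setup page calls that "Easy Mode!") leaks the script path. That may be in scope for DVWA, but if it is intentional it deserves a comment like the one on session_start() at the top of this file.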
@ -540,23 +549,32 @@ function tokenField() { # Return a field for the (CSRF) token
|
|||||||
|
|
||||||
|
|
||||||
// Setup Functions --
|
// Setup Functions --
|
||||||
$PHPUploadPath = realpath( getcwd() ) . "/hackable/uploads/";
|
$PHPUploadPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" ) . DIRECTORY_SEPARATOR;
|
||||||
$PHPIDSPath = realpath( getcwd() ) . "/external/phpids/" . dvwaPhpIdsVersionGet() . "/lib/IDS/tmp/phpids_log.txt";
|
$PHPIDSPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "external" . DIRECTORY_SEPARATOR . "phpids" . DIRECTORY_SEPARATOR . dvwaPhpIdsVersionGet() . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "IDS" . DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR . "phpids_log.txt" );
|
||||||
|
$PHPCONFIGPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config");
|
||||||
|
|
||||||
|
|
||||||
$phpDisplayErrors = 'PHP function display_errors: <em>' . ( ini_get( 'display_errors' ) ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' ); // Verbose error messages (e.g. full path disclosure)
|
$phpDisplayErrors = 'PHP function display_errors: <em>' . ( ini_get( 'display_errors' ) ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' ); // Verbose error messages (e.g. full path disclosure)
|
||||||
$phpSafeMode = 'PHP function safe_mode: <span class="' . ( ini_get( 'safe_mode' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>'; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
|
$phpSafeMode = 'PHP function safe_mode: <span class="' . ( ini_get( 'safe_mode' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>'; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
|
||||||
$phpMagicQuotes = 'PHP function magic_quotes_gpc: <span class="' . ( ini_get( 'magic_quotes_gpc' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>'; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
|
$phpMagicQuotes = 'PHP function magic_quotes_gpc: <span class="' . ( ini_get( 'magic_quotes_gpc' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>'; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
|
||||||
$phpURLInclude = 'PHP function allow_url_include: <span class="' . ( ini_get( 'allow_url_include' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>'; // RFI
|
$phpURLInclude = 'PHP function allow_url_include: <span class="' . ( ini_get( 'allow_url_include' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>'; // RFI
|
||||||
$phpURLFopen = 'PHP function allow_url_fopen: <span class="' . ( ini_get( 'allow_url_fopen' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>'; // RFI
|
$phpURLFopen = 'PHP function allow_url_fopen: <span class="' . ( ini_get( 'allow_url_fopen' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>'; // RFI
|
||||||
$phpGD = 'PHP module php-gd: <span class="' . ( ( extension_loaded( 'gd' ) && function_exists( 'gd_info' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>'; // File Upload
|
$phpGD = 'PHP module gd: <span class="' . ( ( extension_loaded( 'gd' ) && function_exists( 'gd_info' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>'; // File Upload
|
||||||
|
$phpMySQL = 'PHP module mysql: <span class="' . ( ( extension_loaded( 'mysqli' ) && function_exists( 'mysqli_query' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>'; // Core DVWA
|
||||||
|
$phpPDO = 'PHP module pdo_mysql: <span class="' . ( extension_loaded( 'pdo_mysql' ) ? 'success">Installed' : 'failure">Missing' ) . '</span>'; // SQLi
|
||||||
$DVWARecaptcha = 'reCAPTCHA key: <span class="' . ( ( isset( $_DVWA[ 'recaptcha_public_key' ] ) && $_DVWA[ 'recaptcha_public_key' ] != '' ) ? 'success">' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . '</span>';
|
$DVWARecaptcha = 'reCAPTCHA key: <span class="' . ( ( isset( $_DVWA[ 'recaptcha_public_key' ] ) && $_DVWA[ 'recaptcha_public_key' ] != '' ) ? 'success">' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . '</span>';
|
||||||
|
|
||||||
$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': <span class="' . ( is_writable( $PHPUploadPath ) ? 'success">Yes)' : 'failure">No' ) . '</span>'; // File Upload
|
$DVWAUploadsWrite = '[User: ' . get_current_user() . '] Writable folder ' . $PHPUploadPath . ': <span class="' . ( is_writable( $PHPUploadPath ) ? 'success">Yes' : 'failure">No' ) . '</span>'; // File Upload
|
||||||
$DVWAPHPWrite = 'Writable file ' . $PHPIDSPath . ': <span class="' . ( is_writable( $PHPIDSPath ) ? 'success">Yes' : 'failure">No' ) . '</span>'; // PHPIDS
|
$bakWritable = '[User: ' . get_current_user() . '] Writable folder ' . $PHPCONFIGPath . ': <span class="' . ( is_writable( $PHPCONFIGPath ) ? 'success">Yes' : 'failure">No' ) . '</span>'; // config.php.bak check // File Upload
|
||||||
|
$DVWAPHPWrite = '[User: ' . get_current_user() . '] Writable file ' . $PHPIDSPath . ': <span class="' . ( is_writable( $PHPIDSPath ) ? 'success">Yes' : 'failure">No' ) . '</span>'; // PHPIDS
|
||||||
|
|
||||||
$DVWAOS = 'Operating system: <em>' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '</em>';
|
$DVWAOS = 'Operating system: <em>' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '</em>';
|
||||||
$SERVER_NAME = 'Web Server SERVER_NAME: <em>' . $_SERVER[ 'SERVER_NAME' ] . '</em>'; // CSRF
|
$SERVER_NAME = 'Web Server SERVER_NAME: <em>' . $_SERVER[ 'SERVER_NAME' ] . '</em>'; // CSRF
|
||||||
|
|
||||||
|
$MYSQL_USER = 'MySQL username: <em>' . $_DVWA[ 'db_user' ] . '</em>';
|
||||||
|
$MYSQL_PASS = 'MySQL password: <em>' . ( ($_DVWA[ 'db_password' ] != "" ) ? '******' : '*blank*' ) . '</em>';
|
||||||
|
$MYSQL_DB = 'MySQL database: <em>' . $_DVWA[ 'db_database' ] . '</em>';
|
||||||
|
$MYSQL_SERVER = 'MySQL host: <em>' . $_DVWA[ 'db_server' ] . '</em>';
|
||||||
// -- END (Setup Functions)
|
// -- END (Setup Functions)
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
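Review bot: the label for the new `$phpMySQL` check reads 'PHP module mysql' while the test is `extension_loaded( 'mysqli' )`, so on a PHP 7 host the user is told "mysql" is installed when only mysqli is; the label should say mysqli. The `$bakWritable` line carries the comment `// config.php.bak check // File Upload`, which does not explain why the config/ directory being writable by the web user matters (an editor backup such as the config.php.bak the comment names being left readable beside the live config); spell that out. Also, `$MYSQL_USER`, `$MYSQL_DB` and `$MYSQL_SERVER` echo config values into the setup page unescaped; they are admin-controlled, but the page already wraps `$DBMS` in htmlspecialchars(strip_tags()), so the same treatment here would be consistent.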
24
dvwa/dvwa/js/add_event_listeners.js
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
// These functions need to be called after the content they reference
|
||||||
|
// has been added to the page otherwise they will fail.
|
||||||
|
|
||||||
|
function addEventListeners() {
|
||||||
|
var source_button = document.getElementById ("source_button");
|
||||||
|
|
||||||
|
if (source_button) {
|
||||||
|
source_button.addEventListener("click", function() {
|
||||||
|
var url=source_button.dataset.sourceUrl;
|
||||||
|
popUp (url);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
var help_button = document.getElementById ("help_button");
|
||||||
|
|
||||||
|
if (help_button) {
|
||||||
|
help_button.addEventListener("click", function() {
|
||||||
|
var url=help_button.dataset.helpUrl;
|
||||||
|
popUp (url);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
addEventListeners();
|
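Review bot: add_event_listeners.js calls popUp() but does not define it; popUp lives in the existing dvwaPage.js (touched in the next hunk), so this script must be loaded after it, and because addEventListeners() runs at load time it also has to come after the button markup, which the comment at the top acknowledges. Wrapping the call in a DOMContentLoaded listener would remove the dependency on where the <script> tag is placed.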
@ -3,7 +3,8 @@
|
|||||||
function popUp(URL) {
|
function popUp(URL) {
|
||||||
day = new Date();
|
day = new Date();
|
||||||
id = day.getTime();
|
id = day.getTime();
|
||||||
eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=500,height=300,left = 540,top = 250');");
|
window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');
|
||||||
|
//eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Form validation */
|
/* Form validation */
|
||||||
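Review bot: the new `window.open(URL, '" + id + "', ...)` was lifted out of the eval string verbatim, so the second argument is now the literal string `" + id + "` rather than the timestamp in `id`; every popup shares that one window name, so a second View Source click reuses the first window instead of opening a new one. It should be `window.open(URL, String(id), '...')`. Removing the eval is the right call, so the commented-out eval line below it can go as well rather than lingering.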
@ -20,7 +21,7 @@ with (field) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function validate_form(thisform) {
|
function validateGuestbookForm(thisform) {
|
||||||
with (thisform) {
|
with (thisform) {
|
||||||
|
|
||||||
// Guestbook form
|
// Guestbook form
|
||||||
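Review bot: renaming validate_form() to validateGuestbookForm() changes a function name that the guestbook form's onsubmit handler calls, and nothing in this diff updates that caller; either the change is in a hunk not shown here or the form will throw a ReferenceError on submit. Worth confirming before merge.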
@ -33,3 +34,6 @@ with (thisform) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function confirmClearGuestbook() {
|
||||||
|
return confirm("Are you sure you want to clear the guestbook?");
|
||||||
|
}
|
||||||
|
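Review bot: confirmClearGuestbook() is fine as a convenience, but a confirm() dialog is not a security control; the clear-guestbook action still needs the CSRF token from tokenField() checked server-side, so please keep this handler as UX only and do not let it stand in for that check.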
288
dvwa/external/recaptcha/recaptchalib.php
vendored
Executable file → Normal file
@ -1,279 +1,45 @@
|
|||||||
<?php
|
<?php
|
||||||
/*
|
|
||||||
* This is a PHP library that handles calling reCAPTCHA.
|
|
||||||
* - Documentation and latest version
|
|
||||||
* http://recaptcha.net/plugins/php/
|
|
||||||
* - Get a reCAPTCHA API Key
|
|
||||||
* https://www.google.com/recaptcha/admin/create
|
|
||||||
* - Discussion group
|
|
||||||
* http://groups.google.com/group/recaptcha
|
|
||||||
*
|
|
||||||
* Copyright (c) 2007 reCAPTCHA -- http://recaptcha.net
|
|
||||||
* AUTHORS:
|
|
||||||
* Mike Crawford
|
|
||||||
* Ben Maurer
|
|
||||||
*
|
|
||||||
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
* of this software and associated documentation files (the "Software"), to deal
|
|
||||||
* in the Software without restriction, including without limitation the rights
|
|
||||||
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
* copies of the Software, and to permit persons to whom the Software is
|
|
||||||
* furnished to do so, subject to the following conditions:
|
|
||||||
*
|
|
||||||
* The above copyright notice and this permission notice shall be included in
|
|
||||||
* all copies or substantial portions of the Software.
|
|
||||||
*
|
|
||||||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
||||||
* THE SOFTWARE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
/**
|
// new php7 captcha v2 implementation.
|
||||||
* The reCAPTCHA server URL's
|
|
||||||
*/
|
|
||||||
define("RECAPTCHA_API_SERVER", "http://www.google.com/recaptcha/api");
|
|
||||||
define("RECAPTCHA_API_SECURE_SERVER", "https://www.google.com/recaptcha/api");
|
|
||||||
define("RECAPTCHA_VERIFY_SERVER", "www.google.com");
|
|
||||||
|
|
||||||
/**
|
function recaptcha_check_answer($key, $response){
|
||||||
* Encodes the given data into a query string format
|
return CheckCaptcha($key, $response);
|
||||||
* @param $data - array of string elements to be encoded
|
|
||||||
* @return string - encoded request
|
|
||||||
*/
|
|
||||||
function _recaptcha_qsencode ($data) {
|
|
||||||
$req = "";
|
|
||||||
foreach ( $data as $key => $value )
|
|
||||||
$req .= $key . '=' . urlencode( stripslashes($value) ) . '&';
|
|
||||||
|
|
||||||
// Cut the last '&'
|
|
||||||
$req=substr($req,0,strlen($req)-1);
|
|
||||||
return $req;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function CheckCaptcha($key, $response) {
|
||||||
|
|
||||||
|
try {
|
||||||
/**
|
$url = 'https://www.google.com/recaptcha/api/siteverify';
|
||||||
* Submits an HTTP POST to a reCAPTCHA server
|
$dat = array(
|
||||||
* @param string $host
|
'secret' => $key,
|
||||||
* @param string $path
|
'response' => urlencode($response),
|
||||||
* @param array $data
|
'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])
|
||||||
* @param int port
|
|
||||||
* @return array response
|
|
||||||
*/
|
|
||||||
function _recaptcha_http_post($host, $path, $data, $port = 80) {
|
|
||||||
|
|
||||||
$req = _recaptcha_qsencode ($data);
|
|
||||||
|
|
||||||
$http_request = "POST $path HTTP/1.0\r\n";
|
|
||||||
$http_request .= "Host: $host\r\n";
|
|
||||||
$http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n";
|
|
||||||
$http_request .= "Content-Length: " . strlen($req) . "\r\n";
|
|
||||||
$http_request .= "User-Agent: reCAPTCHA/PHP\r\n";
|
|
||||||
$http_request .= "\r\n";
|
|
||||||
$http_request .= $req;
|
|
||||||
|
|
||||||
$response = '';
|
|
||||||
if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) {
|
|
||||||
die ('Could not open socket');
|
|
||||||
}
|
|
||||||
|
|
||||||
fwrite($fs, $http_request);
|
|
||||||
|
|
||||||
while ( !feof($fs) )
|
|
||||||
$response .= fgets($fs, 1160); // One TCP-IP packet
|
|
||||||
fclose($fs);
|
|
||||||
$response = explode("\r\n\r\n", $response, 2);
|
|
||||||
|
|
||||||
return $response;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the challenge HTML (javascript and non-javascript version).
|
|
||||||
* This is called from the browser, and the resulting reCAPTCHA HTML widget
|
|
||||||
* is embedded within the HTML form it was called from.
|
|
||||||
* @param string $pubkey A public key for reCAPTCHA
|
|
||||||
* @param string $error The error given by reCAPTCHA (optional, default is null)
|
|
||||||
* @param boolean $use_ssl Should the request be made over ssl? (optional, default is false)
|
|
||||||
|
|
||||||
* @return string - The HTML to be embedded in the user's form.
|
|
||||||
*/
|
|
||||||
function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false)
|
|
||||||
{
|
|
||||||
|
|
||||||
# commented out to deal with error in DVWA - ethicalhack3r
|
|
||||||
#if ($pubkey == null || $pubkey == '') {
|
|
||||||
# die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create' target='_blank'>https://www.google.com/recaptcha/admin/create</a>");
|
|
||||||
#}
|
|
||||||
|
|
||||||
if ($use_ssl) {
|
|
||||||
$server = RECAPTCHA_API_SECURE_SERVER;
|
|
||||||
} else {
|
|
||||||
$server = RECAPTCHA_API_SERVER;
|
|
||||||
}
|
|
||||||
|
|
||||||
$errorpart = "";
|
|
||||||
if ($error) {
|
|
||||||
$errorpart = "&error=" . $error;
|
|
||||||
}
|
|
||||||
return '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>
|
|
||||||
|
|
||||||
<noscript>
|
|
||||||
<iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br/>
|
|
||||||
<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
|
|
||||||
<input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>
|
|
||||||
</noscript>';
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A ReCaptchaResponse is returned from recaptcha_check_answer()
|
|
||||||
*/
|
|
||||||
class ReCaptchaResponse {
|
|
||||||
var $is_valid;
|
|
||||||
var $error;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Calls an HTTP POST function to verify if the user's guess was correct
|
|
||||||
* @param string $privkey
|
|
||||||
* @param string $remoteip
|
|
||||||
* @param string $challenge
|
|
||||||
* @param string $response
|
|
||||||
* @param array $extra_params an array of extra variables to post to the server
|
|
||||||
* @return ReCaptchaResponse
|
|
||||||
*/
|
|
||||||
function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array())
|
|
||||||
{
|
|
||||||
if ($privkey == null || $privkey == '') {
|
|
||||||
die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create' target='_blank'>https://www.google.com/recaptcha/admin/create</a>");
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($remoteip == null || $remoteip == '') {
|
|
||||||
die ("For security reasons, you must pass the remote ip to reCAPTCHA");
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
//discard spam submissions
|
|
||||||
if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) {
|
|
||||||
$recaptcha_response = new ReCaptchaResponse();
|
|
||||||
$recaptcha_response->is_valid = false;
|
|
||||||
$recaptcha_response->error = 'incorrect-captcha-sol';
|
|
||||||
return $recaptcha_response;
|
|
||||||
}
|
|
||||||
|
|
||||||
$response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
|
|
||||||
array (
|
|
||||||
'privatekey' => $privkey,
|
|
||||||
'remoteip' => $remoteip,
|
|
||||||
'challenge' => $challenge,
|
|
||||||
'response' => $response
|
|
||||||
) + $extra_params
|
|
||||||
);
|
);
|
||||||
|
|
||||||
$answers = explode ("\n", $response [1]);
|
$opt = array(
|
||||||
$recaptcha_response = new ReCaptchaResponse();
|
'http' => array(
|
||||||
|
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
|
||||||
|
'method' => 'POST',
|
||||||
|
'content' => http_build_query($dat)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
if (trim ($answers [0]) == 'true') {
|
$context = stream_context_create($opt);
|
||||||
$recaptcha_response->is_valid = true;
|
$result = file_get_contents($url, false, $context);
|
||||||
}
|
|
||||||
else {
|
|
||||||
$recaptcha_response->is_valid = false;
|
|
||||||
$recaptcha_response->error = $answers [1];
|
|
||||||
}
|
|
||||||
return $recaptcha_response;
|
|
||||||
|
|
||||||
}
|
return json_decode($result)->success;
|
||||||
|
|
||||||
/**
|
} catch (Exception $e) {
|
||||||
* gets a URL where the user can sign up for reCAPTCHA. If your application
|
return null;
|
||||||
* has a configuration page where you enter a key, you should provide a link
|
|
||||||
* using this function.
|
|
||||||
* @param string $domain The domain where the page is hosted
|
|
||||||
* @param string $appname The name of your application
|
|
||||||
*/
|
|
||||||
function recaptcha_get_signup_url ($domain = null, $appname = null) {
|
|
||||||
return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname));
|
|
||||||
}
|
|
||||||
|
|
||||||
function _recaptcha_aes_pad($val) {
|
|
||||||
$block_size = 16;
|
|
||||||
$numpad = $block_size - (strlen ($val) % $block_size);
|
|
||||||
return str_pad($val, strlen ($val) + $numpad, chr($numpad));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Mailhide related code */
|
|
||||||
|
|
||||||
function _recaptcha_aes_encrypt($val,$ky) {
|
|
||||||
if (! function_exists ("mcrypt_encrypt")) {
|
|
||||||
die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed.");
|
|
||||||
}
|
|
||||||
$mode=MCRYPT_MODE_CBC;
|
|
||||||
$enc=MCRYPT_RIJNDAEL_128;
|
|
||||||
$val=_recaptcha_aes_pad($val);
|
|
||||||
return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function _recaptcha_mailhide_urlbase64 ($x) {
|
|
||||||
return strtr(base64_encode ($x), '+/', '-_');
|
|
||||||
}
|
|
||||||
|
|
||||||
/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */
|
|
||||||
function recaptcha_mailhide_url($pubkey, $privkey, $email) {
|
|
||||||
if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) {
|
|
||||||
die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " .
|
|
||||||
"you can do so at <a href='http://www.google.com/recaptcha/mailhide/apikey' target='_blank'>http://www.google.com/recaptcha/mailhide/apikey</a>");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
$ky = pack('H*', $privkey);
|
|
||||||
$cryptmail = _recaptcha_aes_encrypt ($email, $ky);
|
|
||||||
|
|
||||||
return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
function recaptcha_get_html($pubKey){
|
||||||
* gets the parts of the email to expose to the user.
|
return "
|
||||||
* eg, given johndoe@example,com return ["john", "example.com"].
|
<script src='https://www.google.com/recaptcha/api.js'></script>
|
||||||
* the email is then displayed as john...@example.com
|
<br /> <div class='g-recaptcha' data-theme='dark' data-sitekey='" . $pubKey . "'></div>
|
||||||
*/
|
";
|
||||||
function _recaptcha_mailhide_email_parts ($email) {
|
|
||||||
$arr = preg_split("/@/", $email );
|
|
||||||
|
|
||||||
if (strlen ($arr[0]) <= 4) {
|
|
||||||
$arr[0] = substr ($arr[0], 0, 1);
|
|
||||||
} else if (strlen ($arr[0]) <= 6) {
|
|
||||||
$arr[0] = substr ($arr[0], 0, 3);
|
|
||||||
} else {
|
|
||||||
$arr[0] = substr ($arr[0], 0, 4);
|
|
||||||
}
|
|
||||||
return $arr;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets html to display an email address given a public an private key.
|
|
||||||
* to get a key, go to:
|
|
||||||
*
|
|
||||||
* http://www.google.com/recaptcha/mailhide/apikey
|
|
||||||
*/
|
|
||||||
function recaptcha_mailhide_html($pubkey, $privkey, $email) {
|
|
||||||
$emailparts = _recaptcha_mailhide_email_parts ($email);
|
|
||||||
$url = recaptcha_mailhide_url ($pubkey, $privkey, $email);
|
|
||||||
|
|
||||||
return htmlentities($emailparts[0]) . "<a href='" . htmlentities ($url) .
|
|
||||||
"' onclick=\"window.open('" . htmlentities ($url) . "', '', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300'); return false;\" title=\"Reveal this e-mail address\">...</a>@" . htmlentities ($emailparts [1]);
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
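Review bot: the rewritten CheckCaptcha() double-encodes its parameters: `'response' => urlencode($response)` and `'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])` are then passed through http_build_query($dat), which encodes again, so a response token containing anything outside the unreserved set is sent mangled and verification fails. Pass the raw values and let http_build_query() encode once. Three further points on this hunk: file_get_contents($url, ...) returns false on a network or TLS failure and json_decode(false) yields null, so `json_decode($result)->success` raises a notice instead of reaching the catch block (PHP warnings are not Exceptions); check `$result === false` and `isset($json->success)` explicitly. The signature of recaptcha_check_answer() drops from ($privkey, $remoteip, $challenge, $response) to ($key, $response) and it now returns a bool rather than a ReCaptchaResponse object, so every caller that reads ->is_valid must change in the same commit. And the old guard that die()d on an empty private key is gone, so an unconfigured key now silently fails every CAPTCHA instead of telling the user to configure it.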
@ -12,8 +12,8 @@ if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) ) {
|
|||||||
|
|
||||||
echo "2.) My name is Sherlock Holmes. It is my business to know what other people don't know.\n\n<br /><br />\n";
|
echo "2.) My name is Sherlock Holmes. It is my business to know what other people don't know.\n\n<br /><br />\n";
|
||||||
|
|
||||||
$line3 = "3.) Romeo, Romeo! wherefore art thou Romeo?";
|
$line3 = "3.) Romeo, Romeo! Wherefore art thou Romeo?";
|
||||||
$line3 = "--LINE MISSING--";
|
$line3 = "--LINE HIDDEN ;)--";
|
||||||
echo $line3 . "\n\n<br /><br />\n";
|
echo $line3 . "\n\n<br /><br />\n";
|
||||||
|
|
||||||
$line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu";
|
$line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu";
|
||||||
|
@ -13,14 +13,14 @@ $page[ 'body' ] .= "
|
|||||||
<div class=\"body_padded\">
|
<div class=\"body_padded\">
|
||||||
<h1>Welcome to Damn Vulnerable Web Application!</h1>
|
<h1>Welcome to Damn Vulnerable Web Application!</h1>
|
||||||
<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.</p>
|
<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.</p>
|
||||||
<p>The aim of DVWA is to <em>practice some of the most common web vulnerability</em>, with <em>various difficultly levels</em>, with a simple straightforward interface.</p>
|
<p>The aim of DVWA is to <em>practice some of the most common web vulnerabilities</em>, with <em>various levels of difficultly</em>, with a simple straightforward interface.</p>
|
||||||
<hr />
|
<hr />
|
||||||
<br />
|
<br />
|
||||||
|
|
||||||
<h2>General Instructions</h2>
|
<h2>General Instructions</h2>
|
||||||
<p>It is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.</p>
|
<p>It is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.</p>
|
||||||
<p>Please note, there are <em>both documented and undocumented vulnerability</em> with this software. This is intentional. You are encouraged to try and discover as many issues as possible.</p>
|
<p>Please note, there are <em>both documented and undocumented vulnerability</em> with this software. This is intentional. You are encouraged to try and discover as many issues as possible.</p>
|
||||||
<p>DVWA also includes a Web Application Firewall (WAF), PHPIDS, which can be enabled at any stage to further increase the difficulty. This will demonstrate how adding another layer of security may block certain malicious actions. Note, there are also various public methods at bypassing these protections (so this can be see an as extension for more advance users)!</p>
|
<p>DVWA also includes a Web Application Firewall (WAF), PHPIDS, which can be enabled at any stage to further increase the difficulty. This will demonstrate how adding another layer of security may block certain malicious actions. Note, there are also various public methods at bypassing these protections (so this can be seen as an extension for more advanced users)!</p>
|
||||||
<p>There is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.</p>
|
<p>There is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.</p>
|
||||||
<hr />
|
<hr />
|
||||||
<br />
|
<br />
|
||||||
|
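Review bot: the rewritten sentence on the new side of the first paragraph still misspells 'difficulty' as 'difficultly' ('various levels of difficultly'), so the typo this hunk set out to fix survives; suggest `with <em>various levels of difficulty</em>`. The unchanged context in the same hunk has related slips worth folding in while here: 'There is not a fixed object to complete a module' (objective), 'as best as they possible could' (possibly), and 'both documented and undocumented vulnerability' (vulnerabilities).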
@ -13,26 +13,26 @@ if( isset( $_POST[ 'Login' ] ) ) {
|
|||||||
|
|
||||||
$user = $_POST[ 'username' ];
|
$user = $_POST[ 'username' ];
|
||||||
$user = stripslashes( $user );
|
$user = stripslashes( $user );
|
||||||
$user = mysql_real_escape_string( $user );
|
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
|
||||||
$pass = $_POST[ 'password' ];
|
$pass = $_POST[ 'password' ];
|
||||||
$pass = stripslashes( $pass );
|
$pass = stripslashes( $pass );
|
||||||
$pass = mysql_real_escape_string( $pass );
|
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass = md5( $pass );
|
$pass = md5( $pass );
|
||||||
|
|
||||||
$query = ("SELECT table_schema, table_name, create_time
|
$query = ("SELECT table_schema, table_name, create_time
|
||||||
FROM information_schema.tables
|
FROM information_schema.tables
|
||||||
WHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'
|
WHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'
|
||||||
LIMIT 1");
|
LIMIT 1");
|
||||||
$result = @mysql_query( $query );
|
$result = @mysqli_query($GLOBALS["___mysqli_ston"], $query );
|
||||||
if( mysql_num_rows( $result ) != 1 ) {
|
if( mysqli_num_rows( $result ) != 1 ) {
|
||||||
dvwaMessagePush( "First time using DVWA.<br />Need to run 'setup.php'." );
|
dvwaMessagePush( "First time using DVWA.<br />Need to run 'setup.php'." );
|
||||||
dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' );
|
dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
|
$query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
|
||||||
$result = @mysql_query( $query ) or die( '<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>' );
|
$result = @mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '.<br />Try <a href="setup.php">installing again</a>.</pre>' );
|
||||||
if( $result && mysql_num_rows( $result ) == 1 ) { // Login Successful...
|
if( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful...
|
||||||
dvwaMessagePush( "You have logged in as '{$user}'" );
|
dvwaMessagePush( "You have logged in as '{$user}'" );
|
||||||
dvwaLogin( $user );
|
dvwaLogin( $user );
|
||||||
dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' );
|
dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' );
|
||||||
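Review bot: `@mysqli_query(...)` on the information_schema check silences the query, but the following `if( mysqli_num_rows( $result ) != 1 )` still runs on `$result` without checking that it is not `false`, so a failed query (wrong credentials, missing database) produces a warning or, on PHP 8, a TypeError instead of the intended 'Need to run setup.php' redirect. The second query in this hunk already guards with `if( $result && mysqli_num_rows( $result ) == 1 )`; apply the same guard here, e.g. `if( !$result || mysqli_num_rows( $result ) != 1 ) {`. Style: the converter-generated `mysqli_real_escape_string` lines with their `trigger_error(... E_USER_ERROR)` fallback are repeated verbatim for `$user` and `$pass`; a small wrapper around the `$GLOBALS["___mysqli_ston"]` handle would keep these files readable.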
@ -120,7 +120,7 @@ echo "
|
|||||||
|
|
||||||
<div id=\"footer\">
|
<div id=\"footer\">
|
||||||
|
|
||||||
<p>" . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)' ) . " is a RandomStorm OpenSource project.</p>
|
<p>" . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)' ) . "</p>
|
||||||
|
|
||||||
</div> <!--<div id=\"footer\"> -->
|
</div> <!--<div id=\"footer\"> -->
|
||||||
|
|
||||||
|
@ -62,8 +62,17 @@ foreach( array( 'low', 'medium', 'high', 'impossible' ) as $securityLevel ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$phpIdsHtml = 'PHPIDS is currently: ';
|
$phpIdsHtml = 'PHPIDS is currently: ';
|
||||||
|
|
||||||
|
// Able to write to the PHPIDS log file?
|
||||||
|
$WarningHtml = '';
|
||||||
|
|
||||||
if( dvwaPhpIdsIsEnabled() ) {
|
if( dvwaPhpIdsIsEnabled() ) {
|
||||||
$phpIdsHtml .= '<em>enabled</em>. [<a href="?phpids=off">Disable PHPIDS</a>]';
|
$phpIdsHtml .= '<em>enabled</em>. [<a href="?phpids=off">Disable PHPIDS</a>]';
|
||||||
|
|
||||||
|
# Only check if PHPIDS is enabled
|
||||||
|
if( !is_writable( $PHPIDSPath ) ) {
|
||||||
|
$WarningHtml .= "<div class=\"warning\"><em>Cannot write to the PHPIDS log file</em>: ${PHPIDSPath}</div>";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$phpIdsHtml .= '<em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]';
|
$phpIdsHtml .= '<em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]';
|
||||||
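Review bot: the relocated writability check uses `${PHPIDSPath}` inside the double-quoted warning string while the surrounding code uses `{$var}` interpolation (e.g. `{$securityOptionsHtml}` further down); the `${}` form is deprecated as of PHP 8.2, so prefer `{$PHPIDSPath}`. The added `# Only check if PHPIDS is enabled` comment also uses `#` where the rest of the file uses `//`. Moving the check under `dvwaPhpIdsIsEnabled()` is otherwise the right call, since the warning was previously shown even when PHPIDS was off.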
@ -72,13 +81,6 @@ else {
|
|||||||
// Anti-CSRF
|
// Anti-CSRF
|
||||||
generateSessionToken();
|
generateSessionToken();
|
||||||
|
|
||||||
// Able to write to the PHPIDS log file?
|
|
||||||
$WarningHtml = '';
|
|
||||||
if( !is_writable( $PHPIDSPath ) ) {
|
|
||||||
$WarningHtml .= "<div class=\"warning\"><em>Cannot write to the PHPIDS log file</em>: ${PHPIDSPath}</div>";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
<div class=\"body_padded\">
|
<div class=\"body_padded\">
|
||||||
<h1>DVWA Security <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\" /></h1>
|
<h1>DVWA Security <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\" /></h1>
|
||||||
@ -96,7 +98,7 @@ $page[ 'body' ] .= "
|
|||||||
<li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li>
|
<li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li>
|
||||||
<li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li>
|
<li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li>
|
||||||
<li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br />
|
<li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br />
|
||||||
Priority to DVWA v1.9, this level was known as 'high'.</li>
|
Prior to DVWA v1.9, this level was known as 'high'.</li>
|
||||||
</ol>
|
</ol>
|
||||||
<select name=\"security\">
|
<select name=\"security\">
|
||||||
{$securityOptionsHtml}
|
{$securityOptionsHtml}
|
||||||
|
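Review bot: 'Priority to' to 'Prior to' is the right fix, but the unchanged 'High' bullet in the same hunk still reads awkwardly: 'may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions' would be clearer as 'may not allow the same extent of exploitation, similar to various Capture The Flag (CTF) competitions'.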
@ -34,8 +34,8 @@ $page[ 'body' ] .= "
|
|||||||
<div class=\"body_padded\">
|
<div class=\"body_padded\">
|
||||||
<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>
|
<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>
|
||||||
|
|
||||||
<p>Click on the 'Create / Reset Database' button below to create or reset your database.</br>
|
<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />
|
||||||
If you get an error make sure you have the correct user credentials in: <em>" . realpath( getcwd() ) . "/config/config.inc.php</em></p>
|
If you get an error make sure you have the correct user credentials in: <em>" . realpath( getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "</em></p>
|
||||||
|
|
||||||
<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />
|
<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />
|
||||||
You can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>
|
You can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>
|
||||||
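Review bot: `realpath()` now wraps the full `config/config.inc.php` path and returns `false` when that file does not exist, so in exactly the situation this message is for (setup failing because the config is missing or misplaced) the `<em>` renders empty. The old code resolved only `getcwd()` and appended the relative part; keep that approach with the new separator handling, e.g. `realpath( getcwd() ) . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php"`, so the expected location is always shown. The `</br>` to `<br />` fix is correct.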
@ -56,13 +56,29 @@ $page[ 'body' ] .= "
|
|||||||
{$phpURLFopen}<br />
|
{$phpURLFopen}<br />
|
||||||
{$phpMagicQuotes}<br />
|
{$phpMagicQuotes}<br />
|
||||||
{$phpGD}<br />
|
{$phpGD}<br />
|
||||||
|
{$phpMySQL}<br />
|
||||||
|
{$phpPDO}<br />
|
||||||
|
<br />
|
||||||
|
{$MYSQL_USER}<br />
|
||||||
|
{$MYSQL_PASS}<br />
|
||||||
|
{$MYSQL_DB}<br />
|
||||||
|
{$MYSQL_SERVER}<br />
|
||||||
<br />
|
<br />
|
||||||
{$DVWARecaptcha}<br />
|
{$DVWARecaptcha}<br />
|
||||||
<br />
|
<br />
|
||||||
{$DVWAUploadsWrite}<br />
|
{$DVWAUploadsWrite}<br />
|
||||||
{$DVWAPHPWrite}<br />
|
{$DVWAPHPWrite}<br />
|
||||||
<br />
|
<br />
|
||||||
|
<br />
|
||||||
|
{$bakWritable}
|
||||||
|
<br />
|
||||||
<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />
|
<i><span class=\"failure\">Status in red</span>, indicate there will be an issue when trying to complete some modules.</i><br />
|
||||||
|
<br />
|
||||||
|
If you see disabled on either <i>allow_url_fopen</i> or <i>allow_url_include</i>, set the following in your php.ini file and restart Apache.<br />
|
||||||
|
<pre><code>allow_url_fopen = On
|
||||||
|
allow_url_include = On</code></pre>
|
||||||
|
These are only required for the file inclusion labs so unless you want to play with those, you can ignore them.
|
||||||
|
|
||||||
<br /><br /><br />
|
<br /><br /><br />
|
||||||
|
|
||||||
<!-- Create db button -->
|
<!-- Create db button -->
|
||||||
|
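Review bot: the setup page now echoes `{$MYSQL_USER}`, `{$MYSQL_PASS}`, `{$MYSQL_DB}` and `{$MYSQL_SERVER}`; if `$MYSQL_PASS` expands to the configured database password rather than a masked or presence-only status, setup.php discloses it to anyone who can load the page, so confirm it is rendered masked (the other `{$...}` lines in this block are pass/fail status strings). Minor copy in the unchanged context: 'Status in red, indicate there will be an issue' should be 'indicates'.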
@ -44,7 +44,7 @@
|
|||||||
This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds.
|
This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds.
|
||||||
The idea of this is to try and confuse any timing predictions.</p>
|
The idea of this is to try and confuse any timing predictions.</p>
|
||||||
|
|
||||||
<p>Using a <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/', 'CAPTCHA' ); ?> form could have a similar effect as a CSRF token.</p>
|
<p>Using a <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA', 'CAPTCHA' ); ?> form could have a similar effect as a CSRF token.</p>
|
||||||
|
|
||||||
<br />
|
<br />
|
||||||
|
|
||||||
|
@ -7,21 +7,22 @@ if( isset( $_GET[ 'Login' ] ) ) {
|
|||||||
// Sanitise username input
|
// Sanitise username input
|
||||||
$user = $_GET[ 'username' ];
|
$user = $_GET[ 'username' ];
|
||||||
$user = stripslashes( $user );
|
$user = stripslashes( $user );
|
||||||
$user = mysql_real_escape_string( $user );
|
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
|
||||||
// Sanitise password input
|
// Sanitise password input
|
||||||
$pass = $_GET[ 'password' ];
|
$pass = $_GET[ 'password' ];
|
||||||
$pass = stripslashes( $pass );
|
$pass = stripslashes( $pass );
|
||||||
$pass = mysql_real_escape_string( $pass );
|
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass = md5( $pass );
|
$pass = md5( $pass );
|
||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
if( $result && mysql_num_rows( $result ) == 1 ) {
|
if( $result && mysqli_num_rows( $result ) == 1 ) {
|
||||||
// Get users details
|
// Get users details
|
||||||
$avatar = mysql_result( $result, 0, "avatar" );
|
$row = mysqli_fetch_assoc( $result );
|
||||||
|
$avatar = $row["avatar"];
|
||||||
|
|
||||||
// Login successful
|
// Login successful
|
||||||
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
||||||
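Review bot: `mysqli_fetch_assoc()` is a cleaner replacement for `mysql_result( $result, 0, "avatar" )` and is safe here because it only runs under `mysqli_num_rows( $result ) == 1`. Readability point for this module: DVWA presents this source to learners to compare levels, and the converter-generated escape lines (with the `trigger_error("[MySQLConverterToo] ...")` fallback) now dwarf the logic being taught; a one-line helper in the core that takes the `$GLOBALS["___mysqli_ston"]` handle would keep `$user = mysqli_real_escape_string(...)` visible as the point of this level.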
@ -33,7 +34,7 @@ if( isset( $_GET[ 'Login' ] ) ) {
|
|||||||
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate Anti-CSRF token
|
// Generate Anti-CSRF token
|
||||||
|
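Review bot: the converted close statement `((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);` computes a value that is then discarded, and `mysqli_close()` returns a bool, never null, so the ternary is dead code; `mysqli_close( $GLOBALS["___mysqli_ston"] );` is equivalent. The same simplification applies to the other `mysqli_close` conversions in this patch.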
@ -1,18 +1,18 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
if( isset( $_POST[ 'Login' ] ) ) {
|
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
|
||||||
// Check Anti-CSRF token
|
// Check Anti-CSRF token
|
||||||
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
|
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
|
||||||
|
|
||||||
// Sanitise username input
|
// Sanitise username input
|
||||||
$user = $_POST[ 'username' ];
|
$user = $_POST[ 'username' ];
|
||||||
$user = stripslashes( $user );
|
$user = stripslashes( $user );
|
||||||
$user = mysql_real_escape_string( $user );
|
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
|
||||||
// Sanitise password input
|
// Sanitise password input
|
||||||
$pass = $_POST[ 'password' ];
|
$pass = $_POST[ 'password' ];
|
||||||
$pass = stripslashes( $pass );
|
$pass = stripslashes( $pass );
|
||||||
$pass = mysql_real_escape_string( $pass );
|
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass = md5( $pass );
|
$pass = md5( $pass );
|
||||||
|
|
||||||
// Default values
|
// Default values
|
||||||
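Review bot: this file binds `:user` through PDO later in the patch (`$data->bindParam( ':user', $user, PDO::PARAM_STR )`), yet `$user` and `$pass` are still run through `stripslashes()` and `mysqli_real_escape_string()` first; escaping a value that is then bound as a parameter double-escapes it, so a username containing a quote or backslash is looked up as `\'...` and never matches. For the impossible level, drop the escaping and hash the raw password, keeping only the added `isset()` guards, which are a good addition (missing fields are no longer notices).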
@ -32,14 +32,21 @@ if( isset( $_POST[ 'Login' ] ) ) {
|
|||||||
//$html .= "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
|
//$html .= "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
|
||||||
|
|
||||||
// Calculate when the user would be allowed to login again
|
// Calculate when the user would be allowed to login again
|
||||||
$last_login = $row[ 'last_login' ];
|
$last_login = strtotime( $row[ 'last_login' ] );
|
||||||
$last_login = strtotime( $last_login );
|
$timeout = $last_login + ($lockout_time * 60);
|
||||||
$timeout = strtotime( "{$last_login} +{$lockout_time} minutes" );
|
$timenow = time();
|
||||||
$timenow = strtotime( "now" );
|
|
||||||
|
/*
|
||||||
|
print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
|
||||||
|
print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
|
||||||
|
print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
|
||||||
|
*/
|
||||||
|
|
||||||
// Check to see if enough time has passed, if it hasn't locked the account
|
// Check to see if enough time has passed, if it hasn't locked the account
|
||||||
if( $timenow > $timeout )
|
if( $timenow < $timeout ) {
|
||||||
$account_locked = true;
|
$account_locked = true;
|
||||||
|
// print "The account is locked<br />";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check the database (if username matches the password)
|
// Check the database (if username matches the password)
|
||||||
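Review bot: the comparison flip from `if( $timenow > $timeout )` to `if( $timenow < $timeout )` is the real fix in this hunk: the old condition marked the account locked only after the lockout window had already passed, so the lockout never applied while it should have. Two follow-ups: the `/* print ... */` block and the `// print "The account is locked<br />"` line are debugging leftovers that should not ship in the 'impossible' reference source, and if `last_login` is NULL or unparsable, `strtotime()` returns `false`, `$timeout` becomes `$lockout_time * 60` seconds after the epoch, and the account silently fails open; acceptable for a first login, but worth a comment.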
@ -70,8 +77,7 @@ if( isset( $_POST[ 'Login' ] ) ) {
|
|||||||
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
|
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
|
||||||
$data->bindParam( ':user', $user, PDO::PARAM_STR );
|
$data->bindParam( ':user', $user, PDO::PARAM_STR );
|
||||||
$data->execute();
|
$data->execute();
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
// Login failed
|
// Login failed
|
||||||
sleep( rand( 2, 4 ) );
|
sleep( rand( 2, 4 ) );
|
||||||
|
|
||||||
|
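Review bot: `} else {` on one line departs from the `}` / `else {` layout used elsewhere in this patch (the security.php hunk and the other brute-force levels); pick one style per file. No behavioural change in this hunk.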
@ -10,11 +10,12 @@ if( isset( $_GET[ 'Login' ] ) ) {
|
|||||||
|
|
||||||
// Check the database
|
// Check the database
|
||||||
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
if( $result && mysql_num_rows( $result ) == 1 ) {
|
if( $result && mysqli_num_rows( $result ) == 1 ) {
|
||||||
// Get users details
|
// Get users details
|
||||||
$avatar = mysql_result( $result, 0, "avatar" );
|
$row = mysqli_fetch_assoc( $result );
|
||||||
|
$avatar = $row["avatar"];
|
||||||
|
|
||||||
// Login successful
|
// Login successful
|
||||||
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
||||||
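Review bot: in the `or die(...)` branch, the converted fallback `(($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)` yields `false`, which concatenates as an empty string, so when there is no connection handle the user sees an empty `<pre></pre>` instead of a message; since this level shows raw errors on purpose, at least substitute a fixed string such as 'no database connection' for the `false`. The `mysqli_fetch_assoc` change matches the other levels.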
@ -25,7 +26,7 @@ if( isset( $_GET[ 'Login' ] ) ) {
|
|||||||
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -3,20 +3,21 @@
|
|||||||
if( isset( $_GET[ 'Login' ] ) ) {
|
if( isset( $_GET[ 'Login' ] ) ) {
|
||||||
// Sanitise username input
|
// Sanitise username input
|
||||||
$user = $_GET[ 'username' ];
|
$user = $_GET[ 'username' ];
|
||||||
$user = mysql_real_escape_string( $user );
|
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
|
||||||
// Sanitise password input
|
// Sanitise password input
|
||||||
$pass = $_GET[ 'password' ];
|
$pass = $_GET[ 'password' ];
|
||||||
$pass = mysql_real_escape_string( $pass );
|
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass = md5( $pass );
|
$pass = md5( $pass );
|
||||||
|
|
||||||
// Check the database
|
// Check the database
|
||||||
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
if( $result && mysql_num_rows( $result ) == 1 ) {
|
if( $result && mysqli_num_rows( $result ) == 1 ) {
|
||||||
// Get users details
|
// Get users details
|
||||||
$avatar = mysql_result( $result, 0, "avatar" );
|
$row = mysqli_fetch_assoc( $result );
|
||||||
|
$avatar = $row["avatar"];
|
||||||
|
|
||||||
// Login successful
|
// Login successful
|
||||||
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
$html .= "<p>Welcome to the password protected area {$user}</p>";
|
||||||
@ -28,7 +29,7 @@ if( isset( $_GET[ 'Login' ] ) ) {
|
|||||||
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
$html .= "<pre><br />Username and/or password incorrect.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
<tr>
|
<tr>
|
||||||
<td><div id="code">
|
<td><div id="code">
|
||||||
<h3>About</h3>
|
<h3>About</h3>
|
||||||
<p>A <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/', 'CAPTCHA' ); ?> is a program that can tell whether its user is a human or a computer. You've probably seen
|
<p>A <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA', 'CAPTCHA' ); ?> is a program that can tell whether its user is a human or a computer. You've probably seen
|
||||||
them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from
|
them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from
|
||||||
"bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots
|
"bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots
|
||||||
cannot navigate sites protected by CAPTCHAs.</p>
|
cannot navigate sites protected by CAPTCHAs.</p>
|
||||||
@ -58,5 +58,5 @@
|
|||||||
|
|
||||||
<br />
|
<br />
|
||||||
|
|
||||||
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/' ); ?></p>
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ); ?></p>
|
||||||
</div>
|
</div>
|
||||||
|
@ -36,8 +36,8 @@ require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/captcha/source/{$vulnerabi
|
|||||||
// Check if we have a reCAPTCHA key
|
// Check if we have a reCAPTCHA key
|
||||||
$WarningHtml = '';
|
$WarningHtml = '';
|
||||||
if( $_DVWA[ 'recaptcha_public_key' ] == "" ) {
|
if( $_DVWA[ 'recaptcha_public_key' ] == "" ) {
|
||||||
$WarningHtml = "<div class=\"warning\"><em>reCAPTCHA API key missing</em> from config file: " . realpath( dirname( dirname( getcwd() ) ) . "/config/config.inc.php" ) . "</div>";
|
$WarningHtml = "<div class=\"warning\"><em>reCAPTCHA API key missing</em> from config file: " . realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "</div>";
|
||||||
$html = "<em>Please register for a key</em> from reCAPTCHA: " . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create');
|
$html = "<em>Please register for a key</em> from reCAPTCHA: " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/admin/create' );
|
||||||
$hide_form = true;
|
$hide_form = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
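Review bot: same `realpath()` caveat as the setup page hunk: `realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config" ... )` returns `false` when `config.inc.php` is absent, and the warning then names no file; compute the expected path without calling `realpath()` on the file itself, or fall back to the unresolved string when it returns `false`. Building the config path in two places (here and in setup.php) also argues for one helper in the core.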
@ -87,7 +87,7 @@ $page[ 'body' ] .= "
|
|||||||
|
|
||||||
<h2>More Information</h2>
|
<h2>More Information</h2>
|
||||||
<ul>
|
<ul>
|
||||||
<li>" . dvwaExternalLinkUrlGet( 'http://www.captcha.net/' ) . "</li>
|
<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ) . "</li>
|
||||||
<li>" . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . "</li>
|
<li>" . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . "</li>
|
||||||
<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)' ) . "</li>
|
<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)' ) . "</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
@ -9,39 +9,44 @@ if( isset( $_POST[ 'Change' ] ) ) {
|
|||||||
$pass_conf = $_POST[ 'password_conf' ];
|
$pass_conf = $_POST[ 'password_conf' ];
|
||||||
|
|
||||||
// Check CAPTCHA from 3rd party
|
// Check CAPTCHA from 3rd party
|
||||||
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
|
$resp = recaptcha_check_answer(
|
||||||
$_SERVER[ 'REMOTE_ADDR' ],
|
$_DVWA[ 'recaptcha_private_key' ],
|
||||||
$_POST[ 'recaptcha_challenge_field' ],
|
$_POST['g-recaptcha-response']
|
||||||
$_POST[ 'recaptcha_response_field' ] );
|
);
|
||||||
|
|
||||||
// Did the CAPTCHA fail?
|
if (
|
||||||
if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) {
|
$resp ||
|
||||||
|
(
|
||||||
|
$_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
|
||||||
|
&& $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
|
||||||
|
)
|
||||||
|
){
|
||||||
|
// CAPTCHA was correct. Do both new passwords match?
|
||||||
|
if ($pass_new == $pass_conf) {
|
||||||
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
|
// Update database
|
||||||
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
|
||||||
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
|
// Feedback for user
|
||||||
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
|
|
||||||
|
} else {
|
||||||
|
// Ops. Password mismatch
|
||||||
|
$html .= "<pre>Both passwords must match.</pre>";
|
||||||
|
$hide_form = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
// What happens when the CAPTCHA was entered incorrectly
|
// What happens when the CAPTCHA was entered incorrectly
|
||||||
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
// CAPTCHA was correct. Do both new passwords match?
|
|
||||||
if( $pass_new == $pass_conf ) {
|
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
|
||||||
$pass_new = md5( $pass_new );
|
|
||||||
|
|
||||||
// Update database
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
|
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
|
||||||
|
|
||||||
// Feedback for user
|
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
// Ops. Password mismatch
|
|
||||||
$html .= "<pre>Both passwords must match.</pre>";
|
|
||||||
$hide_form = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
mysql_close();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate Anti-CSRF token
|
// Generate Anti-CSRF token
|
||||||
|
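Review bot: the new success test `$resp || ( ... )` treats any truthy `$resp` as a solved CAPTCHA, so it is correct only if the rewritten two-argument `recaptcha_check_answer()` now returns a plain bool; the old code checked `$resp->is_valid`, and an object return would always pass. Also `$_POST['g-recaptcha-response']` is read twice without `isset()`, which is a notice when the field is missing. The `hidd3n_valu3` / `reCAPTCHA` user-agent branch mirrors the old `!=` / `||` condition, so the low level's intended behaviour is preserved. Nit: `// Ops.` should be `// Oops.`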
@ -10,27 +10,27 @@ if( isset( $_POST[ 'Change' ] ) ) {
|
|||||||
// Get input
|
// Get input
|
||||||
$pass_new = $_POST[ 'password_new' ];
|
$pass_new = $_POST[ 'password_new' ];
|
||||||
$pass_new = stripslashes( $pass_new );
|
$pass_new = stripslashes( $pass_new );
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
$pass_conf = $_POST[ 'password_conf' ];
|
$pass_conf = $_POST[ 'password_conf' ];
|
||||||
$pass_conf = stripslashes( $pass_conf );
|
$pass_conf = stripslashes( $pass_conf );
|
||||||
$pass_conf = mysql_real_escape_string( $pass_conf );
|
$pass_conf = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_conf ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_conf = md5( $pass_conf );
|
$pass_conf = md5( $pass_conf );
|
||||||
|
|
||||||
$pass_curr = $_POST[ 'password_current' ];
|
$pass_curr = $_POST[ 'password_current' ];
|
||||||
$pass_curr = stripslashes( $pass_curr );
|
$pass_curr = stripslashes( $pass_curr );
|
||||||
$pass_curr = mysql_real_escape_string( $pass_curr );
|
$pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_curr = md5( $pass_curr );
|
$pass_curr = md5( $pass_curr );
|
||||||
|
|
||||||
// Check CAPTCHA from 3rd party
|
// Check CAPTCHA from 3rd party
|
||||||
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
|
$resp = recaptcha_check_answer(
|
||||||
$_SERVER[ 'REMOTE_ADDR' ],
|
$_DVWA[ 'recaptcha_private_key' ],
|
||||||
$_POST[ 'recaptcha_challenge_field' ],
|
$_POST['g-recaptcha-response']
|
||||||
$_POST[ 'recaptcha_response_field' ] );
|
);
|
||||||
|
|
||||||
// Did the CAPTCHA fail?
|
// Did the CAPTCHA fail?
|
||||||
if( !$resp->is_valid ) {
|
if( !$resp ) {
|
||||||
// What happens when the CAPTCHA was entered incorrectly
|
// What happens when the CAPTCHA was entered incorrectly
|
||||||
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
|
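Review bot: `$pass_new`, `$pass_conf` and `$pass_curr` are each escaped with `mysqli_real_escape_string()` before `md5()`, so the stored hash is of the escaped string, not of the password; this is consistent with the login hunk in this patch (which also escapes and then hashes), so nothing breaks here, but the escaping is unnecessary once the value is hashed (an md5 hex digest contains nothing to escape) and it ties the hash to the connection's escaping rules. Worth fixing together with login.php in a follow-up rather than in this conversion. `if( !$resp )` matches the bool return assumed in the low-level hunk.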
@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
|
|||||||
$pass_conf = $_POST[ 'password_conf' ];
|
$pass_conf = $_POST[ 'password_conf' ];
|
||||||
|
|
||||||
// Check CAPTCHA from 3rd party
|
// Check CAPTCHA from 3rd party
|
||||||
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
|
$resp = recaptcha_check_answer(
|
||||||
$_SERVER[ 'REMOTE_ADDR' ],
|
$_DVWA[ 'recaptcha_private_key'],
|
||||||
$_POST[ 'recaptcha_challenge_field' ],
|
$_POST['g-recaptcha-response']
|
||||||
$_POST[ 'recaptcha_response_field' ] );
|
);
|
||||||
|
|
||||||
// Did the CAPTCHA fail?
|
// Did the CAPTCHA fail?
|
||||||
if( !$resp->is_valid ) {
|
if( !$resp ) {
|
||||||
// What happens when the CAPTCHA was entered incorrectly
|
// What happens when the CAPTCHA was entered incorrectly
|
||||||
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
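Review bot: same `recaptcha_check_answer` signature change as the hunk above: the two-argument call and `if( !$resp )` rely on the helper returning `false` on failure. A short comment at the call stating the expected return type would document that dependency for the step 1 and step 2 handlers alike.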
@ -53,12 +53,12 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
|
|||||||
// Check to see if both password match
|
// Check to see if both password match
|
||||||
if( $pass_new == $pass_conf ) {
|
if( $pass_new == $pass_conf ) {
|
||||||
// They do!
|
// They do!
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update database
|
// Update database
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Feedback for the end user
|
// Feedback for the end user
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
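Review bot: the `UPDATE \`users\` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';` statement is still built by concatenation; `$pass_new` is md5-hashed on the line before, which makes the escape above it redundant (hex output contains no quoting characters), while `dvwaCurrentUser()` is interpolated without any escaping. The converted `or die( '<pre>' . mysqli_error(...) . '</pre>' )` also prints raw database errors to the page. Unless this level is meant to keep that behaviour, a prepared statement and a generic error message would be the expected form here.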
@ -69,7 +69,7 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
|
|||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
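Review bot: `((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);` is converter noise: `mysqli_close()` returns a bool and never null, and the result is discarded anyway. A bare `mysqli_close($GLOBALS["___mysqli_ston"]);` is equivalent and readable.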
@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
|
|||||||
$pass_conf = $_POST[ 'password_conf' ];
|
$pass_conf = $_POST[ 'password_conf' ];
|
||||||
|
|
||||||
// Check CAPTCHA from 3rd party
|
// Check CAPTCHA from 3rd party
|
||||||
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
|
$resp = recaptcha_check_answer(
|
||||||
$_SERVER[ 'REMOTE_ADDR' ],
|
$_DVWA[ 'recaptcha_private_key' ],
|
||||||
$_POST[ 'recaptcha_challenge_field' ],
|
$_POST['g-recaptcha-response']
|
||||||
$_POST[ 'recaptcha_response_field' ] );
|
);
|
||||||
|
|
||||||
// Did the CAPTCHA fail?
|
// Did the CAPTCHA fail?
|
||||||
if( !$resp->is_valid ) {
|
if( !$resp ) {
|
||||||
// What happens when the CAPTCHA was entered incorrectly
|
// What happens when the CAPTCHA was entered incorrectly
|
||||||
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
|
||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
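Review bot: the `recaptcha_check_answer` argument change and the `!$resp` test in this file carry the same dependency on a boolean return as the CAPTCHA hunks above; confirm the helper's return type before relying on the failure branch.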
@ -61,12 +61,12 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
|
|||||||
// Check to see if both password match
|
// Check to see if both password match
|
||||||
if( $pass_new == $pass_conf ) {
|
if( $pass_new == $pass_conf ) {
|
||||||
// They do!
|
// They do!
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update database
|
// Update database
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Feedback for the end user
|
// Feedback for the end user
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
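Review bot: as in the earlier step 2 hunk, the mysqli escape on `$pass_new` is made redundant by the `md5()` that follows it, and the `or die( ... mysqli_error ... )` leaks raw database errors into the response; a generic error message is preferable unless the level depends on it.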
@ -77,7 +77,7 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
|
|||||||
$hide_form = false;
|
$hide_form = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
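Review bot: the `mysqli_close` shim here has the same redundant `is_null` wrapper as above; `mysqli_close($GLOBALS["___mysqli_ston"]);` on its own is sufficient.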
52
dvwa/vulnerabilities/csp/help/help.php
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
<div class="body_padded">
|
||||||
|
<h1>Help - Content Security Policy (CSP) Bypass</h1>
|
||||||
|
|
||||||
|
<div id="code">
|
||||||
|
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
|
||||||
|
<tr>
|
||||||
|
<td><div id="code">
|
||||||
|
<h3>About</h3>
|
||||||
|
<p>Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers.</p>
|
||||||
|
<p>None of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented.</p>
|
||||||
|
|
||||||
|
<br /><hr /><br />
|
||||||
|
|
||||||
|
<h3>Objective</h3>
|
||||||
|
<p>Bypass Content Security Policy (CSP) and execute JavaScript in the page.</p>
|
||||||
|
|
||||||
|
<br /><hr /><br />
|
||||||
|
|
||||||
|
<h3>Low Level</h3>
|
||||||
|
<p>Examine the policy to find all the sources that can be used to host external script files.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">Scripts can be included from Pastebin, try storing some JavaScript on there and then loading it in.</span></pre>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<h3>Medium Level</h3>
|
||||||
|
<p>The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">Examine the nonce and see how it varies (or doesn't).</span></pre>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<h3>High Level</h3>
|
||||||
|
<p>The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead</span></pre>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<h3>Impossible Level</h3>
|
||||||
|
<p>
|
||||||
|
This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts.
|
||||||
|
</p>
|
||||||
|
</div></td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ); ?></p>
|
||||||
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src"); ?></p>
|
||||||
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ); ?></p>
|
||||||
|
</div>
|
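Review bot: `<div id="code">` appears twice in this file, once as the outer wrapper and once inside `<td><div id="code">`, so the id is duplicated in the DOM; give the inner element a class or a distinct id. The 'Medium Level' paragraph also says 'The CSP policy', which expands to 'Content Security Policy policy'; 'The policy' or 'The CSP' reads better, and the 'High Level' spoiler is the only one without a closing full stop.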
57
dvwa/vulnerabilities/csp/index.php
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
|
||||||
|
|
||||||
|
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
|
||||||
|
|
||||||
|
$page = dvwaPageNewGrab();
|
||||||
|
$page[ 'title' ] = 'Vulnerability: Content Security Policy (CSP) Bypass' . $page[ 'title_separator' ].$page[ 'title' ];
|
||||||
|
$page[ 'page_id' ] = 'csp';
|
||||||
|
$page[ 'help_button' ] = 'csp';
|
||||||
|
$page[ 'source_button' ] = 'csp';
|
||||||
|
|
||||||
|
dvwaDatabaseConnect();
|
||||||
|
|
||||||
|
$vulnerabilityFile = '';
|
||||||
|
switch( $_COOKIE[ 'security' ] ) {
|
||||||
|
case 'low':
|
||||||
|
$vulnerabilityFile = 'low.php';
|
||||||
|
break;
|
||||||
|
case 'medium':
|
||||||
|
$vulnerabilityFile = 'medium.php';
|
||||||
|
break;
|
||||||
|
case 'high':
|
||||||
|
$vulnerabilityFile = 'high.php';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$vulnerabilityFile = 'impossible.php';
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$page[ 'body' ] = <<<EOF
|
||||||
|
<div class="body_padded">
|
||||||
|
<h1>Vulnerability: Content Security Policy (CSP) Bypass</h1>
|
||||||
|
|
||||||
|
<div class="vulnerable_code_area">
|
||||||
|
EOF;
|
||||||
|
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csp/source/{$vulnerabilityFile}";
|
||||||
|
|
||||||
|
$page[ 'body' ] .= <<<EOF
|
||||||
|
</div>
|
||||||
|
EOF;
|
||||||
|
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
<h2>More Information</h2>
|
||||||
|
<ul>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . "</li>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . "</li>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . "</li>
|
||||||
|
</ul>
|
||||||
|
<p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p>
|
||||||
|
</div>\n";
|
||||||
|
|
||||||
|
dvwaHtmlEcho( $page );
|
||||||
|
|
||||||
|
?>
|
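Review bot: `dvwaDatabaseConnect()` is called although nothing in this module or in the `source/*.php` levels it includes touches the database, so the connection is opened for no purpose; drop it unless the shared page template requires it. The 'More Information' list also repeats the three reference links from `help/help.php`; keeping them in one place stops the two copies drifting apart.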
19
dvwa/vulnerabilities/csp/source/high.js
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
function clickButton() {
|
||||||
|
var s = document.createElement("script");
|
||||||
|
s.src = "source/jsonp.php?callback=solveSum";
|
||||||
|
document.body.appendChild(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
function solveSum(obj) {
|
||||||
|
if ("answer" in obj) {
|
||||||
|
document.getElementById("answer").innerHTML = obj['answer'];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var solve_button = document.getElementById ("solve");
|
||||||
|
|
||||||
|
if (solve_button) {
|
||||||
|
solve_button.addEventListener("click", function() {
|
||||||
|
clickButton();
|
||||||
|
});
|
||||||
|
}
|
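Review bot: `document.getElementById("answer").innerHTML = obj['answer'];` writes a value taken from the JSONP response into the DOM as HTML. `textContent` is the right sink for a plain number and keeps the level's intended weakness (the callback name) from being joined by an unintended one (HTML injection through the answer value). `document.getElementById ("solve")` also has a stray space before the parenthesis.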
22
dvwa/vulnerabilities/csp/source/high.php
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
<?php
|
||||||
|
$headerCSP = "Content-Security-Policy: script-src 'self';";
|
||||||
|
|
||||||
|
header($headerCSP);
|
||||||
|
|
||||||
|
?>
|
||||||
|
<?php
|
||||||
|
if (isset ($_POST['include'])) {
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
" . $_POST['include'] . "
|
||||||
|
";
|
||||||
|
}
|
||||||
|
$page[ 'body' ] .= '
|
||||||
|
<form name="csp" method="POST">
|
||||||
|
<p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
|
||||||
|
<p>1+2+3+4+5=<span id="answer"></span></p>
|
||||||
|
<input type="button" id="solve" value="Solve the sum" />
|
||||||
|
</form>
|
||||||
|
|
||||||
|
<script src="source/high.js"></script>
|
||||||
|
';
|
||||||
|
|
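Review bot: the `if (isset ($_POST['include']))` block reflects raw POST data into the page body, but the form in this file has no `include` field; it is a leftover from `medium.php` and gives this level an injection path that the help text never describes. Remove it so the JSONP callback is the only intended route. The description paragraph also concatenates `DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php'`, which yields a double slash since the constant already ends in `/`.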
19
dvwa/vulnerabilities/csp/source/impossible.js
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
function clickButton() {
|
||||||
|
var s = document.createElement("script");
|
||||||
|
s.src = "source/jsonp_impossible.php";
|
||||||
|
document.body.appendChild(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
function solveSum(obj) {
|
||||||
|
if ("answer" in obj) {
|
||||||
|
document.getElementById("answer").innerHTML = obj['answer'];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var solve_button = document.getElementById ("solve");
|
||||||
|
|
||||||
|
if (solve_button) {
|
||||||
|
solve_button.addEventListener("click", function() {
|
||||||
|
clickButton();
|
||||||
|
});
|
||||||
|
}
|
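Review bot: this file is identical to `high.js` apart from the `s.src` URL, so the `innerHTML` remark from that file applies here as well, and matters more for the impossible level, where the response is supposed to be trusted only because the server hardcodes it. A single shared script taking the endpoint as a parameter, or at least `textContent` for the answer, would be the cleaner form.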
23
dvwa/vulnerabilities/csp/source/impossible.php
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$headerCSP = "Content-Security-Policy: script-src 'self';";
|
||||||
|
|
||||||
|
header($headerCSP);
|
||||||
|
|
||||||
|
?>
|
||||||
|
<?php
|
||||||
|
if (isset ($_POST['include'])) {
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
" . $_POST['include'] . "
|
||||||
|
";
|
||||||
|
}
|
||||||
|
$page[ 'body' ] .= '
|
||||||
|
<form name="csp" method="POST">
|
||||||
|
<p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
|
||||||
|
<p>1+2+3+4+5=<span id="answer"></span></p>
|
||||||
|
<input type="button" id="solve" value="Solve the sum" />
|
||||||
|
</form>
|
||||||
|
|
||||||
|
<script src="source/impossible.js"></script>
|
||||||
|
';
|
||||||
|
|
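Review bot: the `if (isset ($_POST['include']))` block that echoes `$_POST['include']` unescaped into the body should not be in the impossible level: the form has no such field, and `script-src 'self'` blocks inline script execution but does nothing against injection of arbitrary HTML. With the block removed the file matches its own description of allowing only local external JavaScript.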
13
dvwa/vulnerabilities/csp/source/jsonp.php
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
<?php
|
||||||
|
header("Content-Type: application/json; charset=UTF-8");
|
||||||
|
|
||||||
|
if (array_key_exists ("callback", $_GET)) {
|
||||||
|
$callback = $_GET['callback'];
|
||||||
|
} else {
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
|
$outp = array ("answer" => "15");
|
||||||
|
|
||||||
|
echo $callback . "(".json_encode($outp).")";
|
||||||
|
?>
|
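Review bot: the body written by `echo $callback . "(".json_encode($outp).")";` is JavaScript, yet the header sent is `Content-Type: application/json`; `application/javascript` describes what the browser is asked to execute. The `return "";` in the `else` branch ends the script with a 200 and an empty body, which `exit;` would express more clearly. Echoing `$_GET['callback']` unvalidated is the intended weakness of the high level according to the help text, so a comment saying so would prevent a later cleanup from removing it by accident.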
7
dvwa/vulnerabilities/csp/source/jsonp_impossible.php
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
<?php
|
||||||
|
header("Content-Type: application/json; charset=UTF-8");
|
||||||
|
|
||||||
|
$outp = array ("answer" => "15");
|
||||||
|
|
||||||
|
echo "solveSum (".json_encode($outp).")";
|
||||||
|
?>
|
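Review bot: same Content-Type mismatch as `jsonp.php`: the body `solveSum ({...})` is JavaScript, not JSON. Since the callback is hardcoded, this endpoint no longer needs the JSONP shape at all; returning plain JSON and fetching it with XMLHttpRequest from `impossible.js` would still satisfy `script-src 'self'` and remove the remaining execute-data-as-script path.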
22
dvwa/vulnerabilities/csp/source/low.php
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
|
||||||
|
|
||||||
|
header($headerCSP);
|
||||||
|
|
||||||
|
# https://pastebin.com/raw/R570EE00
|
||||||
|
|
||||||
|
?>
|
||||||
|
<?php
|
||||||
|
if (isset ($_POST['include'])) {
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
<script src='" . $_POST['include'] . "'></script>
|
||||||
|
";
|
||||||
|
}
|
||||||
|
$page[ 'body' ] .= '
|
||||||
|
<form name="csp" method="POST">
|
||||||
|
<p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
|
||||||
|
<input size="50" type="text" name="include" value="" id="include" />
|
||||||
|
<input type="submit" value="Include" />
|
||||||
|
</form>
|
||||||
|
';
|
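Review bot: the trailing comment on the `$headerCSP` line says the policy 'allows js from self, pastebin.com, jquery and google analytics', but the directive also lists `example.com`; either drop that source or update the comment so the two agree. The `# https://pastebin.com/raw/R570EE00` line is a solution hint that the View Source button will display; if that is intended, a comment saying so would make it clear.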
25
dvwa/vulnerabilities/csp/source/medium.php
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
|
||||||
|
|
||||||
|
header($headerCSP);
|
||||||
|
|
||||||
|
// Disable XSS protections so that inline alert boxes will work
|
||||||
|
header ("X-XSS-Protection: 0");
|
||||||
|
|
||||||
|
# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
|
||||||
|
|
||||||
|
?>
|
||||||
|
<?php
|
||||||
|
if (isset ($_POST['include'])) {
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
" . $_POST['include'] . "
|
||||||
|
";
|
||||||
|
}
|
||||||
|
$page[ 'body' ] .= '
|
||||||
|
<form name="csp" method="POST">
|
||||||
|
<p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
|
||||||
|
<input size="50" type="text" name="include" value="" id="include" />
|
||||||
|
<input type="submit" value="Include" />
|
||||||
|
</form>
|
||||||
|
';
|
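Review bot: the policy combines `'unsafe-inline'` with a `'nonce-...'` source, and browsers that understand nonces ignore `'unsafe-inline'` when one is present, so the fixed nonce `TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=` is the actual bypass for this level; a comment on the header line stating that would document the intended weakness. The `# <script nonce="...">alert(1)</script>` line is a complete solution visible through View Source, the same situation as the Pastebin hint in `low.php`.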
@ -11,12 +11,12 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
// Do the passwords match?
|
// Do the passwords match?
|
||||||
if( $pass_new == $pass_conf ) {
|
if( $pass_new == $pass_conf ) {
|
||||||
// They do!
|
// They do!
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update the database
|
// Update the database
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Feedback for the user
|
// Feedback for the user
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
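Review bot: in the `UPDATE \`users\`` statement the escaped-then-hashed `$pass_new` is safe by virtue of the hex output, so the mysqli escape shim adds nothing but its fatal `trigger_error` path; the converted `or die( '<pre>' . mysqli_error(...) . '</pre>' )` still prints raw database errors to the page, which a generic message would avoid unless the level depends on it.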
@ -26,7 +26,7 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
$html .= "<pre>Passwords did not match.</pre>";
|
$html .= "<pre>Passwords did not match.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate Anti-CSRF token
|
// Generate Anti-CSRF token
|
||||||
|
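Review bot: `mysqli_close()` returns a bool, so the `is_null(...) ? false : $___mysqli_res` wrapper on the close line can be reduced to `mysqli_close($GLOBALS["___mysqli_ston"]);`.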
@ -11,7 +11,7 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
|
|
||||||
// Sanitise current password input
|
// Sanitise current password input
|
||||||
$pass_curr = stripslashes( $pass_curr );
|
$pass_curr = stripslashes( $pass_curr );
|
||||||
$pass_curr = mysql_real_escape_string( $pass_curr );
|
$pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_curr = md5( $pass_curr );
|
$pass_curr = md5( $pass_curr );
|
||||||
|
|
||||||
// Check that the current password is correct
|
// Check that the current password is correct
|
||||||
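Review bot: `$pass_curr` goes through `stripslashes`, the mysqli escape shim and then `md5`; only the hash reaches the query, so the escape has no effect on the SQL and the shim's fatal `trigger_error` is the only behaviour it adds. The `$data->rowCount()` check in the next hunk indicates the query is a PDO prepared statement, in which case the escape should be dropped and the binding left to do the work.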
@ -24,7 +24,7 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
|
if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
|
||||||
// It does!
|
// It does!
|
||||||
$pass_new = stripslashes( $pass_new );
|
$pass_new = stripslashes( $pass_new );
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update database with new password
|
// Update database with new password
|
||||||
|
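Review bot: same point as the previous hunk: `$pass_new` is escaped with the mysqli shim and then hashed before being used alongside what `$data->rowCount()` shows is a PDO statement; mixing a mysqli escape into PDO code is redundant, and the shim fatals if `$GLOBALS["___mysqli_ston"]` is not set.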
@ -8,12 +8,12 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
// Do the passwords match?
|
// Do the passwords match?
|
||||||
if( $pass_new == $pass_conf ) {
|
if( $pass_new == $pass_conf ) {
|
||||||
// They do!
|
// They do!
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update the database
|
// Update the database
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Feedback for the user
|
// Feedback for the user
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
@ -23,7 +23,7 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
$html .= "<pre>Passwords did not match.</pre>";
|
$html .= "<pre>Passwords did not match.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
if( isset( $_GET[ 'Change' ] ) ) {
|
if( isset( $_GET[ 'Change' ] ) ) {
|
||||||
// Checks to see where the request came from
|
// Checks to see where the request came from
|
||||||
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) {
|
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
|
||||||
// Get input
|
// Get input
|
||||||
$pass_new = $_GET[ 'password_new' ];
|
$pass_new = $_GET[ 'password_new' ];
|
||||||
$pass_conf = $_GET[ 'password_conf' ];
|
$pass_conf = $_GET[ 'password_conf' ];
|
||||||
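Review bot: `stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false` reads `HTTP_REFERER` without checking it exists, so a request without a Referer header raises an undefined-index notice before falling into the else branch; guard it with `isset()` or `array_key_exists()` as this change already does for `HTTP_X_FORWARDED_FOR`. The substring test matches the old `eregi` behaviour (server name anywhere in the referrer), which is the intended weak check for this level, so a comment noting the equivalence would help since `eregi` is gone in PHP 7. The stray space before the comma is a style nit.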
@ -10,12 +10,12 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
// Do the passwords match?
|
// Do the passwords match?
|
||||||
if( $pass_new == $pass_conf ) {
|
if( $pass_new == $pass_conf ) {
|
||||||
// They do!
|
// They do!
|
||||||
$pass_new = mysql_real_escape_string( $pass_new );
|
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
$pass_new = md5( $pass_new );
|
$pass_new = md5( $pass_new );
|
||||||
|
|
||||||
// Update the database
|
// Update the database
|
||||||
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
|
||||||
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Feedback for the user
|
// Feedback for the user
|
||||||
$html .= "<pre>Password Changed.</pre>";
|
$html .= "<pre>Password Changed.</pre>";
|
||||||
@ -30,7 +30,7 @@ if( isset( $_GET[ 'Change' ] ) ) {
|
|||||||
$html .= "<pre>That request didn't look correct.</pre>";
|
$html .= "<pre>That request didn't look correct.</pre>";
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -7,15 +7,16 @@ $page[ 'body' ] .= "
|
|||||||
<h3>File 3</h3>
|
<h3>File 3</h3>
|
||||||
<hr />
|
<hr />
|
||||||
Welcome back <em>" . dvwaCurrentUser() . "</em><br />
|
Welcome back <em>" . dvwaCurrentUser() . "</em><br />
|
||||||
Your IP address is: <em>";
|
Your IP address is: <em>{$_SERVER[ 'REMOTE_ADDR' ]}</em><br />";
|
||||||
if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER ))
|
if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) {
|
||||||
$page[ 'body' ] .= $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
|
$page[ 'body' ] .= "Forwarded for: <em>" . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
|
||||||
else
|
$page[ 'body' ] .= "</em><br />";
|
||||||
$page[ 'body' ] .= "**Missing Header**";
|
}
|
||||||
$page[ 'body' ] .= "</em><br />
|
$page[ 'body' ] .= "Your user-agent address is: <em>{$_SERVER[ 'HTTP_USER_AGENT' ]}</em><br />";
|
||||||
Your user-agent address is: <em>{$_SERVER[ 'HTTP_USER_AGENT' ]}</em><br />
|
if( array_key_exists( 'HTTP_REFERER', $_SERVER )) {
|
||||||
You came form: <em>{$_SERVER[ 'HTTP_REFERER' ]}</em><br />
|
$page[ 'body' ] .= "You came from: <em>{$_SERVER[ 'HTTP_REFERER' ]}</em><br />";
|
||||||
I'm hosted at: <em>{$_SERVER[ 'HTTP_HOST' ]}</em><br /><br />
|
}
|
||||||
|
$page[ 'body' ] .= "I'm hosted at: <em>{$_SERVER[ 'HTTP_HOST' ]}</em><br /><br />
|
||||||
[<em><a href=\"?page=include.php\">back</a></em>]
|
[<em><a href=\"?page=include.php\">back</a></em>]
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
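Review bot: the new lines write `HTTP_X_FORWARDED_FOR`, `HTTP_USER_AGENT` and `HTTP_REFERER` straight into `$page['body']` without `htmlspecialchars()`, so each of these client-controlled headers becomes a reflected HTML injection point; if that is not the purpose of this file inclusion target, escape them. `HTTP_USER_AGENT` is also read without the `array_key_exists` guard applied to the other two headers, so a request lacking a User-Agent produces a notice. The 'You came form' to 'from' fix is correct.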
@ -20,7 +20,7 @@
|
|||||||
<br /><hr /><br />
|
<br /><hr /><br />
|
||||||
|
|
||||||
<h3>Objective</h3>
|
<h3>Objective</h3>
|
||||||
<p>Read all five famous quotes from '<a href="../hackable/flags/fi.php">../hackable/flags/fi.php</a>' using only the file inclusion.</p>
|
<p>Read all <u>five</u> famous quotes from '<a href="../hackable/flags/fi.php">../hackable/flags/fi.php</a>' using only the file inclusion.</p>
|
||||||
|
|
||||||
<br /><hr /><br />
|
<br /><hr /><br />
|
||||||
|
|
||||||
|
52
dvwa/vulnerabilities/javascript/help/help.php
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
<div class="body_padded">
|
||||||
|
<h1>Help - Client Side JavaScript</h1>
|
||||||
|
|
||||||
|
<div id="code" style="padding: 3px; border: 2px #C0C0C0 solid;>">
|
||||||
|
<h3>About</h3>
|
||||||
|
<p>The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.</p>
|
||||||
|
|
||||||
|
<hr />
|
||||||
|
|
||||||
|
<h3>Objective</h3>
|
||||||
|
<p>Simply submit the phrase "success" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.</p>
|
||||||
|
|
||||||
|
<hr />
|
||||||
|
<h3>Low Level</h3>
|
||||||
|
<p>All the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">Change the phrase to success and then use the function generate_token() to update the token.</span></pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>Medium Level</h3>
|
||||||
|
<p>
|
||||||
|
The JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way.
|
||||||
|
</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">The file uses the setTimeout function to run the do_elsesomething function which generates the token.</span></pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>High Level</h3>
|
||||||
|
<p>
|
||||||
|
The JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission.
|
||||||
|
</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">If it helps, two packers have been used, the first is from <a href="https://www.danstools.com/javascript-obfuscate/index.php">Dan's Tools</a> and the second is the <a href="https://javascriptobfuscator.herokuapp.com/">JavaScript Obfuscator Tool</a>.</span></pre>
|
||||||
|
<pre>Spoiler 2: <span class="spoiler">This deobfuscation tool seems to work the best on this code <a href="http://deobfuscatejavascript.com/">deobfuscate javascript</a>.</span></pre>
|
||||||
|
<pre>Spoiler 3: <span class="spoiler">This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.</pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>Impossible Level</h3>
|
||||||
|
<p>You can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.</p>
|
||||||
|
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<p>Reference:</p>
|
||||||
|
<ul>
|
||||||
|
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=8UqHCrGdxOM' )?></li>
|
||||||
|
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' )?></li>
|
||||||
|
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' )?></li>
|
||||||
|
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/playlist?list=PLC9K7uaDMdAUNktlDTxsmj6rJBf4Q9TR5' )?></li>
|
||||||
|
</ul>
|
||||||
|
</div>
|
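Review bot: `<div id="code" style="padding: 3px; border: 2px #C0C0C0 solid;>">` has a stray `>` inside the style value, so the attribute ends with `solid;>` and an extra `>` is rendered as text. In 'Spoiler 3' the `<span class="spoiler">` is never closed before `</pre>`, so the spoiler styling leaks into the rest of the div; add `</span>`. The objective paragraph also runs two sentences together after 'easy,'; a full stop or semicolon there would read better.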
123
dvwa/vulnerabilities/javascript/index.php
Normal file
@ -0,0 +1,123 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
|
||||||
|
|
||||||
|
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
|
||||||
|
|
||||||
|
$page = dvwaPageNewGrab();
|
||||||
|
$page[ 'title' ] = 'Vulnerability: JavaScript Attacks' . $page[ 'title_separator' ].$page[ 'title' ];
|
||||||
|
$page[ 'page_id' ] = 'javascript';
|
||||||
|
$page[ 'help_button' ] = 'javascript';
|
||||||
|
$page[ 'source_button' ] = 'javascript';
|
||||||
|
|
||||||
|
dvwaDatabaseConnect();
|
||||||
|
|
||||||
|
$vulnerabilityFile = '';
|
||||||
|
switch( $_COOKIE[ 'security' ] ) {
|
||||||
|
case 'low':
|
||||||
|
$vulnerabilityFile = 'low.php';
break;
case 'medium':
$vulnerabilityFile = 'medium.php';
break;
case 'high':
$vulnerabilityFile = 'high.php';
break;
default:
$vulnerabilityFile = 'impossible.php';
break;
}
$message = "";
// Check whwat was sent in to see if it was what was expected
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (array_key_exists ("phrase", $_POST) && array_key_exists ("token", $_POST)) {
$phrase = $_POST['phrase'];
$token = $_POST['token'];
if ($phrase == "success") {
switch( $_COOKIE[ 'security' ] ) {
case 'low':
if ($token == md5(str_rot13("success"))) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
case 'medium':
if ($token == strrev("XXsuccessXX")) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
case 'high':
if ($token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
default:
$vulnerabilityFile = 'impossible.php';
break;
}
} else {
$message = "<p>You got the phrase wrong.</p>";
}
} else {
$message = "<p>Missing phrase or token.</p>";
}
}
if ( $_COOKIE[ 'security' ] == "impossible" ) {
$page[ 'body' ] = <<<EOF
<div class="body_padded">
<h1>Vulnerability: JavaScript Attacks</h1>
<div class="vulnerable_code_area">
<p>
You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level.
</p>
EOF;
} else {
$page[ 'body' ] = <<<EOF
<div class="body_padded">
<h1>Vulnerability: JavaScript Attacks</h1>
<div class="vulnerable_code_area">
<p>
Submit the word "success" to win.
</p>
$message
<form name="low_js" method="post">
<input type="hidden" name="token" value="" id="token" />
<label for="phrase">Phrase</label> <input type="text" name="phrase" value="ChangeMe" id="phrase" />
<input type="submit" id="send" name="send" value="Submit" />
</form>
EOF;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/javascript/source/{$vulnerabilityFile}";
$page[ 'body' ] .= <<<EOF
</div>
EOF;
$page[ 'body' ] .= "
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . "</li>
</ul>
<p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p>
</div>\n";
dvwaHtmlEcho( $page );
?>
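Review bot: the inner `default:` branch of the token switch (the one reached once `$phrase == "success"`) re-assigns `$vulnerabilityFile = 'impossible.php'` instead of setting `$message`, so an unexpected security level falls through with an empty message; that line is a copy-paste from the first switch and the branch should set `$message` (or just `break`). The three token checks compare hash strings with loose `==`; `hash_equals( md5( str_rot13( "success" ) ), $token )`, and likewise for the medium and high strings, is the idiomatic PHP comparison and leaves the intended client-side challenge untouched. Minor: `// Check whwat was sent in` has a typo, and `$_COOKIE[ 'security' ]` is read without `isset()` in three places, which raises a notice when the cookie is absent (the other modules share that pattern, so fix it consistently or not at all).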
1
dvwa/vulnerabilities/javascript/source/high.js
Normal file
File diff suppressed because one or more lines are too long
5
dvwa/vulnerabilities/javascript/source/high.php
Normal file
@ -0,0 +1,5 @@
<?php
$page[ 'body' ] .= <<<EOF
<script src="/vulnerabilities/javascript/source/high.js"></script>
EOF;
?>
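Review bot: `<script src="/vulnerabilities/javascript/source/high.js">` is an absolute path from the web root, so it 404s when DVWA is installed under a sub-directory; index.php builds every other path from `DVWA_WEB_PAGE_TO_ROOT`, so assign that prefix to a variable and interpolate it in the heredoc (constants are not expanded inside `<<<EOF`), or use a relative `source/high.js`, to match the module's own convention.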
540
dvwa/vulnerabilities/javascript/source/high_unobfuscated.js
Normal file
@ -0,0 +1,540 @@
/**
|
||||||
|
* [js-sha256]{@link https://github.com/emn178/js-sha256}
|
||||||
|
*
|
||||||
|
* @version 0.9.0
|
||||||
|
* @author Chen, Yi-Cyuan [emn178@gmail.com]
|
||||||
|
* @copyright Chen, Yi-Cyuan 2014-2017
|
||||||
|
* @license MIT
|
||||||
|
*/
|
||||||
|
/*jslint bitwise: true */
|
||||||
|
(function () {
|
||||||
|
'use strict';
|
||||||
|
|
||||||
|
var ERROR = 'input is invalid type';
|
||||||
|
var WINDOW = typeof window === 'object';
|
||||||
|
var root = WINDOW ? window : {};
|
||||||
|
if (root.JS_SHA256_NO_WINDOW) {
|
||||||
|
WINDOW = false;
|
||||||
|
}
|
||||||
|
var WEB_WORKER = !WINDOW && typeof self === 'object';
|
||||||
|
var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;
|
||||||
|
if (NODE_JS) {
|
||||||
|
root = global;
|
||||||
|
} else if (WEB_WORKER) {
|
||||||
|
root = self;
|
||||||
|
}
|
||||||
|
var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports;
|
||||||
|
var AMD = typeof define === 'function' && define.amd;
|
||||||
|
var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';
|
||||||
|
var HEX_CHARS = '0123456789abcdef'.split('');
|
||||||
|
var EXTRA = [-2147483648, 8388608, 32768, 128];
|
||||||
|
var SHIFT = [24, 16, 8, 0];
|
||||||
|
var K = [
|
||||||
|
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
|
||||||
|
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
|
||||||
|
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
|
||||||
|
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
|
||||||
|
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
|
||||||
|
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
|
||||||
|
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
|
||||||
|
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
|
||||||
|
];
|
||||||
|
var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer'];
|
||||||
|
|
||||||
|
var blocks = [];
|
||||||
|
|
||||||
|
if (root.JS_SHA256_NO_NODE_JS || !Array.isArray) {
|
||||||
|
Array.isArray = function (obj) {
|
||||||
|
return Object.prototype.toString.call(obj) === '[object Array]';
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {
|
||||||
|
ArrayBuffer.isView = function (obj) {
|
||||||
|
return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
var createOutputMethod = function (outputType, is224) {
|
||||||
|
return function (message) {
|
||||||
|
return new Sha256(is224, true).update(message)[outputType]();
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
var createMethod = function (is224) {
|
||||||
|
var method = createOutputMethod('hex', is224);
|
||||||
|
if (NODE_JS) {
|
||||||
|
method = nodeWrap(method, is224);
|
||||||
|
}
|
||||||
|
method.create = function () {
|
||||||
|
return new Sha256(is224);
|
||||||
|
};
|
||||||
|
method.update = function (message) {
|
||||||
|
return method.create().update(message);
|
||||||
|
};
|
||||||
|
for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
|
||||||
|
var type = OUTPUT_TYPES[i];
|
||||||
|
method[type] = createOutputMethod(type, is224);
|
||||||
|
}
|
||||||
|
return method;
|
||||||
|
};
|
||||||
|
|
||||||
|
var nodeWrap = function (method, is224) {
|
||||||
|
var crypto = eval("require('crypto')");
|
||||||
|
var Buffer = eval("require('buffer').Buffer");
|
||||||
|
var algorithm = is224 ? 'sha224' : 'sha256';
|
||||||
|
var nodeMethod = function (message) {
|
||||||
|
if (typeof message === 'string') {
|
||||||
|
return crypto.createHash(algorithm).update(message, 'utf8').digest('hex');
|
||||||
|
} else {
|
||||||
|
if (message === null || message === undefined) {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
} else if (message.constructor === ArrayBuffer) {
|
||||||
|
message = new Uint8Array(message);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (Array.isArray(message) || ArrayBuffer.isView(message) ||
|
||||||
|
message.constructor === Buffer) {
|
||||||
|
return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex');
|
||||||
|
} else {
|
||||||
|
return method(message);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
return nodeMethod;
|
||||||
|
};
|
||||||
|
|
||||||
|
var createHmacOutputMethod = function (outputType, is224) {
|
||||||
|
return function (key, message) {
|
||||||
|
return new HmacSha256(key, is224, true).update(message)[outputType]();
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
var createHmacMethod = function (is224) {
|
||||||
|
var method = createHmacOutputMethod('hex', is224);
|
||||||
|
method.create = function (key) {
|
||||||
|
return new HmacSha256(key, is224);
|
||||||
|
};
|
||||||
|
method.update = function (key, message) {
|
||||||
|
return method.create(key).update(message);
|
||||||
|
};
|
||||||
|
for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
|
||||||
|
var type = OUTPUT_TYPES[i];
|
||||||
|
method[type] = createHmacOutputMethod(type, is224);
|
||||||
|
}
|
||||||
|
return method;
|
||||||
|
};
|
||||||
|
|
||||||
|
function Sha256(is224, sharedMemory) {
|
||||||
|
if (sharedMemory) {
|
||||||
|
blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] =
|
||||||
|
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
|
||||||
|
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
|
||||||
|
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
|
||||||
|
this.blocks = blocks;
|
||||||
|
} else {
|
||||||
|
this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
|
||||||
|
}
|
||||||
|
|
||||||
|
if (is224) {
|
||||||
|
this.h0 = 0xc1059ed8;
|
||||||
|
this.h1 = 0x367cd507;
|
||||||
|
this.h2 = 0x3070dd17;
|
||||||
|
this.h3 = 0xf70e5939;
|
||||||
|
this.h4 = 0xffc00b31;
|
||||||
|
this.h5 = 0x68581511;
|
||||||
|
this.h6 = 0x64f98fa7;
|
||||||
|
this.h7 = 0xbefa4fa4;
|
||||||
|
} else { // 256
|
||||||
|
this.h0 = 0x6a09e667;
|
||||||
|
this.h1 = 0xbb67ae85;
|
||||||
|
this.h2 = 0x3c6ef372;
|
||||||
|
this.h3 = 0xa54ff53a;
|
||||||
|
this.h4 = 0x510e527f;
|
||||||
|
this.h5 = 0x9b05688c;
|
||||||
|
this.h6 = 0x1f83d9ab;
|
||||||
|
this.h7 = 0x5be0cd19;
|
||||||
|
}
|
||||||
|
|
||||||
|
this.block = this.start = this.bytes = this.hBytes = 0;
|
||||||
|
this.finalized = this.hashed = false;
|
||||||
|
this.first = true;
|
||||||
|
this.is224 = is224;
|
||||||
|
}
|
||||||
|
|
||||||
|
Sha256.prototype.update = function (message) {
|
||||||
|
if (this.finalized) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
var notString, type = typeof message;
|
||||||
|
if (type !== 'string') {
|
||||||
|
if (type === 'object') {
|
||||||
|
if (message === null) {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
} else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) {
|
||||||
|
message = new Uint8Array(message);
|
||||||
|
} else if (!Array.isArray(message)) {
|
||||||
|
if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
}
|
||||||
|
notString = true;
|
||||||
|
}
|
||||||
|
var code, index = 0, i, length = message.length, blocks = this.blocks;
|
||||||
|
|
||||||
|
while (index < length) {
|
||||||
|
if (this.hashed) {
|
||||||
|
this.hashed = false;
|
||||||
|
blocks[0] = this.block;
|
||||||
|
blocks[16] = blocks[1] = blocks[2] = blocks[3] =
|
||||||
|
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
|
||||||
|
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
|
||||||
|
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (notString) {
|
||||||
|
for (i = this.start; index < length && i < 64; ++index) {
|
||||||
|
blocks[i >> 2] |= message[index] << SHIFT[i++ & 3];
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
for (i = this.start; index < length && i < 64; ++index) {
|
||||||
|
code = message.charCodeAt(index);
|
||||||
|
if (code < 0x80) {
|
||||||
|
blocks[i >> 2] |= code << SHIFT[i++ & 3];
|
||||||
|
} else if (code < 0x800) {
|
||||||
|
blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
} else if (code < 0xd800 || code >= 0xe000) {
|
||||||
|
blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
} else {
|
||||||
|
code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff));
|
||||||
|
blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | ((code >> 12) & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
this.lastByteIndex = i;
|
||||||
|
this.bytes += i - this.start;
|
||||||
|
if (i >= 64) {
|
||||||
|
this.block = blocks[16];
|
||||||
|
this.start = i - 64;
|
||||||
|
this.hash();
|
||||||
|
this.hashed = true;
|
||||||
|
} else {
|
||||||
|
this.start = i;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (this.bytes > 4294967295) {
|
||||||
|
this.hBytes += this.bytes / 4294967296 << 0;
|
||||||
|
this.bytes = this.bytes % 4294967296;
|
||||||
|
}
|
||||||
|
return this;
|
||||||
|
};
|
||||||
|
|
||||||
|
Sha256.prototype.finalize = function () {
|
||||||
|
if (this.finalized) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
this.finalized = true;
|
||||||
|
var blocks = this.blocks, i = this.lastByteIndex;
|
||||||
|
blocks[16] = this.block;
|
||||||
|
blocks[i >> 2] |= EXTRA[i & 3];
|
||||||
|
this.block = blocks[16];
|
||||||
|
if (i >= 56) {
|
||||||
|
if (!this.hashed) {
|
||||||
|
this.hash();
|
||||||
|
}
|
||||||
|
blocks[0] = this.block;
|
||||||
|
blocks[16] = blocks[1] = blocks[2] = blocks[3] =
|
||||||
|
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
|
||||||
|
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
|
||||||
|
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
|
||||||
|
}
|
||||||
|
blocks[14] = this.hBytes << 3 | this.bytes >>> 29;
|
||||||
|
blocks[15] = this.bytes << 3;
|
||||||
|
this.hash();
|
||||||
|
};
|
||||||
|
|
||||||
|
Sha256.prototype.hash = function () {
|
||||||
|
var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6,
|
||||||
|
h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc;
|
||||||
|
|
||||||
|
for (j = 16; j < 64; ++j) {
|
||||||
|
// rightrotate
|
||||||
|
t1 = blocks[j - 15];
|
||||||
|
s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3);
|
||||||
|
t1 = blocks[j - 2];
|
||||||
|
s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10);
|
||||||
|
blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
bc = b & c;
|
||||||
|
for (j = 0; j < 64; j += 4) {
|
||||||
|
if (this.first) {
|
||||||
|
if (this.is224) {
|
||||||
|
ab = 300032;
|
||||||
|
t1 = blocks[0] - 1413257819;
|
||||||
|
h = t1 - 150054599 << 0;
|
||||||
|
d = t1 + 24177077 << 0;
|
||||||
|
} else {
|
||||||
|
ab = 704751109;
|
||||||
|
t1 = blocks[0] - 210244248;
|
||||||
|
h = t1 - 1521486534 << 0;
|
||||||
|
d = t1 + 143694565 << 0;
|
||||||
|
}
|
||||||
|
this.first = false;
|
||||||
|
} else {
|
||||||
|
s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));
|
||||||
|
s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));
|
||||||
|
ab = a & b;
|
||||||
|
maj = ab ^ (a & c) ^ bc;
|
||||||
|
ch = (e & f) ^ (~e & g);
|
||||||
|
t1 = h + s1 + ch + K[j] + blocks[j];
|
||||||
|
t2 = s0 + maj;
|
||||||
|
h = d + t1 << 0;
|
||||||
|
d = t1 + t2 << 0;
|
||||||
|
}
|
||||||
|
s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10));
|
||||||
|
s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7));
|
||||||
|
da = d & a;
|
||||||
|
maj = da ^ (d & b) ^ ab;
|
||||||
|
ch = (h & e) ^ (~h & f);
|
||||||
|
t1 = g + s1 + ch + K[j + 1] + blocks[j + 1];
|
||||||
|
t2 = s0 + maj;
|
||||||
|
g = c + t1 << 0;
|
||||||
|
c = t1 + t2 << 0;
|
||||||
|
s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10));
|
||||||
|
s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7));
|
||||||
|
cd = c & d;
|
||||||
|
maj = cd ^ (c & a) ^ da;
|
||||||
|
ch = (g & h) ^ (~g & e);
|
||||||
|
t1 = f + s1 + ch + K[j + 2] + blocks[j + 2];
|
||||||
|
t2 = s0 + maj;
|
||||||
|
f = b + t1 << 0;
|
||||||
|
b = t1 + t2 << 0;
|
||||||
|
s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10));
|
||||||
|
s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7));
|
||||||
|
bc = b & c;
|
||||||
|
maj = bc ^ (b & d) ^ cd;
|
||||||
|
ch = (f & g) ^ (~f & h);
|
||||||
|
t1 = e + s1 + ch + K[j + 3] + blocks[j + 3];
|
||||||
|
t2 = s0 + maj;
|
||||||
|
e = a + t1 << 0;
|
||||||
|
a = t1 + t2 << 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
this.h0 = this.h0 + a << 0;
|
||||||
|
this.h1 = this.h1 + b << 0;
|
||||||
|
this.h2 = this.h2 + c << 0;
|
||||||
|
this.h3 = this.h3 + d << 0;
|
||||||
|
this.h4 = this.h4 + e << 0;
|
||||||
|
this.h5 = this.h5 + f << 0;
|
||||||
|
this.h6 = this.h6 + g << 0;
|
||||||
|
this.h7 = this.h7 + h << 0;
|
||||||
|
};
|
||||||
|
|
||||||
|
Sha256.prototype.hex = function () {
|
||||||
|
this.finalize();
|
||||||
|
|
||||||
|
var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
|
||||||
|
h6 = this.h6, h7 = this.h7;
|
||||||
|
|
||||||
|
var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] +
|
||||||
|
HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] +
|
||||||
|
HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] +
|
||||||
|
HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] +
|
||||||
|
HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] +
|
||||||
|
HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] +
|
||||||
|
HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F];
|
||||||
|
if (!this.is224) {
|
||||||
|
hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] +
|
||||||
|
HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] +
|
||||||
|
HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] +
|
||||||
|
HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F];
|
||||||
|
}
|
||||||
|
return hex;
|
||||||
|
};
|
||||||
|
|
||||||
|
Sha256.prototype.toString = Sha256.prototype.hex;
|
||||||
|
|
||||||
|
Sha256.prototype.digest = function () {
|
||||||
|
this.finalize();
|
||||||
|
|
||||||
|
var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
|
||||||
|
h6 = this.h6, h7 = this.h7;
|
||||||
|
|
||||||
|
var arr = [
|
||||||
|
(h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF,
|
||||||
|
(h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF,
|
||||||
|
(h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF,
|
||||||
|
(h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF,
|
||||||
|
(h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF,
|
||||||
|
(h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF,
|
||||||
|
(h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF
|
||||||
|
];
|
||||||
|
if (!this.is224) {
|
||||||
|
arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF);
|
||||||
|
}
|
||||||
|
return arr;
|
||||||
|
};
|
||||||
|
|
||||||
|
Sha256.prototype.array = Sha256.prototype.digest;
|
||||||
|
|
||||||
|
Sha256.prototype.arrayBuffer = function () {
|
||||||
|
this.finalize();
|
||||||
|
|
||||||
|
var buffer = new ArrayBuffer(this.is224 ? 28 : 32);
|
||||||
|
var dataView = new DataView(buffer);
|
||||||
|
dataView.setUint32(0, this.h0);
|
||||||
|
dataView.setUint32(4, this.h1);
|
||||||
|
dataView.setUint32(8, this.h2);
|
||||||
|
dataView.setUint32(12, this.h3);
|
||||||
|
dataView.setUint32(16, this.h4);
|
||||||
|
dataView.setUint32(20, this.h5);
|
||||||
|
dataView.setUint32(24, this.h6);
|
||||||
|
if (!this.is224) {
|
||||||
|
dataView.setUint32(28, this.h7);
|
||||||
|
}
|
||||||
|
return buffer;
|
||||||
|
};
|
||||||
|
|
||||||
|
function HmacSha256(key, is224, sharedMemory) {
|
||||||
|
var i, type = typeof key;
|
||||||
|
if (type === 'string') {
|
||||||
|
var bytes = [], length = key.length, index = 0, code;
|
||||||
|
for (i = 0; i < length; ++i) {
|
||||||
|
code = key.charCodeAt(i);
|
||||||
|
if (code < 0x80) {
|
||||||
|
bytes[index++] = code;
|
||||||
|
} else if (code < 0x800) {
|
||||||
|
bytes[index++] = (0xc0 | (code >> 6));
|
||||||
|
bytes[index++] = (0x80 | (code & 0x3f));
|
||||||
|
} else if (code < 0xd800 || code >= 0xe000) {
|
||||||
|
bytes[index++] = (0xe0 | (code >> 12));
|
||||||
|
bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
|
||||||
|
bytes[index++] = (0x80 | (code & 0x3f));
|
||||||
|
} else {
|
||||||
|
code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff));
|
||||||
|
bytes[index++] = (0xf0 | (code >> 18));
|
||||||
|
bytes[index++] = (0x80 | ((code >> 12) & 0x3f));
|
||||||
|
bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
|
||||||
|
bytes[index++] = (0x80 | (code & 0x3f));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
key = bytes;
|
||||||
|
} else {
|
||||||
|
if (type === 'object') {
|
||||||
|
if (key === null) {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
} else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) {
|
||||||
|
key = new Uint8Array(key);
|
||||||
|
} else if (!Array.isArray(key)) {
|
||||||
|
if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
throw new Error(ERROR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (key.length > 64) {
|
||||||
|
key = (new Sha256(is224, true)).update(key).array();
|
||||||
|
}
|
||||||
|
|
||||||
|
var oKeyPad = [], iKeyPad = [];
|
||||||
|
for (i = 0; i < 64; ++i) {
|
||||||
|
var b = key[i] || 0;
|
||||||
|
oKeyPad[i] = 0x5c ^ b;
|
||||||
|
iKeyPad[i] = 0x36 ^ b;
|
||||||
|
}
|
||||||
|
|
||||||
|
Sha256.call(this, is224, sharedMemory);
|
||||||
|
|
||||||
|
this.update(iKeyPad);
|
||||||
|
this.oKeyPad = oKeyPad;
|
||||||
|
this.inner = true;
|
||||||
|
this.sharedMemory = sharedMemory;
|
||||||
|
}
|
||||||
|
HmacSha256.prototype = new Sha256();
|
||||||
|
|
||||||
|
HmacSha256.prototype.finalize = function () {
|
||||||
|
Sha256.prototype.finalize.call(this);
|
||||||
|
if (this.inner) {
|
||||||
|
this.inner = false;
|
||||||
|
var innerHash = this.array();
|
||||||
|
Sha256.call(this, this.is224, this.sharedMemory);
|
||||||
|
this.update(this.oKeyPad);
|
||||||
|
this.update(innerHash);
|
||||||
|
Sha256.prototype.finalize.call(this);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
var exports = createMethod();
|
||||||
|
exports.sha256 = exports;
|
||||||
|
exports.sha224 = createMethod(true);
|
||||||
|
exports.sha256.hmac = createHmacMethod();
|
||||||
|
exports.sha224.hmac = createHmacMethod(true);
|
||||||
|
|
||||||
|
if (COMMON_JS) {
|
||||||
|
module.exports = exports;
|
||||||
|
} else {
|
||||||
|
root.sha256 = exports.sha256;
|
||||||
|
root.sha224 = exports.sha224;
|
||||||
|
if (AMD) {
|
||||||
|
define(function () {
|
||||||
|
return exports;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})();
function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}
function token_part_3(t, y="ZZ") {
document.getElementById("token").value=sha256(document.getElementById("token").value+y)
}
function token_part_2(e="YY") {
document.getElementById("token").value=sha256(e+document.getElementById("token").value)
}
function token_part_1(a,b) {
document.getElementById("token").value=do_something(document.getElementById("phrase").value)
}
document.getElementById("phrase").value="";
setTimeout(function(){token_part_2("XX")},300);
document.getElementById("send").addEventListener("click", token_part_3);
token_part_1("ABCD", 44);
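Review bot: this readable version is committed into `vulnerabilities/javascript/source/`, the same web-served directory as `high.js`, so it is fetchable by URL right beside the obfuscated file; if it is a maintainer reference only, keep it outside the document root (or with the docs) so the high level remains the deobfuscation exercise the help page describes. In the DVWA-specific tail, `token_part_1(a, b)` ignores both arguments and `token_part_3(t, y = "ZZ")` receives the click event as `t`; that looks deliberate, so a one-line comment saying so would stop a later cleanup from "fixing" it. The vendored js-sha256 0.9.0 keeps its MIT header, which is the right way to carry third-party code.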
24
dvwa/vulnerabilities/javascript/source/low.php
Normal file
@ -0,0 +1,24 @@
<?php
$page[ 'body' ] .= <<<EOF
<script>
/*
MD5 code from here
https://github.com/blueimp/JavaScript-MD5
*/
!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<<t|n>>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<<r%32,n[14+(r+64>>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e<n.length;e+=16)i=l,a=g,d=v,h=m,g=f(g=f(g=f(g=f(g=c(g=c(g=c(g=c(g=u(g=u(g=u(g=u(g=o(g=o(g=o(g=o(g,v=o(v,m=o(m,l=o(l,g,v,m,n[e],7,-680876936),g,v,n[e+1],12,-389564586),l,g,n[e+2],17,606105819),m,l,n[e+3],22,-1044525330),v=o(v,m=o(m,l=o(l,g,v,m,n[e+4],7,-176418897),g,v,n[e+5],12,1200080426),l,g,n[e+6],17,-1473231341),m,l,n[e+7],22,-45705983),v=o(v,m=o(m,l=o(l,g,v,m,n[e+8],7,1770035416),g,v,n[e+9],12,-1958414417),l,g,n[e+10],17,-42063),m,l,n[e+11],22,-1990404162),v=o(v,m=o(m,l=o(l,g,v,m,n[e+12],7,1804603682),g,v,n[e+13],12,-40341101),l,g,n[e+14],17,-1502002290),m,l,n[e+15],22,1236535329),v=u(v,m=u(m,l=u(l,g,v,m,n[e+1],5,-165796510),g,v,n[e+6],9,-1069501632),l,g,n[e+11],14,643717713),m,l,n[e],20,-373897302),v=u(v,m=u(m,l=u(l,g,v,m,n[e+5],5,-701558691),g,v,n[e+10],9,38016083),l,g,n[e+15],14,-660478335),m,l,n[e+4],20,-405537848),v=u(v,m=u(m,l=u(l,g,v,m,n[e+9],5,568446438),g,v,n[e+14],9,-1019803690),l,g,n[e+3],14,-187363961),m,l,n[e+8],20,1163531501),v=u(v,m=u(m,l=u(l,g,v,m,n[e+13],5,-1444681467),g,v,n[e+2],9,-51403784),l,g,n[e+7],14,1735328473),m,l,n[e+12],20,-1926607734),v=c(v,m=c(m,l=c(l,g,v,m,n[e+5],4,-378558),g,v,n[e+8],11,-2022574463),l,g,n[e+11],16,1839030562),m,l,n[e+14],23,-35309556),v=c(v,m=c(m,l=c(l,g,v,m,n[e+1],4,-1530992060),g,v,n[e+4],11,1272893353),l,g,n[e+7],16,-155497632),m,l,n[e+10],23,-1094730640),v=c(v,m=c(m,l=c(l,g,v,m,n[e+13],4,681279174),g,v,n[e],11,-358537222),l,g,n[e+3],16,-722521979),m,l,n[e+6],23,760291
89),v=c(v,m=c(m,l=c(l,g,v,m,n[e+9],4,-640364487),g,v,n[e+12],11,-421815835),l,g,n[e+15],16,530742520),m,l,n[e+2],23,-995338651),v=f(v,m=f(m,l=f(l,g,v,m,n[e],6,-198630844),g,v,n[e+7],10,1126891415),l,g,n[e+14],15,-1416354905),m,l,n[e+5],21,-57434055),v=f(v,m=f(m,l=f(l,g,v,m,n[e+12],6,1700485571),g,v,n[e+3],10,-1894986606),l,g,n[e+10],15,-1051523),m,l,n[e+1],21,-2054922799),v=f(v,m=f(m,l=f(l,g,v,m,n[e+8],6,1873313359),g,v,n[e+15],10,-30611744),l,g,n[e+6],15,-1560198380),m,l,n[e+13],21,1309151649),v=f(v,m=f(m,l=f(l,g,v,m,n[e+4],6,-145523070),g,v,n[e+11],10,-1120210379),l,g,n[e+2],15,718787259),m,l,n[e+9],21,-343485551),l=t(l,i),g=t(g,a),v=t(v,d),m=t(m,h);return[l,g,v,m]}function a(n){var t,r="",e=32*n.length;for(t=0;t<e;t+=8)r+=String.fromCharCode(n[t>>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t<r.length;t+=1)r[t]=0;var e=8*n.length;for(t=0;t<e;t+=8)r[t>>5]|=(255&n.charCodeAt(t/8))<<t%32;return r}function h(n){return a(i(d(n),8*n.length))}function l(n,t){var r,e,o=d(n),u=[],c=[];for(u[15]=c[15]=void 0,o.length>16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r<n.length;r+=1)t=n.charCodeAt(r),e+="0123456789abcdef".charAt(t>>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);
function rot13(inp) {
return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});
}
function generate_token() {
var phrase = document.getElementById("phrase").value;
document.getElementById("token").value = md5(rot13(phrase));
}
generate_token();
</script>
EOF;
?>
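Review bot: the minified MD5 library is pasted inline inside the PHP heredoc instead of shipped as its own file the way `medium.js` and `high.js` are; moving it to a separate `.js` under `source/` keeps the heredoc short, removes the risk of a `$name` or `{$` sequence in minified code being interpolated by PHP, and lets the license travel with the code, since the only attribution here is the bare GitHub URL while `high_unobfuscated.js` carries a full header for js-sha256. The blob also shows up split across two lines in this rendering (`760291` / `89),v=c(`); confirm it is a single line in the committed file, because a real line break inside the string literal would break the script.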
1
dvwa/vulnerabilities/javascript/source/medium.js
Normal file
@ -0,0 +1 @@
function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething("XX")},300);function do_elsesomething(e){document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")}
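Review bot: `do_elsesomething` is referenced in the `setTimeout` callback before the line that declares it; this works because function declarations are hoisted, but on a one-line file it reads as a bug, so either declare it first or note the hoisting. The token is computed once, 300 ms after load, from whatever `phrase` holds at that moment and is never recomputed on submit; that is consistent with the `strrev("XXsuccessXX")` check in index.php and is presumably the challenge, so a short comment would keep a later maintainer from "fixing" it.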
5
dvwa/vulnerabilities/javascript/source/medium.php
Normal file
@ -0,0 +1,5 @@
<?php
$page[ 'body' ] .= <<<EOF
<script src="/vulnerabilities/javascript/source/medium.js"></script>
EOF;
?>
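Review bot: same root-absolute `src="/vulnerabilities/javascript/source/medium.js"` as in high.php; it fails under a sub-directory install, so derive the prefix from `DVWA_WEB_PAGE_TO_ROOT` through a variable (constants are not interpolated in a heredoc) or use a relative path, and apply the same fix to both files together.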
@ -51,7 +51,7 @@ $page[ 'body' ] .= "
<div class=\"vulnerable_code_area\">";
|
<div class=\"vulnerable_code_area\">";
|
||||||
if( $vulnerabilityFile == 'high.php' ) {
|
if( $vulnerabilityFile == 'high.php' ) {
|
||||||
$page[ 'body' ] .= "Click <a href=\"#\" onClick=\"javascript:popUp('session-input.php');return false;\">here to change your ID</a>.";
|
$page[ 'body' ] .= "Click <a href=\"#\" onclick=\"javascript:popUp('session-input.php');return false;\">here to change your ID</a>.";
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
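Review bot: lowercasing onclick is fine, but the `javascript:` prefix inside the handler is parsed as a JavaScript label rather than a URL scheme and can be dropped; the attribute body should read `popUp('session-input.php');return false;`.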
@ -60,11 +60,8 @@ else {
|
|||||||
User ID:";
|
User ID:";
|
||||||
if( $vulnerabilityFile == 'medium.php' ) {
|
if( $vulnerabilityFile == 'medium.php' ) {
|
||||||
$page[ 'body' ] .= "\n <select name=\"id\">";
|
$page[ 'body' ] .= "\n <select name=\"id\">";
|
||||||
$query = "SELECT COUNT(*) FROM users;";
|
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
for( $i = 1; $i < $number_of_rows + 1 ; $i++ ) { $page[ 'body' ] .= "<option value=\"{$i}\">{$i}</option>"; }
|
||||||
$num = mysql_result( $result, 0 );
|
|
||||||
$i = 0;
|
|
||||||
while( $i < $num ) { $i++; $page[ 'body' ] .= "<option value=\"{$i}\">{$i}</option>"; }
|
|
||||||
$page[ 'body' ] .= "</select>";
|
$page[ 'body' ] .= "</select>";
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
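Review bot: this index now depends on `$number_of_rows` being defined by the included medium source file instead of running the COUNT query itself, and nothing here guards against it being unset, so a source file that does not set it produces an empty `<select>` with only an undefined-variable notice. A short comment naming where the variable comes from, or an `isset( $number_of_rows )` check before the loop, would make the coupling explicit.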
@ -6,24 +6,19 @@ if( isset( $_SESSION [ 'id' ] ) ) {
|
|||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
|
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
|
||||||
$result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = mysql_numrows( $result );
|
while( $row = mysqli_fetch_assoc( $result ) ) {
|
||||||
$i = 0;
|
|
||||||
while( $i < $num ) {
|
|
||||||
// Get values
|
// Get values
|
||||||
$first = mysql_result( $result, $i, "first_name" );
|
$first = $row["first_name"];
|
||||||
$last = mysql_result( $result, $i, "last_name" );
|
$last = $row["last_name"];
|
||||||
|
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
||||||
|
|
||||||
// Increase loop count
|
|
||||||
$i++;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
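Review bot: the converted close call `((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);` assigns to a variable nobody reads and discards the ternary result; this file is the source shown to learners, so replace it with the plain `mysqli_close($GLOBALS["___mysqli_ston"]);` form used elsewhere in this patch.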
@ -6,24 +6,19 @@ if( isset( $_REQUEST[ 'Submit' ] ) ) {
|
|||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
|
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = mysql_numrows( $result );
|
while( $row = mysqli_fetch_assoc( $result ) ) {
|
||||||
$i = 0;
|
|
||||||
while( $i < $num ) {
|
|
||||||
// Get values
|
// Get values
|
||||||
$first = mysql_result( $result, $i, "first_name" );
|
$first = $row["first_name"];
|
||||||
$last = mysql_result( $result, $i, "last_name" );
|
$last = $row["last_name"];
|
||||||
|
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
||||||
|
|
||||||
// Increase loop count
|
|
||||||
$i++;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
mysqli_close($GLOBALS["___mysqli_ston"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
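Review bot: the `or die( ... )` branch nests two ternaries to choose between mysqli_error() and mysqli_connect_error() and can evaluate to `false`, which concatenates as an empty string and hides the error it is meant to show; the medium source in this patch uses the readable `mysqli_error($GLOBALS["___mysqli_ston"])` directly, and the same should be done here.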
@ -3,28 +3,29 @@
|
|||||||
if( isset( $_POST[ 'Submit' ] ) ) {
|
if( isset( $_POST[ 'Submit' ] ) ) {
|
||||||
// Get input
|
// Get input
|
||||||
$id = $_POST[ 'id' ];
|
$id = $_POST[ 'id' ];
|
||||||
$id = mysql_real_escape_string( $id );
|
|
||||||
|
|
||||||
// Check database
|
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
|
||||||
|
|
||||||
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
|
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = mysql_numrows( $result );
|
while( $row = mysqli_fetch_assoc( $result ) ) {
|
||||||
$i = 0;
|
|
||||||
while( $i < $num ) {
|
|
||||||
// Display values
|
// Display values
|
||||||
$first = mysql_result( $result, $i, "first_name" );
|
$first = $row["first_name"];
|
||||||
$last = mysql_result( $result, $i, "last_name" );
|
$last = $row["last_name"];
|
||||||
|
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
|
||||||
|
|
||||||
// Increase loop count
|
|
||||||
$i++;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//mysql_close();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This is used later on in the index.php page
|
||||||
|
// Setting it here so we can close the database connection in here like in the rest of the source scripts
|
||||||
|
$query = "SELECT COUNT(*) FROM users;";
|
||||||
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
|
$number_of_rows = mysqli_fetch_row( $result )[0];
|
||||||
|
|
||||||
|
mysqli_close($GLOBALS["___mysqli_ston"]);
|
||||||
?>
|
?>
|
||||||
|
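Review bot: the `// Check database` comment was removed when the escaping line took its slot, leaving `$query = ...` uncommented while the other levels keep the comment; restore it above the query. The trailing COUNT(*) block runs on every request, not only on submit, and `mysqli_fetch_row( $result )[0]` dereferences a function result directly, which requires PHP 5.4 or later; that minimum should be stated wherever the supported PHP versions are listed.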
@ -51,7 +51,7 @@ $page[ 'body' ] .= "
|
|||||||
|
|
||||||
<div class=\"vulnerable_code_area\">";
|
<div class=\"vulnerable_code_area\">";
|
||||||
if( $vulnerabilityFile == 'high.php' ) {
|
if( $vulnerabilityFile == 'high.php' ) {
|
||||||
$page[ 'body' ] .= "Click <a href=\"#\" onClick=\"javascript:popUp('cookie-input.php');return false;\">here to change your ID</a>.";
|
$page[ 'body' ] .= "Click <a href=\"#\" onclick=\"javascript:popUp('cookie-input.php');return false;\">here to change your ID</a>.";
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
@ -61,8 +61,8 @@ else {
|
|||||||
if( $vulnerabilityFile == 'medium.php' ) {
|
if( $vulnerabilityFile == 'medium.php' ) {
|
||||||
$page[ 'body' ] .= "\n <select name=\"id\">";
|
$page[ 'body' ] .= "\n <select name=\"id\">";
|
||||||
$query = "SELECT COUNT(*) FROM users;";
|
$query = "SELECT COUNT(*) FROM users;";
|
||||||
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
|
||||||
$num = mysql_result( $result, 0 );
|
$num = mysqli_fetch_row( $result )[0];
|
||||||
$i = 0;
|
$i = 0;
|
||||||
while( $i < $num ) { $i++; $page[ 'body' ] .= "<option value=\"{$i}\">{$i}</option>"; }
|
while( $i < $num ) { $i++; $page[ 'body' ] .= "<option value=\"{$i}\">{$i}</option>"; }
|
||||||
$page[ 'body' ] .= "</select>";
|
$page[ 'body' ] .= "</select>";
|
||||||
|
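Review bot: this index keeps the COUNT(*) query inline while the SQL injection index in the same patch was changed to read `$number_of_rows` from its medium source file; the two modules should follow one pattern, otherwise the next maintainer has to remember which index owns the query.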
@ -6,10 +6,10 @@ if( isset( $_COOKIE[ 'id' ] ) ) {
|
|||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
|
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
|
||||||
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
|
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
|
||||||
if( $num > 0 ) {
|
if( $num > 0 ) {
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= '<pre>User ID exists in the database.</pre>';
|
$html .= '<pre>User ID exists in the database.</pre>';
|
||||||
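Review bot: the comments still say "suppress mysql errors" after the move to mysqli; update the wording. Functionally, when mysqli_query() returns false the suppressed `@mysqli_num_rows( false )` yields null, `$num > 0` is false and the user sees the MISSING message, so a query error and an absent row are indistinguishable; if that is the intended blind behaviour, a comment saying so would help the learner reading this source.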
@ -27,7 +27,7 @@ if( isset( $_COOKIE[ 'id' ] ) ) {
|
|||||||
$html .= '<pre>User ID is MISSING from the database.</pre>';
|
$html .= '<pre>User ID is MISSING from the database.</pre>';
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -6,10 +6,10 @@ if( isset( $_GET[ 'Submit' ] ) ) {
|
|||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
|
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
|
||||||
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
|
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
|
||||||
if( $num > 0 ) {
|
if( $num > 0 ) {
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= '<pre>User ID exists in the database.</pre>';
|
$html .= '<pre>User ID exists in the database.</pre>';
|
||||||
@ -22,7 +22,7 @@ if( isset( $_GET[ 'Submit' ] ) ) {
|
|||||||
$html .= '<pre>User ID is MISSING from the database.</pre>';
|
$html .= '<pre>User ID is MISSING from the database.</pre>';
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_close();
|
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@ -3,14 +3,14 @@
|
|||||||
if( isset( $_POST[ 'Submit' ] ) ) {
|
if( isset( $_POST[ 'Submit' ] ) ) {
|
||||||
// Get input
|
// Get input
|
||||||
$id = $_POST[ 'id' ];
|
$id = $_POST[ 'id' ];
|
||||||
$id = mysql_real_escape_string( $id );
|
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
|
||||||
|
|
||||||
// Check database
|
// Check database
|
||||||
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
|
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
|
||||||
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
|
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
|
||||||
|
|
||||||
// Get results
|
// Get results
|
||||||
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
|
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
|
||||||
if( $num > 0 ) {
|
if( $num > 0 ) {
|
||||||
// Feedback for end user
|
// Feedback for end user
|
||||||
$html .= '<pre>User ID exists in the database.</pre>';
|
$html .= '<pre>User ID exists in the database.</pre>';
|
||||||
|
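Review bot: the escaping line is converter output: it re-checks that the connection object exists and otherwise calls trigger_error() with a message about mysql_escape_string() that does not match this code, inside a ternary whose two branches both yield "". The sqli medium source in this patch uses the direct `$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);`; use the same here so the displayed source shows the actual sanitisation step.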
@ -34,7 +34,7 @@
|
|||||||
|
|
||||||
<h3>High Level</h3>
|
<h3>High Level</h3>
|
||||||
<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
|
<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
|
||||||
<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file includion</span>.</pre>
|
<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file inclusion</span>.</pre>
|
||||||
|
|
||||||
<br />
|
<br />
|
||||||
|
|
||||||
|
@ -33,12 +33,12 @@ require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/upload/source/{$vulnerabil
|
|||||||
|
|
||||||
// Check if folder is writeable
|
// Check if folder is writeable
|
||||||
$WarningHtml = '';
|
$WarningHtml = '';
|
||||||
if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) {
|
if( !is_writable( $PHPUploadPath ) ) {
|
||||||
$WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "<br /><em>Folder is not writable.</em></div>";
|
$WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: {$PHPUploadPath}<br /><em>Folder is not writable.</em></div>";
|
||||||
}
|
}
|
||||||
// Is PHP-GD installed?
|
// Is PHP-GD installed?
|
||||||
if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) {
|
if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) {
|
||||||
$WarningHtml .= "<div class=\"warning\">The PHP module <em>PHP-GD is not installed</em>.</div>";
|
$WarningHtml .= "<div class=\"warning\">The PHP module <em>GD is not installed</em>.</div>";
|
||||||
}
|
}
|
||||||
|
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
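Review bot: `$PHPUploadPath` is not defined in this file; the check assumes every level's source file pulled in by the `require_once` above sets it, otherwise `is_writable()` is called on an undefined variable and the permissions warning never fires. Either define a default before the `require_once` or verify that low, medium, high and impossible all set it.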
@ -48,7 +48,7 @@ $page[ 'body' ] .= "
|
|||||||
{$WarningHtml}
|
{$WarningHtml}
|
||||||
|
|
||||||
<div class=\"vulnerable_code_area\">
|
<div class=\"vulnerable_code_area\">
|
||||||
<form enctype=\"multipart/form-data\" action=\"#\" method=\"POST\" />
|
<form enctype=\"multipart/form-data\" action=\"#\" method=\"POST\">
|
||||||
<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\" />
|
<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\" />
|
||||||
Choose an image to upload:<br /><br />
|
Choose an image to upload:<br /><br />
|
||||||
<input name=\"uploaded\" type=\"file\" /><br />
|
<input name=\"uploaded\" type=\"file\" /><br />
|
||||||
|
@ -12,44 +12,67 @@ $id = $_GET[ 'id' ];
|
|||||||
$security = $_GET[ 'security' ];
|
$security = $_GET[ 'security' ];
|
||||||
|
|
||||||
|
|
||||||
if( $id == 'fi' ) {
|
switch ($id) {
|
||||||
|
case "fi" :
|
||||||
$vuln = 'File Inclusion';
|
$vuln = 'File Inclusion';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'brute' ) {
|
case "brute" :
|
||||||
$vuln = 'Brute Force';
|
$vuln = 'Brute Force';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'csrf' ) {
|
case "csrf" :
|
||||||
$vuln = 'CSRF';
|
$vuln = 'CSRF';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'exec' ) {
|
case "exec" :
|
||||||
$vuln = 'Command Injection';
|
$vuln = 'Command Injection';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'sqli' ) {
|
case "sqli" :
|
||||||
$vuln = 'SQL Injection';
|
$vuln = 'SQL Injection';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'sqli_blind' ) {
|
case "sqli_blind" :
|
||||||
$vuln = 'SQL Injection (Blind)';
|
$vuln = 'SQL Injection (Blind)';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'upload' ) {
|
case "upload" :
|
||||||
$vuln = 'File Upload';
|
$vuln = 'File Upload';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'xss_r' ) {
|
case "xss_r" :
|
||||||
$vuln = 'XSS (Reflected)';
|
$vuln = 'Reflected XSS';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'captcha' ) {
|
case "xss_s" :
|
||||||
$vuln = 'Insecure CAPTCHA';
|
$vuln = 'Stored XSS';
|
||||||
}
|
break;
|
||||||
else {
|
case "weak_id" :
|
||||||
$vuln = 'XSS (Stored)';
|
$vuln = 'Weak Session IDs';
|
||||||
|
break;
|
||||||
|
case "javascript" :
|
||||||
|
$vuln = 'JavaScript';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$vuln = "Unknown Vulnerability";
|
||||||
}
|
}
|
||||||
|
|
||||||
$source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.php" );
|
$source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.php" );
|
||||||
$source = str_replace( array( '$html .=' ), array( 'echo' ), $source );
|
$source = str_replace( array( '$html .=' ), array( 'echo' ), $source );
|
||||||
|
|
||||||
|
$js_html = "";
|
||||||
|
if (file_exists (DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js")) {
|
||||||
|
$js_source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js" );
|
||||||
|
$js_html = "
|
||||||
|
<h2>vulnerabilities/{$id}/source/{$security}.js</h2>
|
||||||
|
<div id=\"code\">
|
||||||
|
<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
|
||||||
|
<tr>
|
||||||
|
<td><div id=\"code\">" . highlight_string( $js_source, true ) . "</div></td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
";
|
||||||
|
}
|
||||||
|
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
<div class=\"body_padded\">
|
<div class=\"body_padded\">
|
||||||
<h1>{$vuln} Source</h1>
|
<h1>{$vuln} Source</h1>
|
||||||
|
|
||||||
|
<h2>vulnerabilities/{$id}/source/{$security}.php</h2>
|
||||||
<div id=\"code\">
|
<div id=\"code\">
|
||||||
<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
|
<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
|
||||||
<tr>
|
<tr>
|
||||||
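Review bot: the rewrite to a switch drops the `captcha` branch the old elseif chain handled ('Insecure CAPTCHA'), and no `xss_d` case is added although this commit introduces the DOM XSS module, so both titles now fall through to "Unknown Vulnerability"; add cases for both. Since `$id` and `$security` come straight from `$_GET` and are interpolated into the file_get_contents() and file_exists() paths, the switch's `default` is also the natural place to stop on an unknown id instead of proceeding with the lookup. Minor: the `$js_html` block nests a second `<div id=\"code\">` inside the first, duplicating an id on the page.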
@ -57,6 +80,7 @@ $page[ 'body' ] .= "
|
|||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
|
{$js_html}
|
||||||
<br /> <br />
|
<br /> <br />
|
||||||
|
|
||||||
<form>
|
<form>
|
||||||
|
@ -26,32 +26,42 @@ $impsrc = @file_get_contents("./{$id}/source/impossible.php");
|
|||||||
$impsrc = str_replace( array( '$html .=' ), array( 'echo' ), $impsrc);
|
$impsrc = str_replace( array( '$html .=' ), array( 'echo' ), $impsrc);
|
||||||
$impsrc = highlight_string( $impsrc, true );
|
$impsrc = highlight_string( $impsrc, true );
|
||||||
|
|
||||||
if( $id == 'fi' ) {
|
switch ($id) {
|
||||||
|
case "javascript" :
|
||||||
|
$vuln = 'JavaScript';
|
||||||
|
break;
|
||||||
|
case "fi" :
|
||||||
$vuln = 'File Inclusion';
|
$vuln = 'File Inclusion';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'brute' ) {
|
case "brute" :
|
||||||
$vuln = 'Brute Force';
|
$vuln = 'Brute Force';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'csrf' ) {
|
case "csrf" :
|
||||||
$vuln = 'CSRF';
|
$vuln = 'CSRF';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'exec' ) {
|
case "exec" :
|
||||||
$vuln = 'Command Injection';
|
$vuln = 'Command Injection';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'sqli' ) {
|
case "sqli" :
|
||||||
$vuln = 'SQL Injection';
|
$vuln = 'SQL Injection';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'sqli_blind' ) {
|
case "sqli_blind" :
|
||||||
$vuln = 'SQL Injection (Blind)';
|
$vuln = 'SQL Injection (Blind)';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'upload' ) {
|
case "upload" :
|
||||||
$vuln = 'File Upload';
|
$vuln = 'File Upload';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'xss_r' ) {
|
case "xss_r" :
|
||||||
$vuln = 'Reflected XSS';
|
$vuln = 'Reflected XSS';
|
||||||
}
|
break;
|
||||||
elseif( $id == 'xss_s' ) {
|
case "xss_s" :
|
||||||
$vuln = 'Stored XSS';
|
$vuln = 'Stored XSS';
|
||||||
|
break;
|
||||||
|
case "weak_id" :
|
||||||
|
$vuln = 'Weak Session IDs';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$vuln = "Unknown Vulnerability";
|
||||||
}
|
}
|
||||||
|
|
||||||
$page[ 'body' ] .= "
|
$page[ 'body' ] .= "
|
||||||
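Review bot: this switch also lacks an `xss_d` case for the DOM XSS module added in this commit, and has no `captcha` case, so both display "Unknown Vulnerability"; keep the case list identical to the one in view_source.php (the ordering already differs, with `javascript` first here and last there), ideally by moving the id-to-title mapping into one shared array both files read.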
@ -92,7 +102,7 @@ $page[ 'body' ] .= "
|
|||||||
<br /> <br />
|
<br /> <br />
|
||||||
|
|
||||||
<form>
|
<form>
|
||||||
<input type=\"button\" value=\"<-- Back\" onClick=\"history.go(-1);return true;\">
|
<input type=\"button\" value=\"<-- Back\" onclick=\"history.go(-1);return true;\">
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
</div>\n";
|
</div>\n";
|
||||||
|
39
dvwa/vulnerabilities/weak_id/help/help.php
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
<div class="body_padded">
|
||||||
|
<h1>Help - Weak Session IDs</h1>
|
||||||
|
|
||||||
|
<div id="code">
|
||||||
|
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
|
||||||
|
<tr>
|
||||||
|
<td><div id="code">
|
||||||
|
<h3>About</h3>
|
||||||
|
<p>Knowledge of a session ID is often the only thing required to access a site as a specific user after they have logged in, if that session ID is able to be calculated or easily guessed, then an attacker will have an easy way to gain access to user accounts without having to brute force passwords or find other vulnerabilities such as Cross-Site Scripting.</p>
|
||||||
|
|
||||||
|
<p><hr /></p>
|
||||||
|
|
||||||
|
<h3>Objective</h3>
|
||||||
|
<p>This module uses four different ways to set the dvwaSession cookie value, the objective of each level is to work out how the ID is generated and then infer the IDs of other system users.</p>
|
||||||
|
|
||||||
|
<p><hr /></p>
|
||||||
|
|
||||||
|
<h3>Low Level</h3>
|
||||||
|
<p>The cookie value should be very obviously predictable.</p>
|
||||||
|
|
||||||
|
<h3>Medium Level</h3>
|
||||||
|
<p>The value looks a little more random than on low but if you collect a few you should start to see a pattern.</p>
|
||||||
|
|
||||||
|
<h3>High Level</h3>
|
||||||
|
<p>First work out what format the value is in and then try to work out what is being used as the input to generate the values.</p>
|
||||||
|
<p>Extra flags are also being added to the cookie, this does not affect the challenge but highlights extra protections that can be added to protect the cookies.</p>
|
||||||
|
|
||||||
|
|
||||||
|
<h3>Impossible Level</h3>
|
||||||
|
<p>The cookie value should not be predictable at this level but feel free to try.</p>
|
||||||
|
<p>As well as the extra flags, the cookie is being tied to the domain and the path of the challenge.</p>
|
||||||
|
</div></td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management' ); ?></p>
|
||||||
|
</div>
|
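Review bot: the High Level text says extra cookie flags are added, but the high source in this commit calls setcookie() with the secure and httponly arguments both set to false; either set the flags or correct the text (the Impossible source is the one that sets them). Wording: "if that session ID is able to be calculated" should start a new sentence ("If the ID can be calculated or easily guessed, ..."). Markup: `<p><hr /></p>` places a block element inside a paragraph; use `<hr />` on its own.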
60
dvwa/vulnerabilities/weak_id/index.php
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
|
||||||
|
|
||||||
|
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
|
||||||
|
|
||||||
|
$page = dvwaPageNewGrab();
|
||||||
|
$page[ 'title' ] = 'Vulnerability: Weak Session IDs' . $page[ 'title_separator' ].$page[ 'title' ];
|
||||||
|
$page[ 'page_id' ] = 'weak_id';
|
||||||
|
$page[ 'help_button' ] = 'weak_id';
|
||||||
|
$page[ 'source_button' ] = 'weak_id';
|
||||||
|
dvwaDatabaseConnect();
|
||||||
|
|
||||||
|
$method = 'GET';
|
||||||
|
$vulnerabilityFile = '';
|
||||||
|
switch( $_COOKIE[ 'security' ] ) {
|
||||||
|
case 'low':
|
||||||
|
$vulnerabilityFile = 'low.php';
|
||||||
|
break;
|
||||||
|
case 'medium':
|
||||||
|
$vulnerabilityFile = 'medium.php';
|
||||||
|
break;
|
||||||
|
case 'high':
|
||||||
|
$vulnerabilityFile = 'high.php';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$vulnerabilityFile = 'impossible.php';
|
||||||
|
$method = 'POST';
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/weak_id/source/{$vulnerabilityFile}";
|
||||||
|
|
||||||
|
|
||||||
|
$page[ 'body' ] .= <<<EOF
|
||||||
|
<div class="body_padded">
|
||||||
|
<h1>Vulnerability: Weak Session IDs</h1>
|
||||||
|
<p>
|
||||||
|
This page will set a new cookie called dvwaSession each time the button is clicked.<br />
|
||||||
|
</p>
|
||||||
|
<form method="post">
|
||||||
|
<input type="submit" value="Generate" />
|
||||||
|
</form>
|
||||||
|
$html
|
||||||
|
|
||||||
|
EOF;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Maybe display this, don't think it is needed though
|
||||||
|
if (isset ($cookie_value)) {
|
||||||
|
$page[ 'body' ] .= <<<EOF
|
||||||
|
The new cookie value is $cookie_value
|
||||||
|
EOF;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
dvwaHtmlEcho( $page );
|
||||||
|
|
||||||
|
?>
|
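Review bot: `$method` is set to GET and switched to POST for the impossible level but never read; the form below is hard-coded to `method="post"` and every level's source checks REQUEST_METHOD for POST, so either drop the variable or use it. The commented-out block about displaying `$cookie_value` is dead code and should be removed rather than shipped.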
14
dvwa/vulnerabilities/weak_id/source/high.php
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$html = "";
|
||||||
|
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
|
if (!isset ($_SESSION['last_session_id_high'])) {
|
||||||
|
$_SESSION['last_session_id_high'] = 0;
|
||||||
|
}
|
||||||
|
$_SESSION['last_session_id_high']++;
|
||||||
|
$cookie_value = md5($_SESSION['last_session_id_high']);
|
||||||
|
setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], false, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
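Review bot: setcookie() is given `$_SERVER['HTTP_HOST']` as the cookie domain; that value is taken from the request's Host header and may include a port, which is not valid in a Domain attribute. Omitting the domain argument, so the browser scopes the cookie to the request host, is the safer default. The secure and httponly arguments are both false here, which contradicts the help text's claim of extra flags at this level.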
9
dvwa/vulnerabilities/weak_id/source/impossible.php
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$html = "";
|
||||||
|
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
|
$cookie_value = sha1(mt_rand() . time() . "Impossible");
|
||||||
|
setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true);
|
||||||
|
}
|
||||||
|
?>
|
13
dvwa/vulnerabilities/weak_id/source/low.php
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$html = "";
|
||||||
|
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
|
if (!isset ($_SESSION['last_session_id'])) {
|
||||||
|
$_SESSION['last_session_id'] = 0;
|
||||||
|
}
|
||||||
|
$_SESSION['last_session_id']++;
|
||||||
|
$cookie_value = $_SESSION['last_session_id'];
|
||||||
|
setcookie("dvwaSession", $cookie_value);
|
||||||
|
}
|
||||||
|
?>
|
9
dvwa/vulnerabilities/weak_id/source/medium.php
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
$html = "";
|
||||||
|
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
|
$cookie_value = time();
|
||||||
|
setcookie("dvwaSession", $cookie_value);
|
||||||
|
}
|
||||||
|
?>
|
58
dvwa/vulnerabilities/xss_d/help/help.php
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
<div class="body_padded">
|
||||||
|
<h1>Help - Cross Site Scripting (DOM Based)</h1>
|
||||||
|
|
||||||
|
<div id="code">
|
||||||
|
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
|
||||||
|
<tr>
|
||||||
|
<td><div id="code">
|
||||||
|
<h3>About</h3>
|
||||||
|
<p>"Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.
|
||||||
|
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script,
|
||||||
|
to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output,
|
||||||
|
without validating or encoding it.</p>
|
||||||
|
|
||||||
|
<p>An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted,
|
||||||
|
and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other
|
||||||
|
sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.</p>
|
||||||
|
|
||||||
|
<p>DOM Based XSS is a special case of reflected where the JavaScript is hidden in the URL and pulled out by JavaScript in the page while it is rendering rather than being embedded in the page when it is served. This can make it stealthier than other attacks and WAFs or other protections which are reading the page body do not see any malicious content.</p>
|
||||||
|
|
||||||
|
<p><hr /></p>
|
||||||
|
|
||||||
|
<h3>Objective</h3>
|
||||||
|
<p>Run your own JavaScript in another user's browser, use this to steal the cookie of a logged in user.</p>
|
||||||
|
|
||||||
|
<p><hr /></p>
|
||||||
|
|
||||||
|
<h3>Low Level</h3>
|
||||||
|
<p>Low level will not check the requested input, before including it to be used in the output text.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler"><?=htmlentities ("/vulnerabilities/xss_d/?default=English<script>alert(1)</script>")?></span>.</pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>Medium Level</h3>
|
||||||
|
<p>The developer has tried to add a simple pattern matching to remove any references to "<script" to disable any JavaScript. Find a way to run JavaScript without using the script tags.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">You must first break out of the select block then you can add an image with an onerror event:<br />
|
||||||
|
<?=htmlentities ("/vulnerabilities/xss_d/?default=English>/option></select><img src='x' onerror='alert(1)'>");?></span>.</pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>High Level</h3>
|
||||||
|
<p>The developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server.</p>
|
||||||
|
<pre>Spoiler: <span class="spoiler">The fragment section of a URL (anything after the # symbol) does not get sent to the server and so cannot be blocked. The bad JavaScript being used to render the page reads the content from it when creating the page.<br />
|
||||||
|
<?=htmlentities ("/vulnerabilities/xss_d/?default=English#<script>alert(1)</script>")?></span>.</pre>
|
||||||
|
|
||||||
|
<p><br /></p>
|
||||||
|
|
||||||
|
<h3>Impossible Level</h3>
|
||||||
|
<p>The contents taken from the URL are encoded by default by most browsers which prevents any injected JavaScript from being executed.</p>
|
||||||
|
</div></td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<br />
|
||||||
|
|
||||||
|
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' ); ?></p>
|
||||||
|
</div>
|
79
dvwa/vulnerabilities/xss_d/index.php
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
|
||||||
|
|
||||||
|
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
|
||||||
|
|
||||||
|
$page = dvwaPageNewGrab();
|
||||||
|
$page[ 'title' ] = 'Vulnerability: DOM Based Cross Site Scripting (XSS)' . $page[ 'title_separator' ].$page[ 'title' ];
|
||||||
|
$page[ 'page_id' ] = 'xss_d';
|
||||||
|
$page[ 'help_button' ] = 'xss_d';
|
||||||
|
$page[ 'source_button' ] = 'xss_d';
|
||||||
|
|
||||||
|
dvwaDatabaseConnect();
|
||||||
|
|
||||||
|
$vulnerabilityFile = '';
|
||||||
|
switch( $_COOKIE[ 'security' ] ) {
|
||||||
|
case 'low':
|
||||||
|
$vulnerabilityFile = 'low.php';
|
||||||
|
break;
|
||||||
|
case 'medium':
|
||||||
|
$vulnerabilityFile = 'medium.php';
|
||||||
|
break;
|
||||||
|
case 'high':
|
||||||
|
$vulnerabilityFile = 'high.php';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$vulnerabilityFile = 'impossible.php';
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/xss_d/source/{$vulnerabilityFile}";
|
||||||
|
|
||||||
|
# For the impossible level, don't decode the querystring
|
||||||
|
$decodeURI = "decodeURI";
|
||||||
|
if ($vulnerabilityFile == 'impossible.php') {
|
||||||
|
$decodeURI = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
$page[ 'body' ] = <<<EOF
|
||||||
|
<div class="body_padded">
|
||||||
|
<h1>Vulnerability: DOM Based Cross Site Scripting (XSS)</h1>
|
||||||
|
|
||||||
|
<div class="vulnerable_code_area">
|
||||||
|
|
||||||
|
<p>Please choose a language:</p>
|
||||||
|
|
||||||
|
<form name="XSS" method="GET">
|
||||||
|
<select name="default">
|
||||||
|
<script>
|
||||||
|
if (document.location.href.indexOf("default=") >= 0) {
|
||||||
|
var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
|
||||||
|
document.write("<option value='" + lang + "'>" + $decodeURI(lang) + "</option>");
|
||||||
|
document.write("<option value='' disabled='disabled'>----</option>");
|
||||||
|
}
|
||||||
|
|
||||||
|
document.write("<option value='English'>English</option>");
|
||||||
|
document.write("<option value='French'>French</option>");
|
||||||
|
document.write("<option value='Spanish'>Spanish</option>");
|
||||||
|
document.write("<option value='German'>German</option>");
|
||||||
|
</script>
|
||||||
|
</select>
|
||||||
|
<input type="submit" value="Select" />
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
EOF;
|
||||||
|
|
||||||
|
$page[ 'body' ] .= "
|
||||||
|
<h2>More Information</h2>
|
||||||
|
<ul>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' ) . "</li>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)' ) . "</li>
|
||||||
|
<li>" . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/blog/articles/dom-xss-explained/' ) . "</li>
|
||||||
|
</ul>
|
||||||
|
</div>\n";
|
||||||
|
|
||||||
|
dvwaHtmlEcho( $page );
|
||||||
|
|
||||||
|
?>
|
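Review bot: `switch( $_COOKIE[ 'security' ] )` reads the cookie without an isset guard, so a request that carries no security cookie raises an undefined-index notice before falling through to impossible.php; read it into a local with a default first (for example `$security = isset( $_COOKIE[ 'security' ] ) ? $_COOKIE[ 'security' ] : 'impossible';`). `dvwaDatabaseConnect()` is called although nothing on this page touches the database; drop it. The `$decodeURI` trick deserves a comment inside the `<script>` block: in the heredoc the impossible level emits `(lang)` instead of `decodeURI(lang)`, which is valid JavaScript and is the entire difference between the levels on the client side, but nobody reading the rendered page will guess that the wrapper is chosen per level on the server. Note also that `lang` is written into both an attribute value and element text by `document.write` at every level, so the comment should make clear that the level files only gate the server-side `default` parameter and never touch what the script reads from `location.href`.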
dvwa/vulnerabilities/xss_d/source/high.php (new file, 20 lines)
@ -0,0 +1,20 @@
<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

# White list the allowable languages
switch ($_GET['default']) {
case "French":
case "English":
case "German":
case "Spanish":
# ok
break;
default:
header ("location: ?default=English");
exit;
}
}

?>
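Review bot: `!is_null ($_GET[ 'default' ])` is always true once `array_key_exists` has passed, because query-string values arrive as strings, so either drop it or check for the empty string (an empty `default=` currently reaches the switch and is redirected, which is fine, but the condition reads as if it guards something). The whitelist-and-redirect is the right shape for this level; a one-line comment noting that it only sees the query-string parameter, not anything the page script later reads from `location.href`, would document the intended gap between high and impossible that the help page already describes. Style: the file mixes `//` and `#` comment markers; pick one.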
dvwa/vulnerabilities/xss_d/source/impossible.php (new file, 5 lines)
@ -0,0 +1,5 @@
<?php

# Don't need to do anything, protction handled on the client side

?>
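Review bot: typo in the comment, `protction` should be `protection`, and the comment points the reader the wrong way: the file is empty by design, but the protection is not a browser feature acting on its own; it is index.php leaving out the `decodeURI` wrapper for this level so the percent-encoded value is written as-is. Say that here (for example "No server-side check; index.php skips decodeURI for this level, see the $decodeURI block") so someone reading the level sources in isolation finds the real control.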
dvwa/vulnerabilities/xss_d/source/low.php (new file, 5 lines)
@ -0,0 +1,5 @@
<?php

# No protections, anything goes

?>
dvwa/vulnerabilities/xss_d/source/medium.php (new file, 14 lines)
@ -0,0 +1,14 @@
<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
$default = $_GET['default'];

# Do not allow script tags
if (stripos ($default, "<script") !== false) {
header ("location: ?default=English");
exit;
}
}

?>
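Review bot: the `stripos ($default, "<script")` check is a single-token blacklist, which is the intended weakness of the medium level, but the `# Do not allow script tags` comment presents it as if it were a sanitiser; reword it to say explicitly that this is a deliberately incomplete blacklist and that high.php shows the whitelist approach, so the snippet is not lifted into real code. As in high.php, `!is_null ($_GET[ 'default' ])` is redundant after `array_key_exists`, and the file again mixes `//` and `#` comments.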
@ -1,5 +1,7 @@
<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
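Review bot: the added `header ("X-XSS-Protection: 0");` carries no comment. It switches off the browser's built-in reflected-XSS filter so the reflected exercise behaves the same in every browser; state that intent inline, and note that `header()` must run before any output (it does here, sitting directly after `<?php`). The identical line is added to two more level files in this commit; setting it once in the shared page setup for the reflected-XSS page would avoid three copies drifting apart.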
@ -1,5 +1,7 @@
<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Feedback for end user
@ -1,5 +1,7 @@
<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
@ -13,6 +13,11 @@ $page[ 'source_button' ] = 'xss_s';

dvwaDatabaseConnect();

if (array_key_exists ("btnClear", $_POST)) {
$query = "TRUNCATE guestbook;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
}

$vulnerabilityFile = '';
switch( $_COOKIE[ 'security' ] ) {
case 'low':
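Review bot: the new `btnClear` branch issues `TRUNCATE guestbook;` on any POST that contains that field, with no CSRF token check and independent of the security level, so a cross-site form post is enough to wipe the guestbook even on the impossible level. Gate it behind a server-side anti-CSRF token check (the same session-token pattern DVWA's other state-changing pages use) and document it as a lab reset helper rather than part of the exercise. The `or die( '<pre>' . mysqli_error(...) ... )` also prints the raw database error to the visitor; log it and show a generic message instead.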
@ -36,7 +41,7 @@ $page[ 'body' ] .= "
<h1>Vulnerability: Stored Cross Site Scripting (XSS)</h1>

<div class=\"vulnerable_code_area\">
<form method=\"post\" name=\"guestform\" onsubmit=\"return validate_form(this)\">
<form method=\"post\" name=\"guestform\" \">
<table width=\"550\" border=\"0\" cellpadding=\"2\" cellspacing=\"1\">
<tr>
<td width=\"100\">Name *</td>
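Review bot: the replacement form line `<form method=\"post\" name=\"guestform\" \">` leaves a stray `\"` behind where the onsubmit attribute was removed, so the page emits `<form method="post" name="guestform" ">` and relies on the browser's error recovery for the dangling quote. Remove the leftover so the tag is `<form method=\"post\" name=\"guestform\">`.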
@ -48,7 +53,10 @@ $page[ 'body' ] .= "
</tr>
<tr>
<td width=\"100\"> </td>
<td><input name=\"btnSign\" type=\"submit\" value=\"Sign Guestbook\" onClick=\"return checkForm();\"></td>
<td>
<input name=\"btnSign\" type=\"submit\" value=\"Sign Guestbook\" onclick=\"return validateGuestbookForm(this.form);\" />
<input name=\"btnClear\" type=\"submit\" value=\"Clear Guestbook\" onClick=\"return confirmClearGuestbook();\" />
</td>
</tr>
</table>\n";

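Review bot: `validateGuestbookForm` and `confirmClearGuestbook` are not defined anywhere in this diff, so these buttons depend on script that has to land in the same change; and the `confirm()` on the Clear button is a usability guard only, it does nothing for a POST that bypasses the page, so the server side still needs its own CSRF check for `btnClear`. Minor: the two inputs spell the attribute `onclick` and `onClick`; both work since HTML attribute names are case-insensitive, but use one form.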
@ -7,16 +7,16 @@ if( isset( $_POST[ 'btnSign' ] ) ) {

// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = mysql_real_escape_string( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );

// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = mysql_real_escape_string( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}
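Review bot: the MySQLConverterToo rewrite of each `mysql_real_escape_string` call is a one-line ternary whose fallback is `trigger_error(...) ? "" : ""`, so both branches of the inner ternary yield the empty string and the `[MySQLConverterToo]` message is left in shipping code; replace the pattern with a small escape helper that takes the `$GLOBALS["___mysqli_ston"]` handle, and keep the source-view lines readable since this file is shown to learners as the high-level source. Unchanged but worth a comment: `$message` is passed through `htmlspecialchars` before it is stored, so encoding happens at storage time rather than at output time, which ties the stored data to a single output context.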
@ -10,12 +10,12 @@ if( isset( $_POST[ 'btnSign' ] ) ) {

// Sanitize message input
$message = stripslashes( $message );
$message = mysql_real_escape_string( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );

// Sanitize name input
$name = stripslashes( $name );
$name = mysql_real_escape_string( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$name = htmlspecialchars( $name );

// Update database
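Review bot: this is the level that is supposed to show the correct handling, and the converted escape lines do not read as such; the same `((isset(...) && is_object(...)) ? mysqli_real_escape_string(...) : ((trigger_error(...)) ? "" : ""))` construct appears twice here with a dead `? "" : ""` branch. Factor it into one helper so the displayed source is something a learner can copy. Also, `htmlspecialchars( $message )` and `htmlspecialchars( $name )` are called with the PHP 5 default flags, which leave single quotes unencoded; pass `ENT_QUOTES` explicitly so the stored values are safe in single-quoted attribute contexts as well.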
@ -7,14 +7,14 @@ if( isset( $_POST[ 'btnSign' ] ) ) {

// Sanitize message input
$message = stripslashes( $message );
$message = mysql_real_escape_string( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitize name input
$name = mysql_real_escape_string( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}
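Review bot: the `//mysql_close();` line is now a stale remnant after the move to mysqli; remove it or replace it with the mysqli equivalent in a comment, otherwise the next converter pass will flag it again. The converted `mysqli_query(...) or die( '<pre>' . mysqli_error(...) ... )` keeps printing the raw database error into the response; that is acceptable for the low level only if it is documented as intentional, and the other levels should not inherit it.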
@ -7,16 +7,16 @@ if( isset( $_POST[ 'btnSign' ] ) ) {

// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = mysql_real_escape_string( $message );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );

// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = mysql_real_escape_string( $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

//mysql_close();
}
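Review bot: fourth copy of the same converter output in this commit; the escape ternary and the `or die(... mysqli_error ...)` error echo are duplicated verbatim across the level files, so any fix to the connection handling now has to be applied four times. Put the escape and the error handling in one helper in the shared include and call it from each level. The `// Sanitize name input` comment above `str_replace( '<script>', '', $name )` also deserves a note that this single-pass, case-sensitive replacement is the deliberately weak medium filter, not a recommended sanitiser.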