first commit

2016-12-02 17:19:11 -02:00 · 2016-12-02 17:19:11 -02:00 · f40a84879c
commit f40a84879c
parent 985a5c928c
551 changed files with 72374 additions and 24 deletions
--- a/dvwa/vulnerabilities/sqli_blind/cookie-input.php
+++ b/dvwa/vulnerabilities/sqli_blind/cookie-input.php
@ -0,0 +1,31 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ] = 'Blind SQL Injection Cookie Input' . $page[ 'title_separator' ].$page[ 'title' ];
+
+if( isset( $_POST[ 'id' ] ) ) {
+	setcookie( 'id', $_POST[ 'id' ]);
+	$page[ 'body' ] .= "Cookie ID set!<br /><br /><br />";
+	$page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";
+}
+
+$page[ 'body' ] .= "
+<form action=\"#\" method=\"POST\">
+	<input type=\"text\" size=\"15\" name=\"id\">
+	<input type=\"submit\" name=\"Submit\" value=\"Submit\">
+</form>
+<hr />
+<br />
+
+<button onclick=\"self.close();\">Close</button>";
+
+dvwaSourceHtmlEcho( $page );
+
+?>
+
+
--- a/dvwa/vulnerabilities/sqli_blind/help/help.php
+++ b/dvwa/vulnerabilities/sqli_blind/help/help.php
@ -0,0 +1,62 @@
+<div class="body_padded">
+	<h1>Help - SQL Injection (Blind)</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect.
+			Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message,
+			they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible.
+			An attacker can still steal data by asking a series of True and False questions through SQL statements, and monitoring how the web application response
+			(valid entry retunred or 404 header set).</p>
+
+		<p>"time based" injection method is often used when there is no visible feedback in how the page different in its response (hence its a blind attack).
+		 	This means the attacker will wait to see how long the page takes to response back. If it takes longer than normal, their query was successful.</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Find the version of the SQL database software through a blind SQL attack.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>The SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able
+			to execute any SQL query they wish.</p>
+		<pre>Spoiler: <span class="spoiler">?id=1' AND sleep 5&Submit=Submit</span>.</pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The medium level uses a form of SQL injection protection, with the function of
+			"<?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.mysql-real-escape-string.php', 'mysql_real_escape_string()' ); ?>".
+			However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered.</p>
+
+		<p>The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form.</p>
+		<pre>Spoiler: <span class="spoiler">?id=1 AND sleep 3&Submit=Submit</span>.</pre>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>This is very similar to the low level, however this time the attacker is inputting the value in a different manner.
+			The input values are being set on a different page, rather than a GET request.</p>
+		<pre>Spoiler: <span class="spoiler">ID: 1' AND sleep 10&Submit=Submit</span>.
+			Spoiler: <span class="spoiler">Should be able to cut out the middle man.</span>.</pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer,
+			and has distinguish which sections are code, and the rest is data.</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Blind_SQL_Injection' ); ?></p>
+</div>
--- a/dvwa/vulnerabilities/sqli_blind/index.php
+++ b/dvwa/vulnerabilities/sqli_blind/index.php
@ -0,0 +1,99 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: SQL Injection (Blind)' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'sqli_blind';
+$page[ 'help_button' ]   = 'sqli_blind';
+$page[ 'source_button' ] = 'sqli_blind';
+
+dvwaDatabaseConnect();
+
+$method            = 'GET';
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		$method = 'POST';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli_blind/source/{$vulnerabilityFile}";
+
+// Is PHP function magic_quotee enabled?
+$WarningHtml = '';
+if( ini_get( 'magic_quotes_gpc' ) == true ) {
+	$WarningHtml .= "<div class=\"warning\">The PHP function \"<em>Magic Quotes</em>\" is enabled.</div>";
+}
+// Is PHP function safe_mode enabled?
+if( ini_get( 'safe_mode' ) == true ) {
+	$WarningHtml .= "<div class=\"warning\">The PHP function \"<em>Safe mode</em>\" is enabled.</div>";
+}
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: SQL Injection (Blind)</h1>
+
+	{$WarningHtml}
+
+	<div class=\"vulnerable_code_area\">";
+if( $vulnerabilityFile == 'high.php' ) {
+	$page[ 'body' ] .= "Click <a href=\"#\" onClick=\"javascript:popUp('cookie-input.php');return false;\">here to change your ID</a>.";
+}
+else {
+	$page[ 'body' ] .= "
+		<form action=\"#\" method=\"{$method}\">
+			<p>
+				User ID:";
+	if( $vulnerabilityFile == 'medium.php' ) {
+		$page[ 'body' ] .= "\n				<select name=\"id\">";
+		$query  = "SELECT COUNT(*) FROM users;";
+		$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
+		$num    = mysql_result( $result, 0 );
+		$i      = 0;
+		while( $i < $num ) { $i++; $page[ 'body' ] .= "<option value=\"{$i}\">{$i}</option>"; }
+		$page[ 'body' ] .= "</select>";
+	}
+	else
+		$page[ 'body' ] .= "\n				<input type=\"text\" size=\"15\" name=\"id\">";
+
+	$page[ 'body' ] .= "\n				<input type=\"submit\" name=\"Submit\" value=\"Submit\">
+			</p>\n";
+
+	if( $vulnerabilityFile == 'impossible.php' )
+		$page[ 'body' ] .= "			" . tokenField();
+
+	$page[ 'body' ] .= "
+		</form>";
+}
+$page[ 'body' ] .= "
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'http://www.securiteam.com/securityreviews/5DP0N1P76E.html' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Blind_SQL_Injection' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://bobby-tables.com/' ) . "</li>
+	</ul>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>
--- a/dvwa/vulnerabilities/sqli_blind/source/high.php
+++ b/dvwa/vulnerabilities/sqli_blind/source/high.php
@ -0,0 +1,33 @@
+<?php
+
+if( isset( $_COOKIE[ 'id' ] ) ) {
+	// Get input
+	$id = $_COOKIE[ 'id' ];
+
+	// Check database
+	$getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
+	$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
+
+	// Get results
+	$num = @mysql_numrows( $result ); // The '@' character suppresses errors
+	if( $num > 0 ) {
+		// Feedback for end user
+		$html .= '<pre>User ID exists in the database.</pre>';
+	}
+	else {
+		// Might sleep a random amount
+		if( rand( 0, 5 ) == 3 ) {
+			sleep( rand( 2, 4 ) );
+		}
+
+		// User wasn't found, so the page wasn't!
+		header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
+
+		// Feedback for end user
+		$html .= '<pre>User ID is MISSING from the database.</pre>';
+	}
+
+	mysql_close();
+}
+
+?>
--- a/dvwa/vulnerabilities/sqli_blind/source/impossible.php
+++ b/dvwa/vulnerabilities/sqli_blind/source/impossible.php
@ -0,0 +1,35 @@
+<?php
+
+if( isset( $_GET[ 'Submit' ] ) ) {
+	// Check Anti-CSRF token
+	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+
+	// Get input
+	$id = $_GET[ 'id' ];
+
+	// Was a number entered?
+	if(is_numeric( $id )) {
+		// Check the database
+		$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
+		$data->bindParam( ':id', $id, PDO::PARAM_INT );
+		$data->execute();
+
+		// Get results
+		if( $data->rowCount() == 1 ) {
+			// Feedback for end user
+			$html .= '<pre>User ID exists in the database.</pre>';
+		}
+		else {
+			// User wasn't found, so the page wasn't!
+			header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
+
+			// Feedback for end user
+			$html .= '<pre>User ID is MISSING from the database.</pre>';
+		}
+	}
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>
--- a/dvwa/vulnerabilities/sqli_blind/source/low.php
+++ b/dvwa/vulnerabilities/sqli_blind/source/low.php
@ -0,0 +1,28 @@
+<?php
+
+if( isset( $_GET[ 'Submit' ] ) ) {
+	// Get input
+	$id = $_GET[ 'id' ];
+
+	// Check database
+	$getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+	$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
+
+	// Get results
+	$num = @mysql_numrows( $result ); // The '@' character suppresses errors
+	if( $num > 0 ) {
+		// Feedback for end user
+		$html .= '<pre>User ID exists in the database.</pre>';
+	}
+	else {
+		// User wasn't found, so the page wasn't!
+		header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
+
+		// Feedback for end user
+		$html .= '<pre>User ID is MISSING from the database.</pre>';
+	}
+
+	mysql_close();
+}
+
+?>
--- a/dvwa/vulnerabilities/sqli_blind/source/medium.php
+++ b/dvwa/vulnerabilities/sqli_blind/source/medium.php
@ -0,0 +1,26 @@
+<?php
+
+if( isset( $_POST[ 'Submit' ]  ) ) {
+	// Get input
+	$id = $_POST[ 'id' ];
+	$id = mysql_real_escape_string( $id );
+
+	// Check database
+	$getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
+	$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
+
+	// Get results
+	$num = @mysql_numrows( $result ); // The '@' character suppresses errors
+	if( $num > 0 ) {
+		// Feedback for end user
+		$html .= '<pre>User ID exists in the database.</pre>';
+	}
+	else {
+		// Feedback for end user
+		$html .= '<pre>User ID is MISSING from the database.</pre>';
+	}
+
+	//mysql_close();
+}
+
+?>