From 8cde8a25ec77f3ca30cb43124daf58e98af79f2a Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Thu, 8 Oct 2015 21:43:05 +0100 Subject: [PATCH] Improved IIS support & setup system checks --- CHANGELOG.md | 8 ++++++- README.md | 7 +++--- about.php | 15 ++++++------ dvwa/includes/DBMS/MySQL.php | 18 +++++++------- dvwa/includes/dvwaPage.inc.php | 39 ++++++++++++++++++------------- hackable/flags/fi.php | 4 ++-- setup.php | 11 +++++++-- vulnerabilities/captcha/index.php | 4 ++-- vulnerabilities/fi/help/help.php | 2 +- vulnerabilities/upload/index.php | 6 ++--- 10 files changed, 67 insertions(+), 47 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a8f38d8b7..082effb76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ DAMN VULNERABLE WEB APPLICATION ======================= +v1.10 (*Not Yet Released) +====== + ++ Improved IIS support. (@g0tmi1k) ++ Improved setup system check. (@g0tmi1k) + v1.9 (2015-10-05) ====== @@ -32,7 +38,7 @@ v1.9 (2015-10-05) + Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k) + Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k) + Updated README and documentation. (@g0tmi1k) -+ Various code cleanups in the core PHP files+CSS. (@g0tmi1k) ++ Various code cleanups in the core PHP files + CSS. (@g0tmi1k) + Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k) v1.8 (2013-05-01) diff --git a/README.md b/README.md index 1736317db..9a137301b 100644 --- a/README.md +++ b/README.md 
@@ -42,9 +42,9 @@ along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.o DVWA is available either as a package that will run on your own web server or as a Live CD: - + DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA` + DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.9.zip) - Released 2015-10-05 + DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08 + + DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA` - - - @@ -68,8 +68,7 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_: -`apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd` - +`apt-get -y install apache2 mysql-server php5 php5-mysql php5-gd` ### Database Setup @@ -160,7 +159,7 @@ With: ## Links -Homepage: http://www.dvwa.co.uk +Homepage: http://www.dvwa.co.uk/ Project Home: https://github.com/RandomStorm/DVWA diff --git a/about.php b/about.php index 4beb3a631..a556fe12b 100644 --- a/about.php +++ b/about.php @@ -11,7 +11,7 @@ $page[ 'body' ] .= "
-

About

+

About

Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

The official documentation for DVWA can be found here.

@@ -28,16 +28,16 @@

Credits

\n"; dvwaHtmlEcho( $page ); + exit; ?> diff --git a/dvwa/includes/DBMS/MySQL.php b/dvwa/includes/DBMS/MySQL.php index f68e836c3..7a54a74d7 100644 --- a/dvwa/includes/DBMS/MySQL.php +++ b/dvwa/includes/DBMS/MySQL.php @@ -7,7 +7,7 @@ */ if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ) ) { - dvwaMessagePush( "Could not connect to the database.
Please check the config file." ); + dvwaMessagePush( "Could not connect to the MySQL service.
Please check the config file." ); dvwaPageReload(); } @@ -15,13 +15,13 @@ // Create database $drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};"; if( !@mysql_query( $drop_db ) ) { - dvwaMessagePush( "Could not drop existing database
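Review bot: The reworded connection-failure message still drops the driver error, whereas every other failure branch in this file appends `SQL: " . mysql_error()`, so with the `@` on `mysql_connect()` a user running the new setup checks cannot tell a wrong password from an unreachable host or a missing `mysql` extension. Appending `"SQL: " . mysql_error()` to this message the way the drop/create branches do keeps the branches consistent and makes the failure diagnosable. Separately, the `mysql_*` extension this file depends on was deprecated in PHP 5.5 and removed in 7.0; the `$phpMySQL` check added elsewhere in this commit at least surfaces the dependency, but `mysqli`/PDO is the durable fix.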
SQL: ".mysql_error() ); + dvwaMessagePush( "Could not drop existing database
SQL: " . mysql_error() ); dvwaPageReload(); } $create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};"; if( !@mysql_query( $create_db ) ) { - dvwaMessagePush( "Could not create database
SQL: ".mysql_error() ); + dvwaMessagePush( "Could not create database
SQL: " . mysql_error() ); dvwaPageReload(); } dvwaMessagePush( "Database has been created." ); @@ -35,7 +35,7 @@ $create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));"; if( !mysql_query( $create_tb ) ) { - dvwaMessagePush( "Table could not be created
SQL: ".mysql_error() ); + dvwaMessagePush( "Table could not be created
SQL: " . mysql_error() ); dvwaPageReload(); } dvwaMessagePush( "'users' table was created." ); @@ -43,9 +43,9 @@ // Insert some data into users // Get the base directory for the avatar media... -$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ]; +$baseUrl = 'http://' . $_SERVER[ 'SERVER_NAME' ] . $_SERVER[ 'PHP_SELF' ]; $stripPos = strpos( $baseUrl, 'setup.php' ); -$baseUrl = substr( $baseUrl, 0, $stripPos ).'hackable/users/'; +$baseUrl = substr( $baseUrl, 0, $stripPos ) . 'hackable/users/'; $insert = "INSERT INTO users VALUES ('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'), @@ -54,7 +54,7 @@ ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'), ('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');"; if( !mysql_query( $insert ) ) { - dvwaMessagePush( "Data could not be inserted into 'users' table
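Review bot: The reformatted `$baseUrl` line still builds the avatar URLs that get written into the `users` table from `$_SERVER[ 'PHP_SELF' ]`, which carries any PATH_INFO the client appends to the request, and from `SERVER_NAME`, which on servers without a canonical name follows the Host header, so the stored URLs are partly request-controlled at setup time; the scheme is also hard-coded to `http://`, which breaks the images when DVWA is served over HTTPS — likely on an IIS deployment, the target of this commit. `$_SERVER[ 'SCRIPT_NAME' ]` has no PATH_INFO component and the scheme can be derived from the request, e.g. `$scheme = ( !empty( $_SERVER[ 'HTTPS' ] ) && $_SERVER[ 'HTTPS' ] !== 'off' ) ? 'https://' : 'http://';` followed by `$baseUrl = $scheme . $_SERVER[ 'SERVER_NAME' ] . $_SERVER[ 'SCRIPT_NAME' ];` (the `!== 'off'` matters because IIS sets `HTTPS=off` on plain connections). The `strpos( $baseUrl, 'setup.php' )` that follows also returns `false` when setup was reached under a rewritten path, and `substr( $baseUrl, 0, false )` is then an empty string, leaving relative `hackable/users/…` avatars; checking `$stripPos !== false` before the `substr` would make that explicit.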
SQL: ".mysql_error() ); + dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: " . mysql_error() ); dvwaPageReload(); } dvwaMessagePush( "Data inserted into 'users' table." ); @@ -63,7 +63,7 @@ // Create guestbook table $create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));"; if( !mysql_query( $create_tb_guestbook ) ) { - dvwaMessagePush( "Table could not be created
SQL: ".mysql_error() ); + dvwaMessagePush( "Table could not be created
SQL: " . mysql_error() ); dvwaPageReload(); } dvwaMessagePush( "'guestbook' table was created." ); @@ -72,7 +72,7 @@ // Insert data into 'guestbook' $insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');"; if( !mysql_query( $insert ) ) { - dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: ".mysql_error() ); + dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: " . mysql_error() ); dvwaPageReload(); } dvwaMessagePush( "Data inserted into 'guestbook' table." ); diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php index 88ff699b0..d2478e7d9 100644 --- a/dvwa/includes/dvwaPage.inc.php +++ b/dvwa/includes/dvwaPage.inc.php 
@@ -1,7 +1,7 @@ ' . ( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) -$phpSafeMode = 'PHP function safe_mode: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$phpMagicQuotes = 'PHP function magic_quotes_gpc: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 -$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI -$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI -$phpGD = 'PHP module php-gd: Installed' : 'failure">Missing' ) . ''; // File Upload +$PHPUploadPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" ) . DIRECTORY_SEPARATOR; +$PHPIDSPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "external" . DIRECTORY_SEPARATOR . "phpids" . DIRECTORY_SEPARATOR . dvwaPhpIdsVersionGet() . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "IDS" . DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR . "phpids_log.txt" ); + +$phpDisplayErrors = 'PHP function display_errors: ' . ( ini_get( 'display_errors' ) ? 'Enabled (Easy Mode!)' : 'Disabled' ); // Verbose error messages (e.g. full path disclosure) +$phpSafeMode = 'PHP function safe_mode: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpMagicQuotes = 'PHP function magic_quotes_gpc: Enabled' : 'success">Disabled' ) . ''; // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0 +$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI +$phpGD = 'PHP module gd: Installed' : 'failure">Missing' ) . ''; // File Upload +$phpMySQL = 'PHP module mysql: Installed' : 'failure">Missing' ) . 
''; // Core DVWA +$phpPDO = 'PHP module pdo_mysql: Installed' : 'failure">Missing' ) . ''; // SQLi $DVWARecaptcha = 'reCAPTCHA key: ' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . ''; -$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': Yes)' : 'failure">No' ) . ''; // File Upload -$DVWAPHPWrite = 'Writable file ' . $PHPIDSPath . ': Yes' : 'failure">No' ) . ''; // PHPIDS +$DVWAUploadsWrite = '[User: ' . get_current_user() . '] Writable folder ' . $PHPUploadPath . ': Yes' : 'failure">No' ) . ''; // File Upload +$DVWAPHPWrite = '[User: ' . get_current_user() . '] Writable file ' . $PHPIDSPath . ': Yes' : 'failure">No' ) . ''; // PHPIDS + +$DVWAOS = 'Operating system: ' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . ''; +$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF -$DVWAOS = 'Operating system: ' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . ''; -$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF +$MYSQL_USER = 'MySQL username: ' . $_DVWA[ 'db_user' ] . ''; +$MYSQL_PASS = 'MySQL password: ' . ( ($_DVWA[ 'db_password' ] != "" ) ? '******' : '*blank*' ) . ''; +$MYSQL_DB = 'MySQL database: ' . $_DVWA[ 'db_database' ] . ''; +$MYSQL_SERVER = 'MySQL host: ' . $_DVWA[ 'db_server' ] . ''; // -- END (Setup Functions) ?> diff --git a/hackable/flags/fi.php b/hackable/flags/fi.php index a9a29c42a..71e0ffeee 100644 --- a/hackable/flags/fi.php +++ b/hackable/flags/fi.php @@ -12,8 +12,8 @@ echo "2.) My name is Sherlock Holmes. It is my business to know what other people don't know.\n\n
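Review bot: The new `$PHPUploadPath` is `realpath( … 'uploads' ) . DIRECTORY_SEPARATOR`, and `realpath()` returns `false` when the directory does not exist, so on a broken install the variable degrades to a bare `/` (or `\`) and the "Writable folder" check — and the `is_writable( $PHPUploadPath )` in vulnerabilities/upload/index.php in this same patch — silently tests the filesystem root instead of reporting the missing directory. `$PHPIDSPath` has the same failure mode and then renders as an empty path in the `$DVWAPHPWrite` line. Keeping the unresolved path as a fallback makes the report point at the expected location: `$uploadDir = getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads";`, `$realUploadDir = realpath( $uploadDir );`, `$PHPUploadPath = ( $realUploadDir === false ? $uploadDir : $realUploadDir ) . DIRECTORY_SEPARATOR;`, and likewise for the PHPIDS log path.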

\n"; -$line3 = "3.) Romeo, Romeo! wherefore art thou Romeo?"; -$line3 = "--LINE MISSING--"; +$line3 = "3.) Romeo, Romeo! Wherefore art thou Romeo?"; +$line3 = "--LINE HIDDEN ;)--"; echo $line3 . "\n\n

\n"; $line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu"; diff --git a/setup.php b/setup.php index 9faffc6fd..bc42166d2 100644 --- a/setup.php +++ b/setup.php @@ -34,8 +34,8 @@

Database Setup

-

Click on the 'Create / Reset Database' button below to create or reset your database.
- If you get an error make sure you have the correct user credentials in: " . realpath( getcwd() ) . "/config/config.inc.php

+

Click on the 'Create / Reset Database' button below to create or reset your database.
+ If you get an error make sure you have the correct user credentials in: " . realpath( getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "

If the database already exists, it will be cleared and the data will be reset.
You can also use this to reset the administrator credentials (\"admin // password\") at any stage.
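Review bot: The new `realpath( getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php" )` in the credentials hint returns `false` when that file does not exist, which is precisely the situation the hint is meant to help with (the config not yet created), so the message then ends with "credentials in: " and no path at all. Computing the path once with a fallback avoids that: `$configPath = getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php";` then `$configPath = ( realpath( $configPath ) !== false ) ? realpath( $configPath ) : $configPath;` and interpolating `{$configPath}` in the string. Note that the `$page[ 'body' ] .= "…"` assignment this line sits in starts before the hunk.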

@@ -56,6 +56,13 @@ {$phpURLFopen}
{$phpMagicQuotes}
{$phpGD}
+ {$phpMySQL}
+ {$phpPDO}
+
+ {$MYSQL_USER}
+ {$MYSQL_PASS}
+ {$MYSQL_DB}
+ {$MYSQL_SERVER}

{$DVWARecaptcha}
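Review bot: The newly rendered `{$MYSQL_USER}`, `{$MYSQL_DB}` and `{$MYSQL_SERVER}` lines put live database connection details on the setup page, and as far as I can tell setup.php is served before any login, so this leaks the exact account and host an attacker would target (the password line is masked, but the username is not); that is outside DVWA's intentional vulnerability surface, which lives under vulnerabilities/. If the diagnostics are wanted pre-authentication, consider showing only whether each value is set rather than its contents, e.g. `$MYSQL_USER = 'MySQL username: ' . ( $_DVWA[ 'db_user' ] != "" ? '*set*' : '*blank*' ) . '';`, or add a comment above these four lines stating that DVWA must only ever be deployed on an isolated host so a later maintainer knows the disclosure is deliberate.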

diff --git a/vulnerabilities/captcha/index.php b/vulnerabilities/captcha/index.php index d02db91d5..3c7112fde 100644 --- a/vulnerabilities/captcha/index.php +++ b/vulnerabilities/captcha/index.php @@ -36,8 +36,8 @@ // Check if we have a reCAPTCHA key $WarningHtml = ''; if( $_DVWA[ 'recaptcha_public_key' ] == "" ) { - $WarningHtml = "
reCAPTCHA API key missing from config file: " . realpath( dirname( dirname( getcwd() ) ) . "/config/config.inc.php" ) . "
"; - $html = "Please register for a key from reCAPTCHA: " . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create'); + $WarningHtml = "
reCAPTCHA API key missing from config file: " . realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "
"; + $html = "Please register for a key from reCAPTCHA: " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/admin/create' ); $hide_form = true; } diff --git a/vulnerabilities/fi/help/help.php b/vulnerabilities/fi/help/help.php index 997577e1b..c02dfaf8e 100644 --- a/vulnerabilities/fi/help/help.php +++ b/vulnerabilities/fi/help/help.php @@ -20,7 +20,7 @@


Objective

-

Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.

+

Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.




diff --git a/vulnerabilities/upload/index.php b/vulnerabilities/upload/index.php index 442a7b04c..fd3766e11 100644 --- a/vulnerabilities/upload/index.php +++ b/vulnerabilities/upload/index.php @@ -33,12 +33,12 @@ // Check if folder is writeable $WarningHtml = ''; -if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) { - $WarningHtml .= "
Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "
Folder is not writable.
"; +if( !is_writable( $PHPUploadPath ) ) { + $WarningHtml .= "
Incorrect folder permissions: {$PHPUploadPath}
Folder is not writable.
"; } // Is PHP-GD installed? if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) { - $WarningHtml .= "
The PHP module PHP-GD is not installed.
"; + $WarningHtml .= "
The PHP module GD is not installed.
"; } $page[ 'body' ] .= "
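Review bot: The new `!is_writable( $PHPUploadPath )` check depends on `$PHPUploadPath` resolving to the real uploads directory, but that global — presumably the one defined in dvwaPage.inc.php in this same patch — is built as `realpath( … ) . DIRECTORY_SEPARATOR`, so when the uploads folder is missing `realpath()` returns `false`, the variable becomes a lone separator, and this line tests the filesystem root while the warning prints "Incorrect folder permissions: /". The robust fix belongs at the definition site (fall back to the unresolved path when `realpath()` fails), but this hunk can at least name the real cause by checking existence first: `if( !is_dir( $PHPUploadPath ) || !is_writable( $PHPUploadPath ) ) {` together with a message that distinguishes "folder not found" from "not writable". The `if` block this check sits in is fully inside the hunk; the include that defines `$PHPUploadPath` is not visible here.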