new vulnerabilities added with some existing code fixes
XPATH
 - item note found in the first page
Session Flaws
 - minor change in the static content
SSTI
 - minor change in the static content
CSRF
 - minor fix
IDOR
 - minor fix
Missing functional access
 - minor fix
Stored XSS
 - minor changes

New
 - Formula Injection
 - PHP Object Injection
s4n7h0 committed Dec 20, 2015
1 parent 2da8195 commit 8092b5c
Showing 26 changed files with 358 additions and 95 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -4,14 +4,16 @@ XVWA is a badly coded web application written in PHP/MySQL that helps security e


![Image of XVWA Home Page]
(https://pbs.twimg.com/media/CRm5t-pUAAA6SAf.png:large)
(https://pbs.twimg.com/media/CWsFq1SVEAACsCh.png:large)

XVWA is designed to understand following security issues.

+ SQL Injection – Error Based
+ SQL Injection – Blind
+ OS Command Injection
+ XPATH Injection
+ Formula Injection
+ PHP Object Injection
+ Unrestricted File Upload
+ Reflected Cross Site Scripting
+ Stored Cross Site Scripting
4 changes: 3 additions & 1 deletion config.php
Expand Up @@ -5,5 +5,7 @@
$user = 'root';
$pass = '';
$conn = mysql_connect($host,$user,$pass);
$conn1 = new mysqli($host, $user, $pass, $dbname);
$conn = mysql_select_db($dbname);
$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
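Review bot: `$conn = mysql_select_db($dbname);` reuses `$conn` for the boolean result of the select, so the link resource returned by `mysql_connect` on the line above is discarded; every later `mysql_query()` in the repository now depends on the implicit last-opened link, and any `if($conn)` guard only reports whether the database was selected, not whether a connection exists. Keep the link in `$conn` and put the select result in its own variable, e.g. `$dbselect = mysql_select_db($dbname, $conn);`. Separately, `PDO::ERRMODE_EXCEPTION` with no try/catch around the `new PDO(...)` means a failed connection can surface the DSN and user name in an uncaught PDOException trace when display_errors is on; acceptable for a local lab, but worth a comment so the behaviour is understood.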
4 changes: 0 additions & 4 deletions css/shop-item.css
Expand Up @@ -8,10 +8,6 @@ body {
padding-top: 70px; /* Required padding for .navbar-fixed-top. Remove if using .navbar-static-top. Change if height of navigation changes. */
}

.thumbnail img {
width: 100%;
}

.ratings {
padding-right: 10px;
padding-left: 10px;
2 changes: 1 addition & 1 deletion header.php
@@ -1,4 +1,4 @@

<link rel="icon" type="image/png" href="/xvwa/img/xvwa-logo-1.png" />
<div class="container">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
4 changes: 3 additions & 1 deletion home.html
Expand Up @@ -4,7 +4,7 @@
-->
<div class="caption-full">
<h4><a href="#">Xtreme Vulnerable Web Application (XVWA)</a></h4>

<center><img src="img/xvwa-logo.png"></center>
<p align="justify">
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility.
</p>
Expand All @@ -15,6 +15,8 @@ <h4><a href="#">Xtreme Vulnerable Web Application (XVWA)</a></h4>
<li>SQL Injection – Blind</li>
<li>OS Command Injection</li>
<li>XPATH Injection </li>
<li>Formula Injection </li>
<li>PHP Object Injection </li>
<li>Unrestricted File Upload</li>
<li>Reflected Cross Site Scripting</li>
<li>Stored Cross Site Scripting </li>
Binary file removed img/Product_basket.png
Binary file removed img/product-300x300.png
Binary file added img/xvwa-logo-1.png
Binary file added img/xvwa-logo.png
2 changes: 1 addition & 1 deletion index.php
Expand Up @@ -17,7 +17,7 @@

<!-- Custom CSS -->
<link href="css/shop-item.css" rel="stylesheet">

<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
3 changes: 1 addition & 2 deletions login.php
Expand Up @@ -4,9 +4,8 @@
$password = md5($_POST['password']);
$ActiveUser = '';
include_once('config.php');
$conn = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$sql = "select username from users where username=:username and password=:password";
$stmt = $conn->prepare($sql);
$stmt = $conn1->prepare($sql);
$stmt->bindParam(':username',$uname);
$stmt->bindParam(':password',$password);
$stmt->execute();
20 changes: 9 additions & 11 deletions setup/home.php
Expand Up @@ -20,13 +20,13 @@
</div>
<?php
//include(dirname(__FILE__).DIRECTORY_SEPARATOR.'..'.DIRECTORY_SEPARATOR.'/xvwa/config.php');

include('../config.php');
function cleanup($conn,$XVWA_WEBROOT){
// clean the database
$tables = array('comments','caffaine','users');
for($i=0;$i<count($tables);$i++){
$sql = 'DROP TABLE '. $tables[$i].';';
$sqlexec = mysql_query($sql,$conn);
$sqlexec = mysql_query($sql);
}
// clean extra files
$files = glob($_SERVER['DOCUMENT_ROOT'].'/'.$XVWA_WEBROOT.'/xvwa/img/uploads/*');
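Review bot: after dropping the link argument from `mysql_query($sql);`, the `$conn` parameter of `cleanup($conn,$XVWA_WEBROOT)` is no longer used inside the function; either pass it through again as `mysql_query($sql, $conn)` or remove the parameter so the signature does not suggest a dependency that is not there. The return value `$sqlexec` is also never inspected and the statement is `DROP TABLE` without `IF EXISTS`, so a failed drop is silent and only shows up later when the corresponding `CREATE TABLE` fails.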
Expand All @@ -46,14 +46,12 @@ function cleanup($conn,$XVWA_WEBROOT){
die("<li class=\"cross\">Connection Failed. Check the configuration file.".mysql_error()."</li>");
}else{
//connection successfull.
$dbselect=mysql_select_db($dbname,$conn);
if($dbselect){
cleanup($conn,$XVWA_WEBROOT);
echo "<li class=\"tick\">Connected to database sucessfully.</li>";
// creating comment tables
$table_comment=mysql_query('CREATE TABLE comments(id int not null primary key auto_increment,user varchar(30),comment varchar(100),date varchar(30))',$conn);
$table_comment=mysql_query('CREATE TABLE comments(id int not null primary key auto_increment,user varchar(30),comment varchar(100),date varchar(30))');
if($table_comment){
$insert_comment=mysql_query('INSERT INTO comments (id,user,comment,date) VALUES (\'1\', \'admin\', \'Keep posting your comments here \', \'10 Aug 2015\');',$conn);
$insert_comment=mysql_query('INSERT INTO comments (id,user,comment,date) VALUES (\'1\', \'admin\', \'Keep posting your comments here \', \'10 Aug 2015\');');
if($insert_comment){
echo "<li class=\"tick\">Table comments sucessfully.</li>";
}else{
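Review bot: removing `$dbselect=mysql_select_db($dbname,$conn); if($dbselect){` makes this file rely on config.php having already selected the database, and `cleanup($conn,$XVWA_WEBROOT)` now runs unconditionally after a successful connect. The `else` branches further down that print "Failed to use/select database" no longer correspond to a select failure; they fire only when a `CREATE TABLE` fails, so reword them (for example "Failed to create table; check that the database exists"). Note also that the `die()` at the top of this hunk echoes `mysql_error()` straight to the browser, which is fine for a local setup page but should not be copied elsewhere.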
Expand All @@ -64,7 +62,7 @@ function cleanup($conn,$XVWA_WEBROOT){
}

//creating product_caffe table
$table_product=mysql_query('CREATE TABLE caffaine(itemid int not null primary key auto_increment, itemcode varchar(15),itemdisplay varchar(500),itemname varchar(50),itemdesc varchar(1000),categ varchar(200),price varchar(20))',$conn);
$table_product=mysql_query('CREATE TABLE caffaine(itemid int not null primary key auto_increment, itemcode varchar(15),itemdisplay varchar(500),itemname varchar(50),itemdesc varchar(1000),categ varchar(200),price varchar(20))');
if($table_product){
$itemcode = array('XVWA0987','XVWA3876','XVWA4589','XVWA7619','XVWA5642','XVWA7569','XVWA3671','XVWA1672','XVWA4276','XVWA9680');
$itemname = array('Affogato','Americano','Bicerin','Café Bombón','Café au lait','Caffé corretto','Caffé latte','Café mélange','Cafe mocha','Cappuccino');
Expand All @@ -74,7 +72,7 @@ function cleanup($conn,$XVWA_WEBROOT){
for($i = 0; $i<count($itemcode); $i++){
$pic = $XVWA_WEBROOT.'/xvwa/img/'.$itemcode[$i].'.png';
$sql = 'INSERT into caffaine(itemcode,itemdisplay,itemname,itemdesc,categ,price) VALUES (\''.$itemcode[$i].'\',\''.$pic.'\',\''.$itemname[$i].'\',\''.$itemdesc[$i].'\',\''.$categ[$i].'\',\''.$itemprice[$i].'\');';
$insert_product=mysql_query($sql,$conn);
$insert_product=mysql_query($sql);
}
if($insert_product){
echo "<li class=\"tick\">Table products created sucessfully.</li>";
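Review bot: `if($insert_product)` after the loop reflects only the last `mysql_query($sql);` call, so an earlier failed insert is still reported as "created sucessfully" (also a typo for "successfully"). Track a failure flag inside the loop, e.g. `$ok = mysql_query($sql) && $ok;`, and test that instead. The INSERT is built by string concatenation of the seed arrays; the values are literals today, but they should go through `mysql_real_escape_string()` so that adding a name containing a quote does not break the seeding.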
Expand All @@ -85,13 +83,13 @@ function cleanup($conn,$XVWA_WEBROOT){
echo "<li class=\"cross\">Failed to use/select database. Check the configuration file.".mysql_error()."</li>";
}
//creating user table
$table_user=mysql_query("CREATE table users(uid int not null primary key auto_increment, username varchar(20),password varchar(50))",$conn);
$table_user=mysql_query("CREATE table users(uid int not null primary key auto_increment, username varchar(20),password varchar(50))");
if($table_user){
$uname = array('admin','xvwa','user');
$pwd = array('21232f297a57a5a743894a0e4a801fc3','570992ec4b5ad7a313f5dc8fd0825395','25890deab1075e916c06b9e1efc2e25f');
for($i=0;$i<count($uname);$i++){
$sql = "INSERT INTO users (username,password) values ('".$uname[$i]."','".$pwd[$i]."')";
$insert_user=mysql_query($sql,$conn);
$insert_user=mysql_query($sql);
}
if($insert_user){
echo "<li class=\"tick\">Table users created sucessfully.</li>";
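Review bot: same last-iteration problem as the products loop: `if($insert_user)` only checks the result of the third insert. Separately, the seeded `password` column holds unsalted MD5 digests, which matches the `md5($_POST['password'])` lookup in login.php; that is the lab's intended design, but a comment saying so in this file would stop a reader from mistaking it for a recommended pattern.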
Expand All @@ -102,7 +100,7 @@ function cleanup($conn,$XVWA_WEBROOT){
echo "<li class=\"cross\">Failed to use/select database. Check the configuration file.".mysql_error()."</li>";
}

}


echo "<br><li class=\"tick\">Setup finished</li>";

2 changes: 2 additions & 0 deletions sidepanel.php
Expand Up @@ -10,6 +10,8 @@
<a href="/xvwa/vulnerabilities/sqli_blind/" class="list-group-item">SQL Injection (Blind)</a>
<a href="/xvwa/vulnerabilities/cmdi/" class="list-group-item">OS Command Injection</a>
<a href="/xvwa/vulnerabilities/xpath/" class="list-group-item">XPATH Injection</a>
<a href="/xvwa/vulnerabilities/formula_injection/" class="list-group-item">Formula Injection</a>
<a href="/xvwa/vulnerabilities/php_object_injection/" class="list-group-item">PHP Object Injection</a>
<a href="/xvwa/vulnerabilities/fileupload/" class="list-group-item">Unrestricted File Upload</a>
<a href="/xvwa/vulnerabilities/reflected_xss/" class="list-group-item">XSS - Reflected</a>
<a href="/xvwa/vulnerabilities/stored_xss/" class="list-group-item">XSS - Stored</a>
31 changes: 17 additions & 14 deletions vulnerabilities/csrf/home.php
Expand Up @@ -26,27 +26,30 @@
</div>
</form>
<?php
if($_session['user']){
$password = $_GET['passwd'];
$confirm = $_GET['confirm'];
if(!empty($submit)){
$current_user = isset($_SESSION['user']) ? $_SESSION['user'] : '' ;
$password = isset($_GET['passwd']) ? $_GET['passwd'] : '' ;
$confirm = isset($_GET['confirm']) ? $_GET['confirm'] : '' ;
include('../../config.php');
if($current_user){
if(isset($_GET['submit'])){
if(empty($password) && empty($password)){
echo "Passwords can not be blank !! Try Again ";
}else if($password != $confirm){
echo "Passwords dont match !! Try Again";
echo "Passwords don't match !! Try Again";
}else{
echo ucfirst(($_SESSION['user']));
//include(dirname(__FILE__).DIRECTORY_SEPARATOR.'..'.DIRECTORY_SEPARATOR.'xvwa/config.php');
$conn = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $conn->prepare("UPDATE users set password=:pass where username=:user");
$stmt = $conn1->prepare("UPDATE users set password=:pass where username=:user");
$stmt->bindParam(':pass', md5($password));
$stmt->bindParam(':user', $_SESSION['user']);
$stmt->execute();
echo $stmt->rowCount() . " records UPDATED successfully";
$stmt->bindParam(':user', $current_user);
$stmt->execute();
if($stmt->rowCount() > 0){
echo "<b>Password Changed successfully<br></b>";
}else{
echo "<b>Invalid user<br></b>";
}
}
}
}else{
echo "<b> You are not logged in. </b>";
}
?>
</p>
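Review bot: `if(empty($password) && empty($password)){` tests `$password` twice; it should be `if(empty($password) || empty($confirm))` so that either blank field is caught, otherwise a request with only the confirm field blank is reported as "Passwords don't match" instead of blank. Also `$stmt->bindParam(':pass', md5($password));` passes a function result where `bindParam` expects a variable by reference; use `bindValue(':pass', md5($password))` or assign the digest to a variable first. The `isset()` guards and the `$_session` to `$_SESSION` correction are good. The password change still arrives via GET with no anti-CSRF token, which is the lesson this module teaches, so keep it but say so in a comment next to the `if(isset($_GET['submit']))` check so a later cleanup does not remove it by accident.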
10 changes: 4 additions & 6 deletions vulnerabilities/fileupload/home.php
Expand Up @@ -66,14 +66,12 @@
//uploading file
$path = $_SERVER['DOCUMENT_ROOT'].'/xvwa/img/uploads/';
$path = $path . basename( $_FILES['image']['name']);
$rpath = '/xvwa/img/uploads/'.basename( $_FILES['image']['name']);
$rpath = $_SERVER['DOCUMENT_ROOT'].'/xvwa/img/uploads/'.basename( $_FILES['image']['name']);
if(!move_uploaded_file($_FILES['image']['tmp_name'], $path)) {
echo "There was an error uploading the file, please try again!";
}else{
$conn = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $conn->prepare("INSERT INTO caffaine (itemcode, itemname, itemdisplay, itemdesc, categ, price) VALUES (:itemcode, :itemname, :itemdisplay, :itemdesc, :categ, :price)");

$stmt = $conn1->prepare("INSERT INTO caffaine (itemcode, itemname, itemdisplay, itemdesc, categ, price) VALUES (:itemcode, :itemname, :itemdisplay, :itemdesc, :categ, :price)");
$stmt->bindParam(':itemcode', $itemcode);
$stmt->bindParam(':itemname', $itemname);
$stmt->bindParam(':itemdisplay', $rpath);
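Review bot: `$rpath` now carries the filesystem `$_SERVER['DOCUMENT_ROOT']` prefix but is bound to `itemdisplay`, which the seed data in setup/home.php fills with a web-relative path (`$XVWA_WEBROOT.'/xvwa/img/'...`) for use as an image source. An absolute server path stored there will not resolve in the browser and discloses the server's directory layout in the product listing. Keep `$rpath` web-relative as in the removed line and leave `$path` as the filesystem destination for `move_uploaded_file`.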
Expand All @@ -82,7 +80,7 @@
$stmt->bindParam(':price', $price);
$stmt->execute();
$sql = "select itemname,itemdisplay,itemdesc,categ,price from caffaine where itemcode = :itemcode";
$stmt = $conn->prepare($sql);
$stmt = $conn1->prepare($sql);
$stmt->bindParam(':itemcode',$itemcode);
$stmt->execute();
echo "<h4>Item Uploaded Successfully !!</h4><br>";
13 changes: 13 additions & 0 deletions vulnerabilities/formula_injection/export.php
@@ -0,0 +1,13 @@
<?php
header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename=xvwa-export.csv');

$output = fopen('php://output', 'w');

fputcsv($output, array('itemcode', 'itemname', 'categ','price'));

include('../../config.php');
$rows = mysql_query('SELECT itemcode,itemname,categ,price from caffaine');

while ($row = mysql_fetch_assoc($rows)) fputcsv($output, $row);
?>
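Review bot: the result of `mysql_query('SELECT itemcode,itemname,categ,price from caffaine');` is never checked, so if the query fails `mysql_fetch_assoc($rows)` receives `false` and the resulting warning is written into the CSV body after the headers have already been sent; test `$rows` and stop with an error status instead. `fclose($output)` is also missing at the end. Since this module exists to demonstrate CSV formula injection, writing cell values through `fputcsv` without neutralising a leading `=`, `+`, `-` or `@` is intentional; add a comment saying so, and describe the defensive fix (prefix such cells with a single quote or a tab, or reject them) in the module text so learners see both sides.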
63 changes: 63 additions & 0 deletions vulnerabilities/formula_injection/home.php
@@ -0,0 +1,63 @@


<div class="thumbnail">

<div class="caption-full">
<h4><a href="#">CSV Formula Injection</a></h4>

<p align="justify">
CSV Formula injection is also known as CSV Excel Macro Injection. This happens when the application does not validate the content of CSV file. Applications that allows to export/download data in CSV or excel format usually vulnerable to such attacks. </p>
<p>Read more about CVS Formula Injection <br>
<strong><a target="_blank" href="https://www.owasp.org/index.php/CSV_Excel_Macro_Injection">https://www.owasp.org/index.php/CSV_Excel_Macro_Injection</a></p></strong>

</div>

</div>

<div class="well">

<p>
<form method='post' action='export.php'>
<div class="form-group">
<label></label>
<div class="form-group" align="right">
<button class="btn btn-primary" name="action" value="export" type="submit">Export to CSV</button>
</div>
<div>
<br>
<?php



include('../../config.php');

if($conn){
$stmt = $conn1->prepare("SELECT itemcode,itemname,categ,price from caffaine");
$stmt->execute();
echo "<table class='table table-striped'>";
echo "<tr><th>Item Code</th><th>Item Name</th><th>Category</th><th>Price</th></tr>";
while($rows=$stmt->fetch(PDO::FETCH_NUM)){
echo "<tr>";
echo "<td>".htmlspecialchars($rows[0])."</td>";
echo "<td>".htmlspecialchars($rows[1])."</td>";
echo "<td>".htmlspecialchars($rows[2])."</td>";
echo "<td>$".htmlspecialchars($rows[3])."</td>";
echo "</tr>";
}
}
echo "</table>";

#$action = isset($_POST['action']) ? $_POST['action'] : '';



?>
</div>
<hr>
</div>
</form>
</p>

</div>

<?php include_once('../../about.html'); ?>
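Review bot: `if($conn){` guards on the mysql link/select result from config.php while the query itself uses the PDO handle `$conn1`; test `$conn1` instead, and move `echo "</table>";` inside the block so a failed connection does not emit a stray closing tag. In the static text, `<strong><a ...>...</a></p></strong>` closes the paragraph before the strong element, the `<form>` is nested inside a `<p>`, "Read more about CVS Formula Injection" should read "CSV", and "Applications that allows to export/download data ... usually vulnerable" should read "Applications that allow users to export or download data in CSV or Excel format are usually vulnerable". The commented-out `#$action = ...` line can go.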
72 changes: 72 additions & 0 deletions vulnerabilities/formula_injection/index.php
@@ -0,0 +1,72 @@
<?php session_start(); ?>
<!DOCTYPE html>
<html lang="en">

<head>

<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">

<title>XVWA - Xtreme Vulnerable Web Application </title>

<!-- Bootstrap Core CSS -->
<link href="../../css/bootstrap.min.css" rel="stylesheet">

<!-- Custom CSS -->
<link href="../../css/shop-item.css" rel="stylesheet">

<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->

</head>

<body>

<!-- Navigation -->
<nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<?php include("../../header.php") ?>
<!-- /.container -->
</nav>

<!-- Page Content -->
<div class="container">

<div class="row">

<div class="col-md-3">
<?php include("../../sidepanel.php") ?>
</div>

<div class="col-md-9">

<?php
include('home.php');

?>

</div>

</div>

</div>
<!-- /.container -->

<?php include("../../footer.html") ?>
<!-- /.container -->

<!-- jQuery -->
<script src="../../js/jquery.js"></script>

<!-- Bootstrap Core JavaScript -->
<script src="../../js/bootstrap.min.js"></script>

</body>

</html>

0 comments on commit 8092b5c