Fix bugs: CSRF redirects, generated setup URLs, redirects +

+ Brute - was missing the CSRF hidden input on high.
+ CSRF - Redirecting to the wrong pages
+ CSRF - Was checking the wrong value in places & not reading inputs in others
+ CSRF - Wasn't checking if the value was set
+ CSRF - Will display a message now when the CSRF value is incorrect
+ Setup - During setup, the URL could be incorrect if it didn't have `dvwa/` in the URL
+ Setup - Could be redirected to the wrong URL
+ Setup - Cleaner error message & menus
+ Setup - System check was using the wrong values
+ View Source All - Using wrong variable name

dvwa/includes/DBMS/MySQL.php

@@ -44,8 +44,8 @@
 // Insert some data into users
 // Get the base directory for the avatar media...
 $baseUrl  = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ];
-$stripPos = strpos( $baseUrl, 'dvwa/setup.php' );
-$baseUrl  = substr( $baseUrl, 0, $stripPos ).'dvwa/hackable/users/';
+$stripPos = strpos( $baseUrl, 'setup.php' );
+$baseUrl  = substr( $baseUrl, 0, $stripPos ).'hackable/users/';
 
 $insert = "INSERT INTO users VALUES
 	('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),

dvwa/includes/dvwaPage.inc.php

@@ -9,7 +9,6 @@
 
 // Include configs
 require_once DVWA_WEB_PAGE_TO_ROOT.'config/config.inc.php';
-
 require_once( 'dvwaPhpIds.inc.php' );
 
 // Declare the $html variable
@@ -252,7 +251,7 @@ function dvwaHtmlEcho( $pPage ) {
 
 	$systemInfoHtml = "";
 	if( dvwaIsLoggedIn() )
-		$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><b>Security Level:</b> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
+		$systemInfoHtml = "<div align=\"left\">{$userInfoHtml}<br /><em>Security Level:</em> {$securityLevelHtml}<br />{$phpIdsHtml}</div>";
 	if( $pPage[ 'source_button' ] ) {
 		$systemInfoHtml = dvwaButtonSourceHtmlGet( $pPage[ 'source_button' ] )." $systemInfoHtml";
 	}
@@ -440,25 +439,26 @@ function dvwaButtonSourceHtmlGet( $pId ) {
 	$DBMS_errorFunc = '';
 }
 
-$DBMS_connError = '
-	<div align="center">
-		<img src="'.DVWA_WEB_PAGE_TO_ROOT.'dvwa/images/logo.png" />
-		<pre>Unable to connect to the database.<br />'.$DBMS_errorFunc.'<br /><br /></pre>
-		Click <a href="'.DVWA_WEB_PAGE_TO_ROOT.'setup.php">here</a> to setup the database.
-	</div>';
+//$DBMS_connError = '
+//	<div align="center">
+//		<img src="'.DVWA_WEB_PAGE_TO_ROOT.'dvwa/images/logo.png" />
+//		<pre>Unable to connect to the database.<br />'.$DBMS_errorFunc.'<br /><br /></pre>
+//		Click <a href="'.DVWA_WEB_PAGE_TO_ROOT.'setup.php">here</a> to setup the database.
+//	</div>';
 
 function dvwaDatabaseConnect() {
 	global $_DVWA;
 	global $DBMS;
-	global $DBMS_connError;
+	//global $DBMS_connError;
 	global $db;
 
 	if( $DBMS == 'MySQL' ) {
 		if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] )
 		|| !@mysql_select_db( $_DVWA[ 'db_database' ] ) ) {
 			//die( $DBMS_connError );
-			dvwaMessagePush( $DBMS_connError );
-			dvwaRedirect( 'setup.php' );
+			dvwaLogout();
+			dvwaMessagePush( 'Unable to connect to the database.<br />'.$DBMS_errorFunc );
+			dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'setup.php' );
 		}
 		// MySQL PDO Prepared Statements (for impossible levels)
 		$db = new PDO('mysql:host='.$_DVWA[ 'db_server' ].';dbname='.$_DVWA[ 'db_database' ].';charset=utf8', $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ]);
@@ -511,20 +511,21 @@ function dvwaGuestbook() {
 
 // Token functions --
 function generateTokens() {  # Generate a brand new (CSRF) token
-	if( isset( $_SESSION[ 'user_token' ] ) ) {
-		destroyTokens( $_SESSION[ 'user_token' ] );
+	if( isset( $_SESSION[ 'session_token' ] ) ) {
+		destroyTokens( $_SESSION[ 'session_token' ] );
 	}
 	$_SESSION[ 'session_token' ] = md5( uniqid() );
 }
 
-function checkTokens( $user_token , $returnURL ) {  # Validate the given (CSRF) token
-	if( $user_token !== $_SESSION[ 'session_token' ] ) {
+function checkTokens( $user_token, $returnURL ) {  # Validate the given (CSRF) token
+	if( $user_token !== $_SESSION[ 'session_token' ] || !isset( $_SESSION[ 'session_token' ] ) ) {
+		dvwaMessagePush( 'CSRF token is incorrect' );
 		dvwaRedirect( $returnURL );
 	}
 }
 
-function destroyTokens( $user_token ) {  # Destroy any session with the name 'user_token'
-	unset( $_SESSION['user_token'] );
+function destroyTokens( $token ) {  # Destroy any session with the name 'session_token'
+	unset( $token );
 }
 
 function tokenField() {  # Return a field for the (CSRF) token
@@ -533,14 +534,16 @@ function tokenField() {  # Return a field for the (CSRF) token
 // -- END (Token functions)
 
 
+$PHPUploadPath    = realpath( getcwd() )."/hackable/uploads/";
+$PHPIDSPath       = realpath( getcwd() )."/external/phpids/0.6/lib/IDS/tmp/";
 $phpSafeMode      = 'PHP safe mode: <em>' . ( ini_get( 'safe_mode' )  ? 'Enabled' : 'Disabled' ) . '</em>';               // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
 $phpDisplayErrors = 'PHP display errors: <em>'.( ini_get( 'display_errors' )  ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' );  // Verbose error messages (e.g. full path disclosure)
-$phpURLInclude    = 'PHP allow URL Include: <em>'.( ini_get( 'allow_url_include' )  ? 'Enabled' : 'Disabled' ) . '</em>'; // RFI
+$phpURLInclude    = 'PHP allow URL include: <em>'.( ini_get( 'allow_url_include' )  ? 'Enabled' : 'Disabled' ) . '</em>'; // RFI
 $phpURLFopen      = 'PHP allow URL fopen: <em>'.( ini_get( 'allow_url_fopen' )  ? 'Enabled' : 'Disabled' ) . '</em>';     // RFI
 $phpMagicQuotes   = 'PHP magic quotes: <em>' . ( ini_get( 'magic_quotes_gpc' )  ? 'Enabled(*)' : 'Disabled' ) . '</em>';  // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
-$DVWARecaptcha    = 'reCAPTCHA key: <em>' . ( isset ( $_DVWA[ 'recaptcha_public_key' ] ) ? $_DVWA[ 'recaptcha_public_key' ] : 'Missing(*)' ) . '</em>';
-$DVWAUploadsWrite = 'Writable "/hackable/uploads/": <em>' . ( is_writable( realpath( dirname( dirname( getcwd() ) ) )."/hackable/uploads/" ) ? 'Yes' : 'No(*)' ) . '</em>';  // File Upload
-$DVWAPHPWrite     = 'Writable "/external/phpids/0.6/lib/IDS/tmp": <em>' . ( is_writable( realpath( dirname( dirname( getcwd() ) ) )."external/phpids/0.6/lib/IDS/tmp" ) ? 'Yes' : 'No(*)' ) . '</em>';  // PHPIDS
+$DVWARecaptcha    = 'reCAPTCHA key: <em>' . ( ( isset( $_DVWA[ 'recaptcha_public_key' ] ) && $_DVWA[ 'recaptcha_public_key' ] != '' ) ? $_DVWA[ 'recaptcha_public_key' ] : 'Missing(*)' ) . '</em>';
+$DVWAUploadsWrite = 'Writable '.$PHPUploadPath.': <em>' . ( is_writable( $PHPUploadPath ) ? 'Yes' : 'No(*)' ) . '</em>';  // File Upload
+$DVWAPHPWrite     = 'Writable '.$PHPIDSPath.': <em>' . ( is_writable( $PHPIDSPath ) ? 'Yes' : 'No(*)' ) . '</em>';  // PHPIDS
 $DVWAOS           = 'Operating system: <em>' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '</em>';
 
 ?>

login.php

@@ -1,7 +1,6 @@
 <?php
 
 define( 'DVWA_WEB_PAGE_TO_ROOT', '' );
-
 require_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/dvwaPage.inc.php';
 
 dvwaPageStartup( array( 'phpids' ) );
@@ -10,7 +9,7 @@
 
 if( isset( $_POST[ 'Login' ] ) ) {
 	// Anti-CSRF
-	checkTokens( $_REQUEST[ 'user_token' ], 'index.php' );
+	checkTokens( $_REQUEST[ 'user_token' ], 'login.php' );
 
 	$user = $_POST[ 'username' ];
 	$user = stripslashes( $user );
@@ -27,16 +26,16 @@
 				LIMIT 1");
 	$result = @mysql_query( $query );
 	if( mysql_num_rows( $result ) != 1 ) {
-		dvwaMessagePush( "First time.<br />Need to run 'setup.php'." );
-		dvwaRedirect( 'setup.php' );
+		dvwaMessagePush( "First time using DVWA.<br />Need to run 'setup.php'." );
+		dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'setup.php' );
 	}
 
 	$query  = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
 	$result = @mysql_query( $query ) or die( '<pre>' . mysql_error() . '.<br />Try <a href="setup.php">installing again</a>.</pre>' );
 	if( $result && mysql_num_rows( $result ) == 1 ) {    // Login Successful...
 		dvwaMessagePush( "You have logged in as '{$user}'" );
 		dvwaLogin( $user );
-		dvwaRedirect( 'index.php' );
+		dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.'index.php' );
 	}
 
     // Login failed

security.php

@@ -12,7 +12,7 @@
 $securityHtml = '';
 if( isset( $_POST['seclev_submit'] ) ) {
 	// Anti-CSRF
-	checkTokens( $_REQUEST[ 'user_token' ] , 'index.php' );
+	checkTokens( $_REQUEST[ 'user_token' ], 'security.php' );
 
 	$securityLevel = '';
 	switch( $_POST[ 'security' ] ) {

setup.php

@@ -11,7 +11,7 @@
 
 if( isset( $_POST[ 'create_db' ] ) ) {
 	// Anti-CSRF
-	checkTokens( $_REQUEST[ 'user_token' ] , 'index.php' );
+	checkTokens( $_REQUEST[ 'user_token' ], 'setup.php' );
 
 	if( $DBMS == 'MySQL' ) {
 		include_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/DBMS/MySQL.php';
@@ -67,6 +67,8 @@
 		<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">
 		".tokenField()."
 	</form>
+	<br />
+	<hr />
 </div>
 ";
 

vulnerabilities/brute/index.php

@@ -50,7 +50,7 @@
 			<input type=\"submit\" value=\"Login\" name=\"Login\">
 ";
 
-if( $vulnerabilityFile == 'impossible.php' )
+if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' )
 	$page[ 'body' ] .= "			" . tokenField();
 
 $page[ 'body' ] .= "

vulnerabilities/brute/source/high.php

@@ -2,7 +2,7 @@
 
 if( isset( $_GET[ 'Login' ] ) ) {
 	// Anti-CSRF
-	checkTokens( $_POST[ 'token' ] , "index.php");
+	checkTokens( $_REQUEST[ 'user_token' ], 'index.php');
 
 	// Sanitise username input
 	$user = $_GET[ 'username' ];
@@ -28,7 +28,7 @@
 	}
 	else {
 		// Login failed
-		sleep(3);
+		sleep( rand( 0, 3 ) );
 		$html .= "<pre><br />Username and/or password incorrect.</pre>";
 	}
 }

vulnerabilities/sqli/session-input.php

@@ -1,4 +1,5 @@
 <?php
+
 define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
 require_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/dvwaPage.inc.php';
 

vulnerabilities/sqli_blind/session-input.php → vulnerabilities/sqli_blind/cookie-input.php

@@ -1,4 +1,5 @@
 <?php
+
 define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
 require_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/dvwaPage.inc.php';
 

vulnerabilities/sqli_blind/index.php

@@ -53,7 +53,7 @@
 
 	<div class=\"vulnerable_code_area\">";
 if( $vulnerabilityFile == 'high.php' ){
-	$page[ 'body' ] .= "Click <a href=\"#\" onClick=\"javascript:popUp('session-input.php');return false;\">here to change your ID</a>.";
+	$page[ 'body' ] .= "Click <a href=\"#\" onClick=\"javascript:popUp('cookie-input.php');return false;\">here to change your ID</a>.";
 }
 else {
 	$page[ 'body' ] .= "

vulnerabilities/upload/source/high.php

@@ -2,7 +2,7 @@
 
 if( isset( $_POST[ 'Upload' ] ) ) {
 	// Anti-CSRF
-	checkTokens( $_POST[ 'token' ] , "index.php");
+	checkTokens( $_REQUEST[ 'user_token' ], 'index.php');
 
 	$target_path   = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
 	$target_path   = $target_path . basename( $_FILES[ 'uploaded' ][ 'name' ] );

vulnerabilities/view_source.php

@@ -60,7 +60,7 @@
 	<br /> <br />
 
 	<form>
-		<input type=\"button\" value=\"Compare Levels\" onclick=\"window.location.href='view_source_all.php?id=$id'\">
+		<input type=\"button\" value=\"Compare All Levels\" onclick=\"window.location.href='view_source_all.php?id=$id'\">
 	</form>
 </div>
 ";

vulnerabilities/view_source_all.php

@@ -62,7 +62,7 @@
 	<h3>Impossible {$vuln} Source</h3>
 	<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
 		<tr>
-			<td><div id=\"code\">{$imphsrc}</div></td>
+			<td><div id=\"code\">{$impsrc}</div></td>
 		</tr>
 	</table>
 	<br />