Improved IIS support & setup system checks

Author: g0tmi1k

CHANGELOG.md

@@ -1,6 +1,12 @@
 DAMN VULNERABLE WEB APPLICATION
 =======================
 
+v1.10 (*Not Yet Released)
+======
+
++ Improved IIS support. (@g0tmi1k)
++ Improved setup system check. (@g0tmi1k)
+
 v1.9 (2015-10-05)
 ======
 
@@ -32,7 +38,7 @@ v1.9 (2015-10-05)
 + Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k)
 + Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k)
 + Updated README and documentation. (@g0tmi1k)
-+ Various code cleanups in the core PHP files+CSS. (@g0tmi1k)
++ Various code cleanups in the core PHP files + CSS. (@g0tmi1k)
 + Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k)
 
 v1.8 (2013-05-01)

README.md

@@ -42,9 +42,9 @@ along with Damn Vulnerable Web Application (DVWA).  If not, see http://www.gnu.o
 
 DVWA is available either as a package that will run on your own web server or as a Live CD:
 
-  + DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA`
   + DVWA v1.9 Source (Stable) - \[1.3 MB\] [Download ZIP](https://github.com/RandomStorm/DVWA/archive/v1.9.zip) - Released 2015-10-05
   + DVWA v1.0.7 LiveCD - \[480 MB\] [Download ISO](http://www.dvwa.co.uk/DVWA-1.0.7.iso) - Released 2010-09-08
+  + DVWA Development Source (Latest) [Download ZIP](https://github.com/RandomStorm/DVWA/archive/master.zip) // `git clone https://github.com/RandomStorm/DVWA`
 
 - - -
 
@@ -68,8 +68,7 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then
 
 If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:
 
-`apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd`
-
+`apt-get -y install apache2 mysql-server php5 php5-mysql php5-gd`
 
 ### Database Setup
 
@@ -160,7 +159,7 @@ With:
 
 ## Links
 
-Homepage: http://www.dvwa.co.uk
+Homepage: http://www.dvwa.co.uk/
 
 Project Home: https://github.com/RandomStorm/DVWA
 

about.php

@@ -11,7 +11,7 @@
 
 $page[ 'body' ] .= "
 <div class=\"body_padded\">
-	<h1>About</h1>
+	<h2>About</h2>
 	<p>Version " . dvwaVersionGet() . " (Release date: " . dvwaReleaseDateGet() . ")</p>
 	<p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment</p>
 	<p>The official documentation for DVWA can be found <a href=\"docs/DVWA_v1.3.pdf\">here</a>.</p>
@@ -28,16 +28,16 @@
 
 	<h2>Credits</h2>
 	<ul>
+		<li>Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "</li>
 		<li>Craig</li>
+		<li>g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "</li>
 		<li>Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " / " . dvwaExternalLinkUrlGet( 'http://www.designnewcastle.co.uk/','www.designnewcastle.co.uk' ) . "</li>
-		<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "</li>
-		<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','http://tedi.heriyanto.net' ) . "</li>
-		<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "</li>
-		<li>RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "</li>
 		<li>Jason Jones: " . dvwaExternalLinkUrlGet( 'http://www.linux-ninja.com/','www.linux-ninja.com' ) . "</li>
-		<li>Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . "</li>
-		<li>g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . "</li>
+		<li>RandomStorm: " . dvwaExternalLinkUrlGet( 'https://www.randomstorm.com/','www.randomstorm.com' ) . "</li>
+		<li>Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://www.dewhurstsecurity.com/','www.dewhurstsecurity.com' ) . "</li>
 		<li>Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . "</li>
+		<li>Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','tedi.heriyanto.net' ) . "</li>
+		<li>Tom Mackenzie: " . dvwaExternalLinkUrlGet( 'https://www.tmacuk.co.uk/','www.tmacuk.co.uk' ) . "</li>
 	</ul>
 	<ul>
 		<li>PHPIDS - Copyright (c) 2007 " . dvwaExternalLinkUrlGet( 'https://github.com/PHPIDS/PHPIDS', 'PHPIDS group' ) . "</li>
@@ -55,6 +55,7 @@
 </div>\n";
 
 dvwaHtmlEcho( $page );
+
 exit;
 
 ?>

dvwa/includes/DBMS/MySQL.php

@@ -7,21 +7,21 @@
 */
 
 if( !@mysql_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ] ) ) {
-	dvwaMessagePush( "Could not connect to the database.<br/>Please check the config file." );
+	dvwaMessagePush( "Could not connect to the MySQL service.<br />Please check the config file." );
 	dvwaPageReload();
 }
 
 
 // Create database
 $drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};";
 if( !@mysql_query( $drop_db ) ) {
-	dvwaMessagePush( "Could not drop existing database<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Could not drop existing database<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 
 $create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};";
 if( !@mysql_query( $create_db ) ) {
-	dvwaMessagePush( "Could not create database<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Could not create database<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 dvwaMessagePush( "Database has been created." );
@@ -35,17 +35,17 @@
 
 $create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));";
 if( !mysql_query( $create_tb ) ) {
-	dvwaMessagePush( "Table could not be created<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Table could not be created<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 dvwaMessagePush( "'users' table was created." );
 
 
 // Insert some data into users
 // Get the base directory for the avatar media...
-$baseUrl  = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ];
+$baseUrl  = 'http://' . $_SERVER[ 'SERVER_NAME' ] . $_SERVER[ 'PHP_SELF' ];
 $stripPos = strpos( $baseUrl, 'setup.php' );
-$baseUrl  = substr( $baseUrl, 0, $stripPos ).'hackable/users/';
+$baseUrl  = substr( $baseUrl, 0, $stripPos ) . 'hackable/users/';
 
 $insert = "INSERT INTO users VALUES
 	('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),
@@ -54,7 +54,7 @@
 	('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'),
 	('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');";
 if( !mysql_query( $insert ) ) {
-	dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 dvwaMessagePush( "Data inserted into 'users' table." );
@@ -63,7 +63,7 @@
 // Create guestbook table
 $create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));";
 if( !mysql_query( $create_tb_guestbook ) ) {
-	dvwaMessagePush( "Table could not be created<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Table could not be created<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 dvwaMessagePush( "'guestbook' table was created." );
@@ -72,7 +72,7 @@
 // Insert data into 'guestbook'
 $insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');";
 if( !mysql_query( $insert ) ) {
-	dvwaMessagePush( "Data could not be inserted into 'guestbook' table<br />SQL: ".mysql_error() );
+	dvwaMessagePush( "Data could not be inserted into 'guestbook' table<br />SQL: " . mysql_error() );
 	dvwaPageReload();
 }
 dvwaMessagePush( "Data inserted into 'guestbook' table." );

dvwa/includes/dvwaPage.inc.php

@@ -1,7 +1,7 @@
 <?php
 
 if( !defined( 'DVWA_WEB_PAGE_TO_ROOT' ) ) {
-	define( 'DVWA System error- WEB_PAGE_TO_ROOT undefined' );
+	die( 'DVWA System error- WEB_PAGE_TO_ROOT undefined' );
 	exit;
 }
 
@@ -35,12 +35,12 @@
 
 // DVWA version
 function dvwaVersionGet() {
-	return '1.9';
+	return '1.10 *Development*';
 }
 
 // DVWA release date
 function dvwaReleaseDateGet() {
-	return '2015-09-19';
+	return '2015-10-08';
 }
 
 
@@ -540,23 +540,30 @@ function tokenField() {  # Return a field for the (CSRF) token
 
 
 // Setup Functions --
-$PHPUploadPath    = realpath( getcwd() ) . "/hackable/uploads/";
-$PHPIDSPath       = realpath( getcwd() ) . "/external/phpids/" . dvwaPhpIdsVersionGet() . "/lib/IDS/tmp/phpids_log.txt";
-
-$phpDisplayErrors = 'PHP function display_errors: <em>' . ( ini_get( 'display_errors' )  ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' );                // Verbose error messages (e.g. full path disclosure)
-$phpSafeMode      = 'PHP function safe_mode: <span class="' . ( ini_get( 'safe_mode' )  ? 'failure">Enabled' : 'success">Disabled' ) . '</span>';                 // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
-$phpMagicQuotes   = 'PHP function magic_quotes_gpc: <span class="' . ( ini_get( 'magic_quotes_gpc' )  ? 'failure">Enabled' : 'success">Disabled' ) . '</span>';   // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
-$phpURLInclude    = 'PHP function allow_url_include: <span class="' . ( ini_get( 'allow_url_include' )  ? 'success">Enabled' : 'failure">Disabled' ) . '</span>'; // RFI
-$phpURLFopen      = 'PHP function allow_url_fopen: <span class="' . ( ini_get( 'allow_url_fopen' )  ? 'success">Enabled' : 'failure">Disabled' ) . '</span>';     // RFI
-$phpGD            = 'PHP module php-gd: <span class="' . (  ( extension_loaded( 'gd' ) && function_exists( 'gd_info' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>';     // File Upload
+$PHPUploadPath    = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" ) . DIRECTORY_SEPARATOR;
+$PHPIDSPath       = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "external" . DIRECTORY_SEPARATOR . "phpids" . DIRECTORY_SEPARATOR . dvwaPhpIdsVersionGet() . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "IDS" . DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR . "phpids_log.txt" );
+
+$phpDisplayErrors = 'PHP function display_errors: <em>' . ( ini_get( 'display_errors' ) ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' );                                                  // Verbose error messages (e.g. full path disclosure)
+$phpSafeMode      = 'PHP function safe_mode: <span class="' . ( ini_get( 'safe_mode' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>';                                                   // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
+$phpMagicQuotes   = 'PHP function magic_quotes_gpc: <span class="' . ( ini_get( 'magic_quotes_gpc' ) ? 'failure">Enabled' : 'success">Disabled' ) . '</span>';                                     // DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0
+$phpURLInclude    = 'PHP function allow_url_include: <span class="' . ( ini_get( 'allow_url_include' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>';                                   // RFI
+$phpURLFopen      = 'PHP function allow_url_fopen: <span class="' . ( ini_get( 'allow_url_fopen' ) ? 'success">Enabled' : 'failure">Disabled' ) . '</span>';                                       // RFI
+$phpGD            = 'PHP module gd: <span class="' . ( ( extension_loaded( 'gd' ) && function_exists( 'gd_info' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>';                    // File Upload
+$phpMySQL         = 'PHP module mysql: <span class="' . ( ( extension_loaded( 'mysql' ) && function_exists( 'mysql' ) ) ? 'success">Installed' : 'failure">Missing' ) . '</span>';                // Core DVWA
+$phpPDO           = 'PHP module pdo_mysql: <span class="' . ( extension_loaded( 'pdo_mysql' ) ? 'success">Installed' : 'failure">Missing' ) . '</span>';                // SQLi
 
 $DVWARecaptcha    = 'reCAPTCHA key: <span class="' . ( ( isset( $_DVWA[ 'recaptcha_public_key' ] ) && $_DVWA[ 'recaptcha_public_key' ] != '' ) ? 'success">' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . '</span>';
 
-$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': <span class="' . ( is_writable( $PHPUploadPath ) ? 'success">Yes)' : 'failure">No' ) . '</span>'; // File Upload
-$DVWAPHPWrite     = 'Writable file ' . $PHPIDSPath . ': <span class="' . ( is_writable( $PHPIDSPath ) ? 'success">Yes' : 'failure">No' ) . '</span>';         // PHPIDS
+$DVWAUploadsWrite = '[User: ' . get_current_user() . '] Writable folder ' . $PHPUploadPath . ': <span class="' . ( is_writable( $PHPUploadPath ) ? 'success">Yes' : 'failure">No' ) . '</span>';                                     // File Upload
+$DVWAPHPWrite     = '[User: ' . get_current_user() . '] Writable file ' . $PHPIDSPath . ': <span class="' . ( is_writable( $PHPIDSPath ) ? 'success">Yes' : 'failure">No' ) . '</span>';                                              // PHPIDS
+
+$DVWAOS           = 'Operating system: <em>' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '</em>';
+$SERVER_NAME      = 'Web Server SERVER_NAME: <em>' . $_SERVER[ 'SERVER_NAME' ] . '</em>';                                                                                                          // CSRF
 
-$DVWAOS           = 'Operating system: <em>' . ( strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '</em>';
-$SERVER_NAME      = 'Web Server SERVER_NAME: <em>' . $_SERVER[ 'SERVER_NAME' ] . '</em>';   // CSRF
+$MYSQL_USER       = 'MySQL username: <em>' . $_DVWA[ 'db_user' ] . '</em>';
+$MYSQL_PASS       = 'MySQL password: <em>' . ( ($_DVWA[ 'db_password' ] != "" ) ? '******' : '*blank*' ) . '</em>';
+$MYSQL_DB         = 'MySQL database: <em>' . $_DVWA[ 'db_database' ] . '</em>';
+$MYSQL_SERVER     = 'MySQL host: <em>' . $_DVWA[ 'db_server' ] . '</em>';
 // -- END (Setup Functions)
 
 ?>

hackable/flags/fi.php

@@ -12,8 +12,8 @@
 
 echo "2.) My name is Sherlock Holmes. It is my business to know what other people don't know.\n\n<br /><br />\n";
 
-$line3 = "3.) Romeo, Romeo! wherefore art thou Romeo?";
-$line3 = "--LINE MISSING--";
+$line3 = "3.) Romeo, Romeo! Wherefore art thou Romeo?";
+$line3 = "--LINE HIDDEN ;)--";
 echo $line3 . "\n\n<br /><br />\n";
 
 $line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu";

setup.php

@@ -34,8 +34,8 @@
 <div class=\"body_padded\">
 	<h1>Database Setup <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/spanner.png\" /></h1>
 
-	<p>Click on the 'Create / Reset Database' button below to create or reset your database.</br>
-	If you get an error make sure you have the correct user credentials in: <em>" . realpath(  getcwd()  ) . "/config/config.inc.php</em></p>
+	<p>Click on the 'Create / Reset Database' button below to create or reset your database.<br />
+	If you get an error make sure you have the correct user credentials in: <em>" . realpath(  getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "</em></p>
 
 	<p>If the database already exists, <em>it will be cleared and the data will be reset</em>.<br />
 	You can also use this to reset the administrator credentials (\"<em>admin</em> // <em>password</em>\") at any stage.</p>
@@ -56,6 +56,13 @@
 	{$phpURLFopen}<br />
 	{$phpMagicQuotes}<br />
 	{$phpGD}<br />
+	{$phpMySQL}<br />
+	{$phpPDO}<br />
+	<br />
+	{$MYSQL_USER}<br />
+	{$MYSQL_PASS}<br />
+	{$MYSQL_DB}<br />
+	{$MYSQL_SERVER}<br />
 	<br />
 	{$DVWARecaptcha}<br />
 	<br />

vulnerabilities/captcha/index.php

@@ -36,8 +36,8 @@
 // Check if we have a reCAPTCHA key
 $WarningHtml = '';
 if( $_DVWA[ 'recaptcha_public_key' ] == "" ) {
-	$WarningHtml = "<div class=\"warning\"><em>reCAPTCHA API key missing</em> from config file: " . realpath( dirname( dirname( getcwd() ) ) . "/config/config.inc.php" ) . "</div>";
-	$html = "<em>Please register for a key</em> from reCAPTCHA: " . dvwaExternalLinkUrlGet('https://www.google.com/recaptcha/admin/create');
+	$WarningHtml = "<div class=\"warning\"><em>reCAPTCHA API key missing</em> from config file: " . realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "</div>";
+	$html = "<em>Please register for a key</em> from reCAPTCHA: " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/admin/create' );
 	$hide_form = true;
 }
 

vulnerabilities/fi/help/help.php

@@ -20,7 +20,7 @@
 		<br /><hr /><br />
 
 		<h3>Objective</h3>
-		<p>Read all five famous quotes from '<a href="../hackable/flags/fi.php">../hackable/flags/fi.php</a>' using only the file inclusion.</p>
+		<p>Read all <u>five</u> famous quotes from '<a href="../hackable/flags/fi.php">../hackable/flags/fi.php</a>' using only the file inclusion.</p>
 
 		<br /><hr /><br />
 

vulnerabilities/upload/index.php

@@ -33,12 +33,12 @@
 
 // Check if folder is writeable
 $WarningHtml = '';
-if( is_writable( realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" ) == false ) {
-	$WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: " . realpath( dirname( dirname( getcwd() ) ) ) . "/hackable/uploads/" . "<br /><em>Folder is not writable.</em></div>";
+if( !is_writable( $PHPUploadPath ) ) {
+	$WarningHtml .= "<div class=\"warning\">Incorrect folder permissions: {$PHPUploadPath}<br /><em>Folder is not writable.</em></div>";
 }
 // Is PHP-GD installed?
 if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) {
-	$WarningHtml .= "<div class=\"warning\">The PHP module <em>PHP-GD is not installed</em>.</div>";
+	$WarningHtml .= "<div class=\"warning\">The PHP module <em>GD is not installed</em>.</div>";
 }
 
 $page[ 'body' ] .= "