php CSRF attack guestbook — a deliberately vulnerable demo: state changes on GET without a CSRF token, plus a stored injection point that plants the forged request in the admin's browser
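<?php
// Deliberately vulnerable CSRF demo guestbook (see the gist title).
// The vulnerable spots are kept on purpose and marked "DEMO:" below; each
// such comment also names the countermeasure a real application would use.
//
// Flat-file storage next to the script: guestbook entries and an "admin log".
$sDataFile = 'guestbook.dat';
$sLogFile = 'adminlog.dat';
touch($sDataFile);
touch($sLogFile);

// ?logfile=1 renders only the log and exits (the page body loads it in an
// iframe). Runs before session_start(), so it needs no session state.
// show_logfile() is declared later in this file; PHP hoists top-level
// function declarations, so the call is valid.
if (isset($_GET['logfile'])) show_logfile($sLogFile);

session_start();
if (!isset($_SESSION['sUser'])) $_SESSION['sUser'] = 'Gast';

// DEMO: every state-changing action is selected by a GET parameter and is
// performed without any CSRF token or origin check, so any page the
// logged-in admin visits can trigger it via <img>/<iframe src="?action=...">
// and the browser attaches the admin's session cookie. A real application
// accepts state changes only via POST, verifies a per-session random token
// (random_bytes() + hash_equals()), and marks the session cookie SameSite.
$sAction = isset($_GET['action']) ? $_GET['action'] : '';
switch ($sAction) {
    case 'login':
        // DEMO: no credentials are checked; anyone becomes "Admin".
        $_SESSION['sUser'] = 'Admin';
        break;
    case 'logout':
        $_SESSION['sUser'] = 'Gast';
        break;
    case 'cmd':
        // The "privileged command": it only records who triggered it. A log
        // line saying "Admin ..." that the admin never clicked for is the
        // proof that the forged request succeeded.
        file_put_contents($sLogFile, $_SESSION['sUser'] . " hat den Befehl ausgef&uuml;hrt\n", FILE_APPEND);
        break;
    case 'addentry':
        // Guard against a missing field (e.g. a direct GET to
        // ?action=addentry); the original dereferenced $_POST['entry']
        // unconditionally and emitted a notice.
        $sEntry = isset($_POST['entry']) ? $_POST['entry'] : '';
        // magic_quotes_gpc (removed in PHP 5.4) would have backslash-escaped
        // the input; undo that so the entry is stored as typed.
        if (ini_get('magic_quotes_gpc') == '1')
            $sEntry = stripslashes($sEntry);
        // DEMO: stored injection. The entry is written verbatim and later
        // echoed unescaped by the page body, which is how an attacker plants
        // <img src="?action=cmd"> or <iframe src="?action=reset"> for the
        // admin's browser. The fix is htmlspecialchars() at output time.
        file_put_contents($sDataFile, '<div>' . $sEntry . '</div>', FILE_APPEND);
        break;
    case 'reset':
        // DEMO: destructive action on a plain GET, equally CSRF-able.
        file_put_contents($sDataFile, '');
        file_put_contents($sLogFile, '');
}
// Which link to offer next to the user name.
$sLoginLogout = ($_SESSION['sUser'] === 'Admin') ? 'logout' : 'login';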
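/**
 * Render the admin log as the whole response and stop.
 *
 * Called for ?logfile=1 before session_start(), so it must not touch
 * $_SESSION. The log is only ever written by this script from fixed strings
 * (the session user name, which this script sets to 'Gast' or 'Admin', plus
 * constant text), so it is printed as-is; if it ever carries user-supplied
 * text it must be passed through htmlspecialchars() first.
 *
 * @param string $sLogFile path of the log file to show
 */
function show_logfile($sLogFile)
{
    // The reload link was BBCode ([url=...][/url]) in the pasted source;
    // the page needs a real HTML anchor for it to be clickable.
    echo '<a href="?logfile=1">Aktualisieren</a><pre>';
    echo file_get_contents($sLogFile);
    echo '</pre>';
    die();
}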
?>
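<?php /* Page body. The links were BBCode ([url=...][/url]) in the pasted
         source and are restored to HTML anchors so the demo is clickable.
         The user name is escaped for defence in depth (it is only ever
         'Gast' or 'Admin', so output is unchanged). */ ?>
Benutzer: <?php echo htmlspecialchars($_SESSION['sUser'], ENT_QUOTES, 'UTF-8'); ?>
(<a href="?action=<?php echo $sLoginLogout; ?>"><?php echo $sLoginLogout; ?></a>)
<a href="?action=cmd">Befehl ausf&uuml;hren</a>
<hr/>
Eintr&auml;ge:
<?php /* DEMO: the stored-injection sink. Entries are echoed unescaped, so an
         attacker's <img src="?action=cmd"> is rendered and the admin's
         browser issues the forged GET with the admin's session cookie.
         A real application would echo htmlspecialchars($entry) here. */ ?>
<pre><?php echo file_get_contents($sDataFile); ?></pre>
<form action="?action=addentry" method="post">
<textarea name="entry" cols="30"></textarea>
<input type="submit" value="Eintrag abschicken"/>
</form>
<hr/>
Logfile:
<?php /* Shows the log inline so the effect of a forged ?action=cmd is
         visible immediately; ?logfile=1 is handled by show_logfile(). */ ?>
<iframe src="?logfile=1"></iframe>
<a href="?action=reset">Zur&uuml;cksetzen</a>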