
XSS Vulnerable Application

index.php
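<?php
// index.php -- login page of a deliberately vulnerable XSS training app
// (see the gist title). The cross-site scripting sinks are the exercise and
// are kept on purpose; each is marked "INTENTIONAL XSS SINK" below so nobody
// mistakes them for oversights. What this revision fixes are the unrelated
// defects that kept the lab from running on current PHP:
//   * session_start() ran after HTML had already been echoed, so the session
//     cookie could only be sent if output buffering happened to be enabled;
//     the login silently never persisted otherwise.
//   * $_POST[username] / $_POST[password] outside a string are undefined
//     constants: a notice on PHP 5/7 and a fatal Error on PHP 8.
//   * the mysql_* extension was removed in PHP 7.0; mysqli with a bound
//     statement replaces mysql_real_escape_string() and keeps SQL injection
//     out of scope for this exercise (the DB user is still 'sqli'/'sqli').

/**
 * Look up a user by clear-text username and password.
 *
 * Credentials are stored and compared in clear text exactly as the original
 * query did; that is tolerable only because this is a lab. Real code would
 * store password_hash() output and check it with password_verify().
 *
 * @param string $username value of the posted username field
 * @param string $password value of the posted password field
 * @return string|null the `username` column of the first matching row, or
 *                     null when nothing matches or the database is
 *                     unreachable (every failure is "bad creds", as before)
 */
function lab_authenticate($username, $password) {
    // PHP >= 8.1 makes mysqli throw by default. The original treated every
    // database failure as a failed login, so keep return-value error handling
    // rather than letting an exception escape with the DB error in it.
    mysqli_report(MYSQLI_REPORT_OFF);

    $db = new mysqli('localhost', 'sqli', 'sqli', 'stuff');
    if ($db->connect_errno) {
        return null;
    }

    $found = null;
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    if ($stmt !== false) {
        // Bound parameters: the posted values never touch the SQL text.
        $stmt->bind_param('ss', $username, $password);
        if ($stmt->execute()) {
            $stmt->bind_result($dbUsername);
            if ($stmt->fetch()) {
                $found = $dbUsername;
            }
        }
        $stmt->close();
    }
    $db->close();

    return $found;
}

// Everything that touches HTTP headers (session cookie, id regeneration) has
// to happen before the first byte of output, so the POST is handled first and
// only the resulting messages are rendered further down.
session_start();

// Text for the "bad creds" line, or null when there is nothing to report.
$loginError = null;

if (isset($_POST['username']) && isset($_POST['password'])) {
    $authedAs = lab_authenticate($_POST['username'], $_POST['password']);
    if ($authedAs !== null) {
        // Fresh session id on privilege change so a pre-set (fixated) id
        // cannot be ridden into the authenticated session.
        session_regenerate_id(true);
        // INTENTIONAL XSS SINK (stored): this value comes from the database
        // and is echoed unescaped below and in reflections.php. A row whose
        // `username` carries a script payload fires on every page load.
        $_SESSION['authed'] = $authedAs;
    } else {
        // INTENTIONAL XSS SINK (reflected): the original read $_GET here even
        // though the form posts, so the payload only fires when a POST with
        // bad credentials is sent to index.php?username=<payload>. isset()
        // just removes the undefined-index notice; the raw echo is the point.
        $loginError = isset($_GET['username']) ? $_GET['username'] : '';
    }
}

if (isset($_POST['logout'])) {
    unset($_SESSION['authed']);
}

echo "
<html>
<head>
<link rel='shortcut icon' href='data:image/vnd.microsoft.icon;base64,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'>
<link rel='icon' href='data:image/vnd.microsoft.icon;base64,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'>
<title>Password Cross-Site Scripting</title>
</head>
<body>
";

if ($loginError !== null) {
    // INTENTIONAL XSS SINK (reflected): unescaped query-string value.
    echo "bad creds for $loginError";
}

if (isset($_SESSION['authed'])) {
    // INTENTIONAL XSS SINK (stored): database-controlled username echoed raw.
    echo "
<strong>You authed as {$_SESSION['authed']}</strong><br>here are some secrets
<br>
<form method='post' action='index.php'>
<input type='submit' name='logout' value='Logout'>
</form>
";
} else {
    // autocomplete='on' is deliberate: the exercise is about what an injected
    // form can harvest from a browser's saved passwords ("Password XSS").
    echo "
<h2>Log Into Secret Application</h2>
<form method='POST' action='index.php' autocomplete=\"on\">
username:<input type='text' id='username' name='username' value='' autocomplete='on'><br>
password:<input type='password' id='password' name='password' value='' autocomplete=\"on\"><br>
<input type='submit' name='login' value='Log In'>
</form>
<br>
";
}

echo "
<br>
come play with <a href='reflections.php'>reflections</a>
</body>
</html>
";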
reflections.php
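<?php
// reflections.php -- second page of the deliberately vulnerable XSS lab. The
// "mirror" textarea is the exercise: whatever is posted is stored in the
// session unfiltered and echoed back raw on every visit, so a payload
// persists for the whole session (stored, self-persisting XSS). The sinks
// stay and are marked "INTENTIONAL XSS SINK"; the only functional fix is that
// session_start() now runs before any output, so the session cookie can
// actually be sent (the original echoed the <head> first).

// Must precede the first byte of output: the Set-Cookie header travels with
// the response headers.
session_start();

// Persist the posted mirror text before rendering. This does not change the
// page output; it just keeps header/state handling ahead of all echo calls.
if (isset($_POST['reflector'])) {
    // INTENTIONAL XSS SINK (stored in session): kept byte-for-byte, no
    // escaping, no length limit. It is echoed raw into the <div> below.
    $_SESSION['reflector'] = $_POST['reflector'];
}

echo "
<html>
<head>
<link rel='shortcut icon' href='data:image/vnd.microsoft.icon;base64,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'>
<link rel='icon' href='data:image/vnd.microsoft.icon;base64,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'>
<title>Password Cross-Site Scripting</title>
</head>
<body>
";

if (isset($_SESSION['authed'])) {
    // INTENTIONAL XSS SINK (stored): the username was taken from the
    // database in index.php and is echoed unescaped here as well.
    echo "
<strong>You authed as {$_SESSION['authed']}</strong>
<br>
<form method='post' action='index.php'>
<input type='submit' name='logout' value='Logout'>
</form>
";
} else {
    echo "
you aren't authed. Go <a href='index.php'>here</a> if you wanna change that<br>
";
}

// The textarea submits itself on change. The div id 'relection' (sic) is the
// original markup and is left untouched in case anything targets it.
echo "
<br>
<form name='input' action='reflections.php' method='POST'>
<strong>mirror:</strong><textarea name='reflector' onchange='document.forms[\"input\"].submit()'></textarea>
</form>
<strong>reflection:</strong>
<div style=\"height:300px;width:500px;background-color:grey;\" id='relection' name='reflection'>
";

if (isset($_SESSION['reflector'])) {
    // INTENTIONAL XSS SINK: session-stored, attacker-controlled HTML emitted
    // directly into the document. This is the lab's primary vector.
    echo $_SESSION['reflector'];
}

echo "
</div>
</body>
</html>
";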
