Skip to content

Instantly share code, notes, and snippets.

@wjddnjs33
Created Jul 19, 2021
Embed
What would you like to do?
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Post Write</title>
<link rel='stylesheet' href='test.css'>
</head>
<bodiy>
<h1>Post Create!</h1>
<article id="Write_a_post">
<section class="container">
<form action="process_create.php" method="POST">
<h2>Please enter the title</h2>
<blockquote>
<p>
<input style='height:30px; width:600px;' type='text' name='title' placeholder='Title'>
<input style='heightL30px; width:600px;' type='text' name='pin' placeholder='Admin Pin'>
</p>
</blockquote>
<br>
<h2>Please enter the Contents</h2>
<blockquote>
<p><textarea style='height:500px; width:1000px;' name='description' placeholder='Contents'></textarea></p>
</blockquote>
<blockquote>
<p><input type='submit' value='Create'></p>
</blockquote>
</form>
</section>
</article>
</form>
</body>
</html>
<?php
session_start();
if($_SESSION['userid']){
?> <script>
location.replace("post.php");
</script>
<?php
}
?>
<!doctype html>
<html>
<head>
<meta charset='utf-8'>
<title>Login</title>
<link href="u.css" rel="stylesheet">
</head>
</html>
<body>
<input id="rotated" type="checkbox" name="rotated"><label for="rotated">Welcome to PY_World!</label>
<form method="POST" name='forname'>
<h3 data-text="Choose Your Language">Login-V3</h3>
<label data-text="Login">
<center><input type="text" name="id" style='color:black' placeholder='id'></center>
</label>
<label data-text="Register">
<input type='password' name='pw' style='color:black' placeholder='password'>
</label>
<label>
<input type='submit' style='color:black' value="Login" formaction="login.php">
</label>
<!-- Hidden Parameter : Level -->
</form>
</body>
<?php
session_start();
$conn = new mysqli("localhost", "root", "122121", "project");
$id = addslashes($_POST['id']);
$pw = $_POST['pw'];
$Level = '1'.$_POST['Level'];
$hash_pw = hash("sha256","$pw");
$Add_String = $id.$pw.$Level;
if(preg_match("/select|and|or|limit|union|\'|\=|\"|\>|\<|\\s/i",$Add_String)){
?> <script>
alert("SQLI Danger!!");
history.back();
</script>
<?php
}else{
$sql = $conn->prepare("SELECT * FROM users where id = ? and pw = ? and Level = $Level;");
$sql->bind_param("ss", $id, $hash_pw);
$sql->execute();
$result = $sql->get_result();
$row = $result->fetch_assoc();
if($row['id']){
$_SESSION['userid'] = $row['id'];
if(isset($_SESSION['userid'])){
?> <script>
alert("Login Success");
location.replace("post.php");
</script>
<?php
}
else{
echo "Login Fail";
}
?>
<?php
}else{
?> <script>
alert("Incorrect id or pw");
history.back();
</script>
<?php
}
}
?>
<?php
session_start();
session_unset();
$result = session_destroy();
if($result){
?><script>
location.replace("index.php");
</script>
<?php
}
?>
<?php
// mysql connect
session_start();
$conn = mysqli_connect("localhost", "root", "122121", "post");
$sql = "SELECT * FROM POST";
$result = mysqli_query($conn, $sql);
$list = '';
if($_SESSION['userid']){
while($row = mysqli_fetch_array($result)){
$list = $list."<li><a href=\"post_select.php?id={$row['_id']}\">{$row['title']}</a></li>";
}
}
else{
?> <script>
alert("Permission denied");
location.replace("index.php");
</script>
<?php
}
?>
<!DOCTYPE HTML>
<html>
<head>
<link rel='stylesheet' href='test.css'>
<meta charset='utf-8'>
</head>
</html>
<a href="#main" class="skip-link">Skip to main content</a>
<header>
<div class="container">
<h1>
<?php
$connect = mysqli_connect('localhost', 'root', '122121', 'project') or die ("connect fail");
$query ="select * from board order by id desc";
$result = $connect->query($query);
$total = mysqli_num_rows($result);
session_start();
if(isset($_SESSION['userid'])) {
echo $_SESSION['userid'];?>님 안녕하세요
<form action='Logout.php' method='POST'>
<input type='submit' value='Logout'>
</form>
<br/>
<?php
}
else {
?> <button onclick="location.href='./index.html'">로그인</button>
<br />
<?php
}
?>
</h1>
<h2><pre>Welcome to the vulnerable site. This site has many vulnerabilities.
So please hack it. If I find something I haven't found, I'll give you a small gift.</pre>
</h2>
<a href="conn.html" class="link-github">
<span>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" aria-hidden="true" focusable="false">
<path d="M32 12.408l-11.056-1.607-4.944-10.018-4.944 10.018-11.056 1.607 8 7.798-1.889 11.011 9.889-5.199 9.889 5.199-1.889-11.011 8-7.798z"></path>
</svg>
</span>
Star on Webshell</a>
</div>
</header>
<nav>
<ul>
<li>
<a href="#about">About</a>
</li>
<li>
<a href="create.html">Write a post</a>
</li>
<li>
<a href="#View_Post">View Post</a>
</li>
<li>
<a href="#File">File</a>
</li>
<li>
<a href="select.html">Search specific posts</a>
</li>
<li>
<a href="#">Resources</a>
</li>
</ul>
</nav>
<main id="main" tabIndex="-1">
<div class="container">
<article id="about">
<section class="container">
<h2>Welcome to the PY World?</h2>
<blockquote>
<p>This site is a vulnerable site designed to study web hacking. However, don't do automated tools and scanners, DOS, and DDOS attacks as this can overload your web server.
</p>
</blockquote>
</section>
<section class="container">
<h2>Vulnerabilities that arise</h2>
<p>
In this server, we will continue to develop various vulnerabilities in the future.
We are new to web development, so we ask for your understanding. Thank you.
</p>
<p>List of vulnerabilities that occur</p>
<ul>
<li>SQLI</li>
<li>XSS</li>
<li>SSRF</li>
<li>SSTI</li>
<li>LFI</li>
<li>RFI</li>
<li>RCE</li>
<li>PHP Object Injection</li>
<li>Race Condition</li>
<li>CSRF</li>
<li>Nosql Injection</li>
</ul>
<p>
More vulnerabilities as above will be added in the future, and various vulnerabilities will be added.
</p>
</section>
</article>
<article id="View_Post">
<section class="container">
<h2>View Post</h2>
</section>
<section class="container">
<blockquote>
<ol>
<?=$list?>
<ol>
</blockquote>
</section>
</article>
</div>
</main>
<aside class="profile" aria-labelledby="profile-title">
<div class="container">
<h4 id="profile-title">Server information</h4>
<ul>
<li class="OS">
<span>OS : </span>
<span>Ubuntu 20.04.1 </span></li>
<li class="server">
<span>Server : </span>
<span>Apache/2.4.41 </span></li>
<li class="PHP">
<span>Language : </span>
<span>PHP 7.2.33-1</span>
</li>
<li class="DB">
<span>Database : </span>
<span>8.0.21-0ubuntu0.20.04.4 for Linux on x86_64 (Ubuntu)</span>
</li>
</ul>
</div>
</aside>
<article id="File">
<section>
<aside id="styles">
<div class="container">
<h2> File Download</h2>
<blockquote>
<a href="download.php?org_filename=flag.txt&real_filename=index.php">index.php</a>
</blockquote>
</div>
</aside>
</section>
</article>
<footer class="page-footer">
<div class="container">
<ul>
<li>
<a href="https://open.kakao.com/o/sqOCydkc" class="link-twittercontact">Open Kakao</a>
</li>
<li>
<a href="https://p00y.tistory.com" class="link-github">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" aria-hidden="true" focusable="false">
<path d="M32 12.408l-11.056-1.607-4.944-10.018-4.944 10.018-11.056 1.607 8 7.798-1.889 11.011 9.889-5.199 9.889 5.199-1.889-11.011 8-7.798z"></path>
</svg>
Star on Tistory</a>
</li>
</ul>
</div>
</footer>
<?php
// mysql connect
session_start();
$conn = new mysqli("localhost", "root", "122121", "post");
$pin = $_POST['pin'];
$title = $_POST['title'];
$title = htmlentities($title);
$content = $_POST['description'];
$content = htmlentities($content);
$Add_String = $title.$content;
$sql = $conn->prepare("INSERT INTO POST(title, description) VALUES(?,?)");
$sql->bind_param("ss", $title, $content);
if($pin == "qwer3626@"){
if($_SESSION['userid']){
if($title){
$sql->execute();
$sql->close();
$conn->close();
?>
<script>
alert("Success!");
location.replace("post.php");
</script>
<?php
}else{
?> <script>
alert("Please enter the Title");
history.back();
</script>
<?php
}
}else{
?> <script nonce=nonce-EDNnf03nceIOfn39fn3e9h3sdfa>
alert("Permission denied");
location.replace("index.html");
</script>
<?php
}
}else{
?> <script>
alert("You are not Admin");
location.replace("post.php");
</script>
<?php
}
?>
<?php
// mysql connect
session_start();
$rand = mt_rand(4721, 9999999);
$nonce = hash("sha256",$rand);
$conn = new mysqli("127.0.0.1", "root", "122121", "post");
header("Content-Security-Policy: default-src 'nonce-{$nonce}'");
$id = $_GET['id'];
if($_SESSION['userid']){
if(preg_match("/union|select|information|\+|in|group|concat|and|or|sleep|\'|\=|\>|\<|\"|_/i",$id)){
?> <script nonce=<?=$nonce?>>
alert("Danger SQLI!!");
location.replace("select.html");
</script>
<?php
}else{
$sql = $conn->prepare("SELECT * FROM POST where _id = ?");
$sql->bind_param("i", $id);
$sql->execute();
$result = $sql->get_result();
while($row = $result->fetch_assoc()){
$ID = $row['id'];
$content = $row['description'];
$title = $row['title'];
}
}
}else{
?> <script nonce=<?=$nonce?>>
alert("Permission denied");
location.replace("index.html");
</script>
<?php
}
?>
<!DOCTYPE html>
<head>
<html>
<link rel='stylesheet' href='test.css'>
</html>
</head>
<body>
<h1>Query : SELECT * FROM where id = <?=$id?></h1>
<br>
<div class='container'>
<article>
<section class="container">
<form action="process_create.php" method="POST">
<h2>Title</h2>
<blockquote>
<p>
<h3><?=$title?></h3>
</p>
</blockquote>
<br>
<h2>Contents</h2>
<blockquote>
<div style='height:400px; width:500px;'>
<h3><?=$content?></h3>
</div>
</blockquote>
</form>
<form action="delete.php" method='POST'>
<input type='text' name='pin' placeholder='Admin Pin'>
<input type='hidden' value='<?=$id?>' name='id'>
<input type='submit' value='Remove'>
<form>
</section>
</article>
</div>
</body>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Select</title>
<link rel='stylesheet' href='test.css'>
</head>
<body>
<h1>Post Select</h1>
<article>
<article>
<section class="container">
<form action="post_select.php" method="GET">
<h2>Please enter the ID</h2>
<blockquote>
<p>
<input style='height:30px; width:600px;' type='text' name='id' placeholder='ID'>
</p>
</blockquote>
<br>
<blockquote>
<p><input type='submit' value='Select'></p>
</blockquote>
</form>
</section>
<article>
</article>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment