This repository has been archived by the owner on Sep 4, 2024. It is now read-only.
security.php
128 lines (105 loc) · 4.37 KB
<?php

define( 'DVWA_WEB_PAGE_TO_ROOT', '' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup( array( 'authenticated', 'phpids' ) );

$page = dvwaPageNewGrab();
$page[ 'title' ]   = 'DVWA Security' . $page[ 'title_separator' ] . $page[ 'title' ];
$page[ 'page_id' ] = 'security';

$securityHtml = '';

if( isset( $_POST['seclev_submit'] ) ) {
    // Anti-CSRF: reject the POST unless the submitted token matches the session token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'security.php' );

    // Allow-list the requested level; anything unknown falls back to the safest setting
    $securityLevel = '';
    switch( $_POST[ 'security' ] ) {
        case 'low':
            $securityLevel = 'low';
            break;
        case 'medium':
            $securityLevel = 'medium';
            break;
        case 'high':
            $securityLevel = 'high';
            break;
        default:
            $securityLevel = 'Impossible';
            break;
    }

    dvwaSecurityLevelSet( $securityLevel );
    dvwaMessagePush( "安全等级已设为 {$securityLevel}" );
    dvwaPageReload();
}

if( isset( $_GET['phpids'] ) ) {
    switch( $_GET[ 'phpids' ] ) {
        case 'on':
            dvwaPhpIdsEnabledSet( true );
            dvwaMessagePush( "PHPIDS已开启" );
            break;
        case 'off':
            dvwaPhpIdsEnabledSet( false );
            dvwaMessagePush( "PHPIDS已关闭" );
            break;
    }
    dvwaPageReload();
}

// Build the <select> options and the "current level" line
$securityOptionsHtml = '';
$securityLevelHtml   = '';
foreach( array( 'low', 'medium', 'high', 'Impossible' ) as $securityLevel ) {
    $selected = '';
    if( $securityLevel == dvwaSecurityLevelGet() ) {
        $selected = ' selected="selected"';
        $securityLevelHtml = "<p>安全等级已设为: <em>$securityLevel</em>.</p>";
    }
    $securityOptionsHtml .= "<option value=\"{$securityLevel}\"{$selected}>" . ucfirst( $securityLevel ) . "</option>";
}

$phpIdsHtml = 'PHPIDS已经: ';

// Able to write to the PHPIDS log file? ($PHPIDSPath is defined in dvwaPage.inc.php)
$WarningHtml = '';
if( dvwaPhpIdsIsEnabled() ) {
    $phpIdsHtml .= '<em>开启</em>. [<a href="?phpids=off">关闭PHPIDS</a>]';

    # Only check if PHPIDS is enabled
    if( !is_writable( $PHPIDSPath ) ) {
        $WarningHtml .= "<div class=\"warning\"><em>无法写入PHPID日志文件</em>: {$PHPIDSPath}</div>";
    }
}
else {
    $phpIdsHtml .= '<em>关闭</em>. [<a href="?phpids=on">开启PHPIDS</a>]';
}

// Anti-CSRF: issue a fresh token for the form rendered below
generateSessionToken();

$page[ 'body' ] .= "
<div class=\"body_padded\">
    <h1>DVWA 安全等级设置 <img src=\"" . DVWA_WEB_PAGE_TO_ROOT . "dvwa/images/lock.png\" /></h1>
    <br />

    <h2>安全等级</h2>
    {$securityHtml}
    <form action=\"#\" method=\"POST\">
        {$securityLevelHtml}
        <p>您可以将安全级别设置为低、中、高或困难。安全等级为DVWA的漏洞级别:</p>
        <ol>
            <li> low(低) - 这个等级是完全可以轻易地利用漏洞 <em>没有任何安全性可言</em>. 它的用途是作为web应用程序漏洞如何通过糟糕的代码实践表现出来的示例,并作为传授或学习基本利用漏洞技术的平台.</li>
            <li> Medium(中)- 此设置主要是给一个实例如 <em>安全技术不过关的用户</em>, 开发人员已尝试保护应用程序,但失败。它还对用户提出了挑战,要求他们改进其利用漏洞技术.</li>
            <li> High(高) - 此选项是中等难度的扩展,混合了 <em>更难的或替代性的错误</em> 错误做法来尝试保护代码。该漏洞可能不允许相同程度的利用,类似于各种CTF竞赛.</li>
            <li> Impossible(困难) - 这个级别应该对<em>所有漏洞都是安全的</em>。它用于比较易受攻击的源代码和安全源代码。
                在DVWA v1.9之前,该级别称为“高”.<br />
            </li>
        </ol>
        <select name=\"security\">
            {$securityOptionsHtml}
        </select>
        <input type=\"submit\" value=\"提交\" name=\"seclev_submit\">
        " . tokenField() . "
    </form>

    <br />
    <hr />
    <br />

    <h2>PHPIDS</h2>
    {$WarningHtml}
    <p>" . dvwaExternalLinkUrlGet( 'https://github.com/PHPIDS/PHPIDS', 'PHPIDS' ) . " v" . dvwaPhpIdsVersionGet() . " (PHP入侵检测系统)是基于PHP的web应用程序的安全层.</p>
    <p>PHPIDS的工作原理是根据潜在恶意代码黑名单过滤任何用户提供的输入。它在DVWA中用作Web应用程序防火墙(WAF)如何帮助提高安全性以及在某些情况下如何规避WAF的实例.</p>
    <p>您可以在会话期间在此站点上启用PHPIDS.</p>
    <p>{$phpIdsHtml}</p>
    [<a href=\"?test=%22><script>eval(window.name)</script>\">模拟攻击</a>] -
    [<a href=\"ids_log.php\">查看IDs日志</a>]
</div>";

dvwaHtmlEcho( $page );

?>
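The file above relies on two controls whose implementation it only calls: the session-bound anti-CSRF token (`checkToken()` / `generateSessionToken()`) and the allow-listed `switch` on the posted level. The following is an added, self-contained PHP example of those two patterns written for this page; it is not DVWA's own code, the function names (`issueCsrfToken`, `verifyCsrfToken`, `normaliseLevel`, `handleSecurityPost`) are hypothetical, the `$session` array stands in for `$_SESSION`, and it uses a lower-case `impossible` rather than the capitalised value this fork stores.

```php
<?php
// Added example (not DVWA's code): allow-listed settings value plus a
// session-bound anti-CSRF token, mirroring what security.php's POST branch does.
declare(strict_types=1);

const ALLOWED_LEVELS = ['low', 'medium', 'high', 'impossible'];

// Normalise an untrusted level name to one of the allow-listed values.
// Anything unknown collapses to the safest setting, as the page's switch default does.
function normaliseLevel(string $requested): string {
    $level = strtolower(trim($requested));
    return in_array($level, ALLOWED_LEVELS, true) ? $level : 'impossible';
}

// Issue a fresh per-session token: kept server-side in $session, emitted into the form.
function issueCsrfToken(array &$session): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $session['session_token'] = $token;
    return $token;
}

// Verify the submitted token in constant time. A token is consumed on success so a
// value captured once cannot be replayed against a later request.
function verifyCsrfToken(array &$session, ?string $submitted): bool {
    if (!isset($session['session_token']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($session['session_token'], $submitted);
    if ($ok) {
        unset($session['session_token']);
    }
    return $ok;
}

// Form handler in the same order as security.php: token check first, then allow-list.
function handleSecurityPost(array &$session, array $post): string {
    if (!verifyCsrfToken($session, $post['user_token'] ?? null)) {
        return 'rejected: CSRF token missing or invalid';
    }
    $level = normaliseLevel((string)($post['security'] ?? ''));
    $session['security'] = $level;
    return "security level set to {$level}";
}

// Constructed demo requests (no real HTTP involved).
$session = [];
$token = issueCsrfToken($session);

// 1. Legitimate submission carrying the issued token.
echo handleSecurityPost($session, ['security' => 'Medium', 'user_token' => $token]), PHP_EOL;
// 2. Replay of the same token: already consumed, so rejected.
echo handleSecurityPost($session, ['security' => 'low', 'user_token' => $token]), PHP_EOL;
// 3. Cross-site POST with no token at all.
echo handleSecurityPost($session, ['security' => 'low']), PHP_EOL;
// 4. Unknown level name with a valid token collapses to 'impossible'.
$token = issueCsrfToken($session);
echo handleSecurityPost($session, ['security' => 'god-mode', 'user_token' => $token]), PHP_EOL;
```

`hash_equals()` rather than `==` keeps the comparison constant-time, and consuming the token on success is stricter than rotating it only on page render; either way the page has to call the issuing function again before rendering the form, which is what `generateSessionToken()` does just before `tokenField()` in the file above.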