Created a new page to allow users to update their profile.

2026-02-21 11:18:06 +00:00 · 2021-08-19 17:03:59 +01:00
parent 154abf4f87
commit 112d161612
5 changed files with 122 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ modules/**/Gemfile.lock
 modules/generators/network/pcap/files/packet.pcap
 lib/resources/images/scenario
 Gemfile.lock
+.vagrant
+rgloader
--- a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
+++ b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
@@ -108,6 +108,12 @@ class commando::install {
 			content => template('commando/profile.php.erb')
 		}

+		# update profile page
+		file{ "$docroot/update_profile.php":
+			ensure => file,
+			content => template('commando/update_profile.php.erb')
+		}
+
 		# connection file
 		file{ "$docroot/connect.php":
 			ensure => file,
--- a/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb
@@ -63,14 +63,18 @@ if(!isset($_SESSION['username'])){
      if ($user == $admin_uname) {
        ?>
      <div id="sucess">
+        <?php echo $_SESSION['updated']?>
        Well Done, you have logged into an admin account!<br />
        This account had default Log-in Credentials! Keep hunting!<br />
-        Heres a flag: <div id="flag"><%= @default_login_flag %></div>
+        Here is a flag: <div id="flag"><%= @default_login_flag %></div>
      </div>
        <?php
      }
      ?>
-      <a href="login.php">Logout</a>
+      <nav class="nav">
+        <a href="login.php" class="btn btn-secondary-outline">Logout</a>
+        <a href="update_profile.php" class="btn btn-secondary-outline">Update Profile</a>
+      </nav>
  </div>

  <%# This is taken from: https://getbootstrap.com/docs/4.0/getting-started/introduction/%>
@@ -79,6 +83,6 @@ if(!isset($_SESSION['username'])){
  <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
-
+  </div>
  </body>
  </html>
--- a/modules/vulnerabilities/unix/webapp/commando/templates/update_profile.php.erb
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/update_profile.php.erb
@@ -0,0 +1,94 @@
+<?php
+include('connect.php');
+if(!isset($_SESSION['username'])){
+ header("Location:login.php");
+}
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+<% $page_title = "Update-Profile" %>
+<%= scope.function_template(['commando/subtemplates/header.html.erb']) %>
+
+<body>
+<%= scope.function_template(['commando/subtemplates/nav.html.erb']) %>
+<div class="container">
+  <div class="row">
+    <div id="pp-holder">
+      <img src="images/icon.png" alt="avi" id="pp">
+    </div>
+  </div>
+
+  <div id="details">
+    <h3>Update User Details:</h3>
+    <?php
+      $user = $_SESSION['username'];
+      $info="SELECT  * FROM <%= @user_table_name %> WHERE Username='$user'";
+      $result=mysqli_query($conn2, $info);
+      $id = 0;
+      while ($row=mysqli_fetch_assoc($result)){
+        $id = $row['ID']; ?>
+    <form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME'];?>">
+      <div class="form-group">
+        <label for="name">Name:</label>
+        <input type="text" id="name" class="form-control" name="name" maxlength="15" placeholder="<?php echo $row['name'];?>">
+      </div>
+      <div class="form-group">
+        <label for="address">Address:</label>
+        <input type="text" id="address" name="address" size="55" placeholder="<?php echo $row['address'];?>">
+      </div>
+      <div class="form-group">
+        <label for="mobile">Mobile:</label>
+        <input type="text" id="mobile" name="mobile" maxlength="30" placeholder="<?php echo $row['mobile'];?>">
+      </div>
+      <div class="form-group">
+        <label for="email">E-Mail:</label>
+        <input type="text" id="email" name="email" size="55" placeholder="<?php echo $row['email'];?>">
+      </div>
+      <input type="submit" name="submit" value="Save">
+    </form>
+    <?php
+      }
+      if (isset($_POST['submit']) && (!empty($_POST['name']) || !empty($_POST['address']) || !empty($_POST['mobile']) || !empty($_POST['email']))){
+          $statement="UPDATE <%= @user_table_name %> SET ";
+          $hasFirst= false;
+            if (!empty($_POST['name'])) {
+              $statement .= "name = '" . $_POST['name'] . "' ";
+              $hasFirst = true;
+            }
+            if (!empty($_POST['address'])) {
+              if ($hasFirst == true) {
+                $statement .= " , ";
+              }
+              $statement .= "address = '" . $_POST['address'] . "' ";
+              $hasFirst = true;
+            }
+            if (!empty($_POST['mobile'])) {
+              if ($hasFirst == true) {
+                $statement .= " , ";
+              }
+              $statement .= "mobile = '" . $_POST['mobile'] . "' ";
+              $hasFirst = true;
+            }
+            if (!empty($_POST['email'])) {
+              if ($hasFirst == true) {
+                $statement .= " , ";
+              }
+              $statement .= "email = '" . $_POST['email'] . "' ";
+            }
+          $statement .= " WHERE ID = $id";
+      }
+      $result=mysqli_query($conn2, $statement);
+      if($result) {
+        $_SESSION['updated'] = true;
+        header('Location: profile.php');
+      }
+  ?>
+    <nav class="nav">
+      <a href="login.php" class="btn btn-secondary-outline">Logout</a>
+      <a href="profile.php" class="btn btn-secondary-outline">Back</a>
+    </nav>
+  </div>
+</div>
+</body>
+</html>
--- a/scenarios/security_audit/rand_webapp.xml
+++ b/scenarios/security_audit/rand_webapp.xml
@@ -98,19 +98,19 @@
    </build>
  </system>

-  <system>
-    <system_name>kali</system_name>
-    <base distro="Kali" name="MSF"/>
+<!--  <system>-->
+<!--    <system_name>kali</system_name>-->
+<!--    <base distro="Kali" name="MSF"/>-->

-    <utility module_path=".*/kali_web"/>
-		<utility module_path=".*/metasploit_framework"/>
-		<utility module_path=".*/handy_cli_tools"/>
-		<utility module_path=".*/nmap"/>
+<!--    <utility module_path=".*/kali_web"/>-->
+<!--		<utility module_path=".*/metasploit_framework"/>-->
+<!--		<utility module_path=".*/handy_cli_tools"/>-->
+<!--		<utility module_path=".*/nmap"/>-->

-    <network type="private_network">
-        <input into="IP_address">
-          <datastore access="next">IP_addresses</datastore>
-        </input>
-    </network>
-  </system>
+<!--    <network type="private_network">-->
+<!--        <input into="IP_address">-->
+<!--          <datastore access="next">IP_addresses</datastore>-->
+<!--        </input>-->
+<!--    </network>-->
+<!--  </system>-->
 </scenario>