diff --git a/.gitignore b/.gitignore
index 31d1a359f..d9aaa4f3a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ modules/**/Gemfile.lock
 modules/generators/network/pcap/files/packet.pcap
 lib/resources/images/scenario
 Gemfile.lock
+.vagrant
+rgloader
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
index 02b2da883..bb6c57011 100644
--- a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
+++ b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
@@ -108,6 +108,12 @@ class commando::install {
 content => template('commando/profile.php.erb')
 }
+ # update profile page
+ file{ "$docroot/update_profile.php":
+ ensure => file,
+ content => template('commando/update_profile.php.erb')
+ }
+
 # connection file
 file{ "$docroot/connect.php":
 ensure => file,
diff --git a/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb b/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb
index 7b5523c2c..5eed94275 100644
--- a/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/profile.php.erb
@@ -63,14 +63,18 @@ if(!isset($_SESSION['username'])){ if ($user == $admin_uname) { ?>
+ Well Done, you have logged into an admin account!
This account had default Log-in Credentials! Keep hunting!
- Heres a flag:
<%= @default_login_flag %>
+ Here is a flag:
<%= @default_login_flag %>
- Logout + <%# This is taken from: https://getbootstrap.com/docs/4.0/getting-started/introduction/%>
@@ -79,6 +83,6 @@ if(!isset($_SESSION['username'])){ - +
diff --git a/modules/vulnerabilities/unix/webapp/commando/templates/update_profile.php.erb b/modules/vulnerabilities/unix/webapp/commando/templates/update_profile.php.erb
new file mode 100644
index 000000000..f72d49faf
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/update_profile.php.erb
@@ -0,0 +1,94 @@
+ + + + +<% $page_title = "Update-Profile" %>
+<%= scope.function_template(['commando/subtemplates/header.html.erb']) %>
+ + +<%= scope.function_template(['commando/subtemplates/nav.html.erb']) %>
+
+
+
+ avi +
+
+ +
+

Update User Details:

+ WHERE Username='$user'"; + $result=mysqli_query($conn2, $info); + $id = 0; + while ($row=mysqli_fetch_assoc($result)){ + $id = $row['ID']; ?> +
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+ +
+ SET "; + $hasFirst= false; + if (!empty($_POST['name'])) { + $statement .= "name = '" . $_POST['name'] . "' "; + $hasFirst = true; + } + if (!empty($_POST['address'])) { + if ($hasFirst == true) { + $statement .= " , "; + } + $statement .= "address = '" . $_POST['address'] . "' "; + $hasFirst = true; + } + if (!empty($_POST['mobile'])) { + if ($hasFirst == true) { + $statement .= " , "; + } + $statement .= "mobile = '" . $_POST['mobile'] . "' "; + $hasFirst = true; + } + if (!empty($_POST['email'])) { + if ($hasFirst == true) { + $statement .= " , "; + } + $statement .= "email = '" . $_POST['email'] . "' "; + } + $statement .= " WHERE ID = $id"; + } + $result=mysqli_query($conn2, $statement); + if($result) { + $_SESSION['updated'] = true; + header('Location: profile.php'); + } + ?> + +
+
+ + diff --git a/scenarios/security_audit/rand_webapp.xml b/scenarios/security_audit/rand_webapp.xml index 56dbd8f62..a81347a99 100644 --- a/scenarios/security_audit/rand_webapp.xml +++ b/scenarios/security_audit/rand_webapp.xml @@ -98,19 +98,19 @@ - - kali - + + + - - - - + + + + - - - IP_addresses - - - + + + + + +
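Review bot: `$result=mysqli_query($conn2, $statement);` near the end of the new template sits after the `}` that appears to close the block in which `$statement` is built (that block's opening line is not legible in this rendering), so a request that does not enter the block runs the query on an undefined variable and fails with no feedback to the user; the query, the session flag and the redirect belong inside that block, and `header('Location: profile.php');` should be followed by `exit;` so the remainder of the page is not rendered after it. When none of the four fields is non-empty the builder produces `SET  WHERE ID = ...`, a syntax error that again surfaces only as `$result === false`, and `$hasFirst` is never set in the email branch, so a "nothing to update" check needs its own flag, e.g. `$hasAny = $hasFirst || !empty($_POST['email']);` before the `WHERE` clause is appended and the query is skipped when it is false. `$id` is initialised to `0` and only overwritten inside the `while` over the SELECT result, so when no row matches the session user the UPDATE is issued with `WHERE ID = 0` instead of being skipped. Both queries concatenate session and request values straight into SQL; given the file lives under modules/vulnerabilities this is presumably the lab's intended flaw, and a short template comment saying so would let maintainers tell it apart from the unintended defects above.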