diff --git a/lib/objects/system.rb b/lib/objects/system.rb
index 30dbd4b2f..1012fe9eb 100644
--- a/lib/objects/system.rb
+++ b/lib/objects/system.rb
@@ -208,37 +208,42 @@ class System
 datastore_access = datastore_variablename_and_access_type['access']
 datastore_variablename = datastore_variablename_and_access_type['variablename']
 datastore_retrieved = []
- if datastore_access == 'first'
- datastore_retrieved = [$datastore[datastore_variablename].first]
- elsif datastore_access == 'next'
- last_accessed = $datastore_iterators[datastore_variablename]
- # first use? start at beginning
- if last_accessed == nil
- index_to_access = 0
+ begin
+ if datastore_access == 'first'
+ datastore_retrieved = [$datastore[datastore_variablename].first]
+ elsif datastore_access == 'next'
+ last_accessed = $datastore_iterators[datastore_variablename]
+ # first use? start at beginning
+ if last_accessed == nil
+ index_to_access = 0
+ else
+ index_to_access = last_accessed + 1
+ end
+ $datastore_iterators[datastore_variablename] = index_to_access
+ datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
+ elsif datastore_access == 'previous'
+ last_accessed = $datastore_iterators[datastore_variablename]
+ # first use? start at end
+ if last_accessed == nil
+ index_to_access = $datastore[datastore_variablename].size - 1
+ else
+ index_to_access = last_accessed - 1
+ end
+ $datastore_iterators[datastore_variablename] = index_to_access
+ datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
+ elsif datastore_access.to_s == datastore_access.to_i.to_s
+ # Test for a valid element key (integer)
+ index_to_access = datastore_access.to_i
+ $datastore_iterators[datastore_variablename] = index_to_access
+ datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
+ elsif datastore_access == "all"
+ datastore_retrieved = $datastore[datastore_variablename]
 else
- index_to_access = last_accessed + 1
+ Print.err "Error: invalid access value (#{datastore_access})"
+ raise 'failed'
 end
- $datastore_iterators[datastore_variablename] = index_to_access
- datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
- elsif datastore_access == 'previous'
- last_accessed = $datastore_iterators[datastore_variablename]
- # first use? start at end
- if last_accessed == nil
- index_to_access = $datastore[datastore_variablename].size - 1
- else
- index_to_access = last_accessed - 1
- end
- $datastore_iterators[datastore_variablename] = index_to_access
- datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
- elsif datastore_access.to_s == datastore_access.to_i.to_s
- # Test for a valid element key (integer)
- index_to_access = datastore_access.to_i
- $datastore_iterators[datastore_variablename] = index_to_access
- datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
- elsif datastore_access == "all"
- datastore_retrieved = $datastore[datastore_variablename]
- else
- Print.err "Error: invalid access value (#{datastore_access})"
+ rescue NoMethodError, SyntaxError => err
+ Print.err "Error accessing element (#{datastore_access}) from datastore (#{datastore_variablename}): #{err}"
 raise 'failed'
 end
 if datastore_retrieved && datastore_retrieved != [nil]
@@ -457,4 +462,4 @@ class System
 modules_to_add
 end
-end
\ No newline at end of file
+end
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/hbauthentication.pp b/modules/generators/structured_content/hackerbot_config/hbauthentication/hbauthentication.pp
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/manifests/.no_puppet b/modules/generators/structured_content/hackerbot_config/hbauthentication/manifests/.no_puppet
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_local/local.rb b/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_local/local.rb
new file mode 100644
index 000000000..91be58494
--- /dev/null
+++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_local/local.rb
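Review bot: The new `rescue NoMethodError, SyntaxError => err` is doing duty as a nil check for `$datastore[datastore_variablename]`, which also swallows any genuine NoMethodError raised inside the branches, and SyntaxError is a ScriptError that none of these calls can raise; check the lookup explicitly before the begin block instead, e.g. `unless $datastore[datastore_variablename]` / `Print.err "Error: unknown datastore variable (#{datastore_variablename})"` / `raise 'failed'`, and drop SyntaxError from the rescue list. Separately, the 'previous' branch and the integer branch can both produce a negative index_to_access (a last_accessed of 0 minus 1, or an access value such as "-1"), and Ruby's Array#[] wraps a negative index to the end of the array, so walking past the first element silently returns the last one instead of the nil the later `datastore_retrieved != [nil]` test expects; a `raise 'failed' if index_to_access < 0` after each index computation would turn that into an error. The enclosing method begins before this hunk and continues after it.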
@@ -0,0 +1,35 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb'
+
+class HB < HackerbotConfigGenerator
+
+ attr_accessor :server_ip
+
+ def initialize
+ super
+ self.module_name = 'Hackerbot Config Generator Authentication'
+ self.title = 'Authentication'
+
+ self.local_dir = File.expand_path('../../',__FILE__)
+ self.templates_path = "#{self.local_dir}/templates/"
+ self.config_template_path = "#{self.local_dir}/templates/lab.xml.erb"
+ self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb"
+
+ self.server_ip = []
+ end
+
+ def get_options_array
+ super + [['--server_ip', GetoptLong::REQUIRED_ARGUMENT]]
+ end
+
+ def process_options(opt, arg)
+ super
+ case opt
+ when '--server_ip'
+ self.server_ip << arg;
+ end
+ end
+
+end
+
+HB.new.run
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_metadata.xml b/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_metadata.xml
new file mode 100644
index 000000000..c3a3043ba
--- /dev/null
+++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_metadata.xml
@@ -0,0 +1,40 @@
+ + + + Hackerbot config for a authentication lab + Z. Cliffe Schreuders + GPLv3 + Generates a config file for a hackerbot for an integrity lab. + Topics covered: . + + hackerbot_config + linux + + accounts + flags + root_password + + + + + + + vagrant + + + + + + + + + + + puppet + + + hackerbot +
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/labsheet.html.erb
new file mode 100644
index 000000000..72dab611a
--- /dev/null
+++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/labsheet.html.erb
@@ -0,0 +1,29 @@
+ + + <%= self.title %> + + + + + +
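Review bot: `process_options` appends every `--server_ip` to an array, but the lab.xml.erb template added in this same change reads only `self.server_ip.first`, so a second `--server_ip` on the command line is silently discarded; either reject repeats (`abort('--server_ip may only be given once') unless self.server_ip.empty?` before the append) or say in a comment that only the first value is used. The line `self.server_ip << arg;` carries a stray trailing semicolon, which is not idiomatic Ruby. The class has no header comment; a one-liner such as `# Generates the hackerbot config and lab sheet for the authentication lab; --server_ip names the VM students ssh to.` would tell the next reader what the generator produces. What `HackerbotConfigGenerator#run` does with these fields is outside this hunk.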
+ + <%= self.html_rendered %> + +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/license.md.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/license.md.erb new file mode 100644 index 000000000..8e89ace31 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/shared/license.md.erb @@ -0,0 +1,4 @@ +## License +This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB). + +Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version. diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/intro.md.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/intro.md.erb new file mode 100644 index 000000000..b248f5ca6 --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/intro.md.erb 
@@ -0,0 +1,300 @@ +# Authentication + +## Getting started +### VMs in this lab + +==Start these VMs== (if you haven't already): +- hackerbot_server (leave it running, you don't log into this) +- desktop (you can sudo to get superuser access) +- server (<%= $server_ip %>, you can ssh to this machine, but you don't have superuser access) +- kali_cracker (user: root, password: toor, you will use this to crack the hashes you find) + +### Your login details for the "desktop" and "server" VMs +User: <%= $main_user %> +Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) + +You won't login to the hackerbot_server, but the VM needs to be running to complete the lab. + +### For marks in the module +1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Follow the link on the module page to submit your flags. +2. **You need to document the work and your solutions in a Log Book**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Log Book Questions". The Log Book will be submitted later in the semester. + +## Meet Hackerbot! +![small-right](images/skullandusb.svg) + +This exercise involves interacting with Hackerbot, a chatbot who will attack your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you. + +**On the desktop VM:** + +==Open Pidgin and send some messages to Hackerbot:== + +- Try asking Hackerbot some questions +- Send "help" +- Send "list" +- Send "hello" + +> If Hackerbot seems to be waiting or halted, simply say 'hi' + +Work through the below exercises, completing the Hackerbot challenges as noted. 
+ +--- + +## Introduction to authentication + +Authentication plays the important role of verifying an identity. For example, when someone gets into an airplane, sits down at a computer, picks up a mobile device, or uses a website, authentication is what is used to confirm that the person is who they claim to be. Authentication is an important first step *before* deciding how the system should act and what to allow. + +## Identity: users and groups + +Most computer systems have the concept of a user account. Although some devices such as mobile phones typically only have one user account, most modern computers can support having multiple users, each with their own identity. For example, a computer can have a separate account for each person that uses it, and if configured to do so may enable each user to have their own account preferences, and access to different resources. + +On Unix/Linux systems every user account is identified by a user ID number (UID), which is a 32-bit integer (whole number), and can have one or more user names, which are human readable strings of text. + +**On the desktop VM:** + +Open a terminal console. + +Assuming you have already logged in, you have already authenticated yourself on this system. + +==Log Book Question: When and how did you authenticate yourself?== + +Use these commands to find out about your current identity (or more accurately the identity of the software you are interacting with): + +```bash +whoami + +groups + +id +``` + +==Make a note of your UID and username.== + +Note that your account is also a member of one or more groups. A primary group, and a list of other groups. Some Linux systems, such as Debian, create a new seperate primary group for each user, others such as openSUSE have a shared group (named "users") that all normal users are a member of. Similar to the relationship between user names and UIDs, each group has a group name, and a group ID (GID). 
+ +Information about user accounts is stored in the /etc/passwd file, which typically all users can read. + +==View the /etc/passwd file:== + +```bash +less /etc/passwd +``` + +==Find the line that describes your user account.== + +This line defines the username, password (well, it used to be stored here... we will come back to this), UID, primary group GID, full name, home directory, and shell for your account. + +Confirm this matches the information you recorded earlier. + +==Find the line that describes the root user account.== + +==Where is the root user's home directory?== + +> Press 'q' to quit less. + +==View the /etc/group file:== + +```bash +less /etc/group +``` + +Groups are defined in this file, along with which users are members. + +==Which users are members of the audio group?== + +Remember, primary groups do not appear in this file; for example, on openSUSE the "users" group, which all normal users are a member of, may not appear in the /etc/group file. + +The "su" program can be used to run a program (usually a shell; that is, a command prompt) as another user, effectively enabling users to switch between user accounts at the command prompt. + +==Change your identity to root==. Run: + +```bash +su - +``` + +Enter the root password. + +Use these commands to ==find out about your new identity:== + +```bash +whoami + +groups + +id +``` + +==What is the UID of root? What does this mean about this user?== + +==Lab Book Question: What gives this user special privileges: the name of the account, or the UID?== + +==Use the useradd command to create a new user account "fred"== + +> Hint: refer to the man page for useradd, by running "man useradd". + +==Set a password for the user fred.== + +> Hint: `sudo passwd fred` + +==Change identity to fred.== + +> Hint: `su - fred` + +==Run:(after su)== + +```bash +id +``` + +==Compare the result to the previous output.== + +==How does this compare to your other normal user account? 
What is different, and what about it is the same?== + +Run the single command "id" as root: + +```bash +sudo id +``` + +==Log Book Question: What is the difference between sudo and su? Which is most likely protect against accidental damage and also log the commands used?== + +## Users and SSH + +==Log in to the server via ssh:== + +```bash +ssh <%= $main_user %>@<%= $server_ip %> +``` + +==Display details of all users logged on to the system:== + +```bash +who +``` + +==List all the processes run by all users:== + +```bash +ps -eo user,comm +``` + +==List all the processes running as root:== + +```bash +ps -o user,comm -u root +``` + +==Run a command to list all the processes running as *your* normal user.== + +==Lab Book Question: How is this server authenticating users? What user accounts exist?== + +## Passwords, hashes and salt + +Given that important security decisions are made based on the user accounts, it is important to authenticate users, to ensure that the subjects are associated with the correct identity. + +==What are the kinds of factors that can be used to verify a user's identity? Hint: for example, "something they have".== + +==Which category of authentication factors is a password considered to be?== + +Originally passwords were stored "in the clear" (not enciphered). For example, Multics stored passwords in a file, and once at MIT a software bug caused the password file to be copied to the motd file (message of the day), which was printed every time anyone logged into the system. A solution is not to store the password in the clear. Instead a hash can be computed, using a one way hash function, and stored. When the user enters a password, a new hash is computed and compared to the original. + +On Linux, the command "shasum" can be used to check the integrity of files (hash functions have many uses), and works on the same principle. 
We can use it to generate a hash for any given string, for example a password: + +```bash +shasum +``` + +> Type "hello" without the quotes. Press Ctrl-D (which indicates "EOF"; that is, end of input). + +Repeat the above, with the same password ("hello"), and with a slight difference ("hello."). + +Are the outputs the same? + +Are the different hashes similar? + +Is this good? Why? + +Which one-way hash function does the shasum program use? Would this be a good option for hashing passwords? + +For password authentication, the hash still needs to be stored. On Unix, password hashes were once stored in the world-readable file /etc/passwd, now they are typically stored in /etc/shadow, which only root (the superuser) can access. + +==View the shadow file:== + +```bash +sudo less /etc/shadow +``` + +The format of the shadow file is: + +> username:**password**:last-changed(since 1-1-1970):days-until-may-change:days-until-must-change:days-warning-notice:days-since-expired-account-disabled:date-disable:reserved-field + +==Find the hash of your user account's password.== + +> Exit less ("q"). + +Use the passwd command to ==change your password:== + +```bash +passwd +``` + +> When prompted, enter a new password of your choosing. + +View the shadow file, and confirm that the stored password has changed. + +With reference to the shadow file, and the man page for crypt (Hint: "man crypt"), ==answer these Log Book questions==: + +- On Linux, the password hash stored in /etc/shadow has a prefix that specifies the hash function used.\ + > ==What hash function is used for your password?== + > Hint: the `hash-identifier` command line tool may also help. + +- ==When was the root password last changed?== + +- ==Do any accounts have a setting that will force a password change at a specific date?== + +A salt is a random string, used as further input into a one-way hash function (concatenated to the password). The salt is typically stored along with the hash. 
As a result the same password will have different hashes, so long as the salt is different. + +Why is that a good thing? + +What kind of attack does a salt defend against? + +What is the current salt for your account? Hint: it is stored after the second "\$". + +## Password weaknesses + +The strength of a password depends on its entropy: its degree of randomness. If a user chooses a word from a dictionary, it would not take long to attempt every dictionary word until finding one that results in the same hash. + +Try your hand at cracking passwords using the Kali virtual machine. + +**On your desktop VM:** +Add some new users with these passwords: +> hello +> +> hellothere +> +> password1 + +**On your Kali VM:** +==Use John the Ripper (or Johnny a GUI for the John the Ripper) to crack the passwords.== +> Hint: `man john`, on the Kali Linux system. +> You will need to combine the passwd and shadow files (manually or with the kali `unshadow` command.) +> Tip: you can make a copy of the passwd and shadow files on the desktop (to your <%= $main_user %> home directory), then from the Kali VM scp them over (`ssh <%= $main_user %>@DESKTOP_IP:FILENAME .`), run unshadow, then start cracking them with your software of choice. + +==Log Book Questions:== +- Which passwords are cracked the fastest? + +- How long did they take? + + +## Conclusion + +At this point you have: + +- Applied authentication concepts to Unix/Linux + +- Experimented with user accounts and identity + +- Experimented with one-way hash functions, salts, and password storage + +- Cracked passwords with low entropy using dictionary attacks + +Well done! diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/lab.xml.erb new file mode 100644 index 000000000..de2fb6409 --- /dev/null 
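Review bot: The tip in the password-cracking section says to "scp them over" but then quotes `ssh <%= $main_user %>@DESKTOP_IP:FILENAME .`, which ssh will not treat as a file copy; the command should read `scp <%= $main_user %>@DESKTOP_IP:FILENAME .`. The hint under "Set a password for the user fred" uses `sudo passwd fred` even though the reader was told to `su -` to a root shell a few steps earlier, so the sheet should pick one model (root shell or sudo) and stick to it, or the `sudo` will prompt unexpectedly. Two small wording slips: "seperate" should be "separate", and "Which is most likely protect against" should be "Which is most likely to protect against".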
+++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/lab.xml.erb 
@@ -0,0 +1,161 @@ +<% + require 'json' + require 'securerandom' + require 'digest/sha1' + require 'fileutils' + require 'erb' + + if self.accounts.empty? + abort('Sorry, you need to provide an account') + end + + $first_account = JSON.parse(self.accounts.first) + + $main_user = $first_account['username'].to_s + $main_user_pass = $first_account['password'].to_s + + $server_ip = self.server_ip.first + $root_password = self.root_password + $flags = self.flags + + REQUIRED_FLAGS = 2 + while $flags.length < REQUIRED_FLAGS + $flags << "flag{#{SecureRandom.hex}}" + Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!" + end + + def get_binding + binding + end +%> + + + + + + Hackerbot + + config/AIML + + + sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash + + + + + Hi there. Today I'm your boss of sorts. I need you to test the security of our server. Help out and I'll give you some flags. + + + When you are ready, simply say 'ready'. + 'Ready'? + Ok, I'll do what I can to move things along... + Moving things along to the next one... + Ok, I'll do what I can to back things up... + Ok, backing up. + Ok, skipping it along. + Let me see what I can do to goto that attack. + That was the last one for now. You can rest easy, until next time... (End.) + That was the last one. Game over? + You are back to the beginning! + This is where it all began. + Doing my thing... + Here we go... + ... + .... + Let me know when you are 'ready', if you want to move on say 'next', or 'previous' and I'll move things along. + Say 'ready', 'next', or 'previous'. + + + I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*' + Say "The answer is *X*". + There is no question to answer + Correct + Incorrect + That's not possible. + Wouldn't you like to know. + + + Oh no. Failed to get shell... You need to let us in. 
+ + + + Authentication + <%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %> +
+<%= File.read self.templates_path + 'resources.md.erb' %> + +<%= File.read self.templates_path + 'license.md.erb' %> + +Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>) +
+ + true + +
+ + + + <% $newuser = "user#{SecureRandom.hex(2)}" -%> + + Add a user to the system, named "<%= $newuser %>". + grep <%= $newuser %> /etc/shadow; echo $? + + + 0 + :) Well done! <%= $flags.pop %> + + + + 1 + :( It looks like you forgot to create the user? + + + :( User not found + + + + + + + Add the new <%= $newuser %> user to the 'users' group. + id <%= $newuser %> | grep users; echo $? + + + 0 + :) Well done! <%= $flags.pop %> + + + + 1 + :( It looks like you forgot to add the user to the group? + + + :( Group not found + + + + + + + Crack the passwords of the users on the desktop VM (with a uid HIGHER than 1001), and use those credentials to SSH to the server, where you will find flags (ssh username@<%= $server_ip %> for each username you crack the password for.) This is the end. + + + .* + :) + + + + .* + :) + + + + :) + + + + + +
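Review bot: The first two challenge checks are too loose to act as pass/fail gates: `grep <%= $newuser %> /etc/shadow; echo $?` succeeds when the random name appears as a substring anywhere in the file, and `id <%= $newuser %> | grep users; echo $?` succeeds for any group whose name merely contains "users" (a distro whose default primary group is named along those lines would pass without the student doing anything); anchor them, e.g. `grep -q '^<%= $newuser %>:' /etc/shadow; echo $?` and `id -nG <%= $newuser %> | tr ' ' '\n' | grep -qx users; echo $?`. The get_shell line puts the root password on the `sshpass -p` command line, where it is visible to every process on the hackerbot host via ps and will break if the generated password contains shell metacharacters; `SSHPASS='<%= $root_password %>' sshpass -e ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash` keeps it out of argv and quotes it. Whether `$flags.pop` hands out the flags in the intended order depends on how self.flags is populated, which is outside this hunk.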
diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/labsheet.html.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/labsheet.html.erb new file mode 100644 index 000000000..0bb7cc90a --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/labsheet.html.erb @@ -0,0 +1,114 @@ + + + <%= self.title %> + + + + + +
+ <%= self.html_TOC_rendered %> +
+ +
+ <%= self.html_rendered %> +
+ + + diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/license.md.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/license.md.erb new file mode 100644 index 000000000..c11478e8e --- /dev/null +++ b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/license.md.erb @@ -0,0 +1,6 @@ +## License +This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB). + +Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version. + +![small](images/leedsbeckett-logo.png) diff --git a/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/resources.md.erb b/modules/generators/structured_content/hackerbot_config/hbauthentication/templates/resources.md.erb new file mode 100644 index 000000000..e69de29bb diff --git a/modules/generators/structured_content/hackerbot_config/integrity_protection/secgen_metadata.xml b/modules/generators/structured_content/hackerbot_config/integrity_protection/secgen_metadata.xml index a748298ff..bb040ff7e 100644 --- a/modules/generators/structured_content/hackerbot_config/integrity_protection/secgen_metadata.xml +++ b/modules/generators/structured_content/hackerbot_config/integrity_protection/secgen_metadata.xml @@ -29,10 +29,7 @@ - - - - + @@ -41,4 +38,4 @@ hackerbot - \ No newline at end of file + diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/kali_forensic.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/kali_forensic.pp new file mode 100644 index 000000000..b84aee99a --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/kali_forensic.pp 
@@ -0,0 +1 @@ +include kali_forensic::install diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/manifests/install.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/manifests/install.pp new file mode 100644 index 000000000..d7f7ed569 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/manifests/install.pp @@ -0,0 +1,5 @@ +class kali_forensic::install{ + package { ['kali-linux-forensic']: + ensure => 'installed', + } +} diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/secgen_metadata.xml b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/secgen_metadata.xml new file mode 100644 index 000000000..c3ec2b3ff --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/secgen_metadata.xml @@ -0,0 +1,25 @@ + + + + Kali Linux Metapackage: kali-linux-forensic + Z. Cliffe Schreuders + GPLv3 + Installs a collection of software onto Kali. + kali-linux-forensic + If you are doing forensics work, you don’t want your analysis system to contain a bunch of unnecessary tools. To the rescue comes the kali-linux-forensic metapackage, which only contains the forensics tools in Kali. + Installation Size: 3.1 GB + + attack_tools + linux + + + Kali Light.* + attack + desktop + + + update + + diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/kali_full.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/kali_full.pp new file mode 100644 index 000000000..f21676bc1 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/kali_full.pp @@ -0,0 +1 @@ +include kali_full::install diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/manifests/install.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/manifests/install.pp new file mode 100644 index 000000000..dfb110de6 --- /dev/null 
+++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/manifests/install.pp @@ -0,0 +1,5 @@ +class kali_full::install{ + package { ['kali-linux-full']: + ensure => 'installed', + } +} diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/secgen_metadata.xml b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/secgen_metadata.xml new file mode 100644 index 000000000..aad49a1ea --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_full/secgen_metadata.xml @@ -0,0 +1,25 @@ + + + + Kali Linux Metapackage: kali-linux-full + Z. Cliffe Schreuders + GPLv3 + Installs a collection of software onto Kali. + kali-linux-full + When you download a Kali Linux ISO, you are essentially downloading an installation that has the kali-linux-full metapackage installed. This package includes all of the tools you are familiar with in Kali. + Installation Size: 9.0 GB + + attack_tools + linux + + + Kali Light.* + attack + desktop + + + update + + diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/kali_pwtools.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/kali_pwtools.pp new file mode 100644 index 000000000..9c6c591e5 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/kali_pwtools.pp @@ -0,0 +1 @@ +include kali_pwtools::install diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/manifests/install.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/manifests/install.pp new file mode 100644 index 000000000..cfdc535fa --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/manifests/install.pp @@ -0,0 +1,5 @@ +class kali_pwtools::install{ + package { ['kali-linux-pwtools']: + ensure => 'installed', + } +} 
diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/secgen_metadata.xml b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/secgen_metadata.xml new file mode 100644 index 000000000..204aab2b0 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/secgen_metadata.xml @@ -0,0 +1,25 @@ + + + + Kali Linux Metapackage: kali-linux-pwtools + Z. Cliffe Schreuders + GPLv3 + Installs a collection of software onto Kali. + kali-linux-pwtools + The kali-linux-pwtools metapackage contains over 40 different password cracking utilities as well as the GPU tools contained in kali-linux-gpu. + Installation Size: 6.0 GB + + attack_tools + linux + + + Kali Light.* + attack + desktop + + + update + + diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/kali_top10.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/kali_top10.pp new file mode 100644 index 000000000..2bf2404df --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/kali_top10.pp @@ -0,0 +1 @@ +include kali_top10::install diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/manifests/install.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/manifests/install.pp new file mode 100644 index 000000000..b45b4a3d4 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/manifests/install.pp @@ -0,0 +1,5 @@ +class kali_top10::install{ + package { ['kali-linux-top10']: + ensure => 'installed', + } +} diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/secgen_metadata.xml b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/secgen_metadata.xml new file mode 100644 index 000000000..bac3c97b4 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/secgen_metadata.xml 
@@ -0,0 +1,25 @@ + + + + Kali Linux Metapackage: kali-linux-top10 + Z. Cliffe Schreuders + GPLv3 + Installs a collection of software onto Kali. + kali-linux-top10 + In Kali Linux, we have a sub-menu called “Top 10 Security Tools”. The kali-linux-top10 metapackage will install all of these tools for you in one fell swoop. + Installation Size: 3.5 GB + + attack_tools + linux + + + Kali Light.* + attack + desktop + + + update + + diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/kali_web.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/kali_web.pp new file mode 100644 index 000000000..00df4deed --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/kali_web.pp @@ -0,0 +1 @@ +include kali_web::install diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/manifests/install.pp b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/manifests/install.pp new file mode 100644 index 000000000..9b0c523c2 --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/manifests/install.pp @@ -0,0 +1,5 @@ +class kali_web::install{ + package { ['kali-linux-web']: + ensure => 'installed', + } +} diff --git a/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/secgen_metadata.xml b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/secgen_metadata.xml new file mode 100644 index 000000000..62a788d0a --- /dev/null +++ b/modules/utilities/unix/attack_tools/kali_metapackages/kali_web/secgen_metadata.xml 
@@ -0,0 +1,25 @@ + + + + Kali Linux Metapackage: kali-linux-web + Z. Cliffe Schreuders + GPLv3 + Installs a collection of software onto Kali. + kali-linux-web + Web application assessments are very common in the field of penetration testing and for this reason, Kali includes the kali-linux-web metapackage containing dozens of tools related to web application hacking. + Installation Size: 4.9 GB + + attack_tools + linux + + + Kali Light.* + attack + desktop + + + update + + diff --git a/modules/utilities/unix/web_browsers/iceweasel/secgen_metadata.xml b/modules/utilities/unix/web_browsers/iceweasel/secgen_metadata.xml index 52b300346..929c0cd11 100644 --- a/modules/utilities/unix/web_browsers/iceweasel/secgen_metadata.xml +++ b/modules/utilities/unix/web_browsers/iceweasel/secgen_metadata.xml @@ -3,10 +3,10 @@ - Iceweasel Web Browser + Iceweasel/Firefox Web Browser Thomas Shaw MIT - Installs Iceweasel Web Browser + Installs Firefox Web Browser web_browser linux @@ -35,6 +35,6 @@ update - desktop_environment + desktop diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/.gitignore b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/.gitignore index 319a2c383..723dba7b5 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/.gitignore +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/.gitignore @@ -1,2 +1,5 @@ config/config.inc.php -Dockerfile \ No newline at end of file +Dockerfile + +# Vim swap files +.*swp diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/README.md b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/README.md index 9c90823db..4908c787d 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/README.md +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/README.md 
@@ -12,7 +12,7 @@ Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your h ### Disclaimer -We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it. +We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility, it is the responsibility of the person/s who uploaded and installed it. - - - @@ -37,8 +37,8 @@ along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.o ## Download and install as a docker container - [dockerhub page](https://hub.docker.com/r/vulnerables/web-dvwa/) `docker run --rm -it -p 80:80 vulnerables/web-dvwa` - -Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here. + +Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here. ## Download 
@@ -74,7 +74,7 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_: -`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php` +`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php` ### Database Setup 
@@ -84,30 +84,36 @@ If you receive an error while trying to create your database, make sure your dat The variables are set to the following by default: -```php +```php $_DVWA[ 'db_user' ] = 'root'; $_DVWA[ 'db_password' ] = 'p@ssw0rd'; $_DVWA[ 'db_database' ] = 'dvwa'; -``` - -Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands: - -```mysql -mysql> create database dvwa; -Query OK, 1 row affected (0.00 sec) - -mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx'; -Query OK, 0 rows affected, 1 warning (0.01 sec) - -mysql> flush privileges; -Query OK, 0 rows affected (0.00 sec) - - -``` - +``` + +Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands: + +```mysql +mysql> create database dvwa; +Query OK, 1 row affected (0.00 sec) + +mysql> grant all on dvwa.* to dvwa@localhost identified by 'SuperSecretPassword99'; +Query OK, 0 rows affected, 1 warning (0.01 sec) + +mysql> flush privileges; +Query OK, 0 rows affected (0.00 sec) +``` + +You will then need to update the config file, the new entries will look like this: + +```php +$_DVWA[ 'db_user' ] = 'dvwa'; +$_DVWA[ 'db_password' ] = 'SuperSecretPassword99'; +$_DVWA[ 'db_database' ] = 'dvwa'; +``` + ### Other Configuration -Depending on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis. +Depending on your Operating System, as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis. **Folder Permissions**: 
@@ -143,7 +149,7 @@ https://github.com/ethicalhack3r/DVWA/issues +Q. SQL Injection won't work on PHP v5.2.6. --A.If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work. +-A.If you are using PHP v5.2.6 or above, you will need to do the following in order for SQL injection and other vulnerabilities to work. In `.htaccess`: @@ -171,6 +177,12 @@ With: -A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator. ++Q. Why can't the database connect on CentOS? + +-A. You may be running into problems with SELinux. Either disable SELinux or run this command to allow the webserver to talk to the database: +``` +setsebool -P httpd_can_network_connect_db 1 +``` - - - diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/config/config.inc.php.dist b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/config/config.inc.php.dist index a03dd25fd..41d9ce582 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/config/config.inc.php.dist +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/config/config.inc.php.dist @@ -25,7 +25,7 @@ $_DVWA[ 'db_port '] = '5432'; # ReCAPTCHA settings # Used for the 'Insecure CAPTCHA' module -# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create +# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin $_DVWA[ 'recaptcha_public_key' ] = ''; $_DVWA[ 'recaptcha_private_key' ] = ''; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/DBMS/MySQL.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/DBMS/MySQL.php index 3af6617eb..c39061288 100644 
--- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/DBMS/MySQL.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/DBMS/MySQL.php @@ -47,17 +47,14 @@ dvwaMessagePush( "'users' table was created." ); // Insert some data into users -// Get the base directory for the avatar media... -$baseUrl = 'http://' . $_SERVER[ 'SERVER_NAME' ] . $_SERVER[ 'PHP_SELF' ]; -$stripPos = strpos( $baseUrl, 'setup.php' ); -$baseUrl = substr( $baseUrl, 0, $stripPos ) . 'hackable/users/'; +$avatarUrl = '/hackable/users/'; $insert = "INSERT INTO users VALUES - ('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'), - ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'), - ('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'), - ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'), - ('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');"; + ('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'), + ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'), + ('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'), + ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'), + ('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');"; if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) { dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); dvwaPageReload(); diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/dvwaPage.inc.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/dvwaPage.inc.php index 114e7fd49..2ded275de 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/dvwaPage.inc.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/dvwaPage.inc.php @@ -208,6 +208,8 @@ function dvwaHtmlEcho( $pPage ) { $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' ); $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' ); } $menuBlocks[ 'meta' ] = array(); @@ -229,7 +231,7 @@ function dvwaHtmlEcho( $pPage ) { foreach( $menuBlock as $menuItem ) { $selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : ''; $fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ]; - $menuBlockHtml .= "
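Review bot: The new `$avatarUrl = '/hackable/users/';` is an absolute path from the web root, so the avatar URLs written into the `users` table will be wrong for any install served from a sub-directory, a case the old `PHP_SELF`-derived prefix handled. Dropping `$_SERVER['SERVER_NAME']` is the right call, since that value comes from the client-supplied Host header, but the path component can still be taken from the request: `$avatarUrl = rtrim(dirname($_SERVER['PHP_SELF']), '/') . '/hackable/users/';` gives the identical `/hackable/users/` for a root install and `/dvwa/hackable/users/` for a sub-directory one. If the setup code already knows the install prefix (the page code elsewhere in this commit uses a `DVWA_WEB_PAGE_TO_ROOT` constant), prefer that over `PHP_SELF`, which can carry client-controlled path-info. This is file-level code in MySQL.php that continues on both sides of the hunk.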
  • {$menuItem[ 'name' ]}
  • \n"; + $menuBlockHtml .= "
  • {$menuItem[ 'name' ]}
  • \n"; } $menuHtml .= ""; } @@ -328,6 +330,7 @@ function dvwaHtmlEcho( $pPage ) {

    Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "

    +
    @@ -425,13 +428,13 @@ function dvwaExternalLinkUrlGet( $pLink,$text=null ) { function dvwaButtonHelpHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } function dvwaButtonSourceHtmlGet( $pId ) { $security = dvwaSecurityLevelGet(); - return ""; + return ""; } diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/add_event_listeners.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/add_event_listeners.js new file mode 100644 index 000000000..5d9a82fd6 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/add_event_listeners.js @@ -0,0 +1,24 @@ +// These functions need to be called after the content they reference +// has been added to the page otherwise they will fail. + +function addEventListeners() { + var source_button = document.getElementById ("source_button"); + + if (source_button) { + source_button.addEventListener("click", function() { + var url=source_button.dataset.sourceUrl; + popUp (url); + }); + } + + var help_button = document.getElementById ("help_button"); + + if (help_button) { + help_button.addEventListener("click", function() { + var url=help_button.dataset.helpUrl; + popUp (url); + }); + } +} + +addEventListeners(); diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/dvwaPage.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/dvwaPage.js index 6be637c0b..0775a9db2 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/dvwaPage.js +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/dvwaPage.js 
@@ -3,7 +3,8 @@ function popUp(URL) { day = new Date(); id = day.getTime(); - eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=500,height=300,left = 540,top = 250');"); + window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250'); + //eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');"); } /* Form validation */ diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/external/recaptcha/recaptchalib.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/external/recaptcha/recaptchalib.php old mode 100755 new mode 100644 index 4fc5a9f61..eef481847 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/external/recaptcha/recaptchalib.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/external/recaptcha/recaptchalib.php 
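Review bot: Removing the `eval()` is a good change, but the replacement line keeps the quoting from the old string-built code, so `'" + id + "'` is now a literal window name rather than the value of `id`; every call therefore targets one window named `" + id + "`, whereas the original opened a fresh window per call because the name was the millisecond timestamp. Pass the value directly, `window.open(URL, String(id), 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');`, and delete the commented-out `//eval(...)` line instead of leaving dead code that still documents the eval pattern. While here, the context lines `day = new Date(); id = day.getTime();` assign undeclared globals; `var id = new Date().getTime();` avoids the leak. `popUp` ends within the hunk.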
@@ -1,279 +1,45 @@ $value ) - $req .= $key . '=' . urlencode( stripslashes($value) ) . '&'; - - // Cut the last '&' - $req=substr($req,0,strlen($req)-1); - return $req; +function recaptcha_check_answer($key, $response){ + return CheckCaptcha($key, $response); } +function CheckCaptcha($key, $response) { + try { + $url = 'https://www.google.com/recaptcha/api/siteverify'; + $dat = array( + 'secret' => $key, + 'response' => urlencode($response), + 'remoteip' => urlencode($_SERVER['REMOTE_ADDR']) + ); -/** - * Submits an HTTP POST to a reCAPTCHA server - * @param string $host - * @param string $path - * @param array $data - * @param int port - * @return array response - */ -function _recaptcha_http_post($host, $path, $data, $port = 80) { + $opt = array( + 'http' => array( + 'header' => "Content-type: application/x-www-form-urlencoded\r\n", + 'method' => 'POST', + 'content' => http_build_query($dat) + ) + ); - $req = _recaptcha_qsencode ($data); + $context = stream_context_create($opt); + $result = file_get_contents($url, false, $context); - $http_request = "POST $path HTTP/1.0\r\n"; - $http_request .= "Host: $host\r\n"; - $http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n"; - $http_request .= "Content-Length: " . strlen($req) . "\r\n"; - $http_request .= "User-Agent: reCAPTCHA/PHP\r\n"; - $http_request .= "\r\n"; - $http_request .= $req; + return json_decode($result)->success; - $response = ''; - if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) { - die ('Could not open socket'); - } - - fwrite($fs, $http_request); - - while ( !feof($fs) ) - $response .= fgets($fs, 1160); // One TCP-IP packet - fclose($fs); - $response = explode("\r\n\r\n", $response, 2); - - return $response; -} - - - -/** - * Gets the challenge HTML (javascript and non-javascript version). - * This is called from the browser, and the resulting reCAPTCHA HTML widget - * is embedded within the HTML form it was called from. 
- * @param string $pubkey A public key for reCAPTCHA - * @param string $error The error given by reCAPTCHA (optional, default is null) - * @param boolean $use_ssl Should the request be made over ssl? (optional, default is false) - - * @return string - The HTML to be embedded in the user's form. - */ -function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false) -{ - - # commented out to deal with error in DVWA - ethicalhack3r - #if ($pubkey == null || $pubkey == '') { - # die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); - #} - - if ($use_ssl) { - $server = RECAPTCHA_API_SECURE_SERVER; - } else { - $server = RECAPTCHA_API_SERVER; - } - - $errorpart = ""; - if ($error) { - $errorpart = "&error=" . $error; - } - return ' - - '; -} - - - - -/** - * A ReCaptchaResponse is returned from recaptcha_check_answer() - */ -class ReCaptchaResponse { - var $is_valid; - var $error; -} - - -/** - * Calls an HTTP POST function to verify if the user's guess was correct - * @param string $privkey - * @param string $remoteip - * @param string $challenge - * @param string $response - * @param array $extra_params an array of extra variables to post to the server - * @return ReCaptchaResponse - */ -function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array()) -{ - if ($privkey == null || $privkey == '') { - die ("To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create"); + } catch (Exception $e) { + return null; } - if ($remoteip == null || $remoteip == '') { - die ("For security reasons, you must pass the remote ip to reCAPTCHA"); - } - - - - //discard spam submissions - if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) { - $recaptcha_response = new ReCaptchaResponse(); - $recaptcha_response->is_valid = false; - $recaptcha_response->error = 'incorrect-captcha-sol'; - return $recaptcha_response; - } - - 
$response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify", - array ( - 'privatekey' => $privkey, - 'remoteip' => $remoteip, - 'challenge' => $challenge, - 'response' => $response - ) + $extra_params - ); - - $answers = explode ("\n", $response [1]); - $recaptcha_response = new ReCaptchaResponse(); - - if (trim ($answers [0]) == 'true') { - $recaptcha_response->is_valid = true; - } - else { - $recaptcha_response->is_valid = false; - $recaptcha_response->error = $answers [1]; - } - return $recaptcha_response; - } -/** - * gets a URL where the user can sign up for reCAPTCHA. If your application - * has a configuration page where you enter a key, you should provide a link - * using this function. - * @param string $domain The domain where the page is hosted - * @param string $appname The name of your application - */ -function recaptcha_get_signup_url ($domain = null, $appname = null) { - return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname)); +function recaptcha_get_html($pubKey){ + return " + +
    + "; } -function _recaptcha_aes_pad($val) { - $block_size = 16; - $numpad = $block_size - (strlen ($val) % $block_size); - return str_pad($val, strlen ($val) + $numpad, chr($numpad)); -} - -/* Mailhide related code */ - -function _recaptcha_aes_encrypt($val,$ky) { - if (! function_exists ("mcrypt_encrypt")) { - die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed."); - } - $mode=MCRYPT_MODE_CBC; - $enc=MCRYPT_RIJNDAEL_128; - $val=_recaptcha_aes_pad($val); - return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"); -} - - -function _recaptcha_mailhide_urlbase64 ($x) { - return strtr(base64_encode ($x), '+/', '-_'); -} - -/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */ -function recaptcha_mailhide_url($pubkey, $privkey, $email) { - if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) { - die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " . - "you can do so at http://www.google.com/recaptcha/mailhide/apikey"); - } - - - $ky = pack('H*', $privkey); - $cryptmail = _recaptcha_aes_encrypt ($email, $ky); - - return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail); -} - -/** - * gets the parts of the email to expose to the user. - * eg, given johndoe@example,com return ["john", "example.com"]. - * the email is then displayed as john...@example.com - */ -function _recaptcha_mailhide_email_parts ($email) { - $arr = preg_split("/@/", $email ); - - if (strlen ($arr[0]) <= 4) { - $arr[0] = substr ($arr[0], 0, 1); - } else if (strlen ($arr[0]) <= 6) { - $arr[0] = substr ($arr[0], 0, 3); - } else { - $arr[0] = substr ($arr[0], 0, 4); - } - return $arr; -} - -/** - * Gets html to display an email address given a public an private key. 
- * to get a key, go to: - * - * http://www.google.com/recaptcha/mailhide/apikey - */ -function recaptcha_mailhide_html($pubkey, $privkey, $email) { - $emailparts = _recaptcha_mailhide_email_parts ($email); - $url = recaptcha_mailhide_url ($pubkey, $privkey, $email); - - return htmlentities($emailparts[0]) . "...@" . htmlentities ($emailparts [1]); - -} - - ?> diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/help/help.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/help/help.php index ebe4c6821..11701dcd9 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/help/help.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/help/help.php @@ -44,7 +44,7 @@ This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds. The idea of this is to try and confuse any timing predictions.
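Review bot: In the new `CheckCaptcha` the `response` and `remoteip` values are run through `urlencode()` and the whole array is then passed to `http_build_query()`, which encodes again, so a colon in an IPv6 `REMOTE_ADDR` reaches the verifier as `%253A` and any non-alphanumeric character in the token would likewise be double-encoded. The surrounding `try`/`catch (Exception $e)` is also dead code: `file_get_contents()` does not throw, it returns `false` with a PHP warning, and `json_decode(false)->success` then reads a property on `null` — the callers only test `!$resp`, so this fails closed, but a missing key, disabled `allow_url_fopen` or an unreachable verifier is shown to the user as "The CAPTCHA was incorrect" with only that warning as a trace. Drop the inner `urlencode()` calls, check the transport result explicitly and compare `success` strictly, as below. The replaced library also refused to run with an empty private key; consider keeping that guard, since `config.inc.php.dist` in this same commit ships `recaptcha_private_key` empty.
```php
function CheckCaptcha($key, $response) {
    if ($key === null || $key === '') {
        error_log('reCAPTCHA: recaptcha_private_key is not configured');
        return false;
    }
    $url = 'https://www.google.com/recaptcha/api/siteverify';
    $dat = array(
        'secret'   => $key,
        'response' => $response,                // http_build_query() does the encoding
        'remoteip' => $_SERVER['REMOTE_ADDR']
    );
    // … unchanged: $opt / stream_context_create() …
    $result = file_get_contents($url, false, $context);
    if ($result === false) {
        error_log('reCAPTCHA: siteverify request failed');
        return false;                           // verifier unreachable: fail closed
    }
    $json = json_decode($result);
    return isset($json->success) && $json->success === true;
}
```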

    -

    Using a form could have a similar effect as a CSRF token.

    +

    Using a form could have a similar effect as a CSRF token.


    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/source/impossible.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/source/impossible.php index fb245b7c3..0816216d6 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/source/impossible.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/source/impossible.php @@ -1,6 +1,6 @@

    About

    -

    A is a program that can tell whether its user is a human or a computer. You've probably seen +

    A is a program that can tell whether its user is a human or a computer. You've probably seen them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs.

    @@ -58,5 +58,5 @@
    -

    Reference:

    +

    Reference:

    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/index.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/index.php index 3c7112fde..056e3c4c6 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/index.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/index.php @@ -87,7 +87,7 @@ $page[ 'body' ] .= "

    More Information

    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/high.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/high.php index ee48662ff..01f2787f5 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/high.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/high.php @@ -9,21 +9,20 @@ if( isset( $_POST[ 'Change' ] ) ) { $pass_conf = $_POST[ 'password_conf' ]; // Check CAPTCHA from 3rd party - $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], - $_SERVER[ 'REMOTE_ADDR' ], - $_POST[ 'recaptcha_challenge_field' ], - $_POST[ 'recaptcha_response_field' ] ); + $resp = recaptcha_check_answer( + $_DVWA[ 'recaptcha_private_key' ], + $_POST['g-recaptcha-response'] + ); - // Did the CAPTCHA fail? - if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) { - // What happens when the CAPTCHA was entered incorrectly - $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; - $hide_form = false; - return; - } - else { + if ( + $resp || + ( + $_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3' + && $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA' + ) + ){ // CAPTCHA was correct. Do both new passwords match? - if( $pass_new == $pass_conf ) { + if ($pass_new == $pass_conf) { $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); @@ -33,12 +32,18 @@ if( isset( $_POST[ 'Change' ] ) ) { // Feedback for user $html .= "
    Password Changed.
    "; - } - else { + + } else { // Ops. Password mismatch $html .= "
    Both passwords must match.
    "; $hide_form = false; } + + } else { + // What happens when the CAPTCHA was entered incorrectly + $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; + $hide_form = false; + return; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/impossible.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/impossible.php index b16e8a1e8..8dcce3456 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/impossible.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/impossible.php @@ -24,13 +24,13 @@ if( isset( $_POST[ 'Change' ] ) ) { $pass_curr = md5( $pass_curr ); // Check CAPTCHA from 3rd party - $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], - $_SERVER[ 'REMOTE_ADDR' ], - $_POST[ 'recaptcha_challenge_field' ], - $_POST[ 'recaptcha_response_field' ] ); + $resp = recaptcha_check_answer( + $_DVWA[ 'recaptcha_private_key' ], + $_POST['g-recaptcha-response'] + ); // Did the CAPTCHA fail? - if( !$resp->is_valid ) { + if( !$resp ) { // What happens when the CAPTCHA was entered incorrectly $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/low.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/low.php index 71b9feef0..181297493 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/low.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/low.php @@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) { $pass_conf = $_POST[ 'password_conf' ]; // Check CAPTCHA from 3rd party - $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], - $_SERVER[ 'REMOTE_ADDR' ], - $_POST[ 'recaptcha_challenge_field' ], - $_POST[ 'recaptcha_response_field' ] ); + $resp = recaptcha_check_answer( + $_DVWA[ 'recaptcha_private_key'], + $_POST['g-recaptcha-response'] + ); // Did the CAPTCHA fail? - if( !$resp->is_valid ) { + if( !$resp ) { // What happens when the CAPTCHA was entered incorrectly $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/medium.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/medium.php index d4bdc8113..d655b3649 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/medium.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/medium.php @@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) { $pass_conf = $_POST[ 'password_conf' ]; // Check CAPTCHA from 3rd party - $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], - $_SERVER[ 'REMOTE_ADDR' ], - $_POST[ 'recaptcha_challenge_field' ], - $_POST[ 'recaptcha_response_field' ] ); + $resp = recaptcha_check_answer( + $_DVWA[ 'recaptcha_private_key' ], + $_POST['g-recaptcha-response'] + ); // Did the CAPTCHA fail? - if( !$resp->is_valid ) { + if( !$resp ) { // What happens when the CAPTCHA was entered incorrectly $html .= "

    The CAPTCHA was incorrect. Please try again.
    "; $hide_form = false; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/help/help.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/help/help.php new file mode 100644 index 000000000..739b3f5b4 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/help/help.php @@ -0,0 +1,52 @@ +
    +

    Help - Content Security Policy (CSP) Bypass

    + +
    + + + + +
    +

    About

    +

    Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers.

    +

    None of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented.

    + +


    + +

    Objective

    +

    Bypass Content Security Policy (CSP) and execute JavaScript in the page.

    + +


    + +

    Low Level

    +

    Examine the policy to find all the sources that can be used to host external script files.

    +
    Spoiler: Scripts can be included from Pastebin, try storing some JavaScript on there and then loading it in.
    + +
    + +

    Medium Level

    +

    The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.

    +
    Spoiler: Examine the nonce and see how it varies (or doesn't).
    + +
    + +

    High Level

    +

    The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function.

    +
    Spoiler: The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead
    + +
    + +

    Impossible Level

    +

    + This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts. +

    +
    + +
    + +
    + +

    Reference:

    +

    Reference:

    +

    Reference:

    +
    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/index.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/index.php new file mode 100644 index 000000000..aa189ff07 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/index.php @@ -0,0 +1,57 @@ + +

    Vulnerability: Content Security Policy (CSP) Bypass

    + +
    +EOF; + +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csp/source/{$vulnerabilityFile}"; + +$page[ 'body' ] .= << +EOF; + +$page[ 'body' ] .= " +

    More Information

    +
      +
    • " . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . "
    • +
    +

    Module developed by Digininja.

    +
    \n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.js
new file mode 100644
index 000000000..a4b10cfd4
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.js
@@ -0,0 +1,19 @@
+function clickButton() {
+ var s = document.createElement("script");
+ s.src = "source/jsonp.php?callback=solveSum";
+ document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+ if ("answer" in obj) {
+ document.getElementById("answer").innerHTML = obj['answer'];
+ }
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+ solve_button.addEventListener("click", function() {
+ clickButton();
+ });
+}
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.php
new file mode 100644
index 000000000..18e1bf0fa
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.php
@@ -0,0 +1,22 @@
+
+
+

    The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.

    +

    1+2+3+4+5=

    +
+
+
+
+';
+
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.js
new file mode 100644
index 000000000..11b56aa57
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.js
@@ -0,0 +1,19 @@
+function clickButton() {
+ var s = document.createElement("script");
+ s.src = "source/jsonp_impossible.php";
+ document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+ if ("answer" in obj) {
+ document.getElementById("answer").innerHTML = obj['answer'];
+ }
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+ solve_button.addEventListener("click", function() {
+ clickButton();
+ });
+}
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.php
new file mode 100644
index 000000000..320fd2f12
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.php
@@ -0,0 +1,23 @@
+
+
+
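Review bot: solveSum in impossible.js writes the server-supplied value with `innerHTML`, a markup-parsing sink, on the level the help text presents as the locked-down reference; the value is only ever displayed as text, so `document.getElementById("answer").textContent = obj['answer'];` gives the same display without parsing the response. The `"answer" in obj` test also throws a TypeError if the endpoint ever returns a non-object, so a `typeof obj === 'object' && obj !== null` guard ahead of it would be cheap. Both are hardening rather than a bypass: jsonp_impossible.php appears to return a hard-coded answer, so no attacker-controlled data reaches this sink as written.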

    Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.

    The CSP settings only allow external JavaScript on the local server and no inline code.

    +

    1+2+3+4+5=

    +
+
+
+
+';
+
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp.php
new file mode 100644
index 000000000..fcfc53522
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp.php
@@ -0,0 +1,13 @@
+ "15");
+
+echo $callback . "(".json_encode($outp).")";
+?>
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp_impossible.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp_impossible.php
new file mode 100644
index 000000000..090a38b8b
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp_impossible.php
@@ -0,0 +1,7 @@
+ "15");
+
+echo "solveSum (".json_encode($outp).")";
+?>
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/low.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/low.php
new file mode 100644
index 000000000..ea25c7213
--- /dev/null
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/low.php
@@ -0,0 +1,22 @@
+
+
+";
+}
+$page[ 'body' ] .= '
+
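Review bot: jsonp.php echoes the callback name straight into the script body (`echo $callback . "(".json_encode($outp).")";`) and nothing in this commit ties that to the High level, so the endpoint stays reachable verbatim when the module is set to Impossible, whose help text says the policy only allows external scripts from the local server. A same-origin script whose output the requester chooses is exactly the gadget that defeats a `script-src 'self'` policy, so either gate the reflection on the security level or at least make the intent explicit with `// Intentionally reflects the untrusted callback parameter: this is the High-level CSP exercise, not a pattern to copy.` above the echo, and in any hardened variant validate with `if (!preg_match('/^[A-Za-z0-9_]+$/', $callback)) { $callback = 'solveSum'; }`. The assignment of `$callback` from the request is not legible in this rendering; I am going by the help text, which says the caller passes the function name.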
    +

    You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:

    + + +
    +'; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/medium.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/medium.php new file mode 100644 index 000000000..0fd03209e --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/medium.php @@ -0,0 +1,25 @@ +alert(1) + +?> + +

    Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.

    + + + +'; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/help/help.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/help/help.php new file mode 100644 index 000000000..a679d2e41 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/help/help.php @@ -0,0 +1,52 @@ +
    +

    Help - Client Side JavaScript

    + +
    +

    About

    +

    The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.

    + +
    + +

    Objective

    +

    Simply submit the phrase "success" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.

    + +
    +

    Low Level

    +

    All the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.

    +
    Spoiler: Change the phrase to success and then use the function generate_token() to update the token.
    + +


    + +

    Medium Level

    +

    + The JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way. +

    +
    Spoiler: The file uses the setTimeout function to run the do_elsesomething function which generates the token.
    + +


    + +

    High Level

    +

    + The JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission. +

    +
    Spoiler: If it helps, two packers have been used, the first is from Dan's Tools and the second is the JavaScript Obfuscator Tool.
    +
    Spoiler 2: This deobfuscation tool seems to work the best on this code deobfuscate javascript.
    +
    Spoiler 3: This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.
    + +


    + +

    Impossible Level

    +

    You can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.

    + +
    + +
    + +

    Reference:

    + +
    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/index.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/index.php new file mode 100644 index 000000000..1e5b5802c --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/index.php @@ -0,0 +1,123 @@ +Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + case 'medium': + if ($token == strrev("XXsuccessXX")) { + $message = "

    Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + case 'high': + if ($token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) { + $message = "

    Well done!

    "; + } else { + $message = "

    Invalid token.

    "; + } + break; + default: + $vulnerabilityFile = 'impossible.php'; + break; + } + } else { + $message = "

    You got the phrase wrong.

    "; + } + } else { + $message = "

    Missing phrase or token.

    "; + } +} + +if ( $_COOKIE[ 'security' ] == "impossible" ) { +$page[ 'body' ] = << +

    Vulnerability: JavaScript Attacks

    + +
    +

    + You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level. +

    +EOF; +} else { +$page[ 'body' ] = << +

    Vulnerability: JavaScript Attacks

    + +
    +

    + Submit the word "success" to win. +

    + + $message + +
    + + + +
    +EOF; +} + +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/javascript/source/{$vulnerabilityFile}"; + +$page[ 'body' ] .= << +EOF; + +$page[ 'body' ] .= " +

    More Information

    +
      +
    • " . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . "
    • +
    • " . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . "
    • +
    +

    Module developed by Digininja.

    +
    \n"; + +dvwaHtmlEcho( $page ); + +?> diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.js new file mode 100644 index 000000000..30c3833ad --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.js 
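Review bot: the medium and high cases compare the user-supplied `$token` with `==`, and the high case does so against a hex SHA-256 digest (`$token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")`). PHP compares two numeric-looking strings as numbers, so if that digest happened to be `0e` followed only by digits a token of `0` would be accepted, and even where it does not, `==` is the wrong primitive for checking a secret. Use `if (hash_equals(hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ"), (string) $token))` in the high case and `===` in the medium case; the low case's comparison is not legible in this rendering and should get the same treatment. This server-side check is the part of the module that is meant to be correct — the help text says there is no impossible level because only the client-side JavaScript is the exercise.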
@@ -0,0 +1 @@ +var a=['fromCharCode','toString','replace','BeJ','\x5cw+','Lyg','SuR','(w(){\x273M\x203L\x27;q\x201l=\x273K\x203I\x203J\x20T\x27;q\x201R=1c\x202I===\x271n\x27;q\x20Y=1R?2I:{};p(Y.3N){1R=1O}q\x202L=!1R&&1c\x202M===\x271n\x27;q\x202o=!Y.2S&&1c\x202d===\x271n\x27&&2d.2Q&&2d.2Q.3S;p(2o){Y=3R}z\x20p(2L){Y=2M}q\x202G=!Y.3Q&&1c\x202g===\x271n\x27&&2g.X;q\x202s=1c\x202l===\x27w\x27&&2l.3P;q\x201y=!Y.3H&&1c\x20Z!==\x272T\x27;q\x20m=\x273G\x27.3z(\x27\x27);q\x202w=[-3y,3x,3v,3w];q\x20U=[24,16,8,0];q\x20K=[3A,3B,3F,3E,3D,3C,3T,3U,4d,4c,4b,49,4a,4e,4f,4j,4i,4h,3u,48,47,3Z,3Y,3X,3V,3W,40,41,46,45,43,42,4k,3f,38,36,39,37,34,33,2Y,31,2Z,35,3t,3n,3m,3l,3o,3p,3s,3r,3q,3k,3j,3d,3a,3c,3b,3e,3h,3g,3i,4g];q\x201E=[\x271e\x27,\x2727\x27,\x271G\x27,\x272R\x27];q\x20l=[];p(Y.2S||!1z.1K){1z.1K=w(1x){A\x204C.Q.2U.1I(1x)===\x27[1n\x201z]\x27}}p(1y&&(Y.50||!Z.1N)){Z.1N=w(1x){A\x201c\x201x===\x271n\x27&&1x.1w&&1x.1w.1J===Z}}q\x202m=w(1X,x){A\x20w(s){A\x20O\x20N(x,1d).S(s)[1X]()}};q\x202a=w(x){q\x20P=2m(\x271e\x27,x);p(2o){P=2P(P,x)}P.1T=w(){A\x20O\x20N(x)};P.S=w(s){A\x20P.1T().S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2m(T,x)}A\x20P};q\x202P=w(P,x){q\x201S=2O(\x222N(\x271S\x27)\x22);q\x201Y=2O(\x222N(\x271w\x27).1Y\x22);q\x202n=x?\x271H\x27:\x271q\x27;q\x202z=w(s){p(1c\x20s===\x272p\x27){A\x201S.2x(2n).S(s,\x274S\x27).1G(\x271e\x27)}z{p(s===2q||s===2T){1u\x20O\x201t(1l)}z\x20p(s.1J===Z){s=O\x202r(s)}}p(1z.1K(s)||Z.1N(s)||s.1J===1Y){A\x201S.2x(2n).S(O\x201Y(s)).1G(\x271e\x27)}z{A\x20P(s)}};A\x202z};q\x202k=w(1X,x){A\x20w(G,s){A\x20O\x201P(G,x,1d).S(s)[1X]()}};q\x202f=w(x){q\x20P=2k(\x271e\x27,x);P.1T=w(G){A\x20O\x201P(G,x)};P.S=w(G,s){A\x20P.1T(G).S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2k(T,x)}A\x20P};w\x20N(x,1v){p(1v){l[0]=l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0;k.l=l}z{k.l=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}p(x){k.C=4I;k.B=4H;k.E=4l;k.F=4U;k.J=4J;k.I=4K;k.H=4L;k.D=4T}z{k.C=4X;k.B=4W;k.E=4Y;k.F=4Z;k.J=4V;k.I=4O;k.H
=4F;k.D=4s}k.1C=k.1A=k.L=k.2i=0;k.1U=k.1L=1O;k.2j=1d;k.x=x}N.Q.S=w(s){p(k.1U){A}q\x202h,T=1c\x20s;p(T!==\x272p\x27){p(T===\x271n\x27){p(s===2q){1u\x20O\x201t(1l)}z\x20p(1y&&s.1J===Z){s=O\x202r(s)}z\x20p(!1z.1K(s)){p(!1y||!Z.1N(s)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}2h=1d}q\x20r,M=0,i,W=s.W,l=k.l;4t(M>2]|=s[M]<>2]|=r<>2]|=(2t|(r>>6))<>2]|=(R|(r&V))<=2E){l[i>>2]|=(2D|(r>>12))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<>2]|=(2X|(r>>18))<>2]|=(R|((r>>12)&V))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<=1k){k.1C=l[16];k.1A=i-1k;k.1W();k.1L=1d}z{k.1A=i}}p(k.L>4r){k.2i+=k.L/2H<<0;k.L=k.L%2H}A\x20k};N.Q.1s=w(){p(k.1U){A}k.1U=1d;q\x20l=k.l,i=k.2u;l[16]=k.1C;l[i>>2]|=2w[i&3];k.1C=l[16];p(i>=4q){p(!k.1L){k.1W()}l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}l[14]=k.2i<<3|k.L>>>29;l[15]=k.L<<3;k.1W()};N.Q.1W=w(){q\x20a=k.C,b=k.B,c=k.E,d=k.F,e=k.J,f=k.I,g=k.H,h=k.D,l=k.l,j,1a,1b,1j,v,1f,1h,1B,1Z,1V,1D;1g(j=16;j<1k;++j){v=l[j-15];1a=((v>>>7)|(v<<25))^((v>>>18)|(v<<14))^(v>>>3);v=l[j-2];1b=((v>>>17)|(v<<15))^((v>>>19)|(v<<13))^(v>>>10);l[j]=l[j-16]+1a+l[j-7]+1b<<0}1D=b&c;1g(j=0;j<1k;j+=4){p(k.2j){p(k.x){1B=4m;v=l[0]-4n;h=v-4o<<0;d=v+4p<<0}z{1B=4v;v=l[0]-4w;h=v-4G<<0;d=v+4D<<0}k.2j=1O}z{1a=((a>>>2)|(a<<30))^((a>>>13)|(a<<19))^((a>>>22)|(a<<10));1b=((e>>>6)|(e<<26))^((e>>>11)|(e<<21))^((e>>>25)|(e<<7));1B=a&b;1j=1B^(a&c)^1D;1h=(e&f)^(~e&g);v=h+1b+1h+K[j]+l[j];1f=1a+1j;h=d+v<<0;d=v+1f<<0}1a=((d>>>2)|(d<<30))^((d>>>13)|(d<<19))^((d>>>22)|(d<<10));1b=((h>>>6)|(h<<26))^((h>>>11)|(h<<21))^((h>>>25)|(h<<7));1Z=d&a;1j=1Z^(d&b)^1B;1h=(h&e)^(~h&f);v=g+1b+1h+K[j+1]+l[j+1];1f=1a+1j;g=c+v<<0;c=v+1f<<0;1a=((c>>>2)|(c<<30))^((c>>>13)|(c<<19))^((c>>>22)|(c<<10));1b=((g>>>6)|(g<<26))^((g>>>11)|(g<<21))^((g>>>25)|(g<<7));1V=c&d;1j=1V^(c&a)^1Z;1h=(g&h)^(~g&e);v=f+1b+1h+K[j+2]+l[j+2];1f=1a+1j;f=b+v<<0;b=v+1f<<0;1a=((b>>>2)|(b<<30))^((b>>>13)|(b<<19))^((b>>>22)|(b<<10));1b=((f>>>6)|(f<<26))^((f>>>11)|(f<<21))^((f>>>25)|(f<<7));1D=b&c;1j=1D^(b&d)^1V;1h=(f&g)^(~f&h
);v=e+1b+1h+K[j+3]+l[j+3];1f=1a+1j;e=a+v<<0;a=v+1f<<0}k.C=k.C+a<<0;k.B=k.B+b<<0;k.E=k.E+c<<0;k.F=k.F+d<<0;k.J=k.J+e<<0;k.I=k.I+f<<0;k.H=k.H+g<<0;k.D=k.D+h<<0};N.Q.1e=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x201e=m[(C>>28)&o]+m[(C>>24)&o]+m[(C>>20)&o]+m[(C>>16)&o]+m[(C>>12)&o]+m[(C>>8)&o]+m[(C>>4)&o]+m[C&o]+m[(B>>28)&o]+m[(B>>24)&o]+m[(B>>20)&o]+m[(B>>16)&o]+m[(B>>12)&o]+m[(B>>8)&o]+m[(B>>4)&o]+m[B&o]+m[(E>>28)&o]+m[(E>>24)&o]+m[(E>>20)&o]+m[(E>>16)&o]+m[(E>>12)&o]+m[(E>>8)&o]+m[(E>>4)&o]+m[E&o]+m[(F>>28)&o]+m[(F>>24)&o]+m[(F>>20)&o]+m[(F>>16)&o]+m[(F>>12)&o]+m[(F>>8)&o]+m[(F>>4)&o]+m[F&o]+m[(J>>28)&o]+m[(J>>24)&o]+m[(J>>20)&o]+m[(J>>16)&o]+m[(J>>12)&o]+m[(J>>8)&o]+m[(J>>4)&o]+m[J&o]+m[(I>>28)&o]+m[(I>>24)&o]+m[(I>>20)&o]+m[(I>>16)&o]+m[(I>>12)&o]+m[(I>>8)&o]+m[(I>>4)&o]+m[I&o]+m[(H>>28)&o]+m[(H>>24)&o]+m[(H>>20)&o]+m[(H>>16)&o]+m[(H>>12)&o]+m[(H>>8)&o]+m[(H>>4)&o]+m[H&o];p(!k.x){1e+=m[(D>>28)&o]+m[(D>>24)&o]+m[(D>>20)&o]+m[(D>>16)&o]+m[(D>>12)&o]+m[(D>>8)&o]+m[(D>>4)&o]+m[D&o]}A\x201e};N.Q.2U=N.Q.1e;N.Q.1G=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x202b=[(C>>24)&u,(C>>16)&u,(C>>8)&u,C&u,(B>>24)&u,(B>>16)&u,(B>>8)&u,B&u,(E>>24)&u,(E>>16)&u,(E>>8)&u,E&u,(F>>24)&u,(F>>16)&u,(F>>8)&u,F&u,(J>>24)&u,(J>>16)&u,(J>>8)&u,J&u,(I>>24)&u,(I>>16)&u,(I>>8)&u,I&u,(H>>24)&u,(H>>16)&u,(H>>8)&u,H&u];p(!k.x){2b.4A((D>>24)&u,(D>>16)&u,(D>>8)&u,D&u)}A\x202b};N.Q.27=N.Q.1G;N.Q.2R=w(){k.1s();q\x201w=O\x20Z(k.x?28:32);q\x201i=O\x204x(1w);1i.1p(0,k.C);1i.1p(4,k.B);1i.1p(8,k.E);1i.1p(12,k.F);1i.1p(16,k.J);1i.1p(20,k.I);1i.1p(24,k.H);p(!k.x){1i.1p(28,k.D)}A\x201w};w\x201P(G,x,1v){q\x20i,T=1c\x20G;p(T===\x272p\x27){q\x20L=[],W=G.W,M=0,r;1g(i=0;i>6));L[M++]=(R|(r&V))}z\x20p(r<2A||r>=2E){L[M++]=(2D|(r>>12));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}z{r=2C+(((r&23)<<10)|(G.1Q(++i)&23));L[M++]=(2X|(r>>18));L[M++]=(R|((r>>12)&V));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}}G=L}z{p(T===\x271n\x27){p(G===2q){1u\x20O\x201t(1l)}z\x20p(1y&&G.1J===Z){G=O\x202r(G
)}z\x20p(!1z.1K(G)){p(!1y||!Z.1N(G)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}}p(G.W>1k){G=(O\x20N(x,1d)).S(G).27()}q\x201F=[],2e=[];1g(i=0;i<1k;++i){q\x20b=G[i]||0;1F[i]=4z^b;2e[i]=4y^b}N.1I(k,x,1v);k.S(2e);k.1F=1F;k.2c=1d;k.1v=1v}1P.Q=O\x20N();1P.Q.1s=w(){N.Q.1s.1I(k);p(k.2c){k.2c=1O;q\x202W=k.27();N.1I(k,k.x,k.1v);k.S(k.1F);k.S(2W);N.Q.1s.1I(k)}};q\x20X=2a();X.1q=X;X.1H=2a(1d);X.1q.2V=2f();X.1H.2V=2f(1d);p(2G){2g.X=X}z{Y.1q=X.1q;Y.1H=X.1H;p(2s){2l(w(){A\x20X})}}})();w\x202y(e){1g(q\x20t=\x22\x22,n=e.W-1;n>=0;n--)t+=e[n];A\x20t}w\x202J(t,y=\x224B\x22){1m.1o(\x221M\x22).1r=1q(1m.1o(\x221M\x22).1r+y)}w\x202B(e=\x224E\x22){1m.1o(\x221M\x22).1r=1q(e+1m.1o(\x221M\x22).1r)}w\x202K(a,b){1m.1o(\x221M\x22).1r=2y(1m.1o(\x222F\x22).1r)}1m.1o(\x222F\x22).1r=\x22\x22;4u(w(){2B(\x224M\x22)},4N);1m.1o(\x224P\x22).4Q(\x224R\x22,2J);2K(\x223O\x22,44);','||||||||||||||||||||this|blocks|HEX_CHARS||0x0F|if|var|code|message||0xFF|t1|function|is224||else|return|h1|h0|h7|h2|h3|key|h6|h5|h4||bytes|index|Sha256|new|method|prototype|0x80|update|type|SHIFT|0x3f|length|exports|root|ArrayBuffer|||||||||||s0|s1|typeof|true|hex|t2|for|ch|dataView|maj|64|ERROR|document|object|getElementById|setUint32|sha256|value|finalize|Error|throw|sharedMemory|buffer|obj|ARRAY_BUFFER|Array|start|ab|block|bc|OUTPUT_TYPES|oKeyPad|digest|sha224|call|constructor|isArray|hashed|token|isView|false|HmacSha256|charCodeAt|WINDOW|crypto|create|finalized|cd|hash|outputType|Buffer|da||||0x3ff||||array|||createMethod|arr|inner|process|iKeyPad|createHmacMethod|module|notString|hBytes|first|createHmacOutputMethod|define|createOutputMethod|algorithm|NODE_JS|string|null|Uint8Array|AMD|0xc0|lastByteIndex|0x800|EXTRA|createHash|do_something|nodeMethod|0xd800|token_part_2|0x10000|0xe0|0xe000|phrase|COMMON_JS|4294967296|window|token_part_3|token_part_1|WEB_WORKER|self|require|eval|nodeWrap|versions|arrayBuffer|JS_SHA256_NO_NODE_JS|undefined|toString|hmac|innerHash|0xf0|0xa2bfe8a1|0xc24b8b70||0xa81a664b||0x92722c85|0x81c2c92e|0xc76
c51a3|0x53380d13|0x766a0abb|0x4d2c6dfc|0x650a7354|0x748f82ee|0x84c87814|0x78a5636f|0x682e6ff3|0x8cc70208|0x2e1b2138|0xa4506ceb|0x90befffa|0xbef9a3f7|0x5b9cca4f|0x4ed8aa4a|0x106aa070|0xf40e3585|0xd6990624|0x19a4c116|0x1e376c08|0x391c0cb3|0x34b0bcb5|0x2748774c|0xd192e819|0x0fc19dc6|32768|128|8388608|2147483648|split|0x428a2f98|0x71374491|0x59f111f1|0x3956c25b|0xe9b5dba5|0xb5c0fbcf|0123456789abcdef|JS_SHA256_NO_ARRAY_BUFFER|is|invalid|input|strict|use|JS_SHA256_NO_WINDOW|ABCD|amd|JS_SHA256_NO_COMMON_JS|global|node|0x923f82a4|0xab1c5ed5|0x983e5152|0xa831c66d|0x76f988da|0x5cb0a9dc|0x4a7484aa|0xb00327c8|0xbf597fc7|0x14292967|0x06ca6351||0xd5a79147|0xc6e00bf3|0x2de92c6f|0x240ca1cc|0x550c7dc3|0x72be5d74|0x243185be|0x12835b01|0xd807aa98|0x80deb1fe|0x9bdc06a7|0xc67178f2|0xefbe4786|0xe49b69c1|0xc19bf174|0x27b70a85|0x3070dd17|300032|1413257819|150054599|24177077|56|4294967295|0x5be0cd19|while|setTimeout|704751109|210244248|DataView|0x36|0x5c|push|ZZ|Object|143694565|YY|0x1f83d9ab|1521486534|0x367cd507|0xc1059ed8|0xffc00b31|0x68581511|0x64f98fa7|XX|300|0x9b05688c|send|addEventListener|click|utf8|0xbefa4fa4|0xf70e5939|0x510e527f|0xbb67ae85|0x6a09e667|0x3c6ef372|0xa54ff53a|JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW','split'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};eval(function(d,e,f,g,h,i){h=function(j){return(j0x23?String[b('0x0')](j+0x1d):j[b('0x1')](0x24));};if(!''[b('0x2')](/^/,String)){while(f--){i[h(f)]=g[f]||h(f);}g=[function(k){if('wpA'!==b('0x3')){return i[k];}else{while(f--){i[k(f)]=g[f]||k(f);}g=[function(l){return i[l];}];k=function(){return b('0x4');};f=0x1;}}];h=function(){return b('0x4');};f=0x1;};while(f--){if(g[f]){if(b('0x5')===b('0x6')){return i[h];}else{d=d[b('0x2')](new RegExp('\x5cb'+h(f)+'\x5cb','g'),g[f]);}}}return d;}(b('0x7'),0x3e,0x137,b('0x8')[b('0x9')]('|'),0x0,{})); 
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.php new file mode 100644 index 000000000..756058f33 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.php @@ -0,0 +1,5 @@ + +EOF; +?> diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high_unobfuscated.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high_unobfuscated.js new file mode 100644 index 000000000..3db08e8a5 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high_unobfuscated.js 
@@ -0,0 +1,540 @@ +/** + * [js-sha256]{@link https://github.com/emn178/js-sha256} + * + * @version 0.9.0 + * @author Chen, Yi-Cyuan [emn178@gmail.com] + * @copyright Chen, Yi-Cyuan 2014-2017 + * @license MIT + */ +/*jslint bitwise: true */ +(function () { + 'use strict'; + + var ERROR = 'input is invalid type'; + var WINDOW = typeof window === 'object'; + var root = WINDOW ? window : {}; + if (root.JS_SHA256_NO_WINDOW) { + WINDOW = false; + } + var WEB_WORKER = !WINDOW && typeof self === 'object'; + var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node; + if (NODE_JS) { + root = global; + } else if (WEB_WORKER) { + root = self; + } + var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports; + var AMD = typeof define === 'function' && define.amd; + var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined'; + var HEX_CHARS = '0123456789abcdef'.split(''); + var EXTRA = [-2147483648, 8388608, 32768, 128]; + var SHIFT = [24, 16, 8, 0]; + var K = [ + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + ]; + var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer']; + + var blocks = []; + + if (root.JS_SHA256_NO_NODE_JS || 
!Array.isArray) { + Array.isArray = function (obj) { + return Object.prototype.toString.call(obj) === '[object Array]'; + }; + } + + if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) { + ArrayBuffer.isView = function (obj) { + return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer; + }; + } + + var createOutputMethod = function (outputType, is224) { + return function (message) { + return new Sha256(is224, true).update(message)[outputType](); + }; + }; + + var createMethod = function (is224) { + var method = createOutputMethod('hex', is224); + if (NODE_JS) { + method = nodeWrap(method, is224); + } + method.create = function () { + return new Sha256(is224); + }; + method.update = function (message) { + return method.create().update(message); + }; + for (var i = 0; i < OUTPUT_TYPES.length; ++i) { + var type = OUTPUT_TYPES[i]; + method[type] = createOutputMethod(type, is224); + } + return method; + }; + + var nodeWrap = function (method, is224) { + var crypto = eval("require('crypto')"); + var Buffer = eval("require('buffer').Buffer"); + var algorithm = is224 ? 
'sha224' : 'sha256'; + var nodeMethod = function (message) { + if (typeof message === 'string') { + return crypto.createHash(algorithm).update(message, 'utf8').digest('hex'); + } else { + if (message === null || message === undefined) { + throw new Error(ERROR); + } else if (message.constructor === ArrayBuffer) { + message = new Uint8Array(message); + } + } + if (Array.isArray(message) || ArrayBuffer.isView(message) || + message.constructor === Buffer) { + return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex'); + } else { + return method(message); + } + }; + return nodeMethod; + }; + + var createHmacOutputMethod = function (outputType, is224) { + return function (key, message) { + return new HmacSha256(key, is224, true).update(message)[outputType](); + }; + }; + + var createHmacMethod = function (is224) { + var method = createHmacOutputMethod('hex', is224); + method.create = function (key) { + return new HmacSha256(key, is224); + }; + method.update = function (key, message) { + return method.create(key).update(message); + }; + for (var i = 0; i < OUTPUT_TYPES.length; ++i) { + var type = OUTPUT_TYPES[i]; + method[type] = createHmacOutputMethod(type, is224); + } + return method; + }; + + function Sha256(is224, sharedMemory) { + if (sharedMemory) { + blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + this.blocks = blocks; + } else { + this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; + } + + if (is224) { + this.h0 = 0xc1059ed8; + this.h1 = 0x367cd507; + this.h2 = 0x3070dd17; + this.h3 = 0xf70e5939; + this.h4 = 0xffc00b31; + this.h5 = 0x68581511; + this.h6 = 0x64f98fa7; + this.h7 = 0xbefa4fa4; + } else { // 256 + this.h0 = 0x6a09e667; + this.h1 = 0xbb67ae85; + this.h2 = 0x3c6ef372; + this.h3 = 0xa54ff53a; + this.h4 = 0x510e527f; + this.h5 = 0x9b05688c; + this.h6 
= 0x1f83d9ab; + this.h7 = 0x5be0cd19; + } + + this.block = this.start = this.bytes = this.hBytes = 0; + this.finalized = this.hashed = false; + this.first = true; + this.is224 = is224; + } + + Sha256.prototype.update = function (message) { + if (this.finalized) { + return; + } + var notString, type = typeof message; + if (type !== 'string') { + if (type === 'object') { + if (message === null) { + throw new Error(ERROR); + } else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) { + message = new Uint8Array(message); + } else if (!Array.isArray(message)) { + if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) { + throw new Error(ERROR); + } + } + } else { + throw new Error(ERROR); + } + notString = true; + } + var code, index = 0, i, length = message.length, blocks = this.blocks; + + while (index < length) { + if (this.hashed) { + this.hashed = false; + blocks[0] = this.block; + blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + } + + if (notString) { + for (i = this.start; index < length && i < 64; ++index) { + blocks[i >> 2] |= message[index] << SHIFT[i++ & 3]; + } + } else { + for (i = this.start; index < length && i < 64; ++index) { + code = message.charCodeAt(index); + if (code < 0x80) { + blocks[i >> 2] |= code << SHIFT[i++ & 3]; + } else if (code < 0x800) { + blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } else if (code < 0xd800 || code >= 0xe000) { + blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } else { + code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff)); + blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | 
((code >> 12) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3]; + blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3]; + } + } + } + + this.lastByteIndex = i; + this.bytes += i - this.start; + if (i >= 64) { + this.block = blocks[16]; + this.start = i - 64; + this.hash(); + this.hashed = true; + } else { + this.start = i; + } + } + if (this.bytes > 4294967295) { + this.hBytes += this.bytes / 4294967296 << 0; + this.bytes = this.bytes % 4294967296; + } + return this; + }; + + Sha256.prototype.finalize = function () { + if (this.finalized) { + return; + } + this.finalized = true; + var blocks = this.blocks, i = this.lastByteIndex; + blocks[16] = this.block; + blocks[i >> 2] |= EXTRA[i & 3]; + this.block = blocks[16]; + if (i >= 56) { + if (!this.hashed) { + this.hash(); + } + blocks[0] = this.block; + blocks[16] = blocks[1] = blocks[2] = blocks[3] = + blocks[4] = blocks[5] = blocks[6] = blocks[7] = + blocks[8] = blocks[9] = blocks[10] = blocks[11] = + blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0; + } + blocks[14] = this.hBytes << 3 | this.bytes >>> 29; + blocks[15] = this.bytes << 3; + this.hash(); + }; + + Sha256.prototype.hash = function () { + var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6, + h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc; + + for (j = 16; j < 64; ++j) { + // rightrotate + t1 = blocks[j - 15]; + s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3); + t1 = blocks[j - 2]; + s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10); + blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0; + } + + bc = b & c; + for (j = 0; j < 64; j += 4) { + if (this.first) { + if (this.is224) { + ab = 300032; + t1 = blocks[0] - 1413257819; + h = t1 - 150054599 << 0; + d = t1 + 24177077 << 0; + } else { + ab = 704751109; + t1 = blocks[0] - 210244248; + h = t1 - 1521486534 << 0; + d = t1 + 
143694565 << 0; + } + this.first = false; + } else { + s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10)); + s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7)); + ab = a & b; + maj = ab ^ (a & c) ^ bc; + ch = (e & f) ^ (~e & g); + t1 = h + s1 + ch + K[j] + blocks[j]; + t2 = s0 + maj; + h = d + t1 << 0; + d = t1 + t2 << 0; + } + s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10)); + s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7)); + da = d & a; + maj = da ^ (d & b) ^ ab; + ch = (h & e) ^ (~h & f); + t1 = g + s1 + ch + K[j + 1] + blocks[j + 1]; + t2 = s0 + maj; + g = c + t1 << 0; + c = t1 + t2 << 0; + s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10)); + s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7)); + cd = c & d; + maj = cd ^ (c & a) ^ da; + ch = (g & h) ^ (~g & e); + t1 = f + s1 + ch + K[j + 2] + blocks[j + 2]; + t2 = s0 + maj; + f = b + t1 << 0; + b = t1 + t2 << 0; + s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10)); + s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7)); + bc = b & c; + maj = bc ^ (b & d) ^ cd; + ch = (f & g) ^ (~f & h); + t1 = e + s1 + ch + K[j + 3] + blocks[j + 3]; + t2 = s0 + maj; + e = a + t1 << 0; + a = t1 + t2 << 0; + } + + this.h0 = this.h0 + a << 0; + this.h1 = this.h1 + b << 0; + this.h2 = this.h2 + c << 0; + this.h3 = this.h3 + d << 0; + this.h4 = this.h4 + e << 0; + this.h5 = this.h5 + f << 0; + this.h6 = this.h6 + g << 0; + this.h7 = this.h7 + h << 0; + }; + + Sha256.prototype.hex = function () { + this.finalize(); + + var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5, + h6 = this.h6, h7 = this.h7; + + var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] + + HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] + + 
HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] + + HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] + + HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] + + HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] + + HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] + + HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] + + HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] + + HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] + + HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] + + HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] + + HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] + + HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] + + HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] + + HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] + + HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] + + HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] + + HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] + + HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] + + HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] + + HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] + + HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] + + HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] + + HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] + + HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] + + HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] + + HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F]; + if (!this.is224) { + hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] + + HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] + + HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] + + HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F]; + } + return hex; + }; + + Sha256.prototype.toString = Sha256.prototype.hex; + + Sha256.prototype.digest = function () { + 
this.finalize(); + + var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5, + h6 = this.h6, h7 = this.h7; + + var arr = [ + (h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF, + (h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF, + (h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF, + (h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF, + (h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF, + (h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF, + (h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF + ]; + if (!this.is224) { + arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF); + } + return arr; + }; + + Sha256.prototype.array = Sha256.prototype.digest; + + Sha256.prototype.arrayBuffer = function () { + this.finalize(); + + var buffer = new ArrayBuffer(this.is224 ? 28 : 32); + var dataView = new DataView(buffer); + dataView.setUint32(0, this.h0); + dataView.setUint32(4, this.h1); + dataView.setUint32(8, this.h2); + dataView.setUint32(12, this.h3); + dataView.setUint32(16, this.h4); + dataView.setUint32(20, this.h5); + dataView.setUint32(24, this.h6); + if (!this.is224) { + dataView.setUint32(28, this.h7); + } + return buffer; + }; + + function HmacSha256(key, is224, sharedMemory) { + var i, type = typeof key; + if (type === 'string') { + var bytes = [], length = key.length, index = 0, code; + for (i = 0; i < length; ++i) { + code = key.charCodeAt(i); + if (code < 0x80) { + bytes[index++] = code; + } else if (code < 0x800) { + bytes[index++] = (0xc0 | (code >> 6)); + bytes[index++] = (0x80 | (code & 0x3f)); + } else if (code < 0xd800 || code >= 0xe000) { + bytes[index++] = (0xe0 | (code >> 12)); + bytes[index++] = (0x80 | ((code >> 6) & 0x3f)); + bytes[index++] = (0x80 | (code & 0x3f)); + } else { + code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff)); + bytes[index++] = (0xf0 | (code >> 
18)); + bytes[index++] = (0x80 | ((code >> 12) & 0x3f)); + bytes[index++] = (0x80 | ((code >> 6) & 0x3f)); + bytes[index++] = (0x80 | (code & 0x3f)); + } + } + key = bytes; + } else { + if (type === 'object') { + if (key === null) { + throw new Error(ERROR); + } else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) { + key = new Uint8Array(key); + } else if (!Array.isArray(key)) { + if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) { + throw new Error(ERROR); + } + } + } else { + throw new Error(ERROR); + } + } + + if (key.length > 64) { + key = (new Sha256(is224, true)).update(key).array(); + } + + var oKeyPad = [], iKeyPad = []; + for (i = 0; i < 64; ++i) { + var b = key[i] || 0; + oKeyPad[i] = 0x5c ^ b; + iKeyPad[i] = 0x36 ^ b; + } + + Sha256.call(this, is224, sharedMemory); + + this.update(iKeyPad); + this.oKeyPad = oKeyPad; + this.inner = true; + this.sharedMemory = sharedMemory; + } + HmacSha256.prototype = new Sha256(); + + HmacSha256.prototype.finalize = function () { + Sha256.prototype.finalize.call(this); + if (this.inner) { + this.inner = false; + var innerHash = this.array(); + Sha256.call(this, this.is224, this.sharedMemory); + this.update(this.oKeyPad); + this.update(innerHash); + Sha256.prototype.finalize.call(this); + } + }; + + var exports = createMethod(); + exports.sha256 = exports; + exports.sha224 = createMethod(true); + exports.sha256.hmac = createHmacMethod(); + exports.sha224.hmac = createHmacMethod(true); + + if (COMMON_JS) { + module.exports = exports; + } else { + root.sha256 = exports.sha256; + root.sha224 = exports.sha224; + if (AMD) { + define(function () { + return exports; + }); + } + } +})(); + +function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t} + +function token_part_3(t, y="ZZ") { + document.getElementById("token").value=sha256(document.getElementById("token").value+y) +} + +function token_part_2(e="YY") { + document.getElementById("token").value=sha256(e+document.getElementById("token").value) +} + 
+function token_part_1(a,b) { + document.getElementById("token").value=do_something(document.getElementById("phrase").value) +} + +document.getElementById("phrase").value=""; + +setTimeout(function(){token_part_2("XX")},300); + +document.getElementById("send").addEventListener("click", token_part_3); + +token_part_1("ABCD", 44); diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/impossible.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/impossible.php new file mode 100644 index 000000000..e69de29bb diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/low.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/low.php new file mode 100644 index 000000000..fc5542c9b --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/low.php 
@@ -0,0 +1,24 @@ + + +/* +MD5 code from here +https://github.com/blueimp/JavaScript-MD5 +*/ + +!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t>5]|=(255&n.charCodeAt(t/8))<16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this); + + function rot13(inp) { + return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}); + } + + function generate_token() { + var phrase = document.getElementById("phrase").value; + document.getElementById("token").value = md5(rot13(phrase)); + } + + generate_token(); + +EOF; +?> diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.js b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.js new file mode 100644 index 000000000..f6c40a060 --- /dev/null 
+++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.js @@ -0,0 +1 @@ +function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething("XX")},300);function do_elsesomething(e){document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")} diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.php new file mode 100644 index 000000000..a0e707108 --- /dev/null +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.php @@ -0,0 +1,5 @@ + +EOF; +?> diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/upload/help/help.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/upload/help/help.php index c4aee9884..997d947cd 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/upload/help/help.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/upload/help/help.php @@ -34,7 +34,7 @@

    High Level

    Once the file has been received from the client, the server will try to resize any image that was included in the request.

    -
    Spoiler: need to link in another vulnerability, such as file includion.
    +
    Spoiler: need to link in another vulnerability, such as file inclusion.

    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source.php index 090750f65..d0ef28445 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source.php @@ -43,6 +43,9 @@ switch ($id) { case "weak_id" : $vuln = 'Weak Session IDs'; break; + case "javascript" : + $vuln = 'JavaScript'; + break; default: $vuln = "Unknown Vulnerability"; } @@ -50,10 +53,26 @@ switch ($id) { $source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.php" ); $source = str_replace( array( '$html .=' ), array( 'echo' ), $source ); +$js_html = ""; +if (file_exists (DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js")) { + $js_source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js" ); + $js_html = " +

    vulnerabilities/{$id}/source/{$security}.js

    +
    + + + + +
    " . highlight_string( $js_source, true ) . "
    +
    + "; +} + $page[ 'body' ] .= "

    {$vuln} Source

    +

    vulnerabilities/{$id}/source/{$security}.php

    @@ -61,6 +80,7 @@ $page[ 'body' ] .= "
    + {$js_html}

    diff --git a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source_all.php b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source_all.php index 01d634b12..f1334704d 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source_all.php +++ b/modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source_all.php @@ -27,6 +27,9 @@ $impsrc = str_replace( array( '$html .=' ), array( 'echo' ), $impsrc); $impsrc = highlight_string( $impsrc, true ); switch ($id) { + case "javascript" : + $vuln = 'JavaScript'; + break; case "fi" : $vuln = 'File Inclusion'; break; diff --git a/modules/vulnerabilities/unix/web_training/dvwa/manifests/apache.pp b/modules/vulnerabilities/unix/web_training/dvwa/manifests/apache.pp index 066b3d7a8..b81a6222c 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/manifests/apache.pp +++ b/modules/vulnerabilities/unix/web_training/dvwa/manifests/apache.pp 
@@ -4,37 +4,72 @@ class dvwa::apache { $db_password = $secgen_parameters['db_password'][0] $docroot = '/var/www/dvwa' - package { ['php5', 'php5-gd', 'php5-mysql']: + # TODO: there is probably a better way to get the PHP module name + + if ($operatingsystem == 'Debian') { + case $operatingsystemrelease { + /^9.*/: { # do 9.x stretch stuff + $php_version = "php7.0" + package { 'mysql-server': + ensure => installed, + } + } + /^7.*/: { # do 7.x wheezy stuff + $php_version = "php" + package { 'mysql-server': + ensure => installed, + } + } + 'kali-rolling': { # do kali + $php_version = "php7.3" + } + default: { + $php_version = "php" + } + } + } else { + $php_version = "php" + } + + package { ['php', 'php-mysqli', 'php-gd', 'libapache2-mod-php']: ensure => installed, } class { '::apache': default_vhost => false, - default_mods => 'php', + default_mods => $php_version, overwrite_ports => false, - } + mpm_module => 'prefork', + } -> ::apache::vhost { 'dvwa': port => $port, docroot => $docroot, + + } -> + + exec { 'enable php module': + command => "a2enmod $php_version", + provider => shell, } - -# mysql::db { 'dvwa_database': -# user => 'dvwa_user', -# password => $db_password, -# host => 'localhost', -# grant => ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP'], -# } + mysql_user{ 'dvwa_user@localhost': ensure => present, password_hash => mysql_password($db_password) - } - - mysql_grant{'dvwa_user@localhost/dvwa_database.*': - user => 'dvwa_user@localhost', - table => 'dvwa_database.*', - privileges => ['ALL'], + } -> + + mysql::db { 'dvwa_database': + user => 'dvwa_user', + password => $db_password, + host => 'localhost', + grant => ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP'], } +# mysql_grant{'dvwa_user@localhost/dvwa_database.*': +# user => 'dvwa_user@localhost', +# table => 'dvwa_database.*', +# privileges => ['ALL'], +# } + } 
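Review bot: The `exec { 'enable php module': }` resource has no `unless`/`creates` guard and no notification, so it re-runs `a2enmod` and reports a change on every agent run, and a module enabled this way is not loaded until something else restarts Apache; adding `unless => "a2query -m $php_version",` and `notify => Class['apache::service'],` addresses both. `default_mods => $php_version` hands a bare string to a parameter that puppetlabs-apache documents as a boolean or an array of module names, so it is worth confirming the pinned module version accepts it; declaring `class { 'apache::mod::php': }` would be the supported route and would make the exec redundant, provided the module's PHP detection handles php7.x on the targeted releases. The `mysql-server` package is only declared in the stretch and wheezy branches, so on kali-rolling and the default branch nothing in this hunk ensures a server is present before `mysql::db` runs, unless it is declared elsewhere in the module. The standalone `mysql_user` resource carries the same user, host and password hash as the one `mysql::db` declares for itself; whether that is tolerated or raises a duplicate declaration depends on the puppetlabs-mysql version in use.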
diff --git a/modules/vulnerabilities/unix/web_training/dvwa/secgen_metadata.xml b/modules/vulnerabilities/unix/web_training/dvwa/secgen_metadata.xml index eefe84168..ef192cfdb 100644 --- a/modules/vulnerabilities/unix/web_training/dvwa/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/web_training/dvwa/secgen_metadata.xml @@ -15,11 +15,11 @@ port db_password - + 80 - + @@ -30,12 +30,12 @@ GPLv3 - + + .*/apache.* diff --git a/scenarios/examples/vulnerability_examples/dvwa.xml b/scenarios/examples/vulnerability_examples/dvwa.xml index 16b3cfc65..a68dba0e7 100644 --- a/scenarios/examples/vulnerability_examples/dvwa.xml +++ b/scenarios/examples/vulnerability_examples/dvwa.xml @@ -5,12 +5,29 @@ xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario"> - dvwa - + dvwa_stretch + + + dvwa_wheezy + + + + + + + + + dvwa_kali + + + + + + diff --git a/scenarios/labs/ads_1_authentication.xml b/scenarios/labs/ads_1_authentication.xml new file mode 100644 index 000000000..99ec73ab5 --- /dev/null +++ b/scenarios/labs/ads_1_authentication.xml 
@@ -0,0 +1,350 @@ + + + + + Authentication lab + Z. Cliffe Schreuders + A Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot. Topics covered: Protecting integrity with file attributes; Protecting integrity with read-only filesystems. + + ctf-lab + hackerbot-lab + lab-sheet + intermediate + + + desktop + + + + + 172.16.0.2 + + 172.16.0.3 + + 172.16.0.4 + + 172.16.0.5 + + + + + + + + mythical_creatures + + + + + + mythical_creatures + + + + + mythical_creatures + + + + + mythical_creatures + + + + + mythical_creatures + + + + + + + + + + + + + + + + + + usernames + + + tiaspbiqe2r + + + true + + + + + + usernames + + + weak_passwords + + + + + usernames + + + weak_passwords + + + + + usernames + + + weak_passwords + + + + + usernames + + + weak_passwords + + + + + + + + + + + + user_accounts_desktop + + + + + + usernames + + + user_accounts_desktop + + + true + + + + + + + + user_accounts_desktop + + + true + + + IP_addresses + + + + + + IP_addresses + + + user_accounts_desktop + + + + + + desktop_root_password + + + + + + IP_addresses + + + + + + server + + + + + + + + usernames + + + tiaspbiqe2r + + + false + + + + + + usernames + + + weak_passwords + + + flag + + + + + + + + usernames + + + weak_passwords + + + flag + + + + + + + + usernames + + + weak_passwords + + + flag + + + + + + + + usernames + + + weak_passwords + + + flag + + + + + + + + + + + user_accounts_server + + + + + + + + desktop_root_password + + + + + + IP_addresses + + + + + + hackerbot_server + + + + + + + + + + + + + + + user_accounts_desktop + + + desktop_root_password + + + IP_addresses + + + + + + + + IP_addresses + + + + + + + + + + + + kali_cracker + + + + {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]} + + + + + + + + + + kali_root_account + + + true + + + IP_addresses + + + + + + IP_addresses + + + + + 
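Review bot: The scenario description does not match the scenario it documents: the title and the generated content (usernames, weak_passwords, kali_cracker, hackerbot_server) are about authentication, yet the "Topics covered" sentence names file attributes and read-only filesystems, which looks copied from another lab sheet and should be rewritten to name the authentication topics this lab actually exercises. The Kali root account is given verbatim as `{"username":"root","password":"toor",...}` here and again in websec_lab_env.xml; if the intent is the distribution's stock default for the student's attack box, a short comment saying so would stop a later reader from treating it as a leaked secret or as generator output, and sourcing both scenarios from one shared definition would keep the two copies from drifting.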
diff --git a/scenarios/labs/websec_lab_env.xml b/scenarios/labs/websec_lab_env.xml new file mode 100644 index 000000000..b08478242 --- /dev/null +++ b/scenarios/labs/websec_lab_env.xml @@ -0,0 +1,53 @@ + + + + + Web security lab environment + Z. Cliffe Schreuders + An environment for web security labs. Debian Stretch desktop with Damn Vulnerable Web App server, and Kali Linux. + + lab-environment + + + kali + + + + 172.16.0.2 + 172.16.0.3 + 172.16.0.4 + + + + {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]} + + + + + + + + + + kali_root_account + + + true + + + http://127.0.0.1/login.php + + + + + + + + IP_addresses + + + + +