digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

lab updates (and related modules)

Browse Source 
(cherry picked from commit 665b0589c8)
This commit is contained in:
Z. Cliffe Schreuders
2019-01-26 20:11:17 +00:00
committed by ts
parent 4ee93f7e49
commit 53bba11133
74 changed files with 2647 additions and 391 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
lib/objects/system.rb
View File

@@ -208,37 +208,42 @@ class System
datastore_access = datastore_variablename_and_access_type['access']
datastore_variablename = datastore_variablename_and_access_type['variablename']
datastore_retrieved = []
if datastore_access == 'first'
datastore_retrieved = [$datastore[datastore_variablename].first]
elsif datastore_access == 'next'
last_accessed = $datastore_iterators[datastore_variablename]
# first use? start at beginning
if last_accessed == nil
index_to_access = 0
begin
if datastore_access == 'first'
datastore_retrieved = [$datastore[datastore_variablename].first]
elsif datastore_access == 'next'
last_accessed = $datastore_iterators[datastore_variablename]
# first use? start at beginning
if last_accessed == nil
index_to_access = 0
else
index_to_access = last_accessed + 1
end
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access == 'previous'
last_accessed = $datastore_iterators[datastore_variablename]
# first use? start at end
if last_accessed == nil
index_to_access = $datastore[datastore_variablename].size - 1
else
index_to_access = last_accessed - 1
end
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access.to_s == datastore_access.to_i.to_s
# Test for a valid element key (integer)
index_to_access = datastore_access.to_i
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access == "all"
datastore_retrieved = $datastore[datastore_variablename]
else
index_to_access = last_accessed + 1
Print.err "Error: invalid access value (#{datastore_access})"
raise 'failed'
end
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access == 'previous'
last_accessed = $datastore_iterators[datastore_variablename]
# first use? start at end
if last_accessed == nil
index_to_access = $datastore[datastore_variablename].size - 1
else
index_to_access = last_accessed - 1
end
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access.to_s == datastore_access.to_i.to_s
# Test for a valid element key (integer)
index_to_access = datastore_access.to_i
$datastore_iterators[datastore_variablename] = index_to_access
datastore_retrieved = [$datastore[datastore_variablename][index_to_access]]
elsif datastore_access == "all"
datastore_retrieved = $datastore[datastore_variablename]
else
Print.err "Error: invalid access value (#{datastore_access})"
rescue NoMethodError, SyntaxError => err
Print.err "Error accessing element (#{datastore_access}) from datastore (#{datastore_variablename}): #{err}"
raise 'failed'
end
if datastore_retrieved && datastore_retrieved != [nil]
@@ -457,4 +462,4 @@ class System
modules_to_add
end
end
end

0
modules/generators/structured_content/hackerbot_config/hbauthentication/hbauthentication.pp Normal file
View File

0
modules/generators/structured_content/hackerbot_config/hbauthentication/manifests/.no_puppet Normal file
View File

35
modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/ruby
require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb'
class HB < HackerbotConfigGenerator
attr_accessor :server_ip
def initialize
super
self.module_name = 'Hackerbot Config Generator Authentication'
self.title = 'Authentication'
self.local_dir = File.expand_path('../../',__FILE__)
self.templates_path = "#{self.local_dir}/templates/"
self.config_template_path = "#{self.local_dir}/templates/lab.xml.erb"
self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb"
self.server_ip = []
end
def get_options_array
super + [['--server_ip', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--server_ip'
self.server_ip << arg;
end
end
end
HB.new.run

39
modules/generators/structured_content/hackerbot_config/hbauthentication/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,39 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Hackerbot config for a authentication lab</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Generates a config file for a hackerbot for an integrity lab.
Topics covered: .</description>
<type>hackerbot_config</type>
<platform>linux</platform>
<read_fact>accounts</read_fact>
<read_fact>flags</read_fact>
<read_fact>root_password</read_fact>
<!--TODO: require input, such as accounts, or fail?-->
<default_input into="accounts">
<generator type="account">
<input into="username">
<value>vagrant</value>
</input>
</generator>
</default_input>
<default_input into="flags">
<generator type="flag_generator"/>
</default_input>
<default_input into="root_password">
<value>puppet</value>
</default_input>
<output_type>hackerbot</output_type>
</generator>

29
modules/generators/structured_content/hackerbot_config/hbauthentication/shared/labsheet.html.erb Normal file
View File

@@ -0,0 +1,29 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
max-width: 980px;
margin: 0 auto;
padding: 45px;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
}
}
</style>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js"></script>
</body>
</html>

4
modules/generators/structured_content/hackerbot_config/hbauthentication/shared/license.md.erb Normal file
View File

@@ -0,0 +1,4 @@
## License
This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB).
Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version.

299
modules/generators/structured_content/hackerbot_config/hbauthentication/templates/intro.md.erb Normal file
View File

@@ -0,0 +1,299 @@
# Authentication
## Getting started
### VMs in this lab
==Start these VMs== (if you haven't already):
- hackerbot_server (leave it running, you don't log into this)
- desktop (you can sudo to get superuser access)
- server (<%= $server_ip %>, you can ssh to this machine, but you don't have superuser access)
- kali_cracker (you will use this to crack the hashes you find)
### Your login details for the "desktop" and "server" VMs
User: <%= $main_user %>
Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
You won't login to the hackerbot_server, but the VM needs to be running to complete the lab.
### For marks in the module
1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Follow the link on the module page to submit your flags.
2. **You need to document the work and your solutions in a Log Book**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Log Book Questions". The Log Book will be submitted later in the semester.
## Meet Hackerbot!
![small-right](images/skullandusb.svg)
This exercise involves interacting with Hackerbot, a chatbot who will attack your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you.
**On the desktop VM:**
==Open Pidgin and send some messages to Hackerbot:==
- Try asking Hackerbot some questions
- Send "help"
- Send "list"
- Send "hello"
> If Hackerbot seems to be waiting or halted, simply say 'hi'
Work through the below exercises, completing the Hackerbot challenges as noted.
---
## Introduction to authentication
Authentication plays the important role of verifying an identity. For example, when someone gets into an airplane, sits down at a computer, picks up a mobile device, or uses a website, authentication is what is used to confirm that the person is who they claim to be. Authentication is an important first step *before* deciding how the system should act and what to allow.
## Identity: users and groups
Most computer systems have the concept of a user account. Although some devices such as mobile phones typically only have one user account, most modern computers can support having multiple users, each with their own identity. For example, a computer can have a separate account for each person that uses it, and if configured to do so may enable each user to have their own account preferences, and access to different resources.
On Unix/Linux systems every user account is identified by a user ID number (UID), which is a 32-bit integer (whole number), and can have one or more user names, which are human readable strings of text.
**On the desktop VM:**
Open a terminal console.
Assuming you have already logged in, you have already authenticated yourself on this system.
==Log Book Question: When and how did you authenticate yourself?==
Use these commands to find out about your current identity (or more accurately the identity of the software you are interacting with):
```bash
whoami
groups
id
```
==Make a note of your UID and username.==
Note that your account is also a member of one or more groups. A primary group, and a list of other groups. Some Linux systems, such as Debian, create a new seperate primary group for each user, others such as openSUSE have a shared group (named "users") that all normal users are a member of. Similar to the relationship between user names and UIDs, each group has a group name, and a group ID (GID).
Information about user accounts is stored in the /etc/passwd file, which typically all users can read.
==View the /etc/passwd file:==
```bash
less /etc/passwd
```
==Find the line that describes your user account.==
This line defines the username, password (well, it used to be stored here... we will come back to this), UID, primary group GID, full name, home directory, and shell for your account.
Confirm this matches the information you recorded earlier.
==Find the line that describes the root user account.==
==Where is the root user's home directory?==
> Press 'q' to quit less.
==View the /etc/group file:==
```bash
less /etc/group
```
Groups are defined in this file, along with which users are members.
==Which users are members of the audio group?==
Remember, primary groups do not appear in this file; for example, on openSUSE the "users" group, which all normal users are a member of, may not appear in the /etc/group file.
The "su" program can be used to run a program (usually a shell; that is, a command prompt) as another user, effectively enabling users to switch between user accounts at the command prompt.
==Change your identity to root==. Run:
```bash
su -
```
Enter the root password.
Use these commands to ==find out about your new identity:==
```bash
whoami
groups
id
```
==What is the UID of root? What does this mean about this user?==
==Lab Book Question: What gives this user special privileges: the name of the account, or the UID?==
==Use the useradd command to create a new user account "fred"==
> Hint: refer to the man page for useradd, by running "man useradd".
==Set a password for the user fred.==
> Hint: `sudo passwd fred`
==Change identity to fred.==
> Hint: `su - fred`
==Run:(after su)==
```bash
id
```
==Compare the result to the previous output.==
==How does this compare to your other normal user account? What is different, and what about it is the same?==
Run the single command "id" as root:
```bash
sudo id
```
==Log Book Question: What is the difference between sudo and su? Which is most likely protect against accidental damage and also log the commands used?==
## Users and SSH
==Log in to the server via ssh:==
```bash
ssh <%= $main_user %>@<%= $server_ip %>
```
==Display details of all users logged on to the system:==
```bash
who
```
==List all the processes run by all users:==
```bash
ps -eo user,comm
```
==List all the processes running as root:==
```bash
ps -o user,comm -u root
```
==Run a command to list all the processes running as *your* normal user.==
==Lab Book Question: How is this server authenticating users? What user accounts exist?==
## Passwords, hashes and salt
Given that important security decisions are made based on the user accounts, it is important to authenticate users, to ensure that the subjects are associated with the correct identity.
==What are the kinds of factors that can be used to verify a user's identity? Hint: for example, "something they have".==
==Which category of authentication factors is a password considered to be?==
Originally passwords were stored "in the clear" (not enciphered). For example, Multics stored passwords in a file, and once at MIT a software bug caused the password file to be copied to the motd file (message of the day), which was printed every time anyone logged into the system. A solution is not to store the password in the clear. Instead a hash can be computed, using a one way hash function, and stored. When the user enters a password, a new hash is computed and compared to the original.
On Linux, the command "shasum" can be used to check the integrity of files (hash functions have many uses), and works on the same principle. We can use it to generate a hash for any given string, for example a password:
```bash
shasum
```
> Type "hello" without the quotes. Press Ctrl-D (which indicates "EOF"; that is, end of input).
Repeat the above, with the same password ("hello"), and with a slight difference ("hello.").
Are the outputs the same?
Are the different hashes similar?
Is this good? Why?
Which one-way hash function does the shasum program use? Would this be a good option for hashing passwords?
For password authentication, the hash still needs to be stored. On Unix, password hashes were once stored in the world-readable file /etc/passwd, now they are typically stored in /etc/shadow, which only root (the superuser) can access.
==View the shadow file:==
```bash
sudo less /etc/shadow
```
The format of the shadow file is:
> username:**password**:last-changed(since 1-1-1970):days-until-may-change:days-until-must-change:days-warning-notice:days-since-expired-account-disabled:date-disable:reserved-field
==Find the hash of your user account's password.==
> Exit less ("q").
Use the passwd command to ==change your password:==
```bash
passwd
```
> When prompted, enter a new password of your choosing.
View the shadow file, and confirm that the stored password has changed.
With reference to the shadow file, and the man page for crypt (Hint: "man crypt"), ==answer these Log Book questions==:
- On Linux, the password hash stored in /etc/shadow has a prefix that specifies the hash function used.\
> ==What hash function is used for your password?==
> Hint: the `hash-identifier` command line tool may also help.
- ==When was the root password last changed?==
- ==Do any accounts have a setting that will force a password change at a specific date?==
A salt is a random string, used as further input into a one-way hash function (concatenated to the password). The salt is typically stored along with the hash. As a result the same password will have different hashes, so long as the salt is different.
Why is that a good thing?
What kind of attack does a salt defend against?
What is the current salt for your account? Hint: it is stored after the second "\$".
## Password weaknesses
The strength of a password depends on its entropy: its degree of randomness. If a user chooses a word from a dictionary, it would not take long to attempt every dictionary word until finding one that results in the same hash.
Try your hand at cracking passwords using the Kali virtual machine.
**On your desktop VM:**
Add some new users with these passwords:
> Hello
>
> hellothere
>
> password1
**On your Kali VM:**
==Use John the Ripper (or Johnny a GUI for the John the Ripper) to crack the passwords.==
> Hint: `man john`, on the Kali Linux system.
> You will need to combine the passwd and shadow files (manually or with the kali `unshadow` command.)
==Log Book Questions:==
- Which passwords are cracked the fastest?
- How long did they take?
## Conclusion
At this point you have:
- Applied authentication concepts to Unix/Linux
- Experimented with user accounts and identity
- Experimented with one-way hash functions, salts, and password storage
- Cracked passwords with low entropy using dictionary attacks
Well done!

161
modules/generators/structured_content/hackerbot_config/hbauthentication/templates/lab.xml.erb Normal file
View File

@@ -0,0 +1,161 @@
<%
require 'json'
require 'securerandom'
require 'digest/sha1'
require 'fileutils'
require 'erb'
if self.accounts.empty?
abort('Sorry, you need to provide an account')
end
$first_account = JSON.parse(self.accounts.first)
$main_user = $first_account['username'].to_s
$main_user_pass = $first_account['password'].to_s
$server_ip = self.server_ip.first
$root_password = self.root_password
$flags = self.flags
REQUIRED_FLAGS = 1
while $flags.length < REQUIRED_FLAGS
$flags << "flag{#{SecureRandom.hex}}"
Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!"
end
def get_binding
binding
end
%>
<?xml version="1.0"?>
<hackerbot
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/hackerbot">
<!--<hackerbot xmlns="http://www.github/cliffe/SecGen/hackerbotz"-->
<name>Hackerbot</name>
<AIML_chatbot_rules>config/AIML</AIML_chatbot_rules>
<!--Method for gaining shell access, can be overwritten per-attack-->
<get_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash</get_shell>
<messages>
<show_attack_numbers />
<greeting>Hi there. Today I'm your boss of sorts. I need you to test the security of our server. Help out and I'll give you some flags.</greeting>
<!--Must provide alternatives for each message-->
<say_ready>When you are ready, simply say 'ready'.</say_ready>
<say_ready>'Ready'?</say_ready>
<next>Ok, I'll do what I can to move things along...</next>
<next>Moving things along to the next one...</next>
<previous>Ok, I'll do what I can to back things up...</previous>
<previous>Ok, backing up.</previous>
<goto>Ok, skipping it along.</goto>
<goto>Let me see what I can do to goto that attack.</goto>
<last_attack>That was the last one for now. You can rest easy, until next time... (End.)</last_attack>
<last_attack>That was the last one. Game over?</last_attack>
<first_attack>You are back to the beginning!</first_attack>
<first_attack>This is where it all began.</first_attack>
<getting_shell>Doing my thing...</getting_shell>
<getting_shell>Here we go...</getting_shell>
<got_shell>...</got_shell>
<got_shell>....</got_shell>
<repeat>Let me know when you are 'ready', if you want to move on say 'next', or 'previous' and I'll move things along.</repeat>
<repeat>Say 'ready', 'next', or 'previous'.</repeat>
<!--Single responses:-->
<help>I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*'</help>
<say_answer>Say "The answer is *X*".</say_answer>
<no_quiz>There is no question to answer</no_quiz>
<correct_answer>Correct</correct_answer>
<incorrect_answer>Incorrect</incorrect_answer>
<invalid>That's not possible.</invalid>
<non_answer>Wouldn't you like to know.</non_answer>
<!--can be overwritten per-attack-->
<shell_fail_message>Oh no. Failed to get shell... You need to let us in.</shell_fail_message>
</messages>
<tutorial_info>
<title>Authentication</title>
<tutorial><%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %></tutorial>
<footer>
<%= File.read self.templates_path + 'resources.md.erb' %>
<%= File.read self.templates_path + 'license.md.erb' %>
Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>)
</footer>
<provide_tutorial>true</provide_tutorial>
</tutorial_info>
<attack>
<% $newuser = "user#{SecureRandom.hex(2)}" -%>
<prompt>Add a user to the system, named "<%= $newuser %>".</prompt>
<post_command>grep <%= $newuser %> /etc/shadow; echo $?</post_command>
<condition>
<output_matches>0</output_matches>
<message>:) Well done! <%= $flags.pop %></message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( It looks like you forgot to create the user?</message>
</condition>
<else_condition>
<message>:( User not found</message>
</else_condition>
</attack>
<attack>
<prompt>Add the new <%= $newuser %> user to the 'users' group.</prompt>
<post_command>id <%= $newuser %> | grep users; echo $?</post_command>
<condition>
<output_matches>0</output_matches>
<message>:) Well done! <%= $flags.pop %></message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( It looks like you forgot to add the user to the group?</message>
</condition>
<else_condition>
<message>:( Group not found</message>
</else_condition>
</attack>
<attack>
<prompt>Crack the passwords of the users on the desktop VM, and use those credentials to SSH to the server, where you will find flags (ssh username@<%= $server_ip %> for each username you crack the password for.) This is the end.</prompt>
<condition>
<output_matches>.*</output_matches>
<message>:)</message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>.*</output_matches>
<message>:)</message>
<trigger_next_attack />
</condition>
<else_condition>
<message>:)</message>
</else_condition>
</attack>
</hackerbot>

114
modules/generators/structured_content/hackerbot_config/hbauthentication/templates/labsheet.html.erb Normal file
View File

@@ -0,0 +1,114 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
max-width: 980px;
margin: 0 auto;
padding: 45px;
}
.markdown-body h4[id^='hackerbot']:after {
display: inline-block;
float: right;
content: url("images/skullandusb.svg");
width: 30px;
}
article {
float: right;
width: calc(100% - 300px);
}
.toc {
float: left;
font-size: smaller;
color: #1a1d22;
width: 300px;
position: fixed;
height: calc(100% - 56px);
overflow-y: scroll;
font-family: sans-serif;
margin-top: 50px;
}
.toc ul {
list-style-type: none;
padding: 0;
margin-left: 1em;
}
.toc li { /* Space between menu items*/
margin: 1em 0;
}
.toc a {
color: #1a1d22;
text-decoration: none;
}
.toc a:hover {
color: #6c036d;
text-decoration: none;
}
.toc a:visited {
color: #1a1d22;
text-decoration: none;
}
.markdown-body pre, .markdown-body code {
background-color: #570138;
color: whitesmoke;
}
.markdown-body img[alt="small-left"] {
max-width: 100px;
float: left;
}
.markdown-body img[alt="small-right"] {
max-width: 100px;
float: right;
}
.markdown-body img[alt="tiny-right"] {
max-width: 30px;
float: right;
}
.markdown-body img[alt="small"] {
max-width: 100px;
display: block;
margin-left: auto;
margin-right: auto;
padding: 15px;
}
mark {
background-color: white;
color: #5b29bd;
font-weight: bolder;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
min-width: 200px;
max-width: 980px;
}
.toc {
float: none;
width: 100%;
position: relative;
overflow: auto;
height: auto;
}
article {
float: none;
width: 100%;
}
}
</style>
<div class="toc">
<%= self.html_TOC_rendered %>
</div>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js?autoload=true&amp;skin=sunburst&amp;lang=css"></script>
</body>
</html>

6
modules/generators/structured_content/hackerbot_config/hbauthentication/templates/license.md.erb Normal file
View File

@@ -0,0 +1,6 @@
## License
This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB).
Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version.
![small](images/leedsbeckett-logo.png)

0
modules/generators/structured_content/hackerbot_config/hbauthentication/templates/resources.md.erb Normal file
View File

7
modules/generators/structured_content/hackerbot_config/integrity_protection/secgen_metadata.xml
View File

@@ -29,10 +29,7 @@
<default_input into="flags">
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
</default_input>
<default_input into="root_password">
@@ -41,4 +38,4 @@
<output_type>hackerbot</output_type>
</generator>
</generator>

1
modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/kali_forensic.pp Normal file
View File

@@ -0,0 +1 @@
include kali_forensic::install

5
modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/manifests/install.pp Normal file
View File

@@ -0,0 +1,5 @@
class kali_forensic::install{
package { ['kali-linux-forensic']:
ensure => 'installed',
}
}

25
modules/utilities/unix/attack_tools/kali_metapackages/kali_forensic/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Kali Linux Metapackage: kali-linux-forensic</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Installs a collection of software onto Kali.
kali-linux-forensic
If you are doing forensics work, you dont want your analysis system to contain a bunch of unnecessary tools. To the rescue comes the kali-linux-forensic metapackage, which only contains the forensics tools in Kali.
Installation Size: 3.1 GB</description>
<type>attack_tools</type>
<platform>linux</platform>
<requires>
<name>Kali Light.*</name>
<type>attack</type>
<type>desktop</type>
</requires>
<requires>
<type>update</type>
</requires>
</utility>

1
modules/utilities/unix/attack_tools/kali_metapackages/kali_full/kali_full.pp Normal file
View File

@@ -0,0 +1 @@
include kali_full::install

5
modules/utilities/unix/attack_tools/kali_metapackages/kali_full/manifests/install.pp Normal file
View File

@@ -0,0 +1,5 @@
class kali_full::install{
package { ['kali-linux-full']:
ensure => 'installed',
}
}

25
modules/utilities/unix/attack_tools/kali_metapackages/kali_full/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Kali Linux Metapackage: kali-linux-full</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Installs a collection of software onto Kali.
kali-linux-full
When you download a Kali Linux ISO, you are essentially downloading an installation that has the kali-linux-full metapackage installed. This package includes all of the tools you are familiar with in Kali.
Installation Size: 9.0 GB</description>
<type>attack_tools</type>
<platform>linux</platform>
<requires>
<name>Kali Light.*</name>
<type>attack</type>
<type>desktop</type>
</requires>
<requires>
<type>update</type>
</requires>
</utility>

1
modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/kali_pwtools.pp Normal file
View File

@@ -0,0 +1 @@
include kali_pwtools::install

5
modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/manifests/install.pp Normal file
View File

@@ -0,0 +1,5 @@
class kali_pwtools::install{
package { ['kali-linux-pwtools']:
ensure => 'installed',
}
}

25
modules/utilities/unix/attack_tools/kali_metapackages/kali_pwtools/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Kali Linux Metapackage: kali-linux-pwtools</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Installs a collection of software onto Kali.
kali-linux-pwtools
The kali-linux-pwtools metapackage contains over 40 different password cracking utilities as well as the GPU tools contained in kali-linux-gpu.
Installation Size: 6.0 GB</description>
<type>attack_tools</type>
<platform>linux</platform>
<requires>
<name>Kali Light.*</name>
<type>attack</type>
<type>desktop</type>
</requires>
<requires>
<type>update</type>
</requires>
</utility>

1
modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/kali_top10.pp Normal file
View File

@@ -0,0 +1 @@
include kali_top10::install

5
modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/manifests/install.pp Normal file
View File

@@ -0,0 +1,5 @@
class kali_top10::install{
package { ['kali-linux-top10']:
ensure => 'installed',
}
}

25
modules/utilities/unix/attack_tools/kali_metapackages/kali_top10/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Kali Linux Metapackage: kali-linux-top10</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Installs a collection of software onto Kali.
kali-linux-top10
In Kali Linux, we have a sub-menu called “Top 10 Security Tools”. The kali-linux-top10 metapackage will install all of these tools for you in one fell swoop.
Installation Size: 3.5 GB</description>
<type>attack_tools</type>
<platform>linux</platform>
<requires>
<name>Kali Light.*</name>
<type>attack</type>
<type>desktop</type>
</requires>
<requires>
<type>update</type>
</requires>
</utility>

1
modules/utilities/unix/attack_tools/kali_metapackages/kali_web/kali_web.pp Normal file
View File

@@ -0,0 +1 @@
include kali_web::install

5
modules/utilities/unix/attack_tools/kali_metapackages/kali_web/manifests/install.pp Normal file
View File

@@ -0,0 +1,5 @@
class kali_web::install{
package { ['kali-linux-web']:
ensure => 'installed',
}
}

25
modules/utilities/unix/attack_tools/kali_metapackages/kali_web/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Kali Linux Metapackage: kali-linux-web</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Installs a collection of software onto Kali.
kali-linux-web
Web application assessments are very common in the field of penetration testing and for this reason, Kali includes the kali-linux-web metapackage containing dozens of tools related to web application hacking.
Installation Size: 4.9 GB</description>
<type>attack_tools</type>
<platform>linux</platform>
<requires>
<name>Kali Light.*</name>
<type>attack</type>
<type>desktop</type>
</requires>
<requires>
<type>update</type>
</requires>
</utility>

90
modules/utilities/unix/labtainers/files/labtainer.files/trunk/setup_scripts/install-docker-debian.sh Executable file
View File

@@ -0,0 +1,90 @@
#!/bin/bash
: <<'END'
This software was created by United States Government employees at
The Center for the Information Systems Studies and Research (CISR)
at the Naval Postgraduate School NPS. Please note that within the
United States, copyright protection is not available for any works
created by United States Government employees, pursuant to Title 17
United States Code Section 105. This software is in the public
domain and is not subject to copyright.
END
#
#Install Docker on a Debian system, along with other packages required by Labtainers
#
type sudo >/dev/null 2>&1 || { echo >&2 "Please install sudo. Aborting."; exit 1; }
sudo -v || { echo >&2 "Please make sure user is sudoer. Aborting."; exit 1; }
#needed packages for Docker install
sudo apt-get update
sudo apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
#adds Docker<65>s official GPG Key
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
#used to verify matching Key ID (optional)
#sudo apt-key fingerprint 0EBFCD88
#sets up stable repository
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
#installs Docker:Community Edition
sudo apt-get update
# SecGen change: repo is unauthenticated
sudo apt-get -y --allow-unauthenticated install docker-ce
#gives user access to docker commands
sudo groupadd docker
sudo usermod -aG docker $USER
#enables and starts docker
sudo systemctl start docker
sudo systemctl enable docker
#additional packages needed for labtainers
sudo apt-get -y install python-pip
sudo pip install --upgrade pip
sudo pip install netaddr parse python-dateutil
sudo apt-get -y install openssh-server
#---Checking if packages have been installed. If not, the system will not reboot and allow the user to investigate.
declare -a packagelist=("apt-transport-https" "ca-certificates" "curl" "gnupg2" "software-properties-common" "docker-ce" "python-pip" "openssh-server")
packagefail="false"
for i in "${packagelist[@]}"
do
#echo $i
packagecheck=$(dpkg -s $i 2> /dev/null | grep Status)
#echo $packagecheck
if [ "$packagecheck" != "Status: install ok installed" ]; then
if [ $i = docker-ce ];then
echo "ERROR: '$i' package did not install properly. Please check the terminal output above for any errors related to the pacakge installation. Run the install script two more times. If the issue persists, go to docker docs and follow the instructions for installing docker. (Make sure the instructions is CE and is for your Linux distribution,e.g., Ubuntu and Fedora.)"
else
echo "ERROR: '$i' package did not install properly. Please check the terminal output above for any errors related to the pacakge installation. Try installing the '$i' package individually by executing this in the command line: 'sudo apt-get install $i"
fi
packagefail="true"
#echo $packagefail
fi
done
pipcheck=$(pip list 2> /dev/null | grep -F netaddr)
#echo $pipcheck
if [ -z "$pipcheck" ]; then
echo "ERROR: 'netaddr' package did not install properly. Please check the terminal output for any errors related to the pacakge installation. Make sure 'python-pip' is installed and then try running this command: 'sudo -H pip install netaddr' "
packagefail="true"
#echo $packagefail
fi
pipcheck=$(pip list 2> /dev/null | grep -F parse)
#echo $pipcheck
if [ -z "$pipcheck" ]; then
echo "ERROR: 'parse' package did not install properly. Please check the terminal output for any errors related to the package installation. Make sure 'python-pip' is installed and then try running this command: 'sudo -H pip install parse' "
packagefail="true"
#echo $packagefail
fi
if [ $packagefail = "true" ]; then
exit 1
fi
exit 0
#Notes: The <20>-y<> after each install means that the user doesn<73>t need to press <20>y<EFBFBD> in between each package download. The install script is based on this page: https://docs.docker.com/engine/installation/linux/docker-ce/debian/

12
modules/utilities/unix/labtainers/manifests/config.pp Normal file
View File

@@ -0,0 +1,12 @@
class labtainers::config{
require labtainers::install
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$lab = $secgen_parameters['lab'][0]
exec { 'start lab':
command => "/opt/labtainers/labtainer-student/labtainer $lab",
provider => shell,
}
}

27
modules/utilities/unix/labtainers/manifests/install.pp Normal file
View File

@@ -0,0 +1,27 @@
class labtainers::install{
# $json_inputs = base64('decode', $::base64_inputs)
# $secgen_parameters = parsejson($json_inputs)
# $server_ip = $secgen_parameters['server_ip'][0]
# $port = $secgen_parameters['port'][0]
# these are also installed by the install script, but good to use puppet where possible
package { ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python-pip', 'openssh-server']:
ensure => 'installed',
} ->
file { '/opt/labtainers':
ensure => directory,
recurse => true,
source => 'puppet:///modules/labtainers/labtainer.files',
mode => '0766',
owner => 'root',
group => 'root',
} ->
exec { 'install script':
command => '/opt/labtainers/install-labtainer.sh',
provider => shell,
}
}

5
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/.gitignore vendored
View File

@@ -1,2 +1,5 @@
config/config.inc.php
Dockerfile
Dockerfile
# Vim swap files
.*swp

60
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/README.md
View File

@@ -12,7 +12,7 @@ Damn Vulnerable Web Application is damn vulnerable! **Do not upload it to your h
### Disclaimer
We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.
We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility, it is the responsibility of the person/s who uploaded and installed it.
- - -
@@ -37,8 +37,8 @@ along with Damn Vulnerable Web Application (DVWA). If not, see http://www.gnu.o
## Download and install as a docker container
- [dockerhub page](https://hub.docker.com/r/vulnerables/web-dvwa/)
`docker run --rm -it -p 80:80 vulnerables/web-dvwa`
Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.
Please ensure you are using aufs due to previous MySQL issues. Run `docker info` to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.
## Download
@@ -74,7 +74,7 @@ Simply unzip dvwa.zip, place the unzipped files in your public html folder, then
If you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:
`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php`
`apt-get -y install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php`
### Database Setup
@@ -84,30 +84,36 @@ If you receive an error while trying to create your database, make sure your dat
The variables are set to the following by default:
```php
```php
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_database' ] = 'dvwa';
```
Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
```mysql
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)
mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx';
Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```
```
Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
```mysql
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)
mysql> grant all on dvwa.* to dvwa@localhost identified by 'SuperSecretPassword99';
Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```
You will then need to update the config file, the new entries will look like this:
```php
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'SuperSecretPassword99';
$_DVWA[ 'db_database' ] = 'dvwa';
```
### Other Configuration
Depending on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
Depending on your Operating System, as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
**Folder Permissions**:
@@ -143,7 +149,7 @@ https://github.com/ethicalhack3r/DVWA/issues
+Q. SQL Injection won't work on PHP v5.2.6.
-A.If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work.
-A.If you are using PHP v5.2.6 or above, you will need to do the following in order for SQL injection and other vulnerabilities to work.
In `.htaccess`:
@@ -171,6 +177,12 @@ With:
-A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator.
+Q. Why can't the database connect on CentOS?
-A. You may be running into problems with SELinux. Either disable SELinux or run this command to allow the webserver to talk to the database:
```
setsebool -P httpd_can_network_connect_db 1
```
- - -

2
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/config/config.inc.php.dist
View File

@@ -25,7 +25,7 @@ $_DVWA[ 'db_port '] = '5432';
# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '';
$_DVWA[ 'recaptcha_private_key' ] = '';

15
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/DBMS/MySQL.php
View File

@@ -47,17 +47,14 @@ dvwaMessagePush( "'users' table was created." );
// Insert some data into users
// Get the base directory for the avatar media...
$baseUrl = 'http://' . $_SERVER[ 'SERVER_NAME' ] . $_SERVER[ 'PHP_SELF' ];
$stripPos = strpos( $baseUrl, 'setup.php' );
$baseUrl = substr( $baseUrl, 0, $stripPos ) . 'hackable/users/';
$avatarUrl = '/hackable/users/';
$insert = "INSERT INTO users VALUES
('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg', NOW(), '0'),
('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg', NOW(), '0'),
('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg', NOW(), '0'),
('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg', NOW(), '0'),
('5','Bob','Smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg', NOW(), '0');";
('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'),
('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'),
('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'),
('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'),
('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');";
if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) {
dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
dvwaPageReload();

9
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/includes/dvwaPage.inc.php
View File

@@ -208,6 +208,8 @@ function dvwaHtmlEcho( $pPage ) {
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' );
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' );
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' );
$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' );
}
$menuBlocks[ 'meta' ] = array();
@@ -229,7 +231,7 @@ function dvwaHtmlEcho( $pPage ) {
foreach( $menuBlock as $menuItem ) {
$selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : '';
$fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ];
$menuBlockHtml .= "<li onclick=\"window.location='{$fixedUrl}'\" class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem[ 'name' ]}</a></li>\n";
$menuBlockHtml .= "<li class=\"{$selectedClass}\"><a href=\"{$fixedUrl}\">{$menuItem[ 'name' ]}</a></li>\n";
}
$menuHtml .= "<ul class=\"menuBlocks\">{$menuBlockHtml}</ul>";
}
@@ -328,6 +330,7 @@ function dvwaHtmlEcho( $pPage ) {
<div id=\"footer\">
<p>Damn Vulnerable Web Application (DVWA) v" . dvwaVersionGet() . "</p>
<script src='" . DVWA_WEB_PAGE_TO_ROOT . "/dvwa/js/add_event_listeners.js'></script>
</div>
@@ -425,13 +428,13 @@ function dvwaExternalLinkUrlGet( $pLink,$text=null ) {
function dvwaButtonHelpHtmlGet( $pId ) {
$security = dvwaSecurityLevelGet();
return "<input type=\"button\" value=\"View Help\" class=\"popup_button\" onclick=\"javascript:popUp( '" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_help.php?id={$pId}&security={$security}' )\">";
return "<input type=\"button\" value=\"View Help\" class=\"popup_button\" id='help_button' data-help-url='" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_help.php?id={$pId}&security={$security}' )\">";
}
function dvwaButtonSourceHtmlGet( $pId ) {
$security = dvwaSecurityLevelGet();
return "<input type=\"button\" value=\"View Source\" class=\"popup_button\" onclick=\"javascript:popUp( '" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_source.php?id={$pId}&security={$security}' )\">";
return "<input type=\"button\" value=\"View Source\" class=\"popup_button\" id='source_button' data-source-url='" . DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/view_source.php?id={$pId}&security={$security}' )\">";
}

24
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/add_event_listeners.js Normal file
View File

@@ -0,0 +1,24 @@
// These functions need to be called after the content they reference
// has been added to the page otherwise they will fail.
function addEventListeners() {
var source_button = document.getElementById ("source_button");
if (source_button) {
source_button.addEventListener("click", function() {
var url=source_button.dataset.sourceUrl;
popUp (url);
});
}
var help_button = document.getElementById ("help_button");
if (help_button) {
help_button.addEventListener("click", function() {
var url=help_button.dataset.helpUrl;
popUp (url);
});
}
}
addEventListeners();

3
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/dvwa/js/dvwaPage.js
View File

@@ -3,7 +3,8 @@
function popUp(URL) {
day = new Date();
id = day.getTime();
eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=500,height=300,left = 540,top = 250');");
window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');
//eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');");
}
/* Form validation */

290
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/external/recaptcha/recaptchalib.php vendored Executable file → Normal file
View File

@@ -1,279 +1,45 @@
<?php
/*
* This is a PHP library that handles calling reCAPTCHA.
* - Documentation and latest version
* http://recaptcha.net/plugins/php/
* - Get a reCAPTCHA API Key
* https://www.google.com/recaptcha/admin/create
* - Discussion group
* http://groups.google.com/group/recaptcha
*
* Copyright (c) 2007 reCAPTCHA -- http://recaptcha.net
* AUTHORS:
* Mike Crawford
* Ben Maurer
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* The reCAPTCHA server URL's
*/
define("RECAPTCHA_API_SERVER", "http://www.google.com/recaptcha/api");
define("RECAPTCHA_API_SECURE_SERVER", "https://www.google.com/recaptcha/api");
define("RECAPTCHA_VERIFY_SERVER", "www.google.com");
// new php7 captcha v2 implementation.
/**
* Encodes the given data into a query string format
* @param $data - array of string elements to be encoded
* @return string - encoded request
*/
function _recaptcha_qsencode ($data) {
$req = "";
foreach ( $data as $key => $value )
$req .= $key . '=' . urlencode( stripslashes($value) ) . '&';
// Cut the last '&'
$req=substr($req,0,strlen($req)-1);
return $req;
function recaptcha_check_answer($key, $response){
return CheckCaptcha($key, $response);
}
function CheckCaptcha($key, $response) {
try {
$url = 'https://www.google.com/recaptcha/api/siteverify';
$dat = array(
'secret' => $key,
'response' => urlencode($response),
'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])
);
/**
* Submits an HTTP POST to a reCAPTCHA server
* @param string $host
* @param string $path
* @param array $data
* @param int port
* @return array response
*/
function _recaptcha_http_post($host, $path, $data, $port = 80) {
$opt = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($dat)
)
);
$req = _recaptcha_qsencode ($data);
$context = stream_context_create($opt);
$result = file_get_contents($url, false, $context);
$http_request = "POST $path HTTP/1.0\r\n";
$http_request .= "Host: $host\r\n";
$http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n";
$http_request .= "Content-Length: " . strlen($req) . "\r\n";
$http_request .= "User-Agent: reCAPTCHA/PHP\r\n";
$http_request .= "\r\n";
$http_request .= $req;
return json_decode($result)->success;
$response = '';
if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) {
die ('Could not open socket');
}
fwrite($fs, $http_request);
while ( !feof($fs) )
$response .= fgets($fs, 1160); // One TCP-IP packet
fclose($fs);
$response = explode("\r\n\r\n", $response, 2);
return $response;
}
/**
* Gets the challenge HTML (javascript and non-javascript version).
* This is called from the browser, and the resulting reCAPTCHA HTML widget
* is embedded within the HTML form it was called from.
* @param string $pubkey A public key for reCAPTCHA
* @param string $error The error given by reCAPTCHA (optional, default is null)
* @param boolean $use_ssl Should the request be made over ssl? (optional, default is false)
* @return string - The HTML to be embedded in the user's form.
*/
function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false)
{
# commented out to deal with error in DVWA - ethicalhack3r
#if ($pubkey == null || $pubkey == '') {
# die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create' target='_blank'>https://www.google.com/recaptcha/admin/create</a>");
#}
if ($use_ssl) {
$server = RECAPTCHA_API_SECURE_SERVER;
} else {
$server = RECAPTCHA_API_SERVER;
}
$errorpart = "";
if ($error) {
$errorpart = "&amp;error=" . $error;
}
return '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>
<noscript>
<iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br/>
<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
<input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>
</noscript>';
}
/**
* A ReCaptchaResponse is returned from recaptcha_check_answer()
*/
class ReCaptchaResponse {
var $is_valid;
var $error;
}
/**
* Calls an HTTP POST function to verify if the user's guess was correct
* @param string $privkey
* @param string $remoteip
* @param string $challenge
* @param string $response
* @param array $extra_params an array of extra variables to post to the server
* @return ReCaptchaResponse
*/
function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array())
{
if ($privkey == null || $privkey == '') {
die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create' target='_blank'>https://www.google.com/recaptcha/admin/create</a>");
} catch (Exception $e) {
return null;
}
if ($remoteip == null || $remoteip == '') {
die ("For security reasons, you must pass the remote ip to reCAPTCHA");
}
//discard spam submissions
if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) {
$recaptcha_response = new ReCaptchaResponse();
$recaptcha_response->is_valid = false;
$recaptcha_response->error = 'incorrect-captcha-sol';
return $recaptcha_response;
}
$response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
array (
'privatekey' => $privkey,
'remoteip' => $remoteip,
'challenge' => $challenge,
'response' => $response
) + $extra_params
);
$answers = explode ("\n", $response [1]);
$recaptcha_response = new ReCaptchaResponse();
if (trim ($answers [0]) == 'true') {
$recaptcha_response->is_valid = true;
}
else {
$recaptcha_response->is_valid = false;
$recaptcha_response->error = $answers [1];
}
return $recaptcha_response;
}
/**
* gets a URL where the user can sign up for reCAPTCHA. If your application
* has a configuration page where you enter a key, you should provide a link
* using this function.
* @param string $domain The domain where the page is hosted
* @param string $appname The name of your application
*/
function recaptcha_get_signup_url ($domain = null, $appname = null) {
return "https://www.google.com/recaptcha/admin/create?" . _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname));
function recaptcha_get_html($pubKey){
return "
<script src='https://www.google.com/recaptcha/api.js'></script>
<br /> <div class='g-recaptcha' data-theme='dark' data-sitekey='" . $pubKey . "'></div>
";
}
function _recaptcha_aes_pad($val) {
$block_size = 16;
$numpad = $block_size - (strlen ($val) % $block_size);
return str_pad($val, strlen ($val) + $numpad, chr($numpad));
}
/* Mailhide related code */
function _recaptcha_aes_encrypt($val,$ky) {
if (! function_exists ("mcrypt_encrypt")) {
die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed.");
}
$mode=MCRYPT_MODE_CBC;
$enc=MCRYPT_RIJNDAEL_128;
$val=_recaptcha_aes_pad($val);
return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
}
function _recaptcha_mailhide_urlbase64 ($x) {
return strtr(base64_encode ($x), '+/', '-_');
}
/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */
function recaptcha_mailhide_url($pubkey, $privkey, $email) {
if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) {
die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " .
"you can do so at <a href='http://www.google.com/recaptcha/mailhide/apikey' target='_blank'>http://www.google.com/recaptcha/mailhide/apikey</a>");
}
$ky = pack('H*', $privkey);
$cryptmail = _recaptcha_aes_encrypt ($email, $ky);
return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
}
/**
* gets the parts of the email to expose to the user.
* eg, given johndoe@example,com return ["john", "example.com"].
* the email is then displayed as john...@example.com
*/
function _recaptcha_mailhide_email_parts ($email) {
$arr = preg_split("/@/", $email );
if (strlen ($arr[0]) <= 4) {
$arr[0] = substr ($arr[0], 0, 1);
} else if (strlen ($arr[0]) <= 6) {
$arr[0] = substr ($arr[0], 0, 3);
} else {
$arr[0] = substr ($arr[0], 0, 4);
}
return $arr;
}
/**
* Gets html to display an email address given a public an private key.
* to get a key, go to:
*
* http://www.google.com/recaptcha/mailhide/apikey
*/
function recaptcha_mailhide_html($pubkey, $privkey, $email) {
$emailparts = _recaptcha_mailhide_email_parts ($email);
$url = recaptcha_mailhide_url ($pubkey, $privkey, $email);
return htmlentities($emailparts[0]) . "<a href='" . htmlentities ($url) .
"' onclick=\"window.open('" . htmlentities ($url) . "', '', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300'); return false;\" title=\"Reveal this e-mail address\">...</a>@" . htmlentities ($emailparts [1]);
}
?>

2
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/help/help.php
View File

@@ -44,7 +44,7 @@
This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds.
The idea of this is to try and confuse any timing predictions.</p>
<p>Using a <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/', 'CAPTCHA' ); ?> form could have a similar effect as a CSRF token.</p>
<p>Using a <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA', 'CAPTCHA' ); ?> form could have a similar effect as a CSRF token.</p>
<br />

2
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/brute/source/impossible.php
View File

@@ -1,6 +1,6 @@
<?php
if( isset( $_POST[ 'Login' ] ) ) {
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

4
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/help/help.php
View File

@@ -6,7 +6,7 @@
<tr>
<td><div id="code">
<h3>About</h3>
<p>A <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/', 'CAPTCHA' ); ?> is a program that can tell whether its user is a human or a computer. You've probably seen
<p>A <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA', 'CAPTCHA' ); ?> is a program that can tell whether its user is a human or a computer. You've probably seen
them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from
"bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots
cannot navigate sites protected by CAPTCHAs.</p>
@@ -58,5 +58,5 @@
<br />
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'http://www.captcha.net/' ); ?></p>
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ); ?></p>
</div>

2
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/index.php
View File

@@ -87,7 +87,7 @@ $page[ 'body' ] .= "
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'http://www.captcha.net/' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)' ) . "</li>
</ul>

35
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/high.php
View File

@@ -9,21 +9,20 @@ if( isset( $_POST[ 'Change' ] ) ) {
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
$_SERVER[ 'REMOTE_ADDR' ],
$_POST[ 'recaptcha_challenge_field' ],
$_POST[ 'recaptcha_response_field' ] );
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
else {
if (
$resp ||
(
$_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
&& $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
)
){
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
if ($pass_new == $pass_conf) {
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
@@ -33,12 +32,18 @@ if( isset( $_POST[ 'Change' ] ) ) {
// Feedback for user
$html .= "<pre>Password Changed.</pre>";
}
else {
} else {
// Ops. Password mismatch
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
} else {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);

10
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/impossible.php
View File

@@ -24,13 +24,13 @@ if( isset( $_POST[ 'Change' ] ) ) {
$pass_curr = md5( $pass_curr );
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
$_SERVER[ 'REMOTE_ADDR' ],
$_POST[ 'recaptcha_challenge_field' ],
$_POST[ 'recaptcha_response_field' ] );
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp->is_valid ) {
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;

10
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/low.php
View File

@@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
$_SERVER[ 'REMOTE_ADDR' ],
$_POST[ 'recaptcha_challenge_field' ],
$_POST[ 'recaptcha_response_field' ] );
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key'],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp->is_valid ) {
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;

10
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/captcha/source/medium.php
View File

@@ -9,13 +9,13 @@ if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
$_SERVER[ 'REMOTE_ADDR' ],
$_POST[ 'recaptcha_challenge_field' ],
$_POST[ 'recaptcha_response_field' ] );
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp->is_valid ) {
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;

52
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/help/help.php Normal file
View File

@@ -0,0 +1,52 @@
<div class="body_padded">
<h1>Help - Content Security Policy (CSP) Bypass</h1>
<div id="code">
<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
<tr>
<td><div id="code">
<h3>About</h3>
<p>Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers.</p>
<p>None of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented.</p>
<br /><hr /><br />
<h3>Objective</h3>
<p>Bypass Content Security Policy (CSP) and execute JavaScript in the page.</p>
<br /><hr /><br />
<h3>Low Level</h3>
<p>Examine the policy to find all the sources that can be used to host external script files.</p>
<pre>Spoiler: <span class="spoiler">Scripts can be included from Pastebin, try storing some JavaScript on there and then loading it in.</span></pre>
<br />
<h3>Medium Level</h3>
<p>The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.</p>
<pre>Spoiler: <span class="spoiler">Examine the nonce and see how it varies (or doesn't).</span></pre>
<br />
<h3>High Level</h3>
<p>The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function.</p>
<pre>Spoiler: <span class="spoiler">The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead</span></pre>
<br />
<h3>Impossible Level</h3>
<p>
This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts.
</p>
</div></td>
</tr>
</table>
</div>
<br />
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ); ?></p>
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src"); ?></p>
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ); ?></p>
</div>

57
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/index.php Normal file
View File

@@ -0,0 +1,57 @@
<?php
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
$page = dvwaPageNewGrab();
$page[ 'title' ] = 'Vulnerability: Content Security Policy (CSP) Bypass' . $page[ 'title_separator' ].$page[ 'title' ];
$page[ 'page_id' ] = 'csp';
$page[ 'help_button' ] = 'csp';
$page[ 'source_button' ] = 'csp';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
switch( $_COOKIE[ 'security' ] ) {
case 'low':
$vulnerabilityFile = 'low.php';
break;
case 'medium':
$vulnerabilityFile = 'medium.php';
break;
case 'high':
$vulnerabilityFile = 'high.php';
break;
default:
$vulnerabilityFile = 'impossible.php';
break;
}
$page[ 'body' ] = <<<EOF
<div class="body_padded">
<h1>Vulnerability: Content Security Policy (CSP) Bypass</h1>
<div class="vulnerable_code_area">
EOF;
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csp/source/{$vulnerabilityFile}";
$page[ 'body' ] .= <<<EOF
</div>
EOF;
$page[ 'body' ] .= "
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . "</li>
</ul>
<p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p>
</div>\n";
dvwaHtmlEcho( $page );
?>

19
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.js Normal file
View File

@@ -0,0 +1,19 @@
function clickButton() {
var s = document.createElement("script");
s.src = "source/jsonp.php?callback=solveSum";
document.body.appendChild(s);
}
function solveSum(obj) {
if ("answer" in obj) {
document.getElementById("answer").innerHTML = obj['answer'];
}
}
var solve_button = document.getElementById ("solve");
if (solve_button) {
solve_button.addEventListener("click", function() {
clickButton();
});
}

22
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/high.php Normal file
View File

@@ -0,0 +1,22 @@
<?php
$headerCSP = "Content-Security-Policy: script-src 'self';";
header($headerCSP);
?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
" . $_POST['include'] . "
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
<p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
<p>1+2+3+4+5=<span id="answer"></span></p>
<input type="button" id="solve" value="Solve the sum" />
</form>
<script src="source/high.js"></script>
';

19
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.js Normal file
View File

@@ -0,0 +1,19 @@
function clickButton() {
var s = document.createElement("script");
s.src = "source/jsonp_impossible.php";
document.body.appendChild(s);
}
function solveSum(obj) {
if ("answer" in obj) {
document.getElementById("answer").innerHTML = obj['answer'];
}
}
var solve_button = document.getElementById ("solve");
if (solve_button) {
solve_button.addEventListener("click", function() {
clickButton();
});
}

23
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/impossible.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
$headerCSP = "Content-Security-Policy: script-src 'self';";
header($headerCSP);
?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
" . $_POST['include'] . "
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
<p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
<p>1+2+3+4+5=<span id="answer"></span></p>
<input type="button" id="solve" value="Solve the sum" />
</form>
<script src="source/impossible.js"></script>
';

13
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
header("Content-Type: application/json; charset=UTF-8");
if (array_key_exists ("callback", $_GET)) {
$callback = $_GET['callback'];
} else {
return "";
}
$outp = array ("answer" => "15");
echo $callback . "(".json_encode($outp).")";
?>

7
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/jsonp_impossible.php Normal file
View File

@@ -0,0 +1,7 @@
<?php
header("Content-Type: application/json; charset=UTF-8");
$outp = array ("answer" => "15");
echo "solveSum (".json_encode($outp).")";
?>

22
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/low.php Normal file
View File

@@ -0,0 +1,22 @@
<?php
$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
header($headerCSP);
# https://pastebin.com/raw/R570EE00
?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
<script src='" . $_POST['include'] . "'></script>
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
<p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
<input size="50" type="text" name="include" value="" id="include" />
<input type="submit" value="Include" />
</form>
';

25
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/csp/source/medium.php Normal file
View File

@@ -0,0 +1,25 @@
<?php
$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
header($headerCSP);
// Disable XSS protections so that inline alert boxes will work
header ("X-XSS-Protection: 0");
# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
" . $_POST['include'] . "
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
<p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
<input size="50" type="text" name="include" value="" id="include" />
<input type="submit" value="Include" />
</form>
';

52
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/help/help.php Normal file
View File

@@ -0,0 +1,52 @@
<div class="body_padded">
<h1>Help - Client Side JavaScript</h1>
<div id="code" style="padding: 3px; border: 2px #C0C0C0 solid;>">
<h3>About</h3>
<p>The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.</p>
<hr />
<h3>Objective</h3>
<p>Simply submit the phrase "success" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.</p>
<hr />
<h3>Low Level</h3>
<p>All the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.</p>
<pre>Spoiler: <span class="spoiler">Change the phrase to success and then use the function generate_token() to update the token.</span></pre>
<p><br /></p>
<h3>Medium Level</h3>
<p>
The JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way.
</p>
<pre>Spoiler: <span class="spoiler">The file uses the setTimeout function to run the do_elsesomething function which generates the token.</span></pre>
<p><br /></p>
<h3>High Level</h3>
<p>
The JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission.
</p>
<pre>Spoiler: <span class="spoiler">If it helps, two packers have been used, the first is from <a href="https://www.danstools.com/javascript-obfuscate/index.php">Dan's Tools</a> and the second is the <a href="https://javascriptobfuscator.herokuapp.com/">JavaScript Obfuscator Tool</a>.</span></pre>
<pre>Spoiler 2: <span class="spoiler">This deobfuscation tool seems to work the best on this code <a href="http://deobfuscatejavascript.com/">deobfuscate javascript</a>.</span></pre>
<pre>Spoiler 3: <span class="spoiler">This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.</pre>
<p><br /></p>
<h3>Impossible Level</h3>
<p>You can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.</p>
</div>
<br />
<p>Reference:</p>
<ul>
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=8UqHCrGdxOM' )?></li>
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' )?></li>
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' )?></li>
<li><?php echo dvwaExternalLinkUrlGet( 'https://www.youtube.com/playlist?list=PLC9K7uaDMdAUNktlDTxsmj6rJBf4Q9TR5' )?></li>
</ul>
</div>

123
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/index.php Normal file
View File

@@ -0,0 +1,123 @@
<?php
define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
dvwaPageStartup( array( 'authenticated', 'phpids' ) );
$page = dvwaPageNewGrab();
$page[ 'title' ] = 'Vulnerability: JavaScript Attacks' . $page[ 'title_separator' ].$page[ 'title' ];
$page[ 'page_id' ] = 'javascript';
$page[ 'help_button' ] = 'javascript';
$page[ 'source_button' ] = 'javascript';
dvwaDatabaseConnect();
$vulnerabilityFile = '';
switch( $_COOKIE[ 'security' ] ) {
case 'low':
$vulnerabilityFile = 'low.php';
break;
case 'medium':
$vulnerabilityFile = 'medium.php';
break;
case 'high':
$vulnerabilityFile = 'high.php';
break;
default:
$vulnerabilityFile = 'impossible.php';
break;
}
$message = "";
// Check whwat was sent in to see if it was what was expected
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (array_key_exists ("phrase", $_POST) && array_key_exists ("token", $_POST)) {
$phrase = $_POST['phrase'];
$token = $_POST['token'];
if ($phrase == "success") {
switch( $_COOKIE[ 'security' ] ) {
case 'low':
if ($token == md5(str_rot13("success"))) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
case 'medium':
if ($token == strrev("XXsuccessXX")) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
case 'high':
if ($token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) {
$message = "<p style='color:red'>Well done!</p>";
} else {
$message = "<p>Invalid token.</p>";
}
break;
default:
$vulnerabilityFile = 'impossible.php';
break;
}
} else {
$message = "<p>You got the phrase wrong.</p>";
}
} else {
$message = "<p>Missing phrase or token.</p>";
}
}
if ( $_COOKIE[ 'security' ] == "impossible" ) {
$page[ 'body' ] = <<<EOF
<div class="body_padded">
<h1>Vulnerability: JavaScript Attacks</h1>
<div class="vulnerable_code_area">
<p>
You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level.
</p>
EOF;
} else {
$page[ 'body' ] = <<<EOF
<div class="body_padded">
<h1>Vulnerability: JavaScript Attacks</h1>
<div class="vulnerable_code_area">
<p>
Submit the word "success" to win.
</p>
$message
<form name="low_js" method="post">
<input type="hidden" name="token" value="" id="token" />
<label for="phrase">Phrase</label> <input type="text" name="phrase" value="ChangeMe" id="phrase" />
<input type="submit" id="send" name="send" value="Submit" />
</form>
EOF;
}
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/javascript/source/{$vulnerabilityFile}";
$page[ 'body' ] .= <<<EOF
</div>
EOF;
$page[ 'body' ] .= "
<h2>More Information</h2>
<ul>
<li>" . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . "</li>
<li>" . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . "</li>
</ul>
<p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p>
</div>\n";
dvwaHtmlEcho( $page );
?>

1
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.js Normal file
View File

File diff suppressed because one or more lines are too long

5
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$page[ 'body' ] .= <<<EOF
<script src="/vulnerabilities/javascript/source/high.js"></script>
EOF;
?>

540
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/high_unobfuscated.js Normal file
View File

@@ -0,0 +1,540 @@
/**
* [js-sha256]{@link https://github.com/emn178/js-sha256}
*
* @version 0.9.0
* @author Chen, Yi-Cyuan [emn178@gmail.com]
* @copyright Chen, Yi-Cyuan 2014-2017
* @license MIT
*/
/*jslint bitwise: true */
(function () {
'use strict';
var ERROR = 'input is invalid type';
var WINDOW = typeof window === 'object';
var root = WINDOW ? window : {};
if (root.JS_SHA256_NO_WINDOW) {
WINDOW = false;
}
var WEB_WORKER = !WINDOW && typeof self === 'object';
var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;
if (NODE_JS) {
root = global;
} else if (WEB_WORKER) {
root = self;
}
var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports;
var AMD = typeof define === 'function' && define.amd;
var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';
var HEX_CHARS = '0123456789abcdef'.split('');
var EXTRA = [-2147483648, 8388608, 32768, 128];
var SHIFT = [24, 16, 8, 0];
var K = [
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
];
var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer'];
var blocks = [];
if (root.JS_SHA256_NO_NODE_JS || !Array.isArray) {
Array.isArray = function (obj) {
return Object.prototype.toString.call(obj) === '[object Array]';
};
}
if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {
ArrayBuffer.isView = function (obj) {
return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer;
};
}
var createOutputMethod = function (outputType, is224) {
return function (message) {
return new Sha256(is224, true).update(message)[outputType]();
};
};
var createMethod = function (is224) {
var method = createOutputMethod('hex', is224);
if (NODE_JS) {
method = nodeWrap(method, is224);
}
method.create = function () {
return new Sha256(is224);
};
method.update = function (message) {
return method.create().update(message);
};
for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
var type = OUTPUT_TYPES[i];
method[type] = createOutputMethod(type, is224);
}
return method;
};
var nodeWrap = function (method, is224) {
var crypto = eval("require('crypto')");
var Buffer = eval("require('buffer').Buffer");
var algorithm = is224 ? 'sha224' : 'sha256';
var nodeMethod = function (message) {
if (typeof message === 'string') {
return crypto.createHash(algorithm).update(message, 'utf8').digest('hex');
} else {
if (message === null || message === undefined) {
throw new Error(ERROR);
} else if (message.constructor === ArrayBuffer) {
message = new Uint8Array(message);
}
}
if (Array.isArray(message) || ArrayBuffer.isView(message) ||
message.constructor === Buffer) {
return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex');
} else {
return method(message);
}
};
return nodeMethod;
};
var createHmacOutputMethod = function (outputType, is224) {
return function (key, message) {
return new HmacSha256(key, is224, true).update(message)[outputType]();
};
};
var createHmacMethod = function (is224) {
var method = createHmacOutputMethod('hex', is224);
method.create = function (key) {
return new HmacSha256(key, is224);
};
method.update = function (key, message) {
return method.create(key).update(message);
};
for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
var type = OUTPUT_TYPES[i];
method[type] = createHmacOutputMethod(type, is224);
}
return method;
};
function Sha256(is224, sharedMemory) {
if (sharedMemory) {
blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] =
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
this.blocks = blocks;
} else {
this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
}
if (is224) {
this.h0 = 0xc1059ed8;
this.h1 = 0x367cd507;
this.h2 = 0x3070dd17;
this.h3 = 0xf70e5939;
this.h4 = 0xffc00b31;
this.h5 = 0x68581511;
this.h6 = 0x64f98fa7;
this.h7 = 0xbefa4fa4;
} else { // 256
this.h0 = 0x6a09e667;
this.h1 = 0xbb67ae85;
this.h2 = 0x3c6ef372;
this.h3 = 0xa54ff53a;
this.h4 = 0x510e527f;
this.h5 = 0x9b05688c;
this.h6 = 0x1f83d9ab;
this.h7 = 0x5be0cd19;
}
this.block = this.start = this.bytes = this.hBytes = 0;
this.finalized = this.hashed = false;
this.first = true;
this.is224 = is224;
}
Sha256.prototype.update = function (message) {
if (this.finalized) {
return;
}
var notString, type = typeof message;
if (type !== 'string') {
if (type === 'object') {
if (message === null) {
throw new Error(ERROR);
} else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) {
message = new Uint8Array(message);
} else if (!Array.isArray(message)) {
if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) {
throw new Error(ERROR);
}
}
} else {
throw new Error(ERROR);
}
notString = true;
}
var code, index = 0, i, length = message.length, blocks = this.blocks;
while (index < length) {
if (this.hashed) {
this.hashed = false;
blocks[0] = this.block;
blocks[16] = blocks[1] = blocks[2] = blocks[3] =
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
}
if (notString) {
for (i = this.start; index < length && i < 64; ++index) {
blocks[i >> 2] |= message[index] << SHIFT[i++ & 3];
}
} else {
for (i = this.start; index < length && i < 64; ++index) {
code = message.charCodeAt(index);
if (code < 0x80) {
blocks[i >> 2] |= code << SHIFT[i++ & 3];
} else if (code < 0x800) {
blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
} else if (code < 0xd800 || code >= 0xe000) {
blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
} else {
code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff));
blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | ((code >> 12) & 0x3f)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
}
}
}
this.lastByteIndex = i;
this.bytes += i - this.start;
if (i >= 64) {
this.block = blocks[16];
this.start = i - 64;
this.hash();
this.hashed = true;
} else {
this.start = i;
}
}
if (this.bytes > 4294967295) {
this.hBytes += this.bytes / 4294967296 << 0;
this.bytes = this.bytes % 4294967296;
}
return this;
};
Sha256.prototype.finalize = function () {
if (this.finalized) {
return;
}
this.finalized = true;
var blocks = this.blocks, i = this.lastByteIndex;
blocks[16] = this.block;
blocks[i >> 2] |= EXTRA[i & 3];
this.block = blocks[16];
if (i >= 56) {
if (!this.hashed) {
this.hash();
}
blocks[0] = this.block;
blocks[16] = blocks[1] = blocks[2] = blocks[3] =
blocks[4] = blocks[5] = blocks[6] = blocks[7] =
blocks[8] = blocks[9] = blocks[10] = blocks[11] =
blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
}
blocks[14] = this.hBytes << 3 | this.bytes >>> 29;
blocks[15] = this.bytes << 3;
this.hash();
};
Sha256.prototype.hash = function () {
var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6,
h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc;
for (j = 16; j < 64; ++j) {
// rightrotate
t1 = blocks[j - 15];
s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3);
t1 = blocks[j - 2];
s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10);
blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0;
}
bc = b & c;
for (j = 0; j < 64; j += 4) {
if (this.first) {
if (this.is224) {
ab = 300032;
t1 = blocks[0] - 1413257819;
h = t1 - 150054599 << 0;
d = t1 + 24177077 << 0;
} else {
ab = 704751109;
t1 = blocks[0] - 210244248;
h = t1 - 1521486534 << 0;
d = t1 + 143694565 << 0;
}
this.first = false;
} else {
s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));
s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));
ab = a & b;
maj = ab ^ (a & c) ^ bc;
ch = (e & f) ^ (~e & g);
t1 = h + s1 + ch + K[j] + blocks[j];
t2 = s0 + maj;
h = d + t1 << 0;
d = t1 + t2 << 0;
}
s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10));
s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7));
da = d & a;
maj = da ^ (d & b) ^ ab;
ch = (h & e) ^ (~h & f);
t1 = g + s1 + ch + K[j + 1] + blocks[j + 1];
t2 = s0 + maj;
g = c + t1 << 0;
c = t1 + t2 << 0;
s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10));
s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7));
cd = c & d;
maj = cd ^ (c & a) ^ da;
ch = (g & h) ^ (~g & e);
t1 = f + s1 + ch + K[j + 2] + blocks[j + 2];
t2 = s0 + maj;
f = b + t1 << 0;
b = t1 + t2 << 0;
s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10));
s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7));
bc = b & c;
maj = bc ^ (b & d) ^ cd;
ch = (f & g) ^ (~f & h);
t1 = e + s1 + ch + K[j + 3] + blocks[j + 3];
t2 = s0 + maj;
e = a + t1 << 0;
a = t1 + t2 << 0;
}
this.h0 = this.h0 + a << 0;
this.h1 = this.h1 + b << 0;
this.h2 = this.h2 + c << 0;
this.h3 = this.h3 + d << 0;
this.h4 = this.h4 + e << 0;
this.h5 = this.h5 + f << 0;
this.h6 = this.h6 + g << 0;
this.h7 = this.h7 + h << 0;
};
Sha256.prototype.hex = function () {
this.finalize();
var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
h6 = this.h6, h7 = this.h7;
var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] +
HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] +
HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] +
HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] +
HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] +
HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] +
HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] +
HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] +
HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] +
HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] +
HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] +
HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] +
HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] +
HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] +
HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] +
HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] +
HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] +
HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] +
HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] +
HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] +
HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] +
HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] +
HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] +
HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] +
HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] +
HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] +
HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] +
HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F];
if (!this.is224) {
hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] +
HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] +
HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] +
HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F];
}
return hex;
};
Sha256.prototype.toString = Sha256.prototype.hex;
Sha256.prototype.digest = function () {
this.finalize();
var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
h6 = this.h6, h7 = this.h7;
var arr = [
(h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF,
(h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF,
(h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF,
(h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF,
(h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF,
(h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF,
(h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF
];
if (!this.is224) {
arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF);
}
return arr;
};
Sha256.prototype.array = Sha256.prototype.digest;
Sha256.prototype.arrayBuffer = function () {
this.finalize();
var buffer = new ArrayBuffer(this.is224 ? 28 : 32);
var dataView = new DataView(buffer);
dataView.setUint32(0, this.h0);
dataView.setUint32(4, this.h1);
dataView.setUint32(8, this.h2);
dataView.setUint32(12, this.h3);
dataView.setUint32(16, this.h4);
dataView.setUint32(20, this.h5);
dataView.setUint32(24, this.h6);
if (!this.is224) {
dataView.setUint32(28, this.h7);
}
return buffer;
};
function HmacSha256(key, is224, sharedMemory) {
var i, type = typeof key;
if (type === 'string') {
var bytes = [], length = key.length, index = 0, code;
for (i = 0; i < length; ++i) {
code = key.charCodeAt(i);
if (code < 0x80) {
bytes[index++] = code;
} else if (code < 0x800) {
bytes[index++] = (0xc0 | (code >> 6));
bytes[index++] = (0x80 | (code & 0x3f));
} else if (code < 0xd800 || code >= 0xe000) {
bytes[index++] = (0xe0 | (code >> 12));
bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
bytes[index++] = (0x80 | (code & 0x3f));
} else {
code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff));
bytes[index++] = (0xf0 | (code >> 18));
bytes[index++] = (0x80 | ((code >> 12) & 0x3f));
bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
bytes[index++] = (0x80 | (code & 0x3f));
}
}
key = bytes;
} else {
if (type === 'object') {
if (key === null) {
throw new Error(ERROR);
} else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) {
key = new Uint8Array(key);
} else if (!Array.isArray(key)) {
if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) {
throw new Error(ERROR);
}
}
} else {
throw new Error(ERROR);
}
}
if (key.length > 64) {
key = (new Sha256(is224, true)).update(key).array();
}
var oKeyPad = [], iKeyPad = [];
for (i = 0; i < 64; ++i) {
var b = key[i] || 0;
oKeyPad[i] = 0x5c ^ b;
iKeyPad[i] = 0x36 ^ b;
}
Sha256.call(this, is224, sharedMemory);
this.update(iKeyPad);
this.oKeyPad = oKeyPad;
this.inner = true;
this.sharedMemory = sharedMemory;
}
HmacSha256.prototype = new Sha256();
HmacSha256.prototype.finalize = function () {
Sha256.prototype.finalize.call(this);
if (this.inner) {
this.inner = false;
var innerHash = this.array();
Sha256.call(this, this.is224, this.sharedMemory);
this.update(this.oKeyPad);
this.update(innerHash);
Sha256.prototype.finalize.call(this);
}
};
var exports = createMethod();
exports.sha256 = exports;
exports.sha224 = createMethod(true);
exports.sha256.hmac = createHmacMethod();
exports.sha224.hmac = createHmacMethod(true);
if (COMMON_JS) {
module.exports = exports;
} else {
root.sha256 = exports.sha256;
root.sha224 = exports.sha224;
if (AMD) {
define(function () {
return exports;
});
}
}
})();
function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}
function token_part_3(t, y="ZZ") {
document.getElementById("token").value=sha256(document.getElementById("token").value+y)
}
function token_part_2(e="YY") {
document.getElementById("token").value=sha256(e+document.getElementById("token").value)
}
function token_part_1(a,b) {
document.getElementById("token").value=do_something(document.getElementById("phrase").value)
}
document.getElementById("phrase").value="";
setTimeout(function(){token_part_2("XX")},300);
document.getElementById("send").addEventListener("click", token_part_3);
token_part_1("ABCD", 44);

0
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/impossible.php Normal file
View File

24
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/low.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
$page[ 'body' ] .= <<<EOF
<script>
/*
MD5 code from here
https://github.com/blueimp/JavaScript-MD5
*/
!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<<t|n>>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<<r%32,n[14+(r+64>>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e<n.length;e+=16)i=l,a=g,d=v,h=m,g=f(g=f(g=f(g=f(g=c(g=c(g=c(g=c(g=u(g=u(g=u(g=u(g=o(g=o(g=o(g=o(g,v=o(v,m=o(m,l=o(l,g,v,m,n[e],7,-680876936),g,v,n[e+1],12,-389564586),l,g,n[e+2],17,606105819),m,l,n[e+3],22,-1044525330),v=o(v,m=o(m,l=o(l,g,v,m,n[e+4],7,-176418897),g,v,n[e+5],12,1200080426),l,g,n[e+6],17,-1473231341),m,l,n[e+7],22,-45705983),v=o(v,m=o(m,l=o(l,g,v,m,n[e+8],7,1770035416),g,v,n[e+9],12,-1958414417),l,g,n[e+10],17,-42063),m,l,n[e+11],22,-1990404162),v=o(v,m=o(m,l=o(l,g,v,m,n[e+12],7,1804603682),g,v,n[e+13],12,-40341101),l,g,n[e+14],17,-1502002290),m,l,n[e+15],22,1236535329),v=u(v,m=u(m,l=u(l,g,v,m,n[e+1],5,-165796510),g,v,n[e+6],9,-1069501632),l,g,n[e+11],14,643717713),m,l,n[e],20,-373897302),v=u(v,m=u(m,l=u(l,g,v,m,n[e+5],5,-701558691),g,v,n[e+10],9,38016083),l,g,n[e+15],14,-660478335),m,l,n[e+4],20,-405537848),v=u(v,m=u(m,l=u(l,g,v,m,n[e+9],5,568446438),g,v,n[e+14],9,-1019803690),l,g,n[e+3],14,-187363961),m,l,n[e+8],20,1163531501),v=u(v,m=u(m,l=u(l,g,v,m,n[e+13],5,-1444681467),g,v,n[e+2],9,-51403784),l,g,n[e+7],14,1735328473),m,l,n[e+12],20,-1926607734),v=c(v,m=c(m,l=c(l,g,v,m,n[e+5],4,-378558),g,v,n[e+8],11,-2022574463),l,g,n[e+11],16,1839030562),m,l,n[e+14],23,-35309556),v=c(v,m=c(m,l=c(l,g,v,m,n[e+1],4,-1530992060),g,v,n[e+4],11,1272893353),l,g,n[e+7],16,-155497632),m,l,n[e+10],23,-1094730640),v=c(v,m=c(m,l=c(l,g,v,m,n[e+13],4,681279174),g,v,n[e],11,-358537222),l,g,n[e+3],16,-722521979),m,l,n[e+6],23,76029189),v=c(v,m=c(m,l=c(l,g,v,m,n[e+9],4,-640364487),g,v,n[e+12],11,-421815835),l,g,n[e+15],16,530742520),m,l,n[e+2],23,-995338651),v=f(v,m=f(m,l=f(l,g,v,m,n[e],6,-198630844),g,v,n[e+7],10,1126891415),l,g,n[e+14],15,-1416354905),m,l,n[e+5],21,-57434055),v=f(v,m=f(m,l=f(l,g,v,m,n[e+12],6,1700485571),g,v,n[e+3],10,-1894986606),l,g,n[e+10],15,-1051523),m,l,n[e+1],21,-2054922799),v=f(v,m=f(m,l=f(l,g,v,m,n[e+8],6,1873313359),g,v,n[e+15],10,-30611744),l,g,n[e+6],15,-1560198380),m,l,n[e+13],21,1309151649),v=f(v,m=f(m,l=f(l,g,v,m,n[e+4],6,-145523070),g,v,n[e+11],10,-1120210379),l,g,n[e+2],15,718787259),m,l,n[e+9],21,-343485551),l=t(l,i),g=t(g,a),v=t(v,d),m=t(m,h);return[l,g,v,m]}function a(n){var t,r="",e=32*n.length;for(t=0;t<e;t+=8)r+=String.fromCharCode(n[t>>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t<r.length;t+=1)r[t]=0;var e=8*n.length;for(t=0;t<e;t+=8)r[t>>5]|=(255&n.charCodeAt(t/8))<<t%32;return r}function h(n){return a(i(d(n),8*n.length))}function l(n,t){var r,e,o=d(n),u=[],c=[];for(u[15]=c[15]=void 0,o.length>16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r<n.length;r+=1)t=n.charCodeAt(r),e+="0123456789abcdef".charAt(t>>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);
function rot13(inp) {
return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});
}
function generate_token() {
var phrase = document.getElementById("phrase").value;
document.getElementById("token").value = md5(rot13(phrase));
}
generate_token();
</script>
EOF;
?>

1
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.js Normal file
View File

@@ -0,0 +1 @@
function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething("XX")},300);function do_elsesomething(e){document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")}

5
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/javascript/source/medium.php Normal file
View File

@@ -0,0 +1,5 @@
<?php
$page[ 'body' ] .= <<<EOF
<script src="/vulnerabilities/javascript/source/medium.js"></script>
EOF;
?>

2
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/upload/help/help.php
View File

@@ -34,7 +34,7 @@
<h3>High Level</h3>
<p>Once the file has been received from the client, the server will try to resize any image that was included in the request.</p>
<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file includion</span>.</pre>
<pre>Spoiler: <span class="spoiler">need to link in another vulnerability, such as file inclusion</span>.</pre>
<br />

20
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source.php
View File

@@ -43,6 +43,9 @@ switch ($id) {
case "weak_id" :
$vuln = 'Weak Session IDs';
break;
case "javascript" :
$vuln = 'JavaScript';
break;
default:
$vuln = "Unknown Vulnerability";
}
@@ -50,10 +53,26 @@ switch ($id) {
$source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.php" );
$source = str_replace( array( '$html .=' ), array( 'echo' ), $source );
$js_html = "";
if (file_exists (DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js")) {
$js_source = @file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/source/{$security}.js" );
$js_html = "
<h2>vulnerabilities/{$id}/source/{$security}.js</h2>
<div id=\"code\">
<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
<tr>
<td><div id=\"code\">" . highlight_string( $js_source, true ) . "</div></td>
</tr>
</table>
</div>
";
}
$page[ 'body' ] .= "
<div class=\"body_padded\">
<h1>{$vuln} Source</h1>
<h2>vulnerabilities/{$id}/source/{$security}.php</h2>
<div id=\"code\">
<table width='100%' bgcolor='white' style=\"border:2px #C0C0C0 solid\">
<tr>
@@ -61,6 +80,7 @@ $page[ 'body' ] .= "
</tr>
</table>
</div>
{$js_html}
<br /> <br />
<form>

3
modules/vulnerabilities/unix/web_training/dvwa/files/DVWA-master/vulnerabilities/view_source_all.php
View File

@@ -27,6 +27,9 @@ $impsrc = str_replace( array( '$html .=' ), array( 'echo' ), $impsrc);
$impsrc = highlight_string( $impsrc, true );
switch ($id) {
case "javascript" :
$vuln = 'JavaScript';
break;
case "fi" :
$vuln = 'File Inclusion';
break;

39
modules/vulnerabilities/unix/web_training/dvwa/manifests/apache.pp
View File

@@ -4,33 +4,52 @@ class dvwa::apache {
$db_password = $secgen_parameters['db_password'][0]
$docroot = '/var/www/dvwa'
package { ['php5', 'php5-gd', 'php5-mysql']:
if ($operatingsystem == 'Debian') {
package { 'mysql-server':
ensure => installed,
}
case $operatingsystemrelease {
/^9.*/: { # do 9.x stretch stuff
$php_version = "php7.0"
}
/^7.*/: { #do 7.x wheezy stuff
$php_version = "php"
}
}
} else {
# kali
$php_version = "php7.3"
}
package { ['php', 'php-mysqli', 'php-gd', 'libapache2-mod-php']:
ensure => installed,
}
class { '::apache':
default_vhost => false,
default_mods => 'php',
default_mods => $php_version,
overwrite_ports => false,
mpm_module => 'prefork',
}
::apache::vhost { 'dvwa':
port => $port,
docroot => $docroot,
}
mysql::db { 'dvwa_database':
user => 'dvwa_user',
password => $db_password,
host => 'localhost',
grant => ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP'],
}
# mysql::db { 'dvwa_database':
# user => 'dvwa_user',
# password => $db_password,
# host => 'localhost',
# grant => ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP'],
# }
mysql_user{ 'dvwa_user@localhost':
ensure => present,
password_hash => mysql_password($db_password)
}
mysql_grant{'dvwa_user@localhost/dvwa_database.*':
user => 'dvwa_user@localhost',
table => 'dvwa_database.*',

14
modules/vulnerabilities/unix/web_training/dvwa/secgen_metadata.xml
View File

@@ -15,11 +15,11 @@
<read_fact>port</read_fact>
<read_fact>db_password</read_fact>
<default_input into="port">
<value>80</value>
</default_input>
<default_input into="db_password">
<generator type="strong_password_generator"/>
</default_input>
@@ -30,12 +30,12 @@
<software_license>GPLv3</software_license>
<!-- TODO: Make stretch compatible, php5 packages are not available... -->
<conflict>
<!-- <conflict>
<name>Stretch</name>
</conflict>
<conflict>
<name>Kali</name>
</conflict>
</conflict> -->
<!-- <conflict>
<distro>Kali</distro>
</conflict> -->
<requires>
<module_path>.*/apache.*</module_path>

21
scenarios/examples/vulnerability_examples/dvwa.xml
View File

@@ -5,12 +5,29 @@
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<system>
<system_name>dvwa</system_name>
<base platform="linux" type="server"/>
<system_name>dvwa_stretch</system_name>
<base distro="Debian 9" type="desktop" name="KDE"/>
<vulnerability module_path=".*dvwa" />
<network type="private_network" range="dhcp"/>
</system>
<system>
<system_name>dvwa_wheezy</system_name>
<base distro="Debian 7" type="desktop" name="KDE"/>
<vulnerability module_path=".*dvwa" />
<network type="private_network" range="dhcp"/>
</system>
<system>
<system_name>dvwa_kali</system_name>
<base distro="Kali" name="MSF"/>
<vulnerability module_path=".*dvwa" />
<network type="private_network" range="dhcp"/>
</system>
</scenario>

350
scenarios/labs/ads_1_authentication.xml Normal file
View File

@@ -0,0 +1,350 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Authentication lab</name>
<author>Z. Cliffe Schreuders</author>
<description>A Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot. Topics covered: Protecting integrity with file attributes; Protecting integrity with read-only filesystems.</description>
<type>ctf-lab</type>
<type>hackerbot-lab</type>
<type>lab-sheet</type>
<difficulty>intermediate</difficulty>
<system>
<system_name>desktop</system_name>
<base distro="Debian 9" type="desktop" name="KDE"/>
<input into_datastore="IP_addresses">
<!-- 0 desktop -->
<value>172.16.0.2</value>
<!-- 1 server -->
<value>172.16.0.3</value>
<!-- 2 hackerbot_server -->
<value>172.16.0.4</value>
<!-- 3 kali_cracker -->
<value>172.16.0.5</value>
</input>
<!-- generate some usernames to use -->
<input into_datastore="usernames">
<!-- main user -->
<generator type="random_word_generator">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
<!-- 4 other users -->
<generator type="random_word_generator">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
<generator type="random_word_generator">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
<generator type="random_word_generator">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
<generator type="random_word_generator">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<!-- generate some passwords to be cracked -->
<input into_datastore="weak_passwords">
<generator type="weak_password_generator"/>
<generator type="weak_password_generator"/>
<generator type="weak_password_generator"/>
<generator type="medium_password_generator"/>
</input>
<!-- accounts on the desktop, with the main user as a sudoer, with no flags -->
<input into_datastore="user_accounts_desktop">
<!-- main user, sudoer -->
<generator type="account">
<input into="username">
<datastore access="0">usernames</datastore>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>true</value>
</input>
</generator>
<!-- other users, with weak passwords, no flags -->
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="0">weak_passwords</datastore>
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
</generator>
</input>
<input into_datastore="desktop_root_password">
<generator type="strong_password_generator"/>
</input>
<!--Create the users-->
<utility module_path=".*parameterised_accounts">
<input into="accounts">
<datastore>user_accounts_desktop</datastore>
</input>
</utility>
<utility module_path=".*kde_minimal">
<input into="autologin_user">
<datastore access="0">usernames</datastore>
</input>
<input into="accounts">
<datastore>user_accounts_desktop</datastore>
</input>
<input into="autostart_konsole">
<value>true</value>
</input>
</utility>
<utility module_path=".*handy_cli_tools"/>
<utility module_path=".*hash_tools"/>
<utility module_path=".*iceweasel">
<input into="accounts">
<datastore>user_accounts_desktop</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="2">IP_addresses</datastore>
</input>
</utility>
<utility module_path=".*pidgin">
<input into="server_ip">
<datastore access="2">IP_addresses</datastore>
</input>
<input into="accounts">
<datastore access="0">user_accounts_desktop</datastore>
</input>
</utility>
<vulnerability module_path=".*ssh_root_login">
<input into="root_password">
<datastore>desktop_root_password</datastore>
</input>
</vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>server</system_name>
<base distro="Debian 9" type="server"/>
<!-- user accounts on the server, with matching usernames and passwords, but with flags to find -->
<input into_datastore="user_accounts_server">
<!-- main user, NOT sudoer -->
<generator type="account">
<input into="username">
<datastore access="0">usernames</datastore>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>false</value>
</input>
</generator>
<!-- other users, with the SAME weak passwords, WITH flags -->
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="0">weak_passwords</datastore>
</input>
<input into="leaked_filenames">
<value>flag</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
<input into="leaked_filenames">
<value>flag</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
<input into="leaked_filenames">
<value>flag</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
<generator type="account">
<input into="username">
<datastore access="next">usernames</datastore>
</input>
<input into="password">
<datastore access="next">weak_passwords</datastore>
</input>
<input into="leaked_filenames">
<value>flag</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
</input>
<!--Create the users-->
<utility module_path=".*parameterised_accounts">
<input into="accounts">
<datastore>user_accounts_server</datastore>
</input>
</utility>
<utility module_path=".*handy_cli_tools"/>
<vulnerability module_path=".*ssh_root_login">
<input into="root_password">
<datastore>desktop_root_password</datastore>
</input>
</vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>hackerbot_server</system_name>
<base distro="Kali" name="MSF"/>
<service type="ircd"/>
<utility module_path=".*metasploit_framework"/>
<utility module_path=".*nmap"/>
<utility module_path=".*handy_cli_tools"/>
<service type="httpd"/>
<utility module_path=".*hackerbot">
<input into="hackerbot_configs">
<generator module_path=".*hbauthentication">
<input into="accounts">
<datastore>user_accounts_desktop</datastore>
</input>
<input into="root_password">
<datastore>desktop_root_password</datastore>
</input>
<input into="server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
</generator>
</input>
</utility>
<network type="private_network" >
<input into="IP_address">
<datastore access="2">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<generator type="strong_password_generator"/>
</input>
</build>
</system>
<system>
<system_name>kali_cracker</system_name>
<base distro="Kali" name="MSF"/>
<input into_datastore="kali_root_account">
<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<utility module_path=".*kali_pwtools"/>
<utility module_path=".*metasploit_framework"/>
<utility module_path=".*handy_cli_tools"/>
<utility module_path=".*nmap"/>
<utility module_path=".*iceweasel">
<input into="accounts">
<datastore>kali_root_account</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="2">IP_addresses</datastore>
</input>
</utility>
<network type="private_network" >
<input into="IP_address">
<datastore access="3">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>

53
scenarios/labs/websec_lab_env.xml Normal file
View File

@@ -0,0 +1,53 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Web security lab environment</name>
<author>Z. Cliffe Schreuders</author>
<description>An environment for web security labs. Debian Stretch desktop with Damn Vulnerable Web App server, and Kali Linux. </description>
<type>lab-environment</type>
<system>
<system_name>kali</system_name>
<base distro="Kali" name="MSF"/>
<input into_datastore="IP_addresses">
<value>172.16.0.2</value>
<value>172.16.0.3</value>
<value>172.16.0.4</value>
</input>
<input into_datastore="kali_root_account">
<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<utility module_path=".*kali_web"/>
<utility module_path=".*metasploit_framework"/>
<utility module_path=".*handy_cli_tools"/>
<utility module_path=".*nmap"/>
<utility module_path=".*iceweasel">
<input into="accounts">
<datastore>kali_root_account</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="0">IP_addresses</datastore>
</input>
</utility>
<vulnerability module_path=".*dvwa" />
<network type="private_network" >
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>