randomly vuln webapp updates

Co-Authored-By: Josh1438 <Josh1438@Josh1438>
2026-02-20 13:50:45 +00:00 · 2020-02-28 14:01:49 +00:00
parent c3dc5e0540
commit 86bce6cc67
20 changed files with 179 additions and 27 deletions
--- a/lib/resources/ws_attacks/sqli/vectors/vector_1
+++ b/lib/resources/ws_attacks/sqli/vectors/vector_1
@@ -4,7 +4,7 @@
    <input  type="text" name="name" maxlength="15" placeholder="Name">
    <input  type="text" name="number" size="30" placeholder="Phone Number" id="right-box"> <br><br>
    <input  type="text" name="email" size="55" placeholder="Email"> <br><br>
-    <input  type="text" name="question" size="55" placeholder="Please enter your question!"> <br><br>
+    <input  type="text" name="question" size="55" placeholder="Please enter your review!"> <br><br>
    <input  type="submit" name="go" value="Submit" id="submit-button">
  </form>
 </div>
--- a/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_1
+++ b/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_1
@@ -2,7 +2,8 @@ $badAgents = array('sqlmap');
 if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
    exit();
 }else{
-$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
-$email=str_replace("'", "''", htmlspecialchars($_POST['email']));
-$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
-$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));
+    $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+    $email=str_replace("'", "''", htmlspecialchars($_POST['email']));
+    $mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+    $question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));
+}
--- a/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_2
+++ b/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_2
@@ -8,3 +8,4 @@ if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
  $email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST2']));
  $mobile=str_replace($blacklist, " ", htmlspecialchars($_POST['mobile']));
  $question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));
+}
--- a/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_3
+++ b/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_3
@@ -7,3 +7,4 @@ if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
    $email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email]));
    $mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
    $question=str_replace($blacklist, "", htmlspecialchars($_POST['question']));
+}
--- a/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_4
+++ b/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_4
@@ -5,3 +5,4 @@ if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
    $blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
      $name=str_replace($blacklist, " ", htmlspecialchars($_GET['name']));
      $question=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET[$question]));
+}
--- a/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_5
+++ b/lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_5
@@ -5,3 +5,4 @@ if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
   $blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
      $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['name']));
      $question=str_replace($blacklist, " ", htmlspecialchars($_GET['question']));
+}
--- a/modules/generators/html/vuln_snippets/sqli_template/secgen_local/local.rb
+++ b/modules/generators/html/vuln_snippets/sqli_template/secgen_local/local.rb
@@ -105,8 +105,9 @@ class SQLiTemplateGenerator < StringEncoder
      end
    end

+    # TODO: I changed a "Question" to "Review" since it fed into the review output, reenable the feature
    if query.eql? query_1
-      heading_name = "Question"
+      heading_name = "Review"
      method = "POST"
    else
      heading_name = "Review"
@@ -137,7 +138,7 @@ class SQLiTemplateGenerator < StringEncoder
              ?>
              <div class=\"other-review\">
                <p><?php echo $row['#{headings_array[0]}']; ?>
-                <div id=\"left-by\">Left by <?php echo $row['#{headings_array[1]}']; ?></div>
+                <div id=\"left-by\"><?php echo $row['#{headings_array[1]}']; ?></div>
              </p>
            </div>
              <?php
--- a/modules/services/unix/http/php_5_stretch_compatible/php/manifests/install.pp
+++ b/modules/services/unix/http/php_5_stretch_compatible/php/manifests/install.pp
@@ -4,21 +4,28 @@ class php::install {

  exec { 'install php5 gpg key':
    command => '/usr/bin/wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg',
-  }
+  } ->

  exec { 'add repo to sources':
    command =>
      '/bin/echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list',
-  }
+  } ->

  exec { 'apt update':
    command => '/usr/bin/apt-get update',
-    require => [Exec['install php5 gpg key'], Exec['add repo to sources']],
-    before  => Package['php5.6']
-  }
+  } ->

  package { ['php5.6', 'php5.6-mysql','php5.6-cli', 'php5.6-common', 'php5.6-curl', 'php5.6-mbstring','php5.6-xml']:
    ensure => installed,
-  }
+  } ->

-}
+  package { 'php7.0-common':
+    ensure => 'absent',
+  }
+  # ->
+  #
+  # exec { 'disable php7':
+  #   command => '/usr/sbin/a2dismod php7.0',
+  #   require => [Exec['install php5 gpg key'], Exec['add repo to sources']],
+  # }
+}
--- a/modules/vulnerabilities/unix/webapp/commando/files/css/index.css
+++ b/modules/vulnerabilities/unix/webapp/commando/files/css/index.css
@@ -30,21 +30,24 @@
 	font-family: 'Ubuntu', sans-serif;
 }

+ .product img {
+	 object-fit: cover;
+ }
 .product form input[type=number] {
- 	width: 40px;
 	text-align: center;
+	width: 60%;
 }

 .product form input[type=submit] {
- 	float: right;
 	background-color: inherit;
 	color: orange;
 	border: 1px solid #cccccc;
- 	padding: 4px;
+ 	padding: 1px;
+	width: 35%;
 }

 .product form {
- 	width: 50%;
+	width: 95%;
 }

 footer ul {
@@ -106,3 +109,10 @@
 	color: #4F8A10;
 	margin: 1em
 }
+.error_msg {
+	border-radius: 1em;
+	border: 1px solid darkred;
+	padding: .75em;
+	color: darkred;
+	margin: 1em
+}
--- a/modules/vulnerabilities/unix/webapp/commando/files/js/jquery-3.3.1.slim.min.js
+++ b/modules/vulnerabilities/unix/webapp/commando/files/js/jquery-3.3.1.slim.min.js
--- a/modules/vulnerabilities/unix/webapp/commando/files/js/popper.min.js
+++ b/modules/vulnerabilities/unix/webapp/commando/files/js/popper.min.js
--- a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
+++ b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
@@ -142,6 +142,13 @@ class commando::install {
 	    source => 'puppet:///modules/commando/css',
 	    require => File[$docroot],
 	  }
+		# Static JS
+		file { "$docroot/js":
+	    ensure => directory,
+	    recurse => true,
+	    source => 'puppet:///modules/commando/js',
+	    require => File[$docroot],
+	  }

 		# Dynamic theme file
 		file { "$docroot/css/$theme":
--- a/modules/vulnerabilities/unix/webapp/commando/templates/home.php.erb
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/home.php.erb
@@ -19,6 +19,10 @@ and can be found at: https://getbootstrap.com/docs/4.0/getting-started/introduct
          <div class="col-6"><p id="basket">Basket(0)</p></div>
    </div>

+      <%# Just says nothing is in stock (TODO: basket functionality) %>
+      <?php if($_GET["submit"] === "Add") echo '<div class="error_msg">Sorry, not in stock.</div>';
+      ?>
+
  		<% @search.each { |search| -%>
  			<%= search %>
  		<%} -%>
@@ -28,9 +32,9 @@ and can be found at: https://getbootstrap.com/docs/4.0/getting-started/introduct
    <%# This is taken from: https://getbootstrap.com/docs/4.0/getting-started/introduction/%>
    <!-- Optional JavaScript -->
    <!-- jQuery first, then Popper.js, then Bootstrap JS -->
-    <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
-    <script src="bootstrap.4.3.1.min.js"></script>
+    <script src="js/jquery-3.3.1.slim.min.js"></script>
+    <script src="js/popper.min.js"></script>
+    <script src="css/bootstrap.4.3.1.min.js"></script>

 </body>

--- a/modules/vulnerabilities/unix/webapp/commando/templates/subtemplates/header.html.erb
+++ b/modules/vulnerabilities/unix/webapp/commando/templates/subtemplates/header.html.erb
@@ -8,7 +8,7 @@
  <%# The selected theme %>
  <link rel="stylesheet" type="text/css" href="css/<%= @theme %>">
  <%# bootstrap remote css files, this is taken from: https://getbootstrap.com/docs/4.0/getting-started/download/ %>
-  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
+  <link rel="stylesheet" href="css/bootstrap.4.3.1.min.css">
  <%# css files for indiviual files referencing, found under css directory %>
  <link rel="stylesheet" type="text/css" href="css/index.css">
  <link rel="stylesheet" type="text/css" href="css/user.css">
--- a/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/default_scenario.xml
+++ b/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/default_scenario.xml
@@ -18,6 +18,7 @@

    <input into_datastore="IP_addresses">
      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
    </input>

  <vulnerability module_path=".*commando">
@@ -87,7 +88,7 @@

    <network type="private_network">
        <input into="IP_address">
-          <value>172.10.0.3</value>
+          <datastore access="next">IP_addresses</datastore>
        </input>
    </network>
  </system>
--- a/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/easy_difficulty.xml
+++ b/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/easy_difficulty.xml
@@ -18,6 +18,7 @@

    <input into_datastore="IP_addresses">
      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
    </input>

  <vulnerability module_path=".*commando">
@@ -93,7 +94,7 @@

    <network type="private_network">
        <input into="IP_address">
-          <value>172.10.0.3</value>
+          <datastore access="next">IP_addresses</datastore>
        </input>
    </network>
  </system>
--- a/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/hard_difficulty.xml
+++ b/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/hard_difficulty.xml
@@ -18,6 +18,7 @@

    <input into_datastore="IP_addresses">
      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
    </input>

  <vulnerability module_path=".*commando">
@@ -92,7 +93,7 @@

    <network type="private_network">
        <input into="IP_address">
-          <value>172.10.0.3</value>
+          <datastore access="next">IP_addresses</datastore>
        </input>
    </network>
  </system>
--- a/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/impossible_difficulty.xml
+++ b/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/impossible_difficulty.xml
@@ -18,6 +18,7 @@

    <input into_datastore="IP_addresses">
      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
    </input>

  <vulnerability module_path=".*commando">
@@ -101,7 +102,7 @@

    <network type="private_network">
        <input into="IP_address">
-          <value>172.10.0.3</value>
+          <datastore access="next">IP_addresses</datastore>
        </input>
    </network>
  </system>
--- a/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/medium_difficulty.xml
+++ b/scenarios/examples/vulnerability_examples/insecure_web_applications/commando/medium_difficulty.xml
@@ -18,6 +18,7 @@

    <input into_datastore="IP_addresses">
      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
    </input>

  <vulnerability module_path=".*commando">
@@ -93,7 +94,7 @@

    <network type="private_network">
        <input into="IP_address">
-          <value>172.10.0.3</value>
+          <datastore access="next">IP_addresses</datastore>
        </input>
    </network>
  </system>
--- a/scenarios/security_audit/rand_webapp.xml
+++ b/scenarios/security_audit/rand_webapp.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <name>Vulnerable webapp</name>
+  <author>Joshua Hickling</author>
+  <description>A web server with a (randomly) vulnerable webapp</description>
+
+  <type>ctf</type>
+  <type>attack-ctf</type>
+  <difficulty>easy</difficulty>
+
+  <system>
+    <system_name>web_server</system_name>
+    <base type="server" distro="Debian 9"/>
+
+    <input into_datastore="IP_addresses">
+      <value>172.10.0.2</value>
+      <value>172.10.0.3</value>
+    </input>
+
+    <vulnerability module_path=".*commando">
+
+      <input into_datastore="customer_feedback_table_headings">
+        <generator module_path=".*customer_feedback_table_headings" />
+      </input>
+
+      <input into_datastore="product_table_headings">
+        <generator module_path=".*product_table_headings" />
+      </input>
+
+      <input into="database">
+        <generator module_path=".*sql_table_setup">
+          <input into="customer_feedback_table_headings">
+            <datastore>customer_feedback_table_headings</datastore>
+          </input>
+          <input into="product_table_headings">
+            <datastore>product_table_headings</datastore>
+          </input>
+          <input into="field_to_leak">
+            <generator type="flag_generator" />
+          </input>
+        </generator>
+      </input>
+
+      <input into="sqli">
+        <generator module_path=".*sqli_template">
+          <input into="difficulty">
+            <value>easy</value>
+          </input>
+          <input into="table_headings">
+            <datastore>customer_feedback_table_headings</datastore>
+          </input>
+        </generator>
+      </input>
+
+      <input into="search">
+        <generator module_path=".*xss_search_template">
+          <input into="difficulty">
+            <value>easy</value>
+          </input>
+          <input into="blacklist">
+            <generator module_path=".*xss_blacklist" />
+          </input>
+          <input into="table_headings">
+            <datastore>product_table_headings</datastore>
+          </input>
+          <input into="strings_to_leak">
+            <generator type="flag_generator" />
+          </input>
+        </generator>
+      </input>
+
+    </vulnerability>
+
+  	<network type="private_network">
+        <input into="IP_address">
+          <datastore access="next">IP_addresses</datastore>
+        </input>
+  	</network>
+
+    <build type="cleanup">
+      <input into="root_password">
+        <generator type="strong_password_generator" />
+      </input>
+    </build>
+  </system>
+
+  <system>
+    <system_name>kali</system_name>
+    <base distro="Kali" name="MSF"/>
+
+    <utility module_path=".*/kali_web"/>
+		<utility module_path=".*/metasploit_framework"/>
+		<utility module_path=".*/handy_cli_tools"/>
+		<utility module_path=".*/nmap"/>
+
+    <network type="private_network">
+        <input into="IP_address">
+          <datastore access="next">IP_addresses</datastore>
+        </input>
+    </network>
+  </system>
+</scenario>