Commando a bunch of modules for generating a randomised vulnerable web app with randomised table names, XSS, SQLi, etc.

Co-Authored-By: Josh1438 <Josh1438@Josh1438>

lib/helpers/constants.rb

@@ -46,6 +46,9 @@ BLACKLISTED_WORDS_FILE = "#{ROOT_DIR}/lib/resources/blacklisted_words/blacklist.
 IMAGES_DIR = "#{ROOT_DIR}/lib/resources/images"
 ASCII_ART_DIR = "#{ROOT_DIR}/lib/resources/ascii_art"
 PASSWORDLISTS_DIR = "#{ROOT_DIR}/lib/resources/passwordlists"
+WS_ATTACK_DIR = "#{ROOT_DIR}/lib/resources/ws_attacks"
+STYLING_DIR = "#{ROOT_DIR}/lib/resources/website_styling"
+SAMP_DBS_DIR = "#{ROOT_DIR}/lib/resources/sample_databases"
 
 # Path to build puppet modules
 STDLIB_PUPPET_DIR = "#{MODULES_DIR}build/puppet/stdlib"

lib/resources/wordlists/admin_name

@@ -0,0 +1,12 @@
+Admin
+admin
+Administrator
+administrator
+Sudo
+sudo
+Superuser
+superuser
+Su
+su
+Root
+root

lib/resources/wordlists/customer_feedback_table_records_list

@@ -0,0 +1,12 @@
+(1,'Joshua', 'josh@josh.com', '07928372635', 'Had a very positive experience with this service! 5 Stars! How do they do it?',''),
+(2,'John', 'john@josh.com', '07928372639', 'Very useful!',''),
+(3,'Martin', 'martin@josh.com', '07928372634', 'Good service, never had a problem',''),
+(4,'Claire', 'Claire@josh.com', '09237216382','Would Recommend to a friend',''),
+(5,'Charlotte', 'charlotte@josh.com', '092163734843', 'How did I live before this service!',''),
+(6,'Ella', 'ella@josh.com', '09321472342', 'Very useful service, how they do it ill never know!',''),
+(7,'Reece', 'reece@josh.com','8273872342','Wonderful!',''),
+(8,'Ryan', 'ryan@josh.com', '35246485832' , 'Terrible, wish Id have never bothered!',''),
+(9,'Janet', 'janet@josh.com', '223423423423', 'Horrible!',''),
+(10,'Barbara','Barbara@josh.com', '2342354673', 'Cant wait to use this service again!', ''),
+(11, 'Peter', 'Peter@josh.com', '2345457585', 'Brilliant service', ''),
+(12, 'Max', 'Max@josh.com', '45778956456', 'Remind me what it is you guys actually do again?',''),

lib/resources/wordlists/default_admin_passwords

@@ -0,0 +1,4 @@
+admin
+password
+password1
+password123

lib/resources/wordlists/sql_product_table_records_list

@@ -0,0 +1,49 @@
+(1,'Keyboard', '20', 'images/computer_stuff/computer10'),
+(2,'Mouse', '30', 'images/computer_stuff/computer4'),
+(3,'Macbook', '1590', 'images/computer_stuff/computer1'),
+(4,'Macbook Pro', '2756', 'images/computer_stuff/computer2'),
+(5,'Ergo Mouse', '200', 'images/computer_stuff/computer3'),
+(6,'Games Mouse', '190', 'images/computer_stuff/computer5'),
+(7,'Keyboard white', '200', 'images/computer_stuff/computer6'),
+(8,'iMac', '3000', 'images/computer_stuff/computer7'),
+(9,'Shiny Keyboard', '1590', 'images/computer_stuff/computer9'),
+(10,'Audi TT','15000','images/cars/car1'),
+(11,'Mercedes','16000','images/cars/car2'),
+(12,'BMW','9000','images/cars/car3'),
+(13,'Mercedes AMG','7000','images/cars/car4'),
+(14,'Lamborghini','4999','images/cars/car5'),
+(15,'Red Ferrari','5000','images/cars/car6'),
+(16,'Yellow Ferrari','7894','images/cars/car7'),
+(17,'Audi','6547','images/cars/car8'),
+(18,'Range Rover','10000','images/cars/car9'),
+(19,'Toyota','94000','images/cars/car10'),
+(20,'White Cat','500','images/cats/cat2'),
+(21,'Gold Cat','600','images/cats/cat3'),
+(22,'Lazy Cat','700','images/cats/cat4'),
+(23,'Grey Cat','800','images/cats/cat5'),
+(24,'Confused Cat','855','images/cats/cat6'),
+(25,'Cat','567','images/cats/cat7'),
+(26,'V.White Cat','999','images/cats/cat8'),
+(27,'Tiny Cat','677','images/cats/cat9'),
+(28,'Wonkey Cat','457','images/cats/cat10'),
+(29,'Cat Bunch','900','images/cats/cats1'),
+(30,'Light Pug','4000','images/dogs/dog1'),
+(31,'Puppy','4503','images/dogs/dog2'),
+(32,'Spaniel','3875','images/dogs/dog3'),
+(33,'Black Pug','5345','images/dogs/dog4'),
+(34,'Fluffy Dog','3433','images/dogs/dog5'),
+(35,'Happy Dog','5367','images/dogs/dog6'),
+(36,'Beagle','2000','images/dogs/dog7'),
+(37,'Labrador','4567','images/dogs/dog8'),
+(38,'Two Pups','10000','images/dogs/dog9'),
+(39,'Curious Dog','3456','images/dogs/dog10'),
+(40,'Hammer Set','49','images/tools/tool1'),
+(41,'Wrenches','40','images/tools/tool2'),
+(42,'Tool Set','60','images/tools/tool3'),
+(43,'Silver Wrench','30','images/tools/tool4'),
+(44,'Hammer/Plyer','55','images/tools/tool5'),
+(45,'Screws','4.99','images/tools/tool6'),
+(46,'Plyers','23.99','images/tools/tool7'),
+(47,'Drill bits','56.90','images/tools/tool8'),
+(48,'Socket Wrenches','230','images/tools/tool9'),
+(49,'Black Wrench','300','images/tools/tool10'),

lib/resources/wordlists/xss_blacklist

@@ -0,0 +1,22 @@
+script
+SCRIPT
+ScRiPt
+sCrIpT
+confirm
+xss
+123
+alert
+SRC
+javascript
+IMG
+img
+ImG
+iMg
+prompt
+svg
+onload
+body
+BODY
+bOdY
+BoDy
+onerror

lib/resources/ws_attacks/sqli/search/sql.php

@@ -0,0 +1,39 @@
+
+<h2 class="section-heading theme">Search</h2>
+<hr class="mb-4">
+
+<?php
+if(!isset($_SESSION['paramater'])){
+	$paramater=array("search","lookup","lookingfor", "searched");
+	$pickparam=array_rand($paramater);
+	$selectedparam=$paramater[$pickparam];
+	$_SESSION['paramater'] = $selectedparam;
+}else {
+	$selectedparam = $_SESSION['paramater'];
+}
+
+echo '<p class="text-faded theme">Search our site to find what you are looking for:</p>';
+//form taken from https://www.w3schools.com/php/php_forms.asp and ammended (first form on the page)
+echo '<form  method="POST" action="'.$_SERVER["SCRIPT_NAME"].'" id="searchform" class="theme">';
+echo '<input  type="text" name="'.$selectedparam.'">';
+echo '<input  type="submit" name="submit" value="Search"></form> ';
+
+if(isset($_POST['submit'])){
+  	$search=htmlspecialchars($_POST[$selectedparam]);
+	$statement="SELECT * FROM Products WHERE name LIKE '%" .$search ."%'";
+	$result=mysqli_query($conn2, $statement);
+	while ($row=mysqli_fetch_assoc($result)){
+		?>
+		<div class="product_holder">
+			<img src="<?php echo $row['img'];?>.jpg" height="128px" width="128px" />
+			<div class="txt_holder">
+				<?php echo $row['name'];?>
+			</div>
+		</div>
+		<?php
+	}
+}
+?>
+<br>
+<br>
+<br>

lib/resources/ws_attacks/sqli/search/sql2.php

@@ -0,0 +1,34 @@
+<?php
+	if(!isset($_SESSION['paramatersql2'])){
+		$paramater=array("search","lookup","lookingfor", "searched");
+		$pickparam=array_rand($paramater);
+		$selectedparamsql2=$paramater[$pickparam];
+		$_SESSION['paramatersql2'] = $selectedparamsql2;
+	}else {
+		$selectedparamsql2 = $_SESSION['paramatersql2'];
+	}
+
+?>
+<p class="text-faded theme">Search our products and services:</p>
+<?php
+	//form taken from https://www.w3schools.com/php/php_forms.asp and ammended (first form on the page)
+	echo '<form  method="POST" action="'.$_SERVER["SCRIPT_NAME"].'" id="searchform">';
+	echo '<input  type="text" name="'.$selectedparamsql2.'">';
+	echo '<input  type="submit" name="submit" value="Search"></form>';
+
+	if(isset($_POST['submit'])){
+	  	$search=htmlspecialchars($_POST[$selectedparamsql2]);
+		$statement="SELECT * FROM Products WHERE name LIKE '%" .$search ."%'";
+		$result=mysqli_query($conn2, $statement);
+		while ($row=mysqli_fetch_assoc($result)){
+			?>
+			<div class="product_holder">
+				<img src="<?php echo $row['img'];?>.jpg" height="128px" width="128px" />
+				<div class="txt_holder">
+					<?php echo $row['name'];?>
+				</div>
+			</div>
+			<?php
+		}
+	}
+?>

lib/resources/ws_attacks/sqli/search/sqliGET.php

@@ -0,0 +1,34 @@
+<p class="text-faded theme">Search our site:</p>
+
+<?php
+
+	if(!isset($_SESSION['paramater1sqlget'])){
+		$paramater1=array("search","lookup","lookingfor", "searched");
+		$pickparam1=array_rand($paramater1);
+		$selectedparam1sqlget=$paramater1[$pickparam1];
+		$_SESSION['paramater1sqlget'] = $selectedparam1sqlget;
+	}else {
+		$selectedparam1sqlget = $_SESSION['paramater1sqlget'];
+	}
+
+	//form taken from https://www.w3schools.com/php/php_forms.asp and ammended (first form on the page)
+	echo '<form  method="GET" action="'.$_SERVER["SCRIPT_NAME"].'" class="text-faded theme" id="searchform">';
+	echo '<input  type="text" name="'.$selectedparam1sqlget.'">';
+	echo '<input  type="submit" name="submit" value="Search"></form> ';
+
+	if(isset($_GET['submit'])){
+	  $search=htmlspecialchars($_GET[$selectedparam1sqlget]);
+	  $statement="SELECT * FROM Products WHERE name LIKE '%" .$search ."%'";
+	  $result=mysqli_query($conn2, $statement);
+	  while ($row=mysqli_fetch_assoc($result)){
+			?>
+			<div class="product_holder">
+				<img src="<?php echo $row['img'];?>.jpg" height="128px" width="128px" />
+				<div class="txt_holder">
+					<?php echo $row['name'];?>
+				</div>
+			</div>
+			<?php
+	  }
+	}
+?>

lib/resources/ws_attacks/sqli/vectors/vector_1

@@ -0,0 +1,10 @@
+<!--Taken from lauras code and edited-->
+<div class="col-12" id="review-form">
+  <?php echo '<form  method="POST" action="'.$_SERVER['SCRIPT_NAME'].'">'; ?>
+    <input  type="text" name="name" maxlength="15" placeholder="Name">
+    <input  type="text" name="number" size="30" placeholder="Phone Number" id="right-box"> <br><br>
+    <input  type="text" name="email" size="55" placeholder="Email"> <br><br>
+    <input  type="text" name="question" size="55" placeholder="Please enter your question!"> <br><br>
+    <input  type="submit" name="go" value="Submit" id="submit-button">
+  </form>
+</div>

lib/resources/ws_attacks/sqli/vectors/vector_2

@@ -0,0 +1,8 @@
+<!--Taken from lauras code and edited-->
+<div class="row" id="review-form">
+  <?php echo '<form  method="GET" action="'.$_SERVER['SCRIPT_NAME'].'">'; ?>
+    <input  type="text" name="name" size="20" placeholder="Company"><br><br>
+    <input  type="text" name="question" size="40" placeholder="Please enter your review!"><br><br>
+    <input  type="submit" name="go" value="Submit" id="submit-button">
+  </form>
+</div>

lib/resources/ws_attacks/sqli/vulnerabilities/easy/vuln_1

@@ -0,0 +1,4 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars($_POST['email']);
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/easy/vuln_2

@@ -0,0 +1,4 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email']));
+$mobile=htmlspecialchars($_POST['mobile']);
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/easy/vuln_3

@@ -0,0 +1,4 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email']));
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=htmlspecialchars($_POST['question']);

lib/resources/ws_attacks/sqli/vulnerabilities/easy/vuln_4

@@ -0,0 +1,2 @@
+$name= htmlspecialchars($_GET['name']);
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/easy/vuln_5

@@ -0,0 +1,2 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['name']));
+$question=htmlspecialchars($_GET['question']);

lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_1

@@ -0,0 +1,8 @@
+$badAgents = array('sqlmap');
+if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
+    exit();
+}else{
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=str_replace("'", "''", htmlspecialchars($_POST['email']));
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_2

@@ -0,0 +1,10 @@
+//sqlmap block from https://stackoverflow.com/questions/1357983/how-to-block-some-of-http-user-agent-using-php
+$badAgents = array('sqlmap');
+if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
+    exit();
+}else{
+  $blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+  $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+  $email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST2']));
+  $mobile=str_replace($blacklist, " ", htmlspecialchars($_POST['mobile']));
+  $question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_3

@@ -0,0 +1,9 @@
+$badAgents = array('sqlmap');
+if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
+    exit();
+}else{
+  $blacklist = array("'", "SELECT", "FROM", "DROP", "TABLE", 'SLEEP');
+    $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+    $email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email]));
+    $mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+    $question=str_replace($blacklist, "", htmlspecialchars($_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_4

@@ -0,0 +1,7 @@
+$badAgents = array('sqlmap');
+if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
+    exit();
+}else{
+    $blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+      $name=str_replace($blacklist, " ", htmlspecialchars($_GET['name']));
+      $question=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET[$question]));

lib/resources/ws_attacks/sqli/vulnerabilities/hard/vuln_5

@@ -0,0 +1,7 @@
+$badAgents = array('sqlmap');
+if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) {
+    exit();
+}else{
+   $blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+      $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['name']));
+      $question=str_replace($blacklist, " ", htmlspecialchars($_GET['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/impossible/vuln_1

@@ -0,0 +1,4 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email']));
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/impossible/vuln_2

@@ -0,0 +1,2 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['name']));
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/medium/vuln_1

@@ -0,0 +1,4 @@
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=str_replace("'", "''", $_POST['email']);
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/medium/vuln_2

@@ -0,0 +1,5 @@
+$blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email']));
+$mobile=str_replace($blacklist, " ", $_POST['mobile']);
+$question=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['question']));

lib/resources/ws_attacks/sqli/vulnerabilities/medium/vuln_3

@@ -0,0 +1,5 @@
+$blacklist = array("'", "SELECT", "FROM", "DROP", "TABLE", 'SLEEP');
+$name=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['name']));
+$email=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['email']));
+$mobile=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['mobile']));
+$question=str_replace($blacklist, "", $_POST['question']);

lib/resources/ws_attacks/sqli/vulnerabilities/medium/vuln_4

@@ -0,0 +1,3 @@
+$blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+  $name=htmlspecialchars(mysqli_real_escape_string($conn2, $_GET['name']));
+  $question=str_replace($blacklist, " ", $_GET['question']);

lib/resources/ws_attacks/sqli/vulnerabilities/medium/vuln_5

@@ -0,0 +1,3 @@
+$blacklist = array('SELECT', 'UNION', 'FROM', 'DROP', 'SLEEP', 'TABLE');
+  $name=str_replace($blacklist, " ", $_GET['name']);
+  $question=filter_var($_GET['question'], FILTER_SANITIZE_ENCODED);

lib/resources/ws_attacks/xss_stored/vectors/vector_1

@@ -0,0 +1,5 @@
+<!--form taken from https://www.w3schools.com/php/php_forms.asp and ammended (first form on the page)-->
+              <?php echo '<form  method="POST" action="'.$_SERVER['SCRIPT_NAME'].'">'; ?>
+              <input type="text" name="search">
+              <input type="submit" name="submit" value="Search"></form>
+              <?php

modules/generators/content/css_theme/secgen_local/local.rb

@@ -0,0 +1,21 @@
+#!/usr/bin/ruby
+require_relative '../../../../../lib/objects/local_string_encoder.rb'
+require 'faker'
+
+class CSSFileSelector < StringEncoder
+
+  def initialize
+    super
+    self.module_name = 'CSS File Selector'
+  end
+
+  # This utilises from the Website_theme generator
+  def encode_all
+    # TODO: FIXME: shouldn't be reading from this module directory directly
+    filenames = Dir.entries("#{ROOT_DIR}/modules/vulnerabilities/unix/webapp/commando/files/css_themes/").reject {|f| File.directory?(f) || f[0].include?('.')}
+    self.outputs << filenames.sample
+  end
+
+end
+
+CSSFileSelector.new.run

modules/generators/content/css_theme/secgen_metadata.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>CSS File Selector Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>CSS file selector for the commando module.</description>
+
+  <type>css_file</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>string</output_type>
+
+</generator>

modules/generators/content/database/customer_feedback_table_headings/secgen_local/local.rb

@@ -0,0 +1,29 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_generator.rb'
+class QuestionTableGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'Question table name'
+  end
+
+  def generate
+
+    table_name = ['question','review', 'customer_review']
+    selected_table_name = table_name.sample
+
+    name_column = ['name','firstname', 'companyname', 'names', 'fullname']
+    selected_name_heading = name_column.sample
+
+    mobile_column = ['mobile','phone', 'phonenumber', 'landline']
+    selected_mobile_heading = mobile_column.sample
+
+    email_column = ['email_address','contact_email', 'email']
+    selected_email_heading = email_column.sample
+
+    output = selected_table_name + "," + selected_name_heading + "," + selected_mobile_heading + "," + selected_email_heading
+
+    self.outputs << output
+  end
+end
+
+QuestionTableGenerator.new.run

modules/generators/content/database/customer_feedback_table_headings/secgen_metadata.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Customer feedback table headings Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a set of 4 headings for a customer feedback table in SQL</description>
+
+  <type>SQL_table_headings</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>generated_headings</output_type>
+</generator>

modules/generators/content/database/product_table_headings/secgen_local/local.rb

@@ -0,0 +1,28 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_generator.rb'
+class ProductTableHeadingsGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'product table headings'
+  end
+
+  def generate
+    table_name = ['Product','product', 'Products', 'products', 'merchandise', 'stock']
+    selected_table_name = table_name.sample
+
+    product_name_column = ['product_title','name', 'product', 'item', 'stock_name']
+    selected_product_name_heading = product_name_column.sample
+
+    price_column = ['price', 'charge', 'rrp', 'cost']
+    selected_price_heading = price_column.sample
+
+    image_column = ['image', 'img', 'thumbnail', 'product_image', 'product_img', 'pic', 'picture']
+    selected_image_heading = image_column.sample
+
+    output = selected_table_name + "," + selected_product_name_heading + "," + selected_price_heading + "," + selected_image_heading
+
+    self.outputs << output
+  end
+end
+
+ProductTableHeadingsGenerator.new.run

modules/generators/content/database/product_table_headings/secgen_metadata.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Product Table Heading Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a set of 4 headings for a product table in SQL</description>
+
+  <type>SQL_table_headings</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>generated_headings</output_type>
+</generator>

modules/generators/content/database/sql_table_setup/secgen_local/local.rb

@@ -0,0 +1,154 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_encoder.rb'
+class TableCreateGenerator < StringEncoder
+  attr_accessor :customer_feedback_table_headings
+  attr_accessor :product_table_headings
+  attr_accessor :field_to_leak
+
+  def initialize
+    super
+    self.module_name = 'SQL table setup template generator'
+    self.customer_feedback_table_headings = ''
+    self.product_table_headings = ''
+    self.field_to_leak = ''
+  end
+
+  def encode_all
+
+    product_headings = "#{self.product_table_headings}".split(',')
+
+    $i = 0
+    $num = 6
+    last_record = false
+    product_table_records = []
+
+    records_file = File.readlines("#{WORDLISTS_DIR}/sql_product_table_records_list")
+
+    while $i < $num  do
+
+       selected_item = records_file.sample
+
+       if $i == ($num - 1)
+         last_record = true
+       end
+
+       if $i > 0
+         if product_table_records.include?(selected_item) == true
+           until product_table_records.include?(selected_item) == false
+             selected_item = records_file.sample
+           end
+         end
+      end
+
+      if last_record == false
+        product_table_records[$i] = selected_item
+      elsif
+        product_table_records[$i] = selected_item.slice(0..-3).insert(-1 ,';')
+      end
+
+       $i +=1
+
+    end
+
+    product_table =
+    "CREATE TABLE `#{product_headings[0]}` (
+      `id` int(6) NOT NULL AUTO_INCREMENT,
+      `#{product_headings[1]}` varchar(128) NOT NULL,
+      `#{product_headings[2]}` varchar(128) NOT NULL,
+      `#{product_headings[3]}` varchar(128) NOT NULL,
+      PRIMARY KEY (`id`)
+    ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;\n
+    INSERT INTO `#{product_headings[0]}` (id,#{product_headings[1]},#{product_headings[2]},#{product_headings[3]}) VALUES
+      #{product_table_records.join()}"
+
+    customer_feedback_headings = "#{self.customer_feedback_table_headings}".split(',')
+
+    $i = 0
+    $num = 3
+    last_record = false
+    customer_feedback_table_records = []
+
+    records_file = File.readlines("#{WORDLISTS_DIR}/customer_feedback_table_records_list")
+
+    while $i < $num  do
+       selected_item = records_file.sample
+
+       if $i == ($num - 1)
+         last_record = true
+       end
+
+       if $i > 0
+         if customer_feedback_table_records.include?(selected_item) == true
+           until customer_feedback_table_records.include?(selected_item) == false
+             selected_item = records_file.sample
+           end
+         end
+      end
+
+      if last_record == false
+        customer_feedback_table_records[$i] = selected_item
+      elsif
+        customer_feedback_table_records[$i] = selected_item.slice(0..-3).insert(-1 ,';')
+      end
+
+       $i +=1
+    end
+
+    feedback_table =
+    "CREATE TABLE `#{customer_feedback_headings[0]}` (
+        `ID` int(6) NOT NULL,
+        `#{customer_feedback_headings[1]}` varchar(100) NOT NULL,
+        `#{customer_feedback_headings[3]}` varchar(200) NOT NULL,
+        `#{customer_feedback_headings[2]}` varchar(100) NOT NULL,
+        `#{customer_feedback_headings[0]}` varchar(150) NOT NULL,
+        `secrets` varchar(200)
+      ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+      INSERT INTO `#{customer_feedback_headings[0]}` (`ID`,`#{customer_feedback_headings[1]}`, `#{customer_feedback_headings[3]}`, `#{customer_feedback_headings[2]}`, `#{customer_feedback_headings[0]}`,`secrets`) VALUES
+        (5,\' \',\' \',\' \',\' \','#{field_to_leak}'),
+        #{customer_feedback_table_records.join()}
+      ALTER TABLE `#{customer_feedback_headings[0]}`
+        ADD PRIMARY KEY (`ID`);
+
+      --
+      -- AUTO_INCREMENT for dumped tables
+      --
+
+      --
+      -- AUTO_INCREMENT for table `#{customer_feedback_headings[0]}`
+      --
+      ALTER TABLE `#{customer_feedback_headings[0]}`
+        MODIFY `ID` int(6) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=5;
+      COMMIT;"
+
+      snippet = product_table + "\n\n" + feedback_table
+
+    self.outputs << snippet
+  end
+
+  def get_options_array
+    super + [['--customer_feedback_table_headings', GetoptLong::REQUIRED_ARGUMENT],
+              ['--product_table_headings', GetoptLong::REQUIRED_ARGUMENT],
+              ['--field_to_leak', GetoptLong::REQUIRED_ARGUMENT]]
+  end
+
+  def process_options(opt, arg)
+    super
+    case opt
+    when '--customer_feedback_table_headings'
+        self.customer_feedback_table_headings << arg;
+    when '--product_table_headings'
+        self.product_table_headings << arg;
+    when '--field_to_leak'
+        self.field_to_leak << arg;
+    end
+  end
+
+
+  def encoding_print_string
+    'customer_feedback_table_headings: ' + self.customer_feedback_table_headings.to_s +
+    'product_table_headings: ' + self.product_table_headings.to_s +
+    'field_to_leak: ' + self.field_to_leak.to_s
+  end
+end
+TableCreateGenerator.new.run

modules/generators/content/database/sql_table_setup/secgen_metadata.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>SQL table structure template</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a table structure for a SQL database</description>
+
+  <type>sql_table_template</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <read_fact>customer_feedback_table_headings</read_fact>
+  <read_fact>product_table_headings</read_fact>
+  <read_fact>field_to_leak</read_fact>
+
+  <default_input into="customer_feedback_table_headings">
+    <generator module_path=".*customer_feedback_table_headings" />
+  </default_input>
+
+  <default_input into="product_table_headings">
+    <generator module_path=".*product_table_headings" />
+  </default_input>
+
+  <default_input into="field_to_leak">
+    <generator type="flag_generator" />
+  </default_input>
+
+  <output_type>table_structure</output_type>
+</generator>

modules/generators/content/database/users_table_name/secgen_local/local.rb

@@ -0,0 +1,19 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_generator.rb'
+class UserTableNameGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'product table headings'
+  end
+
+  def generate
+    table_name = ['user','User', 'users', 'Users', 'accounts', 'account', 'user_accounts', 'user_account']
+    selected_table_name = table_name.sample
+
+    output = selected_table_name
+
+    self.outputs << output
+  end
+end
+
+UserTableNameGenerator.new.run

modules/generators/content/database/users_table_name/secgen_metadata.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Users Table Name Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a name for a users table in a PHP web applicaiton</description>
+
+  <type>SQL_table_name</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>generated_table_name</output_type>
+</generator>

modules/generators/content/default_admin_username/secgen_local/local.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/ruby
+require_relative '../../../../../lib/objects/local_string_generator.rb'
+
+class AdminUsernameGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'Default Admin Username Generator'
+  end
+
+  def generate
+    creds = File.readlines("#{WORDLISTS_DIR}/admin_name")
+
+    self.outputs << creds.sample.chomp
+  end
+end
+
+AdminUsernameGenerator.new.run

modules/generators/content/default_admin_username/secgen_metadata.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Default Admin Username Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Selects a random username for an admin user</description>
+
+  <type>admin_username_generator</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>admin_generated_username</output_type>
+
+</generator>

modules/generators/html/vuln_snippets/sqli_template/secgen_local/local.rb

@@ -0,0 +1,177 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_encoder.rb'
+class SQLiTemplateGenerator < StringEncoder
+  attr_accessor :table_headings
+  attr_accessor :difficulty
+
+  def initialize
+    super
+    self.module_name = 'SQLi Snippet Generator'
+    self.table_headings = ''
+    self.difficulty = ''
+  end
+
+  def encode_all
+    #inputs: difficulty and database table headings
+    difficulty_input = "#{self.difficulty}"
+    headings = "#{self.table_headings}"
+
+    #Formatting: table headings for database
+    headings_array = headings.split(',')
+
+    #Query: input of table headings to differentiate queries, these are queries from lauras code but used as a template here
+    query_1 = "$statement= \"INSERT INTO " + headings_array[0] + " (" + headings + ") VALUES" + "('$question','$name', '$mobile', '$email')\";"
+    query_2 = "$statement= \"INSERT INTO " + headings_array[0] + " (" + headings_array[1] + "," + headings_array[0] + ") " + "VALUES ('$question', '$name')\";"
+
+    #input: Attack vector definition
+    attack_vector = ["#{WS_ATTACK_DIR}/sqli/vectors/vector_1", "#{WS_ATTACK_DIR}/sqli/vectors/vector_2"]
+
+    #Selection: attack vector choice to help select the vulnerability
+    choice = attack_vector.sample
+    vector = File.readlines(choice)
+    vector_template = vector.join('')
+
+    if difficulty_input.eql? ''
+      random = ['easy', 'medium', 'hard', 'impossible']
+      choice = random.sample
+    end
+
+    if difficulty_input.eql? 'hard'
+      hard_diff_insert = '}'
+    end
+
+    #NOTE: all vulnerability files are taken from lauras code and heavily edited
+    if difficulty_input.eql? 'easy' # sets query difficulty to easy
+      if choice.eql? "#{WS_ATTACK_DIR}/sqli/vectors/vector_1"
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/easy/vuln_1", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/easy/vuln_2", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/easy/vuln_3"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_1
+      else
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/easy/vuln_4", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/easy/vuln_5"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_2
+      end
+    elsif difficulty_input.eql? 'medium' # sets query difficulty to medium
+      if choice.eql? "#{WS_ATTACK_DIR}/sqli/vectors/vector_1"
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/medium/vuln_1", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/medium/vuln_2", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/medium/vuln_3"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_1
+      else
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/medium/vuln_4", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/medium/vuln_5"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_2
+      end
+    elsif difficulty_input.eql? 'hard' # sets query difficulty to hard
+      if choice.eql? "#{WS_ATTACK_DIR}/sqli/vectors/vector_1"
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/hard/vuln_1", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/hard/vuln_2", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/hard/vuln_3"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_1
+      else
+          vulnerable_inputs = ["#{WS_ATTACK_DIR}/sqli/vulnerabilities/hard/vuln_4", "#{WS_ATTACK_DIR}/sqli/vulnerabilities/hard/vuln_5"]
+
+          vulnerability = File.readlines(vulnerable_inputs.sample)
+          vuln_template = vulnerability.join('')
+
+          query = query_2
+      end
+    elsif difficulty_input.eql? 'impossible' # sets query difficulty to impossible
+      if choice.eql? "#{WS_ATTACK_DIR}/sqli/vectors/vector_1"
+
+          vulnerability = File.readlines("#{WS_ATTACK_DIR}/sqli/vulnerabilities/impossible/vuln_1")
+          vuln_template = vulnerability.join('')
+
+          query = query_1
+      else
+
+          vulnerability = File.readlines("#{WS_ATTACK_DIR}/sqli/vulnerabilities/impossible/vuln_2")
+          vuln_template = vulnerability.join('')
+
+          query = query_2
+      end
+    end
+
+    if query.eql? query_1
+      heading_name = "Question"
+      method = "POST"
+    else
+      heading_name = "Review"
+      method="GET"
+    end
+
+    # output is new code, lauras is discarded at this point
+    # output concatenation
+    submit="
+        if(mysqli_query($conn2, $statement)){
+             ?><div class=\"col-12\"id=\"sucess\">Thank you <?php echo $name;?> for your #{heading_name}!</div><?php
+         }
+     }
+     #{hard_diff_insert}
+     ?>"
+
+    heading = "<div class=\"row\"><h3>Please leave us a #{heading_name}!</h3></div>\n"
+
+    query_concat = "<?php\nif(isset($_#{method}['go'])){ \n" + vuln_template + query + "\n" + submit
+
+    submit_output = "
+    <div class=\"row\">
+        <h3>Other reviews</h3><br />
+          <?php
+          	$statement2=\"SELECT * FROM #{headings_array[0]}\";
+          	$result=mysqli_query($conn2, $statement2);
+          	while ($row=mysqli_fetch_assoc($result)){
+              ?>
+              <div class=\"other-review\">
+                <p><?php echo $row['#{headings_array[0]}']; ?>
+                <div id=\"left-by\">Left by <?php echo $row['#{headings_array[1]}']; ?></div>
+              </p>
+            </div>
+              <?php
+          	}
+          ?>
+    </div>"
+
+    #concatenation of all selected sections of file read for output
+    snippet = heading + vector_template + "\n" + query_concat + "\n" + submit_output
+
+    #output of the generator
+    self.outputs << snippet
+  end
+
+  def get_options_array
+    super + [['--table_headings', GetoptLong::REQUIRED_ARGUMENT],
+             ['--difficulty', GetoptLong::REQUIRED_ARGUMENT]]
+  end
+
+  def process_options(opt, arg)
+    super
+    case opt
+    when '--difficulty'
+        self.difficulty << arg;
+    when '--table_headings'
+        self.table_headings << arg;
+    end
+  end
+
+
+  def encoding_print_string
+    'difficulty: ' + self.difficulty.to_s + print_string_padding +
+    'table_headings: ' + self.table_headings.to_s
+  end
+end
+
+SQLiTemplateGenerator.new.run

modules/generators/html/vuln_snippets/sqli_template/secgen_metadata.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+
+  <name>SQLi Vulnerability Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a php template with a vector that is vulnerable to SQL injection attacks</description>
+
+  <type>web_application_vulnerability</type>
+  <type>sqli</type>
+  <type>form_vulnerability</type>
+  <platform>unix</platform>
+
+  <read_fact>table_headings</read_fact>
+  <read_fact>difficulty</read_fact>
+
+  <default_input into="table_headings">
+    <generator module_path=".*question_table" />
+  </default_input>
+
+  <output_type>generated_attack_template</output_type>
+</generator>

modules/generators/html/vuln_snippets/xss_blacklist/secgen_local/local.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_generator.rb'
+
+class XSSBlacklistGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'XSS blacklist Generator'
+  end
+
+  def generate
+    # 53,721,360 different possibilities
+
+    blacklist_file = File.readlines("#{WORDLISTS_DIR}/xss_blacklist")
+
+    blacklist = []
+    $i = 0
+    $num = 6
+
+    while $i < $num  do
+       blacklist[$i] = blacklist_file.sample
+       $i +=1
+    end
+
+    if blacklist[1] == blacklist[0]
+      blacklist[1] = blacklist_file.sample
+    end
+
+    until blacklist[2] != blacklist[0] && blacklist[2] != blacklist[1] do
+      blacklist[2] = blacklist_file.sample
+    end
+
+    until blacklist[3] != blacklist[0] && blacklist[3] != blacklist[1] && blacklist[3] != blacklist[2] do
+      blacklist[3] = blacklist_file.sample
+    end
+
+    until blacklist[4] != blacklist[0] && blacklist[4] != blacklist[1] && blacklist[4] != blacklist[2] && blacklist[4] != blacklist[3] do
+      blacklist[4] = blacklist_file.sample
+    end
+
+    until blacklist[5] != blacklist[0] && blacklist[5] != blacklist[1] && blacklist[5] != blacklist[2] && blacklist[5] != blacklist[3] && blacklist[5] != blacklist[4] do
+      blacklist[5] = blacklist_file.sample
+    end
+
+    blacklist_o = blacklist[0].rstrip() + ',' + blacklist[1].rstrip() + ',' +  blacklist[2].rstrip() + ',' +  blacklist[3].rstrip() + ',' +  blacklist[4].rstrip() + ',' +  blacklist[5].rstrip()
+
+    self.outputs << blacklist_o
+  end
+end
+
+XSSBlacklistGenerator.new.run

modules/generators/html/vuln_snippets/xss_blacklist/secgen_metadata.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Blacklist Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates an array to be used as blacklist for increased difficulty within a XSS attack</description>
+
+  <type>html_blacklist</type>
+  <platform>unix</platform>
+
+  <output_type>html_blacklist</output_type>
+</generator>

modules/generators/html/vuln_snippets/xss_search_template/secgen_local/local.rb

@@ -0,0 +1,182 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_encoder.rb'
+class XSSsearchTemplateGenerator < StringEncoder
+  attr_accessor :table_headings # 840 possibilities
+  attr_accessor :difficulty # 4 possibilities
+  attr_accessor :strings_to_leak
+  attr_accessor :blacklist # 53,721,360 possibilities at 6 blacklist slots and 9,240 at 3
+
+  # total possibilities around 1.6 Billion I think
+
+  def initialize
+    super
+    self.module_name = 'XSS search Snippet Generator'
+    self.table_headings = ''
+    self.difficulty = ''
+    self.strings_to_leak = ''
+    self.blacklist = ''
+  end
+
+  def encode_all
+
+    # uses html snippet generator as a base
+    # headings input requried for generation, each heading split by a comma
+    headings = "#{self.table_headings}"
+    headings_array = headings.split(',')
+
+    # used for headings, table name and column headings
+    table_name = headings_array[0]
+    # email heading
+    name = headings_array[1]
+    # price heading
+    price = headings_array[2]
+    #image headings
+    img = headings_array[3]
+
+    blacklist = "#{self.blacklist}"
+    blacklist_array = blacklist.split(',')
+
+    blacklist_insert = "\'" + blacklist_array[0] + "\',\'" + blacklist_array[1] + "\',\'" + blacklist_array[2] + "\',\'" + blacklist_array[3] + "\',\'" + blacklist_array[4] + "\',\'" + blacklist_array[5] + "\'"
+
+    medium_blacklist_insert = "\'" + blacklist_array[0] + "\',\'" + blacklist_array[1] + "\',\'" + blacklist_array[2] + "\'"
+
+    # The snippets of code below are taken from lauras code and edited slightly
+    flag_statement = "if(in_array($search, $payloads)){
+                        ?>
+                        <div id=\"sucess\">
+                          #{strings_to_leak}
+                        </div>
+                        <?php
+                    }
+                  }"
+
+    payloads = ["<script>confirm(1)</script>", "<script>confirm(123)</script>", "<script>confirm('xss')</script>", "<IMG SRC=javascript:alert('XSS')>", "<IMG SRC=javascript:confirm(1)>", "<SCRIPT>confirm(1)</SCRIPT>", "<SCRIPT>confirm(123)</SCRIPT>", "<SCRIPT>confirm('XSS')</SCRIPT>", "<SCRIPT>confirm('xss')</SCRIPT>", "<svg onload=confirm(1)>", "<script>prompt(1)</script>", "<script>prompt(123)</script>", "<script>prompt('xss')</script>", "<SCRIPT>prompt(123)</SCRIPT>", "<SCRIPT>prompt('XSS')</SCRIPT>", "<SCRIPT>prompt('xss')</SCRIPT>", "<BODY ONLOAD=prompt('hellox worldss')>", "<img src=x onerror=prompt(123)>", "<body onload=prompt('hellox worldss')>", "<IMG SRC=x onerror=prompt(123)>"]
+
+    vector_input = File.readlines("#{WS_ATTACK_DIR}/xss_stored/vectors/vector_1")
+    vector = vector_input.join('')
+
+    if difficulty.eql? 'easy'
+
+        query ="if(isset($_POST['submit'])){
+              	$search=mysqli_real_escape_string($conn2, $_POST['search']);
+                $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
+
+    elsif difficulty.eql? 'medium'
+
+      query = "if(isset($_POST['submit'])){
+            	  $blacklist = array(#{medium_blacklist_insert});
+              	$search=str_replace($blacklist, \"\", $_POST['search']);
+                $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
+
+    elsif difficulty.eql? 'hard'
+
+      query = "if(isset($_POST['submit'])){
+      	  $blacklist = array(#{blacklist_insert});
+        	$search=str_replace($blacklist, \"\", $_POST['search']);
+          $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
+
+    else
+
+      query = "if(isset($_POST['submit'])){
+              	$search=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['search']));
+                $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\";"
+
+    end
+
+    submit = "<?php
+    $result=mysqli_query($conn2, $statement);
+                echo '<p id=\"sucess\">You searched for: '.$search.'<br>';
+                while ($row=mysqli_fetch_assoc($result)){
+                    ?>
+                    <div class=\"product\">
+                      <img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
+                      <div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
+                      <div>&pound;<?php echo $row['#{price}']; ?></div>
+                      <div>
+                        <form>
+                          <input type=\"number\" name=\"quantity\" min=\"0\" max=\"5\" value=\"0\">
+                          <input type=\"submit\" name=\"submit\" value=\"Add\">
+                        </form>
+                      </div>
+                    </div>
+                    <?php
+              }"
+
+    payload_statement = "$payloads = #{payloads};"
+
+    layout = "<div class=\"row\">
+                <div class=\"col\-3\" id=\"left\-side\-columns\">
+                    #{vector}
+                    #{query}
+                    ?>
+                </div>
+                <div class=\"col\-9\">
+                  <div class=\"product-grid\">
+                      #{submit}
+                      #{payload_statement} \n\n
+                      #{flag_statement}
+                    else {
+                        $sql = \"SELECT * FROM #{table_name}\";
+                        ?>
+                        </div>
+                        <div class=\"col\-9\">
+                          <div class=\"product-grid\">
+                        <?php
+                        $standard=mysqli_query($conn2, $sql);
+                        while ($row=mysqli_fetch_assoc($standard)){
+                            ?>
+                            <div class=\"product\">
+                              <img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
+                              <div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
+                              <div>&pound;<?php echo $row['#{price}']; ?></div>
+                              <div>
+                                <form>
+                                  <input type=\"number\" name=\"quantity\" min=\"0\" max=\"5\" value=\"0\">
+                                  <input type=\"submit\" name=\"submit\" value=\"Add\">
+                                </form>
+                              </div>
+                            </div>
+                            <?php
+                      }
+                    }
+                      ?>
+                  </div>
+                </div>
+              </div>"
+
+    snippet = layout
+
+    self.outputs << snippet
+  end
+
+  def get_options_array
+    super + [['--table_headings', GetoptLong::REQUIRED_ARGUMENT],
+             ['--difficulty', GetoptLong::REQUIRED_ARGUMENT],
+             ['--strings_to_leak', GetoptLong::REQUIRED_ARGUMENT],
+             ['--blacklist', GetoptLong::REQUIRED_ARGUMENT]]
+  end
+
+  def process_options(opt, arg)
+    super
+    case opt
+    when '--difficulty'
+        self.difficulty << arg;
+    when '--table_headings'
+        self.table_headings << arg;
+    when '--strings_to_leak'
+        self.strings_to_leak << arg;
+    when '--blacklist'
+        self.blacklist << arg;
+    end
+  end
+
+
+  def encoding_print_string
+    'difficulty: ' + self.difficulty.to_s + print_string_padding +
+    'table_headings: ' + self.table_headings.to_s + print_string_padding +
+    'strings_to_leak: ' + self.strings_to_leak.to_s + print_string_padding +
+    'blacklist: ' + self.blacklist.to_s
+  end
+end
+
+XSSsearchTemplateGenerator.new.run

modules/generators/html/vuln_snippets/xss_search_template/secgen_metadata.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+
+  <name>XSS Search Vulnerability Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Generates a php template with a vector that is vulnerable to Reflected XSS attacks</description>
+
+  <type>xss_snippet</type>
+  <type>reflected_xss</type>
+  <type>search_vuln</type>
+  <platform>unix</platform>
+
+  <default_input into="table_headings">
+    <generator module_path=".*product_table_headings" />
+  </default_input>
+
+  <default_input into="blacklist">
+    <generator module_path=".*xss_blacklist" />
+  </default_input>
+
+  <default_input into="strings_to_leak">
+    <generator type="flag_generator" />
+  </default_input>
+  <output_type>generated_attack_template</output_type>
+</generator>

modules/generators/passwords/default_admin_password/secgen_local/local.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/ruby
+require_relative '../../../../../lib/objects/local_string_generator.rb'
+
+class AdminUsernameGenerator < StringGenerator
+  def initialize
+    super
+    self.module_name = 'Default Admin Password Generator'
+  end
+
+  def generate
+    creds = File.readlines("#{WORDLISTS_DIR}/default_admin_passwords")
+
+    self.outputs << creds.sample.chomp
+  end
+end
+
+AdminUsernameGenerator.new.run

modules/generators/passwords/default_admin_password/secgen_metadata.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Default Admin Password Generator</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>Selects a random password for an admin user</description>
+
+  <type>password_generator</type>
+  <type>local_calculation</type>
+  <platform>linux</platform>
+  <platform>windows</platform>
+
+  <output_type>generated_passwords</output_type>
+
+</generator>

modules/generators/structured_content/vulnerable_php_admin_account/secgen_local/local.rb

@@ -0,0 +1,58 @@
+#!/usr/bin/ruby
+require_relative '../../../../../lib/objects/local_string_encoder.rb'
+class AdminAccountGenerator < StringEncoder
+  attr_accessor :username
+  attr_accessor :password
+  attr_accessor :name
+  attr_accessor :address
+
+  def initialize
+    super
+    self.module_name = 'Admin Account Generator / Builder'
+    self.username = ''
+    self.password = ''
+    self.name = ''
+    self.address = []
+
+  end
+
+  def encode_all
+    account_hash = {}
+    account_hash['username'] = self.username
+    account_hash['password'] = self.password
+    account_hash['name'] = self.name
+    account_hash['address'] = self.address
+
+    self.outputs << account_hash.to_json
+  end
+
+  def get_options_array
+    super + [['--address', GetoptLong::OPTIONAL_ARGUMENT],
+             ['--name', GetoptLong::OPTIONAL_ARGUMENT],
+             ['--password', GetoptLong::OPTIONAL_ARGUMENT],
+             ['--username', GetoptLong::REQUIRED_ARGUMENT]]
+  end
+
+  def process_options(opt, arg)
+    super
+    case opt
+      when '--username'
+        self.username << arg;
+      when '--password'
+        self.password << arg;
+      when '--name'
+        self.name << arg;
+      when '--address'
+        self.address << arg;
+    end
+  end
+
+  def encoding_print_string
+    'username: ' + self.username.to_s + print_string_padding +
+    'password: ' + self.password.to_s  + print_string_padding +
+    'address: ' + self.address.to_s + print_string_padding +
+    'name: ' + self.name.to_s
+  end
+end
+
+AdminAccountGenerator.new.run

modules/generators/structured_content/vulnerable_php_admin_account/secgen_metadata.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+
+<generator xmlns="http://www.github/cliffe/SecGen/generator"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
+  <name>Vulnerable PHP Admin Account</name>
+  <author>Joshua Hickling</author>
+  <module_license>MIT</module_license>
+  <description>
+    Utilised in commando vulnerability for a admin account which can be logged into via php.
+    Created by SQL, used to differentitate the site.
+  </description>
+
+  <type>php_admin_account</type>
+  <platform>linux</platform>
+
+  <read_fact>username</read_fact>
+  <read_fact>password</read_fact>
+  <read_fact>name</read_fact>
+  <read_fact>address</read_fact>
+
+  <default_input into="username">
+    <generator module_path=".*default_admin_username"/>
+  </default_input>
+  <default_input into="password">
+    <generator module_path=".*default_admin_password"/>
+  </default_input>
+  <default_input into="name">
+    <generator type="name" />
+  </default_input>
+  <default_input into="address">
+    <generator type="address_generator_uk" />
+  </default_input>
+
+  <output_type>php_admin_account</output_type>
+</generator>

modules/vulnerabilities/unix/webapp/commando/commando.pp

@@ -0,0 +1,2 @@
+include commando::apache
+include commando::install

modules/vulnerabilities/unix/webapp/commando/files/css/about.css

@@ -0,0 +1,43 @@
+#about {
+	padding: 2em;
+}
+
+#about p {
+	padding-top: 1em;
+	margin-top: 1em;
+}
+
+#review-form {
+	padding-bottom: 1em;
+	margin-bottom: 1em;
+	margin-top: 2em;
+}
+
+#right-box {
+	margin-left: .75em;
+}
+
+#left-by {
+	color: #a6a6a6;
+}
+
+#submit-button {
+	padding: .5em;
+	border: 0;
+}
+
+.other-review {
+	border-top: 1px solid #8c8c8c;
+	padding-top: 1em;
+	margin-top: 1em;
+	width: 100%;
+}
+
+.other-review:last-of-type {
+	border-bottom: 1px solid #8c8c8c;
+	margin-bottom: 1em;
+}
+
+#contact_info {
+	margin-top: 1em;
+}

modules/vulnerabilities/unix/webapp/commando/files/css/index.css

@@ -0,0 +1,108 @@
+#left-side-columns {
+	border-right: 1px solid #f2f2f2;
+	margin-top: 1em;
+}
+
+#left-side-columns input[type=text] {
+    float: none;
+    display: block;
+    text-align: left;
+    width: 100%;
+    margin: 0;
+    padding: 10px;
+  }
+
+  .product-grid {
+  	margin: 1em;
+  }
+
+  .product {
+  	width: 30%;
+  	display: inline-block;
+  	margin-top: 2em;
+  }
+
+  .sizes {
+  	color: #cccccc;
+  }
+
+ html {
+ 	font-family: 'Ubuntu', sans-serif;
+ }
+
+ .product form input[type=number] {
+ 	width: 40px;
+ 	text-align: center;
+ }
+
+ .product form input[type=submit] {
+ 	float: right;
+ 	background-color: inherit;
+ 	color: orange;
+ 	border: 1px solid #cccccc;
+ 	padding: 4px;
+ }
+
+ .product form {
+ 	width: 50%;
+ }
+
+ footer ul {
+ 	list-style: none;
+ 	color: #4d4d4d;
+	margin-left: 31%;
+ }
+
+ footer li {
+ 	display: inline-block;
+ 	padding-left: 1em;
+ 	padding-right: 1em;
+ }
+
+ footer div:first-of-type {
+ 		width: 50%;
+ 		margin: auto;
+ }
+
+#basket {
+	float: right;
+}
+
+#r-banner p {
+	padding-top: .5em;
+}
+
+#r-banner {
+	margin-top: 1em;
+	border-top: 1px solid #e6e6e6;
+	border-bottom: 1px solid #e6e6e6;
+}
+
+#search-box {
+	border: none;
+	border-bottom: 1px solid #e6e6e6;
+}
+
+.col-3 form input[type=submit] {
+	margin-top: .5em;
+}
+
+.error {
+	border-radius: 1em;
+	border: 1px solid #FABABC;
+	background-color: #FADFE0;
+	padding: .75em;
+	color: #7F1C12;
+	margin: 1em;
+	width: 100%;
+	text-align: center;
+}
+
+#sucess {
+	border-radius: 1em;
+	border: 1px solid #4F8A10;
+	background-color: #DFF2BF;
+	padding: .75em;
+	color: #4F8A10;
+	margin: 1em
+}

modules/vulnerabilities/unix/webapp/commando/files/css/login.css

@@ -0,0 +1,25 @@
+#form-holder {
+	width: 320px;
+	margin: auto;
+	border: 1px solid #e2e2e2;
+	margin-top: 3em;
+	margin-bottom: 2em;
+	padding: 1em;
+	background-color: #f5f5f5;
+	border-radius: 4px;
+}
+
+#form-holder h3 {
+	padding-bottom: .5em;
+}
+
+#form-holder input[type=submit] {
+	padding: .5em;
+	border: none;
+	border-radius: 4px;
+	color: white;
+}
+
+#remember {
+	padding-top: .5em;
+}

modules/vulnerabilities/unix/webapp/commando/files/css/user.css

@@ -0,0 +1,28 @@
+#pp {
+	border-radius: 50%;
+	border: 1px solid #e2e2e2;
+	height: 128px;
+	display: block;
+    margin: 0 auto;
+}
+
+#pp-holder {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+  width: 50%;
+  margin-top: 3em;
+}
+
+#welcome {
+	border-radius: 1em;
+	border: 1px solid #e2e2e2;
+	background-color: #F8F9FA;
+	padding: .75em;
+	color: #808080;
+	margin: 1em;
+}
+
+#details {
+	margin-left: 2em;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme1.css

@@ -0,0 +1,27 @@
+nav {
+  background-color: #942911;
+}
+
+.navbar-brand {
+  color: #593837 !important;
+}
+
+.nav-link {
+  color: #593837 !important;
+}
+
+.nav-item active {
+  color: #90a583 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #942911;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #942911;
+}
+
+.product form input[type=submit] {
+ color: #90a583;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme10.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #38023b;
+}
+
+.navbar-brand {
+  color: #8896ab !important;
+}
+
+.nav-link {
+  color: #8896ab !important;
+}
+
+.nav-item active {
+  color: #4a7b9d !important;
+}
+
+#login-button, #submit-button {
+  background-color: #38023b;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #38023b;
+}
+
+#about {
+  background-color: #a288e3;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #4a7b9d;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme11.css

@@ -0,0 +1,33 @@
+nav {
+  background-color: #646165;
+}
+
+.navbar-brand {
+  color: #ddfcad !important;
+}
+
+.nav-link {
+  color: #ddfcad !important;
+}
+
+.nav-item active {
+  color: #c8e087 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #646165;
+  color: white !important;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #646165;
+}
+
+#about {
+  background-color: #95a472;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #c8e087;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme12.css

@@ -0,0 +1,33 @@
+nav {
+  background-color: #36413e;
+}
+
+.navbar-brand {
+  color: #8d8d92 !important;
+}
+
+.nav-link {
+  color: #8d8d92 !important;
+}
+
+.nav-item active {
+  color: #beb2c8 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #36413e;
+  color: white !important;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #36413e;
+}
+
+#about {
+  background-color: #5d5e60;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #beb2c8;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme13.css

@@ -0,0 +1,33 @@
+nav {
+  background-color: #4c4b63;
+}
+
+.navbar-brand {
+  color: #c3c3c3 !important;
+}
+
+.nav-link {
+  color: #c3c3c3 !important;
+}
+
+.nav-item active {
+  color: #aba8b2 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #4c4b63;
+  color: white !important;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #4c4b63;
+}
+
+#about {
+  background-color: #5386e4;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #aba8b2;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme14.css

@@ -0,0 +1,33 @@
+nav {
+  background-color: #d5a021;
+}
+
+.navbar-brand {
+  color: #a49694 !important;
+}
+
+.nav-link {
+  color: #a49694 !important;
+}
+
+.nav-item active {
+  color: #736b60 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #d5a021;
+  color: white !important;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #d5a021;
+}
+
+#about {
+  background-color: #4b4237;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #736b60;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme15.css

@@ -0,0 +1,33 @@
+nav {
+  background-color: #3c1518;
+}
+
+.navbar-brand {
+  color: #fff94f !important;
+}
+
+.nav-link {
+  color: #fff94f !important;
+}
+
+.nav-item active {
+  color: #d58936 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #3c1518;
+  color: white !important;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #3c1518;
+}
+
+#about {
+  background-color: #69140e;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #d58936;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme2.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #758ecd;
+}
+
+.navbar-brand {
+  color: #c1cefe !important;
+}
+
+.nav-link {
+  color: #c1cefe !important;
+}
+
+.nav-item active {
+  color: #a0ddff !important;
+}
+
+#login-button, #submit-button {
+  background-color: #758ecd;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #758ecd;
+}
+
+#about {
+  background-color: #624cab;
+  color: #c1cefe;
+}
+
+.product form input[type=submit] {
+ color: #a0ddff;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme3.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #9e7682;
+}
+
+.navbar-brand {
+  color: #f7c4a5 !important;
+}
+
+.nav-link {
+  color: #f7c4a5 !important;
+}
+
+.nav-item active {
+  color: #4d4861 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #9e7682;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #9e7682;
+}
+
+#about {
+  background-color: #605770;
+  color: #f7c4a5;
+}
+
+.product form input[type=submit] {
+ color: #4d4861;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme4.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #8fc93a;
+}
+
+.navbar-brand {
+  color: #e4cc37 !important;
+}
+
+.nav-link {
+  color: #e4cc37 !important;
+}
+
+.nav-item active {
+  color: #e18335 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #8fc93a;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #8fc93a;
+}
+
+#about {
+  background-color: #0072bb;
+  color: #1e91d6;
+}
+
+.product form input[type=submit] {
+ color: #e18335;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme5.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #e63b2e;
+}
+
+.navbar-brand {
+  color: #ff7733 !important;
+}
+
+.nav-link {
+  color: #ff7733 !important;
+}
+
+.nav-item active {
+  color: #e15634 !important;
+}
+
+#login-button, #submit-button {
+  background-color: #e63b2e;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #e63b2e;
+}
+
+#about {
+  background-color: #f85a3e;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #e15634;
+}

modules/vulnerabilities/unix/webapp/commando/files/css_themes/theme6.css

@@ -0,0 +1,32 @@
+nav {
+  background-color: #00bd9d;
+}
+
+.navbar-brand {
+  color: #8bd7d2 !important;
+}
+
+.nav-link {
+  color: #8bd7d2 !important;
+}
+
+.nav-item active {
+  color: #54defd !important;
+}
+
+#login-button, #submit-button {
+  background-color: #00bd9d;
+}
+
+footer li:first-of-type {
+ border-right: 1px solid #00bd9d;
+}
+
+#about {
+  background-color: #49c6e5;
+  color: #e1e6e1;
+}
+
+.product form input[type=submit] {
+ color: #54defd;
+}