Implemented IDOR vulnerability and flag.

This commit is contained in:
Thalita
2021-08-25 19:37:20 +01:00
parent e4364dfc41
commit d080104ddc
13 changed files with 220 additions and 26 deletions


@@ -18,7 +18,7 @@ class TableCreateGenerator < StringEncoder
product_headings = "#{self.product_table_headings}".split(',')
$i = 0
$num = 6
$num = 7
last_record = false
product_table_records = []
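Review bot: The bumped value `$num = 7` is an unexplained magic number, and `$num` and `$i` are `$`-prefixed Ruby globals that live for the whole process rather than locals of this method. A one-line comment stating what the seventh column is would make the change reviewable, e.g. `# 7 columns per product record (name/price/image plus the ID that product.php looks up)` — only if that is really the reason, which this hunk does not show. The enclosing method of TableCreateGenerator starts and ends outside the hunk.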


@@ -0,0 +1,89 @@
#!/usr/bin/ruby
require_relative '../../../../../../lib/objects/local_string_encoder.rb'
class IdorProductTemplateGenerator < StringEncoder
attr_accessor :strings_to_leak
attr_accessor :table_headings
def initialize
super
self.module_name = 'IDOR Product Snippet Generator'
self.strings_to_leak = ''
self.table_headings = ''
end
def encode_all
headings = "#{self.table_headings}"
headings_array = headings.split(',')
table_name = headings_array[0]
name = headings_array[1]
price = headings_array[2]
img = headings_array[3]
flag_statement = "<div class=\"alert alert-info\">
Well done, you have successfully exploited an insecure direct object reference vulnerability!<br/>
Here is a flag: #{strings_to_leak}
</div>"
flag_check = "<?php
if ($max_id == $id) {
?> <div>#{flag_statement}</div>
<?php } ?>"
layout = "<?php
if(isset($_GET['id'])){
$id = $_GET['id'];
$statement = \"SELECT * FROM #{table_name} WHERE ID = \".$id;
$statement .= \"; SELECT MAX(ID) FROM #{table_name}\";
if (mysqli_multi_query($conn2, $statement)) {
if ($result = mysqli_store_result($conn2)) {
$row = mysqli_fetch_array($result);
if (!empty($row)) {
?>
<div class=\"jumbotron\">
<img src=\"<?php echo $row['#{img}']; ?>\" alt=\"image\" class=\"img-fluid\" />
<div class=\"h2\"><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
<div class=\"h3\">&pound;<?php echo $row['#{price}']; ?></div>
</div>
<?php
mysqli_free_result($result);
} else {
header('Location: not_found.php');
}
}
if (mysqli_more_results($conn2)) {
mysqli_next_result($conn2);
$result = mysqli_store_result($conn2);
$max_id = mysqli_fetch_row($result)[0];
?> <div>#{flag_check}</div> <?php
}
}
}
?>"
snippet = layout
self.outputs << snippet
end
def get_options_array
super + [['--table_headings', GetoptLong::REQUIRED_ARGUMENT],
['--strings_to_leak', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--table_headings'
self.table_headings << arg;
when '--strings_to_leak'
self.strings_to_leak << arg;
end
end
def encoding_print_string
'table_headings: ' + self.table_headings.to_s + print_string_padding +
'strings_to_leak: ' + self.strings_to_leak.to_s + print_string_padding
end
end
IdorProductTemplateGenerator.new.run
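Review bot: The generated PHP concatenates `$_GET['id']` unescaped into `$statement` (`$id = $_GET['id'];` and the `WHERE ID = \".$id` line) and executes it with `mysqli_multi_query`, so the template is SQL-injectable as well as IDOR-vulnerable, which is wider than the insecure direct object reference this module's descriptor documents. If only the IDOR is intended, coerce the parameter first, `$id = (int)$_GET['id'];` — a numeric ID stays enumerable, so the intended vulnerability is preserved. Separately, `header('Location: not_found.php');` runs after the surrounding page has already emitted the `<!DOCTYPE html>` and header markup (see product.php.erb in this commit), so PHP reports "headers already sent" and no redirect happens unless output buffering is enabled; checking `$row` before any output, or calling `ob_start()` at the top of product.php, is needed for the not-found path to work. The trailing semicolons on `self.table_headings << arg;` and `self.strings_to_leak << arg;` are noise in Ruby and should go.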


@@ -0,0 +1,23 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>IDOR Product Vulnerability Generator</name>
<author>Thalita Vergilio</author>
<module_license>MIT</module_license>
<description>Generates a php template with a vector that is vulnerable to insecure direct object reference attacks</description>
<type>idor_snippet</type>
<platform>unix</platform>
<default_input into="table_headings">
<generator module_path=".*product_table_headings" />
</default_input>
<default_input into="strings_to_leak">
<generator type="flag_generator" />
</default_input>
<output_type>generated_attack_template</output_type>
</generator>


@@ -61,38 +61,42 @@ class XSSsearchTemplateGenerator < StringEncoder
query ="if(isset($_POST['submit'])){
$search=mysqli_real_escape_string($conn2, $_POST['search']);
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' "
elsif difficulty.eql? 'medium'
query = "if(isset($_POST['submit'])){
$blacklist = array(#{medium_blacklist_insert});
$search=str_replace($blacklist, \"\", $_POST['search']);
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' "
elsif difficulty.eql? 'hard'
query = "if(isset($_POST['submit'])){
$blacklist = array(#{blacklist_insert});
$search=str_replace($blacklist, \"\", $_POST['search']);
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; "
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' "
else
query = "if(isset($_POST['submit'])){
$search=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['search']));
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\";"
$statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' "
end
query << "ORDER BY ID LIMIT 6 \";"
submit = "<?php
$result=mysqli_query($conn2, $statement);
$result=mysqli_query($conn2, $statement);
echo '<p id=\"sucess\">You searched for: '.$search.'<br>';
while ($row=mysqli_fetch_assoc($result)){
?>
<div class=\"product\">
<img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
<div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
<a href=\"/product.php?id=<?php echo $row['id']?>\">
<img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
<div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
</a>
<div>&pound;<?php echo $row['#{price}']; ?></div>
<div>
<form>
@@ -118,7 +122,7 @@ class XSSsearchTemplateGenerator < StringEncoder
#{payload_statement} \n\n
#{flag_statement}
else {
$sql = \"SELECT * FROM #{table_name}\";
$sql = \"SELECT * FROM #{table_name} ORDER BY ID LIMIT 6\";
?>
</div>
<div class=\"col\-9\">
@@ -128,8 +132,10 @@ class XSSsearchTemplateGenerator < StringEncoder
while ($row=mysqli_fetch_assoc($standard)){
?>
<div class=\"product\">
<img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
<div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
<a href=\"/product.php?id=<?php echo $row['id']?>\">
<img src=\"<?php echo $row['#{img}']; ?>\" alt=\"shirt\" height=\"224px\" width=\"224px\" />
<div><?php echo $row['#{name}']; ?> <i class=\"sizes\">(Low Stock)</i></div>
</a>
<div>&pound;<?php echo $row['#{price}']; ?></div>
<div>
<form>
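Review bot: The new product links read `$row['id']` while every query in this generator names the column `ID` (`ORDER BY ID LIMIT 6`, and the IDOR generator's `WHERE ID =`); `mysqli_fetch_assoc` keys use the column name exactly as the table defines it, so if the column is `ID` the href becomes `/product.php?id=` with an empty value and the IDOR page is never reachable from the listing. The table schema is not in this hunk, so confirm the column's case and use the matching key, e.g. `$row['ID']`, in both the search-results block and the default listing in the last hunk. `LIMIT 6` is now hard-coded in two places (`query << "ORDER BY ID LIMIT 6 \";"` and the `$sql` default query); a single Ruby constant would keep them in step. encode_all starts and ends outside these hunks.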



@@ -4,6 +4,7 @@ class commando::install {
# attack code snippets
$search = $secgen_parameters['search']
$sqli_attack = $secgen_parameters['sqli']
$idor = $secgen_parameters['idor']
# On/Off switches
$aa_activation = $secgen_parameters['default_admin_deactivation'][0]
@@ -37,7 +38,7 @@ class commando::install {
$intro_paragraph = $organisation['intro_paragraph']
}
# database differenitaion generation
# database differentiation generation
$php_database = $secgen_parameters['database']
$user_table_name = $secgen_parameters['user_table_name'][0]
@@ -87,7 +88,7 @@ class commando::install {
# home page
file{ "$docroot/index.php":
ensure => file,
content => template('commando/home.php.erb'),
content => template('commando/home.php.erb')
}
# about/information page
@@ -126,6 +127,18 @@ class commando::install {
content => template('commando/connect.php.erb')
}
# product page
file{ "$docroot/product.php":
ensure => file,
content => template('commando/product.php.erb')
}
# not found page
file{ "$docroot/not_found.php":
ensure => file,
content => template('commando/not_found.php.erb')
}
# Standard files which are not dynamic moving accross to the server
# Auth file
if $ve_activation == 'false' {


@@ -20,6 +20,7 @@ WARNING: This module needs some further testing, and may not work without input
<read_fact>search</read_fact>
<read_fact>database</read_fact>
<read_fact>organisation</read_fact>
<read_fact>idor</read_fact>
<default_input into="port">
<value>80</value>


@@ -0,0 +1,22 @@
<?php include 'connect.php';?>
<!DOCTYPE html>
<html lang="en">
<% $page_title = 'Not Found' %>
<%= scope.function_template(['commando/subtemplates/header.html.erb']) %>
<body>
<%= scope.function_template(['commando/subtemplates/nav.html.erb']) %>
<div class="container container-fluid">
<div class="jumbotron">
<img src="images/not_found.jpg" alt="not found">
</div>
</div>
<script src="js/jquery-3.3.1.slim.min.js"></script>
<script src="js/popper.min.js"></script>
<script src="css/bootstrap.4.3.1.min.js"></script>
</body>
</html>
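Review bot: not_found.php is served with a 200 status, so the product page's redirect to it looks like a successful lookup to any client or scanner; adding `<?php http_response_code(404); ?>` before the `<!DOCTYPE html>` line makes the response honest. The page also includes `connect.php` (opening a database connection) without using it, and loads `css/bootstrap.4.3.1.min.js` from the css directory — the same path appears in product.php.erb, so it is presumably copied from the existing templates, but worth confirming the file really lives there. Unlike product.php.erb, this template does not render the footer subtemplate; if that omission is deliberate a short ERB comment saying so would help.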


@@ -0,0 +1,29 @@
<?php include 'connect.php';?>
<!DOCTYPE html>
<html lang="en">
<% $page_title = 'Product' %>
<%= scope.function_template(['commando/subtemplates/header.html.erb']) %>
<body>
<%= scope.function_template(['commando/subtemplates/nav.html.erb']) %>
<div class="container container-fluid">
<% @idor.each { |idor| -%>
<%= idor %>
<%} -%>
</div>
<script src="js/jquery-3.3.1.slim.min.js"></script>
<script src="js/popper.min.js"></script>
<script src="css/bootstrap.4.3.1.min.js"></script>
</body>
<%= scope.function_template(['commando/subtemplates/footer.html.erb']) %>
</html>
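Review bot: The loop uses a brace block spread over three lines, `<% @idor.each { |idor| -%>` … `<%} -%>`; Ruby style is `do … end` for multi-line blocks, so `<% @idor.each do |idor| -%>` and `<% end -%>` read better and match the spacing of the other tags in these templates. The loop also assumes `@idor` is always an array; if the `idor` parameter can be absent in some scenarios the page raises on nil, and `Array(@idor).each` would degrade to an empty page instead — hedged, since how the Puppet side populates it is outside this section.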


@@ -86,6 +86,17 @@
</generator>
</input>
<input into="idor">
<generator module_path=".*idor_product_template">
<input into="table_headings">
<datastore>product_table_headings</datastore>
</input>
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
</input>
</vulnerability>
<network type="private_network">
@@ -101,19 +112,19 @@
</build>
</system>
<system>
<system_name>kali</system_name>
<base distro="Kali" name="MSF"/>
<!-- <system>-->
<!-- <system_name>kali</system_name>-->
<!-- <base distro="Kali" name="MSF"/>-->
<utility module_path=".*/kali_web"/>
<utility module_path=".*/metasploit_framework"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<!-- <utility module_path=".*/kali_web"/>-->
<!-- <utility module_path=".*/metasploit_framework"/>-->
<!-- <utility module_path=".*/handy_cli_tools"/>-->
<!-- <utility module_path=".*/nmap"/>-->
<network type="private_network">
<input into="IP_address">
<datastore access="next">IP_addresses</datastore>
</input>
</network>
</system>
<!-- <network type="private_network">-->
<!-- <input into="IP_address">-->
<!-- <datastore access="next">IP_addresses</datastore>-->
<!-- </input>-->
<!-- </network>-->
<!-- </system>-->
</scenario>
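Review bot: The second hunk comments out the entire kali system (its base, utilities and private network), which leaves the scenario with only the web server; if this is a local testing shortcut it should be restored before merging, and if it is intentional the commit description should say so, since the commit title only mentions the IDOR vulnerability and flag. The new `idor` input block itself is consistent with the generator's default inputs (`table_headings` from the `product_table_headings` datastore, `strings_to_leak` from a `flag_generator`).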