diff --git a/modules/generators/content/database/sql_table_setup/secgen_local/local.rb b/modules/generators/content/database/sql_table_setup/secgen_local/local.rb
index 3bbf8b09e..ab2aedd09 100644
--- a/modules/generators/content/database/sql_table_setup/secgen_local/local.rb
+++ b/modules/generators/content/database/sql_table_setup/secgen_local/local.rb
@@ -18,7 +18,7 @@ class TableCreateGenerator < StringEncoder
 product_headings = "#{self.product_table_headings}".split(',')
 $i = 0
- $num = 6
+ $num = 7
 last_record = false
 product_table_records = []
diff --git a/modules/generators/html/vuln_snippets/idor_product_template/idor_product_template.pp b/modules/generators/html/vuln_snippets/idor_product_template/idor_product_template.pp
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/generators/html/vuln_snippets/idor_product_template/manifests/.no_puppet b/modules/generators/html/vuln_snippets/idor_product_template/manifests/.no_puppet
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/generators/html/vuln_snippets/idor_product_template/manifests/_no_puppet b/modules/generators/html/vuln_snippets/idor_product_template/manifests/_no_puppet
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/generators/html/vuln_snippets/idor_product_template/secgen_local/local.rb b/modules/generators/html/vuln_snippets/idor_product_template/secgen_local/local.rb
new file mode 100644
index 000000000..baf6bae0b
--- /dev/null
+++ b/modules/generators/html/vuln_snippets/idor_product_template/secgen_local/local.rb
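Review bot: `$num` is a bare global whose new value 7 carries no explanation, and nothing in the hunk says what it counts or why it moved from 6. A comment on the assignment, something like `# number of records generated (TODO: state what the extra record is for)`, or a named constant in place of the global, would make the intent reviewable. It presumably moves in step with the `ORDER BY ID LIMIT 6` listing added to the search template in the same commit, but that is an inference from the other hunks. The enclosing method body continues outside the hunk.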
@@ -0,0 +1,89 @@
+#!/usr/bin/ruby
+require_relative '../../../../../../lib/objects/local_string_encoder.rb'
+class IdorProductTemplateGenerator < StringEncoder
+ attr_accessor :strings_to_leak
+ attr_accessor :table_headings
+
+ def initialize
+ super
+ self.module_name = 'IDOR Product Snippet Generator'
+ self.strings_to_leak = ''
+ self.table_headings = ''
+ end
+
+ def encode_all
+ headings = "#{self.table_headings}"
+ headings_array = headings.split(',')
+ table_name = headings_array[0]
+ name = headings_array[1]
+ price = headings_array[2]
+ img = headings_array[3]
+
+ flag_statement = "
+ Well done, you have successfully exploited an insecure direct object reference vulnerability!
+ Here is a flag: #{strings_to_leak} +
" + + flag_check = "
#{flag_statement}
+ " + + layout = " +
+ \" alt=\"image\" class=\"img-fluid\" /> +
(Low Stock)
+
£
+
+
#{flag_check}
" + + snippet = layout + + self.outputs << snippet + end + + def get_options_array + super + [['--table_headings', GetoptLong::REQUIRED_ARGUMENT], + ['--strings_to_leak', GetoptLong::REQUIRED_ARGUMENT]] + end + + def process_options(opt, arg) + super + case opt + when '--table_headings' + self.table_headings << arg; + when '--strings_to_leak' + self.strings_to_leak << arg; + end + end + + def encoding_print_string + 'table_headings: ' + self.table_headings.to_s + print_string_padding + + 'strings_to_leak: ' + self.strings_to_leak.to_s + print_string_padding + end +end + +IdorProductTemplateGenerator.new.run diff --git a/modules/generators/html/vuln_snippets/idor_product_template/secgen_metadata.xml b/modules/generators/html/vuln_snippets/idor_product_template/secgen_metadata.xml new file mode 100644 index 000000000..7cd3492e0 --- /dev/null +++ b/modules/generators/html/vuln_snippets/idor_product_template/secgen_metadata.xml @@ -0,0 +1,23 @@ + + + + + IDOR Product Vulnerability Generator + Thalita Vergilio + MIT + Generates a php template with a vector that is vulnerable to insecure direct object reference attacks + + idor_snippet + unix + + + + + + + + + generated_attack_template + diff --git a/modules/generators/html/vuln_snippets/xss_search_template/secgen_local/local.rb b/modules/generators/html/vuln_snippets/xss_search_template/secgen_local/local.rb index b8455f9a1..15cc0faa2 100644 --- a/modules/generators/html/vuln_snippets/xss_search_template/secgen_local/local.rb +++ b/modules/generators/html/vuln_snippets/xss_search_template/secgen_local/local.rb 
@@ -61,38 +61,42 @@ class XSSsearchTemplateGenerator < StringEncoder query ="if(isset($_POST['submit'])){ $search=mysqli_real_escape_string($conn2, $_POST['search']); - $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; " + $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' " elsif difficulty.eql? 'medium' query = "if(isset($_POST['submit'])){ $blacklist = array(#{medium_blacklist_insert}); $search=str_replace($blacklist, \"\", $_POST['search']); - $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; " + $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' " elsif difficulty.eql? 'hard' query = "if(isset($_POST['submit'])){ $blacklist = array(#{blacklist_insert}); $search=str_replace($blacklist, \"\", $_POST['search']); - $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\"; " + $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' " else query = "if(isset($_POST['submit'])){ $search=htmlspecialchars(mysqli_real_escape_string($conn2, $_POST['search'])); - $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%'\";" + $statement=\"SELECT * FROM #{table_name} WHERE #{name} LIKE '%\" .$search .\"%' " end + query << "ORDER BY ID LIMIT 6 \";" + submit = "You searched for: '.$search.'
'; while ($row=mysqli_fetch_assoc($result)){ ?>
- \" alt=\"shirt\" height=\"224px\" width=\"224px\" /> -
(Low Stock)
+ \"> + \" alt=\"shirt\" height=\"224px\" width=\"224px\" /> +
(Low Stock)
+
£
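Review bot: The tail `ORDER BY ID LIMIT 6` is now assembled in two places, appended here with `query << "ORDER BY ID LIMIT 6 \";"` and spelled out again in the `$sql` literal of the `@@ -118,7 +122,7 @@` hunk below, so the two listings can drift apart; hoist it into one local such as `listing_clause = 'ORDER BY ID LIMIT 6'` and interpolate it in both. `ID` is also hard-coded while `#{table_name}` and `#{name}` are interpolated, so a comment stating that the generated product table is assumed to have an `ID` column, or sourcing the name the same way, would help. `<<` mutates the literal assigned in each branch; that works today but would raise if this file ever gains `# frozen_string_literal: true`, where `query += ...` would not. The enclosing method starts before this hunk.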
@@ -118,7 +122,7 @@ class XSSsearchTemplateGenerator < StringEncoder #{payload_statement} \n\n #{flag_statement} else { - $sql = \"SELECT * FROM #{table_name}\"; + $sql = \"SELECT * FROM #{table_name} ORDER BY ID LIMIT 6\"; ?>
@@ -128,8 +132,10 @@ class XSSsearchTemplateGenerator < StringEncoder while ($row=mysqli_fetch_assoc($standard)){ ?>
- \" alt=\"shirt\" height=\"224px\" width=\"224px\" /> -
(Low Stock)
+ \"> + \" alt=\"shirt\" height=\"224px\" width=\"224px\" /> +
(Low Stock)
+
£
diff --git a/modules/vulnerabilities/unix/webapp/commando/files/images/not_found.jpg b/modules/vulnerabilities/unix/webapp/commando/files/images/not_found.jpg
new file mode 100644
index 000000000..e2b294d79
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/commando/files/images/not_found.jpg differ
diff --git a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
index 931986fcc..5b1545fbd 100644
--- a/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
+++ b/modules/vulnerabilities/unix/webapp/commando/manifests/install.pp
@@ -4,6 +4,7 @@ class commando::install {
 # attack code snippets
 $search = $secgen_parameters['search']
 $sqli_attack = $secgen_parameters['sqli']
+ $idor = $secgen_parameters['idor']
 # On/Off switches
 $aa_activation = $secgen_parameters['default_admin_deactivation'][0]
@@ -37,7 +38,7 @@ class commando::install {
 $intro_paragraph = $organisation['intro_paragraph']
 }
- # database differenitaion generation
+ # database differentiation generation
 $php_database = $secgen_parameters['database']
 $user_table_name = $secgen_parameters['user_table_name'][0]
@@ -87,7 +88,7 @@ class commando::install {
 # home page
 file{ "$docroot/index.php":
 ensure => file,
- content => template('commando/home.php.erb'),
+ content => template('commando/home.php.erb')
 }
 # about/information page
@@ -126,6 +127,18 @@ class commando::install {
 content => template('commando/connect.php.erb')
 }
+ # product page
+ file{ "$docroot/product.php":
+ ensure => file,
+ content => template('commando/product.php.erb')
+ }
+
+ # not found page
+ file{ "$docroot/not_found.php":
+ ensure => file,
+ content => template('commando/not_found.php.erb')
+ }
+
 # Standard files which are not dynamic moving accross to the server
 # Auth file
 if $ve_activation == 'false' {
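Review bot: `$idor = $secgen_parameters['idor']` has no fallback, and the new `product.php.erb` template in this commit iterates it with `@idor.each`, so a scenario that omits the `idor` input would most likely fail at catalog compile on a nil receiver rather than render an empty product page. Either give it a default here or make the template tolerant with `<% Array(@idor).each { |idor| -%>`, which treats a missing value as an empty list. Whether the `idor` input is declared as required in the module metadata is not visible in this hunk, so the guard is cheap insurance either way.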
diff --git a/modules/vulnerabilities/unix/webapp/commando/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/commando/secgen_metadata.xml index 3a7012c5e..e50069d31 100644 --- a/modules/vulnerabilities/unix/webapp/commando/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/webapp/commando/secgen_metadata.xml @@ -20,6 +20,7 @@ WARNING: This module needs some further testing, and may not work without input search database organisation +idor 80 diff --git a/modules/vulnerabilities/unix/webapp/commando/templates/not_found.php.erb b/modules/vulnerabilities/unix/webapp/commando/templates/not_found.php.erb new file mode 100644 index 000000000..1a960b49c --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/commando/templates/not_found.php.erb @@ -0,0 +1,22 @@ + + + + + +<% $page_title = 'Not Found' %> +<%= scope.function_template(['commando/subtemplates/header.html.erb']) %> + + +<%= scope.function_template(['commando/subtemplates/nav.html.erb']) %> +
+
+ not found +
+
+ + + + + + + diff --git a/modules/vulnerabilities/unix/webapp/commando/templates/product.php.erb b/modules/vulnerabilities/unix/webapp/commando/templates/product.php.erb new file mode 100644 index 000000000..fe9a88da8 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/commando/templates/product.php.erb @@ -0,0 +1,29 @@ + + + + + +<% $page_title = 'Product' %> +<%= scope.function_template(['commando/subtemplates/header.html.erb']) %> + + + + <%= scope.function_template(['commando/subtemplates/nav.html.erb']) %> + +
+ + <% @idor.each { |idor| -%> + <%= idor %> + <%} -%> + +
+ + + + + + + +<%= scope.function_template(['commando/subtemplates/footer.html.erb']) %> + + diff --git a/scenarios/security_audit/rand_webapp.xml b/scenarios/security_audit/rand_webapp.xml index 6b0396ceb..e6833ce34 100644 --- a/scenarios/security_audit/rand_webapp.xml +++ b/scenarios/security_audit/rand_webapp.xml @@ -86,6 +86,17 @@ + + + + product_table_headings + + + + + + + @@ -101,19 +112,19 @@ - - kali - + + + - - - - + + + + - - - IP_addresses - - - + + + + + +