Merge pull request #167 from RupakBiswas-2304/master

lab added on command injection
adeyosemanputra · Sep 1, 2022 · 6925b93 · 6925b93
2 parents bf7a3cd + 5f19dd5
commit 6925b93
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 *.pyc
 env
 pygoat/db.sqlite3
+venv
 *.sqlite3
 *db.sqlite3
 */app.log

diff --git a/pygoat/db.sqlite3 b/pygoat/db.sqlite3
diff --git a/pygoat/introduction/__pycache__/views.cpython-38.pyc b/pygoat/introduction/__pycache__/views.cpython-38.pyc
diff --git a/pygoat/introduction/mitre.py b/pygoat/introduction/mitre.py
@@ -4,6 +4,8 @@
 from hashlib import md5
 import jwt
 import datetime
+import re
+import subprocess
 from .models import CSRF_user_tbl
 from django.views.decorators.csrf import csrf_exempt
 # import os
@@ -218,4 +220,25 @@ def mitre_lab_25_api(request):
 
 @authentication_decorator
 def mitre_lab_25(request):
-    return render(request, 'mitre/mitre_lab_25.html')
+    return render(request, 'mitre/mitre_lab_25.html')
+
+@authentication_decorator
+def mitre_lab_17(request):
+    return render(request, 'mitre/mitre_lab_17.html')
+
+def command_out(command):
+    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    return process.communicate()
+
+
+@csrf_exempt
+def mitre_lab_17_api(request):
+    if request.method == "POST":
+        ip = request.POST.get('ip')
+        command = "nmap " + ip 
+        res, err = command_out(command)
+        res = res.decode()
+        err = err.decode()
+        pattern = "STATE SERVICE.*\\n\\n"
+        ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n')
+        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
diff --git a/pygoat/introduction/templates/mitre/mitre_lab_17.html b/pygoat/introduction/templates/mitre/mitre_lab_17.html
@@ -0,0 +1,51 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+<title> Code Injection </title>
+{% endblock %}
+<div class="jumbotron">
+    <h4 style="text-align:center"> PORT SCANNING SERVICE </h4>
+    <div class="login" style="display: flex;justify-content: center;flex-direction: column;">
+        <div>
+            <input type="textarea" id="input" style="width: 400px;height: 50px;">
+            <button id="btn" style="width: 100px;height: 50px;" onclick="apicall()"> SCAN </button>
+        </div><br>
+        <div id="output" style="width: 40%; border: 2px solid #777; border-radius: 5px; padding: 7px;">
+            output<br>
+        </div>
+    </div>
+    <div style= "position : fixed ; right : 7px; bottom : 7px"> <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/17'">Back to Lab
+        Details</button></div>
+
+    <script>
+        var ports = [];
+        function apicall(){
+            var input = document.getElementById("input").value;
+            var output = document.getElementById("output");
+            var headers = new Headers();
+            var formdata = new FormData();
+            formdata.append("ip", input);
+            var requestOption = {
+                method: "POST",
+                body: formdata,
+                redirect: "follow",
+                headers: headers
+            };
+            output.innerHTML = "";
+            fetch("/mitre/17/lab/api",requestOption)
+                .then(response => response.text())
+                .then(result => {
+                    var data = JSON.parse(result);
+                    ports = data.ports;
+                    for (p in data.ports){
+                        output.innerHTML += "<span>" + ports[p] + "</span><br>";}
+                })
+                .catch(
+                    error => {console.log("error", error);
+                    output.innerHTML = "error";}
+                    );
+        }
+
+    </script>
+{% endblock %}
diff --git a/pygoat/introduction/templates/mitre/mitre_lab_25.html b/pygoat/introduction/templates/mitre/mitre_lab_25.html
@@ -6,7 +6,7 @@
 {% endblock %}
     <div class="jumbotron">
         <h4 style="text-align:center"> Calculator </h4>
-        <div class="login" style="display: flex;justify-content: center;flex-direction: column;}">
+        <div class="login" style="display: flex;justify-content: center;flex-direction: column;">
             <div>
                 <input type="textarea" id="input" style="width: 400px;height: 50px;">
                 <button id="btn" style="width: 100px;height: 50px;" onclick="calculate()"> Calculate </button>

diff --git a/pygoat/introduction/templates/mitre/mitre_top17.html b/pygoat/introduction/templates/mitre/mitre_top17.html
@@ -19,6 +19,15 @@ <h2 style="font-size:2.7rem">CWE-77: <span>Command Injection</span></h2>
         </ul>
         Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
         Command injection is a common problem with wrapper programs.
+    </div><br>
+    <button class="coll btn btn-info">Lab 1 Details</button>
+    <div class="lab">
+        <p class="bp">
+        This is a web utility for scanning IP address for open ports.<br> 
+        Can you use this utility for something other than scanning ports?
+        <br>
+        <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/17/lab '">Access
+            Lab</button></div>
     </div>
 
 {% endblock %}
diff --git a/pygoat/introduction/templates/mitre/mitre_top21.html b/pygoat/introduction/templates/mitre/mitre_top21.html
@@ -21,5 +21,33 @@ <h2 style="font-size: 2.7rem">
   internal networks, use other URLs such as that can access documents on the
   system (using file://), or use other protocols such as gopher:// or tftp://,
   which may provide greater control over the contents of requests.
+</div><br><br>
+<button class="coll btn btn-info">Lab 1 Details</button>
+<div class="lab">
+    <p class="bp">
+    This lab helps you to get an idea of how SSRF can result in major Security flaw.
+
+    The next pages shows some blog, but can you figure out how the blogs are presented?
+
+    <br>
+    <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/ssrf_lab'">Access
+        Lab</button></div>
+</div>
+<button class="coll btn btn-info">Lab 2 Details</button>
+<div class="lab">
+    <p class="bp">
+      This website sends a request to the given url and displays the page withing the page.
+      now there is a page at <a href="/ssrf_target">/ssrf_target</a> which only allowes request from localhost ( ie 127.0.0.1 )
+      <br>
+      now start the server using <code>python manage.py runserver 0:8000</code><br>
+      get your network ip using <code>ifconfig</code> or <code>ipcofig</code>(in windows) <br>
+      now go to http://[your ip]/ssrf_target
+      <br>
+      Now you can't access the page because it is not from localhost.
+      Try to get access to this page content now using the utility.
+    </p>
+    <br>
+    <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/ssrf_lab2'">Access
+        Lab</button></div>
 </div>
 {% endblock %}
diff --git a/pygoat/introduction/urls.py b/pygoat/introduction/urls.py
@@ -114,4 +114,6 @@
     path("mitre/9/lab/api/<str:recipent>/<int:amount>",mitre.csrf_transfer_monei_api,name="csrf_lab_login_api"),
     path("mitre/25/lab/api", mitre.mitre_lab_25_api, name="mitre_lab_25_api"),
     path("mitre/25/lab", mitre.mitre_lab_25, name="mitre_lab_25"),
+    path("mitre/17/lab", mitre.mitre_lab_17, name="mitre_lab_17"),
+    path("mitre/17/lab/api",mitre.mitre_lab_17_api,name="mitre_lab_17_api"),
 ]