code injection

pygoat/introduction/mitre.py

@@ -6,9 +6,16 @@
 import datetime
 from .models import CSRF_user_tbl
 from django.views.decorators.csrf import csrf_exempt
+# import os
 
 ## Mitre top1 | CWE:787
 
+# target zone
+FLAG = "NOT_SUPPOSED_TO_BE_ACCESSED"
+
+# target zone end
+
+
 @authentication_decorator
 def mitre_top1(request):
     if request.method == 'GET':
@@ -198,7 +205,17 @@ def csrf_transfer_monei_api(request,recipent,amount):
         return redirect ('/mitre/9/lab/transaction')
 
 
-@authentication_decorator
+# @authentication_decorator
 @csrf_exempt
 def mitre_lab_25_api(request):
-    pass
+    if request.method == "POST":
+        expression = request.POST.get('expression')
+        result = eval(expression)
+        return JsonResponse({'result': result})
+    else:
+        return redirect('/mitre/25/lab/')
+
+
+@authentication_decorator
+def mitre_lab_25(request):
+    return render(request, 'mitre/mitre_lab_25.html')

pygoat/introduction/templates/mitre/mitre_lab_25.html

@@ -0,0 +1,47 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+<title> Code Injection </title>
+{% endblock %}
+    <div class="jumbotron">
+        <h4 style="text-align:center"> Calculator </h4>
+        <div class="login" style="display: flex;justify-content: center;flex-direction: column;}">
+            <div>
+                <input type="textarea" id="input" style="width: 200px;height: 50px;">
+                <button id="btn" style="width: 100px;height: 50px;" onclick="calculate()"> Calculate </button>
+            </div>
+            <textarea id="output" style="width: 40%;height: 20px;"></textarea>
+        </div>
+    </div>
+    <div style= "position : fixed ; right : 7px; bottom : 7px"> <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/25'">Back to Lab
+    Details</button></div>
+    <script>
+        function calculate(){
+            var input = document.getElementById("input").value;
+            var output = document.getElementById("output");
+            var headers = new Headers();
+            var formdata = new FormData();
+            formdata.append("expression", input);
+            var requestOption = {
+                method: "POST",
+                body: formdata,
+                redirect: "follow",
+                headers: headers
+            };
+
+            fetch("/mitre/25/lab/api",requestOption)
+                .then(response => response.text())
+                .then(result => {
+                    var data = JSON.parse(result);
+                    output.value = data.result;
+                    console.log(result);
+                })
+                .catch(
+                    error => {console.log("error", error);
+                    output.value = "error";}
+                    );
+        } 
+    </script>
+
+{% endblock %}

pygoat/introduction/templates/mitre/mitre_top25.html

@@ -32,7 +32,7 @@ <h2 style="font-size: 2.7rem">CWE-94: <span>Code Injection</span></h2>
     This lab have a calculator with can compute simple arithmetic operations.
     Try to exploit that</p> 
     <div align="right">
-      <button class="btn btn-info" type="button" onclick="window.location.href='/sql_lab'">
+      <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/25/lab'">
         Access Lab
       </button>
     </div>

pygoat/introduction/urls.py

@@ -113,4 +113,5 @@
     path("mitre/9/lab/transaction",mitre.csrf_transfer_monei,name="csrf_lab_login_api"),
     path("mitre/9/lab/api/<str:recipent>/<int:amount>",mitre.csrf_transfer_monei_api,name="csrf_lab_login_api"),
     path("mitre/25/lab/api", mitre.mitre_lab_25_api, name="mitre_lab_25_api"),
+    path("mitre/25/lab", mitre.mitre_lab_25, name="mitre_lab_25"),
 ]

pygoat/pygoat/settings.py

@@ -165,4 +165,4 @@
 }
 
 SECRET_COOKIE_KEY = "PYGOAT"
-CSRF_TRUSTED_ORIGINS = ["http://127.0.0.1:8000","http://0.0.0.0:8000","http://172.16.188.81"]
+CSRF_TRUSTED_ORIGINS = ["http://127.0.0.1:8000","http://0.0.0.0:8000","http://172.16.189.10"]