From 736fb6d7219ef544bba0277ad97981b3edac7aa4 Mon Sep 17 00:00:00 2001
From: RupakBiswas-2304 <rupak_2001cs57@iitp.ac.in>
Date: Sat, 27 Aug 2022 09:00:20 +0530
Subject: [PATCH] code injection

---
 pygoat/db.sqlite3                             | Bin 331776 -> 331776 bytes
 pygoat/introduction/mitre.py                  |  21 +++++++-
 .../templates/mitre/mitre_lab_25.html         |  47 ++++++++++++++++++
 .../templates/mitre/mitre_top25.html          |   2 +-
 pygoat/introduction/urls.py                   |   1 +
 pygoat/pygoat/settings.py                     |   2 +-
 6 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 pygoat/introduction/templates/mitre/mitre_lab_25.html

diff --git a/pygoat/db.sqlite3 b/pygoat/db.sqlite3
index c6fc9d9bd8e4bc1960c67196f58aef8e171654e1..5104abc207742b12a00f0086387911a5f1a281ef 100644
GIT binary patch
delta 544
zcmZozAkwfvWP&u~{E0HojPo}poX-<9S1>TPGBC3;GSV}(G&3=?Xm-eNcgSbl?vT%P
zWCF7Rr{Gj}W>+yzGp<jZ(Oe?jHoVuk6FJ{=f93hXDY!L`c|C`h3bQX`Wp;&SQDwe`
zX-ZyJPQF=wfn{1@PPw6ZUVeFEa(Q{B1xQg|RbFvcZc4tHfnk18YL;P=v1L`ENpiY*
zhEZOjS)zsc_GnJ#m2AugT!z!x1(;)5xB|EgH#-`f<eZ)_#mr-5Xn=66nSrr^xtWC=
zvm>LCfsv7}fu$};+Q`bpz{<o@4=871YGK|E)VDofie>6m9v1Fw2EN<8TX`mMX9LZQ
z=GJIZvS9UX4t6Bu_UVciESu`{gK{nXt<pj=s!}Rk(v8a<i@eivigE)ivU1!5-Es=t
zQw`1B3Mxt~(hEZUO)M;Yk(~t#Vu-7ol+3{v6ABN#RIiG#ESF;c@=C|)x)v<Ug7brN
zveT?W3M|Zh(hHqTot!N5;{)6)gS?8pO~Ooqb6rxiLz1!_GxCj+3N1q`TwIYIff_bV
W%4R@EggQ<?$H}a){qA2DWg!4F!J_p5

delta 152
zcmV;J0B8SzpcH_h6p$MMnUNer0hzI2&u$ShATTyMH8(mnFfKAVI5RXggFtVGKyLxJ
zKyL!XkOM9WTa^a`MHmY530n#j3p@?h3t<WG3-t{642caL3m3CNF!u<zTL}ZH1_Le%
zZ<hxU16{L0FbfKYZyE!)ZyE%Z)d&I&wEzy=4Yji&aH$Olf+IEsO@mcIm(B?TAh+H9
G1S1l@BranB

diff --git a/pygoat/introduction/mitre.py b/pygoat/introduction/mitre.py
index 2f43bca40..dfc0d4821 100644
--- a/pygoat/introduction/mitre.py
+++ b/pygoat/introduction/mitre.py
@@ -6,9 +6,16 @@
 import datetime
 from .models import CSRF_user_tbl
 from django.views.decorators.csrf import csrf_exempt
+# import os
 
 ## Mitre top1 | CWE:787
 
+# target zone
+FLAG = "NOT_SUPPOSED_TO_BE_ACCESSED"
+
+# target zone end
+
+
 @authentication_decorator
 def mitre_top1(request):
     if request.method == 'GET':
@@ -198,7 +205,17 @@ def csrf_transfer_monei_api(request,recipent,amount):
         return redirect ('/mitre/9/lab/transaction')
 
 
-@authentication_decorator
+# @authentication_decorator
 @csrf_exempt
 def mitre_lab_25_api(request):
-    pass
\ No newline at end of file
+    if request.method == "POST":
+        expression = request.POST.get('expression')
+        result = eval(expression)
+        return JsonResponse({'result': result})
+    else:
+        return redirect('/mitre/25/lab/')
+
+
+@authentication_decorator
+def mitre_lab_25(request):
+    return render(request, 'mitre/mitre_lab_25.html')
\ No newline at end of file
diff --git a/pygoat/introduction/templates/mitre/mitre_lab_25.html b/pygoat/introduction/templates/mitre/mitre_lab_25.html
new file mode 100644
index 000000000..de08fdd92
--- /dev/null
+++ b/pygoat/introduction/templates/mitre/mitre_lab_25.html
@@ -0,0 +1,47 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+<title> Code Injection </title>
+{% endblock %}
+    <div class="jumbotron">
+        <h4 style="text-align:center"> Calculator </h4>
+        <div class="login" style="display: flex;justify-content: center;flex-direction: column;}">
+            <div>
+                <input type="textarea" id="input" style="width: 200px;height: 50px;">
+                <button id="btn" style="width: 100px;height: 50px;" onclick="calculate()"> Calculate </button>
+            </div>
+            <textarea id="output" style="width: 40%;height: 20px;"></textarea>
+        </div>
+    </div>
+    <div style= "position : fixed ; right : 7px; bottom : 7px"> <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/25'">Back to Lab
+    Details</button></div>
+    <script>
+        function calculate(){
+            var input = document.getElementById("input").value;
+            var output = document.getElementById("output");
+            var headers = new Headers();
+            var formdata = new FormData();
+            formdata.append("expression", input);
+            var requestOption = {
+                method: "POST",
+                body: formdata,
+                redirect: "follow",
+                headers: headers
+            };
+
+            fetch("/mitre/25/lab/api",requestOption)
+                .then(response => response.text())
+                .then(result => {
+                    var data = JSON.parse(result);
+                    output.value = data.result;
+                    console.log(result);
+                })
+                .catch(
+                    error => {console.log("error", error);
+                    output.value = "error";}
+                    );
+        } 
+    </script>
+
+{% endblock %}
\ No newline at end of file
diff --git a/pygoat/introduction/templates/mitre/mitre_top25.html b/pygoat/introduction/templates/mitre/mitre_top25.html
index 538dc33ef..d0653f830 100644
--- a/pygoat/introduction/templates/mitre/mitre_top25.html
+++ b/pygoat/introduction/templates/mitre/mitre_top25.html
@@ -32,7 +32,7 @@ <h2 style="font-size: 2.7rem">CWE-94: <span>Code Injection</span></h2>
     This lab have a calculator with can compute simple arithmetic operations.
     Try to exploit that</p> 
     <div align="right">
-      <button class="btn btn-info" type="button" onclick="window.location.href='/sql_lab'">
+      <button class="btn btn-info" type="button" onclick="window.location.href='/mitre/25/lab'">
         Access Lab
       </button>
     </div>
diff --git a/pygoat/introduction/urls.py b/pygoat/introduction/urls.py
index af9dabc13..afd1418df 100644
--- a/pygoat/introduction/urls.py
+++ b/pygoat/introduction/urls.py
@@ -113,4 +113,5 @@
     path("mitre/9/lab/transaction",mitre.csrf_transfer_monei,name="csrf_lab_login_api"),
     path("mitre/9/lab/api/<str:recipent>/<int:amount>",mitre.csrf_transfer_monei_api,name="csrf_lab_login_api"),
     path("mitre/25/lab/api", mitre.mitre_lab_25_api, name="mitre_lab_25_api"),
+    path("mitre/25/lab", mitre.mitre_lab_25, name="mitre_lab_25"),
 ]
diff --git a/pygoat/pygoat/settings.py b/pygoat/pygoat/settings.py
index 769300daf..bfdfc63d9 100644
--- a/pygoat/pygoat/settings.py
+++ b/pygoat/pygoat/settings.py
@@ -165,4 +165,4 @@
 }
 
 SECRET_COOKIE_KEY = "PYGOAT"
-CSRF_TRUSTED_ORIGINS = ["http://127.0.0.1:8000","http://0.0.0.0:8000","http://172.16.188.81"]
\ No newline at end of file
+CSRF_TRUSTED_ORIGINS = ["http://127.0.0.1:8000","http://0.0.0.0:8000","http://172.16.189.10"]
\ No newline at end of file