From 1283970bea0873e27d1a98c999589ba8c6b0f37a Mon Sep 17 00:00:00 2001
From: John Ahlroos
Date: Tue, 2 Mar 2021 20:57:11 +0200
Subject: [PATCH] Added XXE vulnerability
---
 project1/project1/settings.py | 2 ++
 project1/project1/urls.py | 9 ++++---
 project1/project1/views.py | 45 ++++++++++++++++++++++++++---------
 project1/static/products.xml | 10 ++++++++
 project1/templates/index.html | 15 ++++++++++--
 project1/templates/login.html | 3 +++
 6 files changed, 66 insertions(+), 18 deletions(-)
 create mode 100644 project1/static/products.xml
diff --git a/project1/project1/settings.py b/project1/project1/settings.py
index 3a10ff9..449cc3f 100644
--- a/project1/project1/settings.py
+++ b/project1/project1/settings.py
@@ -53,6 +53,8 @@ MIDDLEWARE = [
 ROOT_URLCONF = 'project1.urls'
+STATICFILES_DIRS = ["static"]
+
 TEMPLATE_DIR = os.path.join(BASE_DIR, "templates")
 TEMPLATES = [
 {
diff --git a/project1/project1/urls.py b/project1/project1/urls.py
index 53af268..31f7e8e 100644
--- a/project1/project1/urls.py
+++ b/project1/project1/urls.py
@@ -14,18 +14,17 @@ Including another URLconf
 2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
 """
 from django.contrib import admin, auth
-from django.urls import path, include
+from django.urls import path,re_path,include
 from . import views
 urlpatterns = [
 path('admin/', admin.site.urls),
- path('', views.home),
-
- path('find_product', views.find_product),
+
 path('login', views.login),
 path('do_login', views.do_login),
 path('logout', views.logout),
+ path('', views.home),
+
 path('add_product', views.add_product),
 path('import_products', views.import_products)
-
 ]
diff --git a/project1/project1/views.py b/project1/project1/views.py
index 8a6d6ce..081c11d 100644
--- a/project1/project1/views.py
+++ b/project1/project1/views.py
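Review bot: `STATICFILES_DIRS = ["static"]` is a bare relative path, so Django resolves it against whatever working directory the server process was started from, while `TEMPLATE_DIR` two lines below is anchored with `os.path.join(BASE_DIR, "templates")`. Starting the app from any other directory would silently leave the new `static/` directory (and the `products.xml` added in this commit) unfound rather than fail loudly. Anchor it the same way as the templates: `STATICFILES_DIRS = [os.path.join(BASE_DIR, "static")]`.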
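Review bot: `re_path` is added to the `django.urls` import but no pattern in this hunk uses it, and the rewritten line also drops the spacing the original had. Unless a later change needs regex routes, the line should stay `from django.urls import path, include`. `auth` on the line above is likewise unused by anything visible, but that predates this commit.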
@@ -4,10 +4,29 @@ from project1.models import Product
 from django.contrib import auth
 from django.contrib.auth.decorators import login_required
 from django import forms
+from xml.dom import pulldom
+from xml.dom.pulldom import parse
+from xml.sax import make_parser
+from xml.sax.handler import feature_external_ges, feature_external_pes
+
+# https://docs.python.org/3/library/xml.dom.pulldom.html#module-xml.dom.pulldom
+
+def home(request):
+ filter = request.GET.get('filter', '')
+ if filter == '':
+ return all_products(request)
+ else:
+ return filtered_products(request)
 @login_required(login_url='/login')
-def home(request):
- return render(request, "index.html")
+def all_products(request):
+ products = Product.objects.all()
+ return render(request, "index.html", {"products": products})
+
+def filtered_products(request):
+ filter = request.GET.get('filter', '')
+ products = Product.objects.raw("SELECT * FROM project1_Product where name like '%" + filter + "%'")
+ return render(request, "index.html", {"products": products})
 def login(request):
 return render(request, 'login.html')
@@ -31,23 +50,27 @@ def add_product(request):
 name = request.POST.get('name', '')
 product = Product.objects.create(name=name)
 print('Added product ' + product.name)
- return HttpResponse(content='Saved product ' + product.name)
-
-def find_product(request):
- search = request.GET.get('name', '')
- print('Searching for ' + search)
- products = Product.objects.raw(
- "SELECT * FROM project1_Product where name like '%" + search + "%'")
- return HttpResponse("
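Review bot: `filtered_products` concatenates `request.GET['filter']` straight into the raw SQL string and is reachable without authentication, because the `@login_required` decorator that used to guard `home` now sits on `all_products` only and the new `home` above it dispatches to `filtered_products` for any non-empty `?filter=`; one query parameter therefore both bypasses login and injects SQL. If this is not part of the intentional demo (the templates in this commit advertise a SQL-injection and a broken-access-control exercise), bind the value instead, `products = Product.objects.raw("SELECT * FROM project1_Product where name like %s", ['%' + filter + '%'])`, and move the decorator back onto `home` so both branches are covered. `filter` also shadows the builtin; `query` would read better in both functions.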
".join(map(lambda p: p.name, products)))
+ return HttpResponseRedirect('/')
 @login_required(login_url='/login')
 def import_products(request):
 form = UploadFileForm(request.POST, request.FILES)
 if form.is_valid():
 file = request.FILES['file']
+ parser = make_parser()
+ parser.setFeature(feature_external_ges, True)
+ doc = parse(file, parser=parser)
+ for event, node in doc:
+ if event == pulldom.START_ELEMENT and node.tagName == 'product':
+ doc.expandNode(node)
+ name = node.firstChild.wholeText
+ product = Product.objects.create(name=name)
+ print("Added product ", name)
+ return HttpResponseRedirect('/')
 else:
 return HttpResponse(content="Upload failed.")
 class UploadFileForm(forms.Form):
- file = forms.FileField()
\ No newline at end of file
+ file = forms.FileField()
+
diff --git a/project1/static/products.xml b/project1/static/products.xml
new file mode 100644
index 0000000..a114986
--- /dev/null
+++ b/project1/static/products.xml
@@ -0,0 +1,10 @@
+ + +]> + + Coffee + Tea + Chocholate + &xxe; +
diff --git a/project1/templates/index.html b/project1/templates/index.html
index 8099814..7959b21 100644
--- a/project1/templates/index.html
+++ b/project1/templates/index.html
@@ -2,6 +2,16 @@ + +
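Review bot: `node.firstChild.wholeText` raises `AttributeError` when a `<product>` element is empty (`firstChild` is `None`) or when its first child is a nested element rather than a text node, so a well-formed but unexpected upload becomes a 500 instead of the `Upload failed.` response; guard it with `if node.firstChild is None or node.firstChild.nodeType != node.TEXT_NODE: continue` before reading `wholeText`. A `SAXParseException` from non-XML input is likewise unhandled anywhere in the `if form.is_valid()` branch. `parser.setFeature(feature_external_ges, True)` is the XXE the commit title announces and is presumably deliberate, but `feature_external_pes` is imported and never set, and even with both features off `xml.sax` still expands internal entities, so an entity-expansion (billion-laughs) document would also be accepted by this loop. The import also trusts `node.tagName == 'product'` at any depth, so products nested inside other elements are created as well, which may or may not be intended.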

+

Products:

+ +

+

{% csrf_token %} @@ -12,9 +22,9 @@

-

+
- + Sql injection attack (Get all users of system along with their details)
@@ -25,6 +35,7 @@
+ Use this file to use a XXE Entity vulnerability to expose all users on a Unix system

diff --git a/project1/templates/login.html b/project1/templates/login.html index e065a7e..7f5ee76 100644 --- a/project1/templates/login.html +++ b/project1/templates/login.html @@ -8,6 +8,9 @@
+

+ Want to abuse the broken access control vulnerability and view all products without logging in? Click here +