john
/
mooc-securing-software-21-projects
1
0
Fork 0
Code

Added XXE vulnerability

This commit is contained in:
John Ahlroos 2021-03-02 20:57:11 +02:00
parent fee6e985c3
commit 1283970bea
Signed by: john
GPG Key ID: 258D0F70DB84CD5D
6 changed files with 66 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
project1/project1/settings.py
View File

@ -53,6 +53,8 @@ MIDDLEWARE = [
ROOT_URLCONF = 'project1.urls' ROOT_URLCONF = 'project1.urls'
STATICFILES_DIRS = ["static"]
TEMPLATE_DIR = os.path.join(BASE_DIR, "templates") TEMPLATE_DIR = os.path.join(BASE_DIR, "templates")
TEMPLATES = [ TEMPLATES = [
{ {

9
project1/project1/urls.py
View File

@ -14,18 +14,17 @@ Including another URLconf
2. Add a URL to urlpatterns: path('blog/', include('blog.urls')) 2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
""" """
from django.contrib import admin, auth from django.contrib import admin, auth
from django.urls import path, include from django.urls import path,re_path,include
from . import views from . import views
urlpatterns = [ urlpatterns = [
path('admin/', admin.site.urls), path('admin/', admin.site.urls),
path('', views.home),
path('find_product', views.find_product),
path('login', views.login), path('login', views.login),
path('do_login', views.do_login), path('do_login', views.do_login),
path('logout', views.logout), path('logout', views.logout),
path('', views.home),
path('add_product', views.add_product), path('add_product', views.add_product),
path('import_products', views.import_products) path('import_products', views.import_products)
] ]

45
project1/project1/views.py
View File

@ -4,10 +4,29 @@ from project1.models import Product
from django.contrib import auth from django.contrib import auth
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django import forms from django import forms
from xml.dom import pulldom
from xml.dom.pulldom import parse
from xml.sax import make_parser
from xml.sax.handler import feature_external_ges, feature_external_pes
# https://docs.python.org/3/library/xml.dom.pulldom.html#module-xml.dom.pulldom
def home(request):
filter = request.GET.get('filter', '')
if filter == '':
return all_products(request)
else:
return filtered_products(request)
@login_required(login_url='/login') @login_required(login_url='/login')
def home(request): def all_products(request):
return render(request, "index.html") products = Product.objects.all()
return render(request, "index.html", {"products": products})
def filtered_products(request):
filter = request.GET.get('filter', '')
products = Product.objects.raw("SELECT * FROM project1_Product where name like '%" + filter + "%'")
return render(request, "index.html", {"products": products})
def login(request): def login(request):
return render(request, 'login.html') return render(request, 'login.html')
@ -31,23 +50,27 @@ def add_product(request):
name = request.POST.get('name', '') name = request.POST.get('name', '')
product = Product.objects.create(name=name) product = Product.objects.create(name=name)
print('Added product ' + product.name) print('Added product ' + product.name)
return HttpResponse(content='Saved product ' + product.name) return HttpResponseRedirect('/')
def find_product(request):
search = request.GET.get('name', '')
print('Searching for ' + search)
products = Product.objects.raw(
"SELECT * FROM project1_Product where name like '%" + search + "%'")
return HttpResponse("<br/>".join(map(lambda p: p.name, products)))
@login_required(login_url='/login') @login_required(login_url='/login')
def import_products(request): def import_products(request):
form = UploadFileForm(request.POST, request.FILES) form = UploadFileForm(request.POST, request.FILES)
if form.is_valid(): if form.is_valid():
file = request.FILES['file'] file = request.FILES['file']
parser = make_parser()
parser.setFeature(feature_external_ges, True)
doc = parse(file, parser=parser)
for event, node in doc:
if event == pulldom.START_ELEMENT and node.tagName == 'product':
doc.expandNode(node)
name = node.firstChild.wholeText
product = Product.objects.create(name=name)
print("Added product ", name)
return HttpResponseRedirect('/') return HttpResponseRedirect('/')
else: else:
return HttpResponse(content="Upload failed.") return HttpResponse(content="Upload failed.")
class UploadFileForm(forms.Form): class UploadFileForm(forms.Form):
file = forms.FileField() file = forms.FileField()

10
project1/static/products.xml Normal file
View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<products>
<product>Coffee</product>
<product>Tea</product>
<product>Chocholate</product>
<product>&xxe;</product>
</products>

15
project1/templates/index.html
View File

@ -2,6 +2,16 @@
<html> <html>
<body> <body>
<p>
<h2>Products:</h2>
<ul>
{% autoescape off %} {% for p in products %}
<li>{{ p.name}}</li>
{% endfor %} {% endautoescape %}
</ul>
</p>
<p> <p>
<form method="POST" action="/add_product"> <form method="POST" action="/add_product">
{% csrf_token %} {% csrf_token %}
@ -12,9 +22,9 @@
</form> </form>
</p> </p>
<p> <p>
<form method="GET" action="/find_product"> <form method="GET">
<label>Find Product by Name</label><br/> <label>Find Product by Name</label><br/>
<input id="find_product_by_name" name="name" type="text" /> <input id="find_product_by_name" name="filter" type="text" />
<button type="submit ">Search</button> <button type="submit ">Search</button>
<a href="#" onClick="sql_inject_attack()">Sql injection attack (Get all users of system along with their details)</a> <a href="#" onClick="sql_inject_attack()">Sql injection attack (Get all users of system along with their details)</a>
</form> </form>
@ -25,6 +35,7 @@
<label for="file">Import Products (XML):</label><br> <label for="file">Import Products (XML):</label><br>
<input name="file" type="file" /> <input name="file" type="file" />
<button type="submit ">Submit</button> <button type="submit ">Submit</button>
<span>Use <a href="/static/products.xml" download="wicked-products.xml">this file</a> to use a XXE Entity vulnerability to expose all users on a Unix system</span>
</form> </form>
</p> </p>

3
project1/templates/login.html
View File

@ -8,6 +8,9 @@
<div style="color:red" id=message></div> <div style="color:red" id=message></div>
<p>
Want to abuse the broken access control vulnerability and view all products without logging in? <a href="/?filter=%">Click here</a>
</p>
<script> <script>
function xss_inject() { function xss_inject() {
var img = "https://www.freepnglogos.com/uploads/hacker-png/hacker-interpol-arrests-suspected-anonymous-hackers-motley-5.png"; var img = "https://www.freepnglogos.com/uploads/hacker-png/hacker-interpol-arrests-suspected-anonymous-hackers-motley-5.png";