Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision
  • master
1 result

Target

Select target project
  • nicolas.senecaux.etu/isi-tp2-injection
  • benjamin.pianet.etu/isi-tp2-injection
  • madouvi.hounsi.etu/isi-tp2-injection-ml
  • ainatiavina.ratefiarivony.etu/isi-tp2-injection
  • sanasadat.mirahsani.etu/isi-tp2-injection
  • samir.sadallah.etu/isi-tp2-injection
  • marwane.ouaret.etu/isi-tp2-injection
  • fabio.vandewaeter.etu/isi-tp2-injection
  • francois.gibier.etu/isi-tp2-injection
  • renaud.fondeur.etu/isi-tp2-injection
  • nathan.gerussi.etu/isi-tp-2-final
  • lucas.philippe.etu/isi-tp2-injection
  • pierre.lague.etu/isi-tp2-injection
  • victor.truyen.etu/isi-tp-2-injection-truyen
  • nathan.gerussi.etu/isi-tp2-injection
  • audrey.bilon.etu/isi-tp2-injection
  • valentin.bout.etu/isi-tp2-injection
  • anouar.fayk.etu/isi-tp2-injection
  • sara.saoudi.etu/isi-tp2-injection
  • elouan.markgraf.etu/isi-tp2-injection
  • joel.muakansilulu.etu/isi-tp2-injection
  • chialing.an.etu/isi-tp2-injection
  • cyril.guffroy.etu/isi-tp2-injection
  • anisse.benabdallah.etu/isi-tp2-injection
  • elhadjabdoulaye.diallo.etu/isi-tp2-injection
  • clement.dessingue.etu/isi-tp2-injection
  • adrien.morel2.etu/isi-tp2-injection
  • selma.hamlati.etu/isi-tp2-injection
  • cedric.bevilacqua.etu/isi-tp2-injection
  • aboubakarsiriki.diakite.etu/isi-tp2-injection
  • salim.oufriche.etu/isi-tp2-injection
  • julien.michot.etu/isi-tp2-injection
  • fabien.merceret.etu/isi-tp2-injection
  • robin.gallifa.etu/isi-tp2-injection
  • elmehdi.amine.etu/isi-tp2-injection
  • quentin.prognon.etu/isi-tp2-injection
  • ryan.rossez.etu/isi-tp2-injection
  • quentin.dinel.etu/isi-tp2-injection
  • aridath.salami.etu/isi-tp2-injection
  • victorien.delbano.etu/isi-tp2-injection
  • louis.laurent.etu/isi-tp2-injection
  • quentin.bouchard.etu/isi-tp2-injection
  • hippolyte.larzul.etu/isi-tp2-injection
  • ludovic.jozeau.etu/isi-tp2-injection
  • adrian.rosin.etu/isi-tp2-injection
  • benjamin.lemaire.etu/isi-tp2-injection
  • celia.oukaid.etu/isi-tp2-injection
  • thomas.brunet.etu/isi-tp2-injection
  • victor.roy.etu/isi-tp2-injection
  • thitouane.helle.etu/isi-tp2-injection
  • florent.maes.etu/isi-tp2-injection
  • louis.verdon.etu/isi-tp2-injection
  • martin.birlouez.etu/isi-tp2-injection
  • lucas.jourdain.etu/isi-tp2-injection
  • lucas.hennebicq.etu/isi-tp2-injection
  • louise.delbecque.etu/isi-tp2-injection
  • ilias.elabbassi.etu/isi-tp2-injection
  • luka.claeys.etu/isi-tp2-injection
  • hugo.sirard.etu/isi-tp2-injection
  • jeremy.curoux.etu/isi-tp2-injection
  • jules.bompard.etu/isi-tp2-injection
  • zakarya.elmazdoula.etu/isi-tp2-injection
  • pierre.graux/isi-tp2-injection
  • pascalsebastien.agba.etu/isi-tp2-injection
  • yaakoub.leguennec.etu/isi-tp2-injection
  • abdoulmatine.diallo.etu/isi-tp2-injection
  • reem.daoud.etu/isi-tp2-injection
  • antoine.bearez.etu/isi-tp2-injection
  • selim.lakhdar.etu/isi-tp2-injection
  • theo.pires.etu/isi-tp2-injection
  • clement.saulquin.etu/isi-tp2-injection
  • hugo.monfleur.etu/isi-tp2-injection
  • paul.leratlambert.etu/isi-tp2-injection
  • mohamedsaid.hammoudi.etu/isi-tp2-injection
  • alexandre.perseval.etu/isi-tp2-injection
  • alix.delbroucq.etu/isi-tp2-injection
  • audrey.dewaele.etu/isi-tp2-injection
  • cheick.fofana2.etu/isi-tp2-injection
  • ahmad.almosaalmaksour.etu/isi-tp2-injection
  • justin.bescop.etu/isi-tp2-injection
  • thiernoamadou.bah.etu/isi-tp2-injection
  • leo.mans.etu/isi-tp2-injection
  • eldin.smakic.etu/isi-tp2-injection
  • samy.boumahdi.etu/isi-tp2-injection
  • ziyue.zhou.etu/isi-tp2-injection
  • salma.elmoukhlis.etu/isi-tp2-injection
  • philippe.lesueur.etu/isi-tp2-injection
  • hocine.bouali.etu/isi-tp2-injection
  • alexis.finard.etu/isi-tp2-injection
  • hamza.ezzinaoui.etu/isi-tp2-injection
  • lisa.medah.etu/isi-tp2-injection
  • sebastien.bart.etu/isi-tp2-injection
  • yves.saidokibundila.etu/isi-tp2-injection
  • nordine.elammari.etu/isi-tp2-injection
  • kevin.nguyen.etu/isi-tp2-injection
  • florian.dendoncker.etu/isi-tp2-injection
  • vincent.samier.etu/isi-tp2-injection
  • etienne.sekkourialaoui.etu/isi-tp2-injection
  • pierre.michiels.etu/isi-tp2-injection
  • theo.denoyelle.etu/isi-tp2-injection
  • rayane.adaoun.etu/isi-tp2-injection
  • thiernosouleymane.bah.etu/isi-tp2-injection
  • loic.bontemps.etu/isi-tp2-injection
  • aymeric.lefeyer.etu/isi-tp2-injection
  • donovan.souvanthong.etu/isi-tp2-injection
  • julien.vanryssel.etu/isi-tp2-injection
  • mikolai.krol.etu/isi-tp2-injection
  • dounia.aggoune.etu/isi-tp2-injection
  • adrien.meunier.etu/isi-tp2-injection
  • youva.mokeddes.etu/isi-tp2-injection
  • nordine.feddal.etu/isi-tp2-injection
  • giuseppe.lipari/isi-tp2-injection
112 results
Select Git revision
  • master
1 result
Show changes
Commits on Source (6)
/config.py
English version here [README_en.md](README_en.md).
# TP: Etude d'un programme vulnérable en Python (Application Web)
Au cours de ce TP, vous allez étudier une application web minimaliste, qui est vulnérable à une faille d'injection SQL.
......@@ -20,7 +22,7 @@ Dans ce dépôt, vouz trouverez le fichier `serveur.py` contenant le source pyth
Un environnement virtuel Python3 est une sorte d'installation indépendante et auto-suffisante de Python3, qui sera placée dans votre dossier personnel, et dans laquelle vous pouvez installer des modules Python3 sans avoir besoin des droits root, ni de toucher au reste du système.
Si vous travaillez avec votre propre machine, assurez vous d'abord d'avoir installé l'outil de création d'environnement virtuel (sous Ubuntu/Debian: `sudo apt install python3-venv`)
Si vous travaillez avec votre propre machine, assurez vous d'abord d'avoir installé l'outil de création d'environnement virtuel (sous Ubuntu/Debian: `sudo apt-get update && sudo apt install python3-venv`)
Ensuite, préparez l'environnement virtuel avec la commande suivante (où `<nom de dossier>` est à remplacer par le nom du dossier qui contiendra votre environnement virtuel)
......@@ -57,7 +59,33 @@ Le module `cherrypy` est un framework d'applications Web en python, le module `m
### Création de la table MySQL
Pour créer la table qui servira à l'application, connectez vous à votre base de données MySQL avec l'outil de votre choix, et créez la table suivante:
Si vous utilisez une machine virtuelle Cloud de l'université, vous devez
installer le serveur mysql avec:
```
sudo apt install mysql-server
```
puis ensuite créer une base de données et un utilisateur:
```
sudo mysql
mysql> CREATE DATABASE isitp2;
mysql> CREATE USER 'isitp2'@'localhost' IDENTIFIED BY 'choisissezUnMotDePasse';
mysql> GRANT ALL PRIVILEGES ON isitp2.* TO 'isitp2'@'localhost';
```
Connectez vous à votre base de données MySQL comme ceci:
```
mysql -p -u isitp2 isitp2
Enter password: [tapez ici le mot de passe que vous avez choisi]
```
Une fois l'invite "mysql>" affiché, entrez la commande suivante pour créer la table:
```
CREATE TABLE chaines (
......@@ -68,8 +96,13 @@ CREATE TABLE chaines (
);
```
### Configuration de l'accès à la base de données
Vous devirez voir la réponse suivante:
```
Query OK, 0 rows affected (0.06 sec)
```
### Configuration de l'accès à la base de données
i
Renommez (ou copiez) le fichier de configuration de base de données `config.py.sample` en `config.py` et éditez le pour y mettre les informations d'accès à votre base MySQL.
Etant donné que le fichier `config.py` contient le mot de passe de votre serveur MySQL, vous prendez garde à ne pas le commit sur votre dépôt git (vous pouvez, par exemple, l'ajouter au `.gitignore`).
......@@ -97,6 +130,11 @@ Si cela fonctionne, vous aurez une ligne du type:
Vous devrez garder ce terminal ouvert pendant toute l'utilisation du serveur. Pour le stopper, faites un Ctrl-C dans le terminal où vous l'avez lancé.
Si vous utilisez une machine virtuelle Cloud de l'université, vous devrez vous devrez créer un tunnel SSH pour pouvoir acceder a l'application vulnérable depuis votre navigateur de salle de TP:
```
$ ssh <votre utilisateur VM>@<votre IP de VM> -L 8080:127.0.0.1:8080
```
Ensuite, allez sur `http://localhost:8080` avec votre navigateur, et testez le fonctionnement de la page. Notamment:
* Testez l'ajout d'une donnée via le formulaire, et vérifiez qu'elle est rajoutée en base de donnée
* Regardez le source de la page web
......@@ -142,7 +180,7 @@ Essayez d'insérer dans la base de données des chaines qui comportent des carac
En utilisant `curl`, et si besoin après avoir révisé le cours sur les injections SQL, réalisez une injection SQL qui insérer une chaine dans la base de données, tout en faisant en sorte que le champ `who` soit rempli avec ce que vous aurez décidé (et non pas votre adresse IP). Verifiez que cela a fonctionné ensuite.
L'exploitation d'injections SQL n'est pas limitée à la destruction de données. En supposant l'existence d'une autre table dans la base, imaginez un moyen d'utiliser cette faille d'injection SQL pour obtenir des informations sur les données de cette autre table (il n'est pas demandé de l'implémenter, mais d'expliquer une approche envisageable)
L'exploitation d'injections SQL n'est pas limitée à la corruption de données. En supposant l'existence d'une autre table dans la base, imaginez un moyen d'utiliser cette faille d'injection SQL pour obtenir des informations sur les données de cette autre table (il n'est pas demandé de l'implémenter, mais d'expliquer une approche envisageable)
#### Question 4 : Corriger l'application vulnérable
......
Version française ici [README.md](README.md).
# Lab: Study of a vulnerable program in Python (Web Application)
During this lab, your are going to study a minimalist web application
which is vulnerable to an SQL injection.
Prerequisite are:
* A Linux PC with Python 3
* An access to a MySQL server (on your machine, or elsewhere, no matter)
* Being able to program in Python
* Knowing the basis of HTML, javascript and SQL
* Having watched the lesson on SQL injection
You can use your OpenStack machine, as in the last subject on UNIX permissions.
You can also use the OVA image available at: https://nextcloud.univ-lille.fr/index.php/s/BMawwN5m8AcT9oJ
## Preparation
In this repository, you will find the file `serveur.py` which contains the python source code of the vulnerable server.
### Preparation of a Python3 virtual environment
A Python3 virtual environment is a kind of independent installation and self-sufficient of Python3, which will be placed in your personal folder, and in which you can install Python3 module without needing root rights, and without touching the rest of the system.
If you work with your own machine, be sure to have properly installed the virtual environment creation tool (on Ubuntu/Debian: `sudo apt install python3-venv`).
Then, prepare the virtual environment with the following command (where `<folder name>` should be replaced by the folder name that will contain your virtual environment).
```
python3 -m venv <folder name>
```
For example: `python3 -m venv myLabEnv`
### Virtual environment activation
To work with the virtual environment that you have prepare, you need first to activate it using the following command:
```
source <path to your virtual environment>/bin/activate
```
For example: `source myLabEnv/bin/activate`
This activation persists only during the ongoing shell/terminal session, and should be re-done if you disconnect, or if you relaunch a terminal. To known if the virtual environment is activated, you can verify that its name appears, in parenthesis, in you shell prompt.
For now on, all steps that should be realised in this lab (including the next preparation steps) requires the virtual environment to be activated.
### Required Python3 modules installation
Install required modules in your environment (don't forget that it needs to be activated) by executing the following commands:
```
pip3 install cherrypy
pip3 install mysql-connector-python
```
The module `cherrypy` is a Web application framework in python, the module `mysql-connector-python` allows to connect to a MySQL base.
### MySQL table creation
To create the table that will be used by the application, connect to your MySQL database with your favorite tool, and create the following table:
```
CREATE TABLE chaines (
id int NOT NULL AUTO_INCREMENT,
txt varchar(255) not null,
who varchar(255) not null,
PRIMARY KEY(id)
);
```
### Configuration of the database access
Rename (or copy) the database configuration file `config.py.sample` to `config.py` and edit it to add the information for accessing to your MySQL datatbase.
Given that the file `config.py` contains your MySQL server password, be careful not to commit it on your git repository (you can, for example, add it to the `.gitignore`).
## Work to be done
### Getting to known with the application
Launch the application with the following command (being in the git repository folder, and with the virtual environment activated):
```
./serveur.py
```
The common errors that you may encounter while launching the server are:
* File `serveur.py` not found: verify that your are well placed in the git repository folder.
* Modules not found (cherrypy or mysql connector): be sure that the virtual environment is activated
* Connection problem to the database: verify that the given informations in `config.py` are correct
* Port 8080 already in used: verify that an other server is not already listening the port 8080 (potentially an other instance of `serveur.py` launched in an other terminal)
If it works, you will have a line like:
```
[03/Dec/2020:13:10:03] ENGINE Serving on http://127.0.0.1:8080
```
You need to keep this terminal opened during all the server usage. To stop it, type Ctrl-C in the terminal you launched it.
Next, go to `http://localhost:8080` with your web browser, and test the page operation. Especially:
* Test the data addition using the form, and verify that the data is added in the database
* Look the source code of the web page
* Look the source code of the program serveur.py
The application allows to add strings in a table of the database (in the column txt), while logging the IP address of the string sender (in the column who)
You can look the CherryPy documentation at https://cherrypy.org/ and the python MySQL connector documentation at https://dev.mysql.com/doc/connector-python/en/
### Find a first vulnerability (SQL injection)
Remainder: the SQL injection vulnerability happens when an SQL requests is build non-securely, for example by concatenating strings, using elements given by a potential malicious user.
Thus, if we suppose that a request built as follows, even though the variable `value` is controlled by the used
```
request = "SELECT * FROM table WHERE champ='" + value "';"
```
If the value given by the user is: `'; <other SQL command>; --`, then
the request variable will have the following value: `SELECT * FROM table WHERE champ=''; <other SQL command>;
--';` and the other SQL command will be executed.
Without adding a second command to execute, it is possible to modify the SQL request to perform non-indented behavior.
For example, if the value given by the user is `' OR 1=1 --`, then
the SQL request will be: `SELECT * FROM table WHERE champ='' OR 1=1`, which will return all the data of the table.
Look at the `serveur.py` source code to find an SQL injection vulnerability. For helping purposes, you can also print the MySQL request by adding a `print(request)` in the method `index`.
Look the web page source code from your web browser. A mechanism has been setup to try to avoid the vulnerability exploitation.
#### Question 1
Answer the following questions:
* What is this mechanism?
* Is it effective? Why?
#### Question 2: Bypassing validation mechanism
Using the tool `curl`, propose a command that allows to send the form data to the server without passing through the validation. You can use the development tools of your browser, which allows to create automatically a `curl` command line from an http request: https://ec.haxx.se/usingcurl/usingcurl-copyas
Try to insert in the database some strings that contains characters that are forbidden by the validation, and verify that they are well inserted in the table.
#### Question 3: Vulnerability exploitation
Using `curl`, and after reading the SQL injection lesson if needed, realise an SQL injection that insert a string in the database and is able to choose the content of the filed `who` (insert something different than your IP address). Check that it works properly.
SQL injections exploitation is not limited to data destruction. Assuming that an other table exists in the database, imagine a way to use this SQL injection to obtain information on the data stored on the other table (it is not required to implement it, but explain a possible approach)
#### Question 4: Patching the vulnerable application
* Correct the security flaw in the application. You can read https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/ to have an idea on how to do it.
* Try again the flaw exploitation developed earlier, check that the application is no longer vulnerable.
### Find an other vulnerability (XSS)
Remainder: ab XSS flaw happens when a potential malicious user can inject HTML tags in a page, that will be interpreted by the web browser.
If a web service sends a page whose content is stored in this string variable:
```
page_content = "<p> Hello, " + name + "</p>"
```
If a malicious user can control the content of the variable `name`, then it can add HTML tags, that will be interpreted by the browser. That constitutes a security flaw, because one of theses tags is the tag `<script>`, which allows to execute javascript code on the browser. This javascript code can then perform malicious actions, such as session cookie stealing ...
Look at `server.py` to find an XSS vulnerability.
#### Question 5: XSS flaw exploitation
* First, using `curl` inject a script tag that print a dialog box on the screen of the visiting user. For information, the javascript syntax is: `alert('Hello!')`
* The, using `curl` exploit the XSS flaw that allows to steal the cookies of users that visit the page.
TO do this, a possible way is write a javascript code that modifies `document.location`, to redirect victims to the URL of a server you control, such that the content of the request contains the informations useful to steal.
You can find needed information here:
https://developer.mozilla.org/fr/docs/Web/API/Document/location
You can simulate a server to retrieve the information stolen using the following command:
```
nc -l -p <port number>
```
Thus, if someone goes to the URL `http://<your IP>:<port number>`, the full request will be printed by `nc` (be careful, it only works one time, you need to relaunch the nc command before each new try)
#### Question 6: Patching the flaw
Correct the XSS flaw in the file `server.py`, you can for example use
the `escape` function of the `html` python module.
Where this processing should be? At the database insertion time, at
the printing time, both? Why?
Try again the flaw exploitation developed earlier, and verify that the application is no longer vulnerable.
#!/usr/bin/env python3
DB_HOST="localhost"
DB_USER="isi"
DB_NAME="isi"
DB_PASS="toto"
#!/usr/bin/env python3
DB_HOST="localhost" #Laissez localhost ici
DB_USER="isi" #Mettez ici le nom d'utilisateur que vous avez créé pour votre base de données
DB_NAME="isi" #Mettez ici le nom de la base de données
DB_PASS="toto" #Mettez ici le mot de passe
......@@ -19,7 +19,7 @@ Nom, Prénom, email: ___
## Question 3
* Votre commande curl pour effacer la table
* Votre commande curl qui va permettre de rajouter une entree en mettant un contenu arbutraire dans le champ 'who'
* Expliquez comment obtenir des informations sur une autre table
......
......@@ -10,6 +10,7 @@ class VulnerableApp(object):
@cherrypy.expose
def index(self, **post):
cherrypy.response.cookie["ExempleCookie"] = "Valeur du cookie"
cursor = self.conn.cursor()
if cherrypy.request.method == "POST":
requete = "INSERT INTO chaines (txt,who) VALUES('" + post["chaine"] + "','" + cherrypy.request.remote.ip + "')"
......