From 34d9ca0b63e63a3ff659a5cbc1fa22f18adfc758 Mon Sep 17 00:00:00 2001 From: pwned-17 Date: Tue, 4 May 2021 02:34:14 +0530 Subject: [PATCH] A9 :Writeup and Lab Completed --- .all-contributorsrc | 54 +++++++++++++++ README.md | 26 ++++++++ .../introduction/templates/Lab/A10/a10.html | 36 ++++++++++ .../templates/Lab/A10/a10_lab.html | 16 +++++ .../introduction/templates/Lab/A10/debug.log | 65 +++++++++++++++++++ pygoat/introduction/templates/Lab/A9/a9.html | 24 +++++-- .../introduction/templates/Lab/A9/a9_lab.html | 2 +- .../templates/introduction/base.html | 3 - pygoat/introduction/urls.py | 8 +-- pygoat/introduction/views.py | 18 ++++- pygoat/pygoat/settings.py | 25 +++++++ 11 files changed, 260 insertions(+), 17 deletions(-) create mode 100644 .all-contributorsrc create mode 100644 pygoat/introduction/templates/Lab/A10/a10.html create mode 100644 pygoat/introduction/templates/Lab/A10/a10_lab.html create mode 100644 pygoat/introduction/templates/Lab/A10/debug.log diff --git a/.all-contributorsrc b/.all-contributorsrc new file mode 100644 index 000000000..4fc080b3c --- /dev/null +++ b/.all-contributorsrc 
@@ -0,0 +1,54 @@
+{
+ "files": [
+ "README.md"
+ ],
+ "imageSize": 100,
+ "commit": false,
+ "contributors": [
+ {
+ "login": "pwned-17",
+ "name": "pwned-17",
+ "avatar_url": "https://avatars.githubusercontent.com/u/61360833?v=4",
+ "profile": "https://github.com/pwned-17",
+ "contributions": [
+ "code"
+ ]
+ },
+ {
+ "login": "prince-7",
+ "name": "Aman Singh",
+ "avatar_url": "https://avatars.githubusercontent.com/u/53997924?v=4",
+ "profile": "https://github.com/prince-7",
+ "contributions": [
+ "code"
+ ]
+ },
+ {
+
+ "login": "adeyosemanputra",
+ "name": "adeyosemanputra",
+ "avatar_url": "https://avatars.githubusercontent.com/u/24958168?v=4",
+ "profile": "https://github.com/adeyosemanputra",
+"contributions": [
+ "code",
+ "doc"
+ ]
+ },
+ {
+ "login": "gaurav618618",
+ "name": "gaurav618618",
+ "avatar_url": "https://avatars.githubusercontent.com/u/29380890?v=4",
+ "profile": "https://github.com/gaurav618618",
+ "contributions": [
+ "code",
+ "doc"
+ ]
+ }
+ ],
+ "contributorsPerLine": 7,
+ "projectName": "pygoat",
+ "projectOwner": "adeyosemanputra",
+ "repoType": "github",
+ "repoHost": "https://github.com",
+ "skipCi": true
+}
diff --git a/README.md b/README.md
index e34ea887a..821a0e887 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,7 @@
 # pygoat
+ +[![All Contributors](https://img.shields.io/badge/all_contributors-3-orange.svg?style=flat-square)](#contributors-) + intentionally vuln web Application Security in django. our roadmap build intentionally vuln web Application in django. The Vulnerability can based on OWASP top ten @@ -24,3 +27,26 @@ To setup the project on your local machine: The project will be available at 127.0.0.1:8000. + +## Contributors ✨ + +Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)): + + + + + + + + + + + +

pwned-17

💻

Aman Singh

💻

adeyosemanputra

💻 📖

gaurav618618

💻 📖
+ + + + + + +This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome! \ No newline at end of file diff --git a/pygoat/introduction/templates/Lab/A10/a10.html b/pygoat/introduction/templates/Lab/A10/a10.html new file mode 100644 index 000000000..7e75051ee --- /dev/null +++ b/pygoat/introduction/templates/Lab/A10/a10.html @@ -0,0 +1,36 @@ +{% extends 'introduction/base.html' %} +{% block content %} +{% block title %} +Insufficient Logging & Monitoring +{% endblock %} +
+

Insufficient Logging & Monitoring

+
+

What does Insufficient Logging & Monitoring means?

+

+ +

+ +
+

+ +

+
+
+
+
+

Mitigation

+

+

    +
  • +
  • +
  • +
  • +
+

+
+
+ + + +{% endblock %} \ No newline at end of file diff --git a/pygoat/introduction/templates/Lab/A10/a10_lab.html b/pygoat/introduction/templates/Lab/A10/a10_lab.html new file mode 100644 index 000000000..d14e114e0 --- /dev/null +++ b/pygoat/introduction/templates/Lab/A10/a10_lab.html @@ -0,0 +1,16 @@ +{% extends "introduction/base.html" %} +{% load static %} +{% block content %} +{% block title %} +Insufficient Logging & Monitoring +{% endblock %} + +
+

+ There have been recent attempts from hackers to break into the website, The hackers created a superuser can you find out what credentials were used. +

+
+ + + +{% endblock %} \ No newline at end of file diff --git a/pygoat/introduction/templates/Lab/A10/debug.log b/pygoat/introduction/templates/Lab/A10/debug.log new file mode 100644 index 000000000..3a89134a7 --- /dev/null +++ b/pygoat/introduction/templates/Lab/A10/debug.log 
@@ -0,0 +1,65 @@ +INFO "GET /admin?username=Hacker&password=Hacker HTTP/1.1" 301 0 +INFO "GET /admin/?username=Hacker&password=Hacker HTTP/1.1" 200 5536 +INFO "GET /static/admin/css/dashboard.css HTTP/1.1" 304 0 +INFO "GET /static/admin/css/base.css HTTP/1.1" 304 0 +INFO "GET /static/admin/css/responsive.css HTTP/1.1" 304 0 +INFO "GET /static/admin/css/fonts.css HTTP/1.1" 304 0 +INFO "GET /static/admin/img/icon-addlink.svg HTTP/1.1" 304 0 +INFO "GET /static/admin/img/icon-changelink.svg HTTP/1.1" 304 0 +INFO "GET /static/admin/fonts/Roboto-Light-webfont.woff HTTP/1.1" 304 0 +INFO "GET /static/admin/fonts/Roboto-Regular-webfont.woff HTTP/1.1" 304 0 +INFO "GET /static/admin/fonts/Roboto-Bold-webfont.woff HTTP/1.1" 304 0 +INFO "GET /admin/logout/ HTTP/1.1" 200 1207 +INFO "GET /admin/logout/ HTTP/1.1" 302 0 +INFO "GET /admin/ HTTP/1.1" 302 0 +INFO "GET /admin/login/?next=/admin/ HTTP/1.1" 200 1913 +INFO "GET /static/admin/css/login.css HTTP/1.1" 304 0 +INFO Watching for file changes with StatReloader +INFO "GET /get_version HTTP/1.1" 200 8619 +INFO "GET /a10 HTTP/1.1" 200 8783 +INFO "GET /a10_lab HTTP/1.1" 200 8336 +WARNING Not Found: /debug.log +WARNING "GET /debug.log HTTP/1.1" 404 7841 +INFO "GET /debug HTTP/1.1" 200 1165 +INFO "GET /a9 HTTP/1.1" 200 10163 +INFO "GET /a9_lab HTTP/1.1" 200 8608 +INFO "POST /a9_lab HTTP/1.1" 200 8713 +INFO "GET /get_version HTTP/1.1" 200 8619 +INFO "GET /a9 HTTP/1.1" 200 10937 +INFO "GET /static/Lab/xss.js HTTP/1.1" 304 0 +INFO "GET /static/Lab/xss.js HTTP/1.1" 304 0 +INFO "GET /a9_lab HTTP/1.1" 200 8608 +INFO "POST /a9_lab HTTP/1.1" 200 8713 +INFO "GET /a9_lab HTTP/1.1" 200 8608 +INFO "GET /a9 HTTP/1.1" 200 10918 +INFO "GET /a9 HTTP/1.1" 200 10902 +INFO "GET /a9_lab HTTP/1.1" 200 8608 +INFO "POST /a9_lab HTTP/1.1" 200 8713 +INFO "GET /a9 HTTP/1.1" 200 10907 +INFO "GET /a9 HTTP/1.1" 200 10911 +INFO "GET /a9_lab HTTP/1.1" 200 8608 +INFO "POST /a9_lab HTTP/1.1" 200 8694 +INFO "POST /a9_lab HTTP/1.1" 200 8694 +INFO "POST /a9_lab 
HTTP/1.1" 200 8694 +INFO "POST /a9_lab HTTP/1.1" 200 8713 +INFO A:\wsl\Pygoat\pygoat\pygoat\introduction\views.py changed, reloading. +INFO Watching for file changes with StatReloader +INFO "POST /a9_lab HTTP/1.1" 200 8713 +INFO "POST /a9_lab HTTP/1.1" 200 8673 +INFO "GET /a10 HTTP/1.1" 200 8783 +INFO "GET /a9 HTTP/1.1" 200 10911 +INFO "GET /a9 HTTP/1.1" 200 10961 +INFO "GET /a9 HTTP/1.1" 200 10965 +INFO "GET /a9 HTTP/1.1" 200 10843 +INFO "GET / HTTP/1.1" 200 8157 +INFO "GET /bau HTTP/1.1" 200 13031 +INFO "GET /xxe HTTP/1.1" 200 12993 +INFO "GET /ba HTTP/1.1" 200 10581 +INFO "GET /ba HTTP/1.1" 200 10581 +INFO "GET /ba HTTP/1.1" 200 10581 +INFO "GET /sec_mis HTTP/1.1" 200 10639 +INFO "GET /xss HTTP/1.1" 200 14803 +INFO "GET /sec_mis HTTP/1.1" 200 10639 +INFO "GET /insec_des HTTP/1.1" 200 11814 +INFO "GET /a9 HTTP/1.1" 200 10843 +INFO "GET /a10 HTTP/1.1" 200 8661 diff --git a/pygoat/introduction/templates/Lab/A9/a9.html b/pygoat/introduction/templates/Lab/A9/a9.html index 7040f57ab..5656e9d1d 100644 --- a/pygoat/introduction/templates/Lab/A9/a9.html +++ b/pygoat/introduction/templates/Lab/A9/a9.html @@ -15,11 +15,23 @@

What is Using Components with Know Vulnerability means?

- This lab helps us to understand some areas where this threat can occur. -
The user on accessing the lab is given with certain libraries used by jack in his project. - Try to identify if they are safe or vulnerable. - - + This lab helps us to understand why components with know vulnerability can be a serious issue. +
+ The user on accessing the lab is provided with a feature to convert yaml files into json objects. + The user needs to choose an yaml file and click upload to get the json data. + There is also a get version feature which tells the user the version of the library the app uses. + + Exploiting the vulnerability. +

    +
  • The app uses pyyaml 5.1 Which is vulnerable to code execution.
  • +
  • You can google the library with the version to get the poc and vulnerability details
  • +
  • Create An yaml file with this payload:
  • + !!python/object/apply:subprocess.Popen
    + - ls +
    +
  • On Uploading this file the user should be able to see the output of the command executed.
  • + +

@@ -29,7 +41,7 @@

What is Using Components with Know Vulnerability means?

-

Mitigation

+

Mitigation

diff --git a/pygoat/introduction/urls.py b/pygoat/introduction/urls.py index 4b2d9c7f2..78a60462e 100644 --- a/pygoat/introduction/urls.py +++ b/pygoat/introduction/urls.py @@ -33,9 +33,9 @@ path("secret", views.secret, name="Secret key for A6"), path("a9",views.a9,name="A9"), path("a9_lab",views.a9_lab,name="A9 LAb"), - path("get_version",views.get_version,name="Get Version") - - - + path("get_version",views.get_version,name="Get Version"), + path("a10",views.a10,name="A10"), + path("a10_lab",views.a10_lab,name="A10 LAb"), + path("debug",views.debug,name="debug"), ] \ No newline at end of file diff --git a/pygoat/introduction/views.py b/pygoat/introduction/views.py index 8028727fd..94c97e0d7 100644 --- a/pygoat/introduction/views.py +++ b/pygoat/introduction/views.py @@ -256,8 +256,12 @@ def a9_lab(request): try : file=request.FILES["file"] - data = yaml.load(file) - return render(request,"Lab/A9/a9_lab.html",{"data":data}) + try : + data = yaml.load(file) + return render(request,"Lab/A9/a9_lab.html",{"data":data}) + except: + return render(request, "Lab/A9/a9_lab.html", {"data": "Error"}) + except: return render(request, "Lab/A9/a9_lab.html", {"data":"Please Upload a Yaml file."}) @@ -266,7 +270,15 @@ def get_version(request): +#*********************************************************A10*************************************************# +def a10(request): + return render(request,"Lab/A10/a10.html") +def a10_lab(request): + return render(request,"Lab/A10/a10_lab.html") - +def debug(request): + response = render(request,'Lab/A10/debug.log') + response['Content-Type'] = 'text/plain' + return response diff --git a/pygoat/pygoat/settings.py b/pygoat/pygoat/settings.py index 540bc664b..654f3e47d 100644 --- a/pygoat/pygoat/settings.py +++ b/pygoat/pygoat/settings.py @@ -11,6 +11,7 @@ """ import os +import logging # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) 
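Review bot: `path("debug",views.debug,name="debug")` registers the raw server log as a public, unauthenticated route, which appears to be the A10 lab's intended weakness rather than an oversight; a comment on that line would stop a later contributor from "fixing" it and silently breaking the lab, e.g. `# A10 lab: intentionally exposes the server log without authentication`. The new `name="A10 LAb"` copies the odd casing of the existing `"A9 LAb"`; `name="A10 Lab"` would match the `"A10"` entry above it. The list these entries belong to starts outside the hunk.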
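Review bot: Both `except:` clauses in a9_lab are bare, so they also catch `KeyboardInterrupt` and `SystemExit`, and the inner one added here hides whatever the parser raised behind the fixed `"Error"` string; `except Exception:` on both keeps the lab's behaviour while letting interpreter-level exceptions propagate. `yaml.load(file)` without an explicit `Loader` looks like the lab's deliberate weak point (the a9.html text in this commit describes it), so it should stay, but it deserves a one-line marker so nobody cleans it up by accident, e.g. `# A9 lab: deliberately calls yaml.load() without a Loader - do not "fix"`. The `def a9_lab(request):` line is outside the hunk.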
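Review bot: `debug` hands `'Lab/A10/debug.log'` to `render()`, so the log is loaded and parsed by the Django template engine before it is sent: request lines are written into that file by the LOGGING config in this same commit, and a request path containing `{%` or an unterminated `{{` would make the page fail with a TemplateSyntaxError (a 500) instead of showing the log, while `{{ ... }}` sequences are silently rendered away. Reading the file directly and returning `HttpResponse(log_text, content_type='text/plain')` avoids the template pass and also removes the manual `response['Content-Type']` assignment; if the template route is kept for now, `render(request, 'Lab/A10/debug.log', content_type='text/plain')` at least replaces that assignment. The template lookup and the handler's relative `./introduction/templates/...` path only meet when the server is started from the project directory, so deriving the path from `BASE_DIR` (defined in settings.py) keeps the view and the handler in step. Whether `os`, `settings` and `HttpResponse` are already imported in views.py is not visible in this hunk.
```python
def debug(request):
    # A10 lab: deliberately serves the server log without authentication.
    # Read it as plain text rather than through render(): the template
    # engine would otherwise parse {{ / {% sequences that requests write into it.
    log_path = os.path.join(settings.BASE_DIR, 'introduction', 'templates', 'Lab', 'A10', 'debug.log')
    with open(log_path, encoding='utf-8', errors='replace') as log_file:
        return HttpResponse(log_file.read(), content_type='text/plain')
```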
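Review bot: The added `import logging` is not referenced by the new `LOGGING` dict, which names the handler by its dotted string `'logging.FileHandler'` rather than the class object, so unless some part of settings.py not shown here uses it the import is dead and should be dropped. If it is meant to support a later switch to a class reference, a short comment saying so would explain why it is there.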
@@ -122,3 +123,27 @@ STATIC_URL = '/static/' +LOGGING ={ + 'version': 1, + 'loggers': { + 'django': { + 'handlers': ['file'], + 'level': 'DEBUG' + } + }, + 'handlers': { + 'file': { + 'level': 'INFO', + 'class': 'logging.FileHandler', + 'filename': './introduction/templates/Lab/A10/debug.log', + 'formatter': 'simpleRe', + } + }, + 'formatters': { + 'simpleRe': { + 'format': '{levelname} {message}', + 'style': '{', + } + } +} +
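Review bot: The handler's `'filename': './introduction/templates/Lab/A10/debug.log'` is resolved against the process working directory, and `logging.FileHandler` opens the file when logging is configured, so starting the server from any other directory either fails at startup or writes the log somewhere the A10 `debug` view will never find; `'filename': os.path.join(BASE_DIR, 'introduction', 'templates', 'Lab', 'A10', 'debug.log'),` pins it to the project using the `BASE_DIR` this file already defines. Because the `django` logger feeds every request line into the file and nothing caps it, the served log grows without bound for as long as the app runs; that is probably acceptable for a lab, but it is worth stating. A comment above `LOGGING` should say that the destination is inside the templates tree on purpose, since it is the file the A10 lab exposes, e.g. `# A10 lab: request log is written under templates/ so the /debug view can serve it`.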