From 7f3bb8d26d5331658baea9182265a4975ad42abf Mon Sep 17 00:00:00 2001
From: Madhav Mehndiratta
Date: Wed, 22 Mar 2023 03:11:50 +0530
Subject: [PATCH] Create: Command Injection Lab 2
---
Solutions/solution.md | 11 ++++++-
introduction/templates/Lab/CMD/cmd.html | 34 ++++++++++++++++++--
introduction/templates/Lab/CMD/cmd_lab2.html | 32 ++++++++++++++++++
introduction/urls.py | 1 +
introduction/views.py | 19 +++++++++++
5 files changed, 94 insertions(+), 3 deletions(-)
create mode 100644 introduction/templates/Lab/CMD/cmd_lab2.html
diff --git a/Solutions/solution.md b/Solutions/solution.md
index 56e9f8310..769ee62bd 100644
--- a/Solutions/solution.md
+++ b/Solutions/solution.md
@@ -21,7 +21,7 @@ On Successful injection
![image](https://user-images.githubusercontent.com/61360833/118371252-5986ea00-b5c9-11eb-9efb-6beedd558f56.png)
-### Command Injection
+### Command Injection Lab 1
The user on accessing the lab is provided with a feature to perform a name server lookup on the given domain. The user has to give a domain name and the server would perform a ns lookup and return back to the client. If the user is running the lab, based on the OS he can select Windows or Linux.
The user can cause the server to execute commands ,because of the lack of input validation.
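Review bot: renaming the heading from "Command Injection" to "Command Injection Lab 1" also changes its auto-generated anchor (`#command-injection` becomes `#command-injection-lab-1`), so any table of contents or README link that targets the old anchor will break; grep the repo for `#command-injection` and update those links in the same commit.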
@@ -38,6 +38,15 @@ This should give you the output for both`ns lookup` as well as for the `ifconfig
![cmd_inj_2](https://user-images.githubusercontent.com/70275323/154504361-4baa73cb-f73b-44a8-8769-0af2e7b53c24.png)
+### Command Injection Lab 2
+We are given an input form where we can calculate basic arithmetic expressions. Our task is to exploit this functionality and achieve code execution.
+
+This lab is using `eval()` function in backend which is used to evaluate expression in python. If the expression is a legal python statement, then it will be executed.
+
+If we submit the expression `1 + 1`, we get the output as `2`. Similarly, on submitting the expression `7 * 7`, we get the output as `49`.
+
+Now, if we submit `os.system("id")`, we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting `os.system("sleep 30")`, and you will notice that the request completes after 30 seconds.
+
## A2:Broken Authentication
The main aim of this lab is to login as admin, and to achieve this, exploit the lack of `rate limiting` feature in the otp verification flow. You can see that the otp is only of 3 digit(for demo purposes) and neither does the application have any captcha nor any restriction on number of tries for the otp.
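Review bot: the added section describes `eval()` as executing "a legal python statement", but `eval()` only evaluates expressions (statements such as assignments or `import` raise a SyntaxError; `exec()` is the function that runs statements), and the lab is Python code injection rather than OS command injection, so the text should say so explicitly, e.g. "eval() evaluates a Python expression; because the input is passed to it unsanitised, arbitrary Python code, including os.system(), can be run". Two further details to check against the view code this patch adds (not shown in this hunk): `os.system("id")` returns the process exit status, so `eval()` yields `0` rather than "nothing", and the payload only works if `os` is importable from eval's globals; state that assumption in the solution so the user is not left guessing why the output differs.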
diff --git a/introduction/templates/Lab/CMD/cmd.html b/introduction/templates/Lab/CMD/cmd.html
index 43886a3bb..bfea5917f 100644
--- a/introduction/templates/Lab/CMD/cmd.html
+++ b/introduction/templates/Lab/CMD/cmd.html
@@ -14,7 +14,7 @@
What is Command Injection
attacker-supplied operating system commands are usually executed with the privileges of the vulnerable
application. Command injection attacks are possible largely due to insufficient input validation.
-
+
This lab helps us to understand how command injection is exploitable in scenarios where inputs are sent
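Review bot: this hunk is a whitespace-only change (the removed and added lines are both blank apart from trailing whitespace) and is unrelated to Lab 2; either drop it to keep the commit focused or mention the whitespace cleanup in the commit message.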
@@ -81,8 +81,38 @@
What is Command Injection
+
+
+
+
+ This is another lab to understand code execution. There are some functions in python such as eval(), exec() which can be used to achieve code execution.
+
+ In this lab, we will be learning about the eval() function in python3. The eval() function evaluates the specified expression, if the expression is a legal Python statement, it will be executed.
+
+
+
+ Challenge Description:
+ In this challenge, we are given an input box, where we can calculate any arithmetic expression such as 1 + 1 or 5 * 5 etc.
+ Your task is to exploit this input form and achieve command execution on the system.
+
+ Challenge Solution:
+ We know that this application is using the eval() function in the backend to calculate the output. Instead of submitting arithmetic expressions, we can also submit python3 commands, which will be executed by the eval() function.
+
+ First, if we submit the expression 1 + 1, we get the output as 2. Similarly, on submitting the expression 7 * 7, we get the output as 49.
+
+ Now, if we submit os.system("id"), we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting os.system("sleep 30"), and you will notice that the request completes after 30 seconds.
+
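Review bot: the "Challenge Solution" block, complete with the working `os.system("id")` payload, is rendered on the lab page itself directly under the "Challenge Description", so a user sees the answer before attempting the challenge; keep the walkthrough in Solutions/solution.md (which this patch already updates) and limit this template to the description, or put the solution behind a collapsed toggle. The same "legal Python statement" wording as in solution.md should also be corrected here to "expression", since `eval()` rejects statements.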