testing sql injection vuln

TMFRook · Oct 24, 2017 · e74790d · e74790d
1 parent 0f83f02
commit e74790d
Show file tree

Hide file tree

Showing 12 changed files with 164 additions and 36 deletions.
diff --git a/app.go b/app.go
@@ -10,6 +10,8 @@ import (
 	"govwa/util/middleware"
 	"govwa/user"
 	"govwa/user/session"
+
+	"govwa/vulnerability/sqli"
 )
 
 const (
@@ -49,13 +51,15 @@ func main() {
 	mw := middleware.New()
 	router := httprouter.New()
 	userObj := user.New()
+	sqlI := sqli.New()
 
 	router.ServeFiles("/public/*filepath", http.Dir("public/"))
 	router.GET("/", mw.LoggingMiddleware(mw.AuthCheck(indexHandler)))
 	router.GET("/index", mw.LoggingMiddleware(mw.AuthCheck(indexHandler)))
 
 	userObj.SetRouter(router)
-
+	sqlI.SetRouter(router)
+
 	s := http.Server{
 		Addr : ":8082",
 		Handler : router,

diff --git a/public/css/main.css b/public/css/main.css
@@ -4,7 +4,12 @@ body {
     height: 100%;
     background: #f4f4f4;
 }
-
+.header{
+    background-image: url("http://localhost:8082/public/img/header.png");
+    width: 1140px;
+    height: 100px;
+    margin-bottom: 20px;
+}
 .nav-side-menu {
     overflow: auto;
     font-family: verdana;
@@ -17,6 +22,7 @@ body {
     border: 1px solid #428bca;
     color: #000;
     border-radius: 4px;
+    margin-bottom: 20px
 }
 
 .nav-side-menu .brand {
@@ -237,7 +243,7 @@ body {
     height: 60px;
     line-height: 60px;
     /* Vertically center the text there */
-    background-color: #B61313;
+    background-color: #428bca;
 }
 
 .footer>.container {

diff --git a/public/img/header.png b/public/img/header.png
diff --git a/templates/template.header.html b/templates/template.header.html
@@ -10,15 +10,8 @@
     <script type="text/javascript" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
     <link href="{{.weburl}}public/css/main.css" rel="stylesheet">
 </head>
-<style>
-    .header{
-        background: #428bca;
-        height: 100px;
-    }
-</style>
 <body>
     <div class="container">
-        <nav class="navbar header bg-faded" role="navigation">
-            <p>tes</p>
+        <nav class="header" role="navigation">
         </nav>
         {{end}}
diff --git a/templates/template.sidebar.html b/templates/template.sidebar.html
@@ -24,7 +24,7 @@
                         <a href="#"><i class="fa fa-bug fa-lg"></i> SQL Injection <span class="arrow"></span></a>
                     </li>
                     <ul class="sub-menu collapse" id="sqli">
-                        <li><a href="#">SQLI 1</a></li>
+                        <li><a href="{{.weburl}}sqli1">SQLI 1</a></li>
                         <li><a href="#">SQLI 2</a></li>
                     </ul>
 

diff --git a/templates/template.sqli.html b/templates/template.sqli.html
@@ -1,17 +1,24 @@
-{{define "template.sqli"}} {{template "template.header" .}} {{template "template.sidebar" .}}
+{{define "template.sqli"}} 
+{{template "template.header" .}} 
+{{template "template.sidebar" .}}
 <div class="col-md-9">
     <div class="panel panel-primary">
         <div class="panel-heading">SQL Injection</div>
         <div class="panel-body">
             <div class="pnl">
                 <span class="subheader">SQL Injection Vulnerability</span>
                 <p>
-                    Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has
-                    survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently
-                    with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
+                    data :
+                    {{.error}}
+                    {{.name}}
+                    {{.city}}
+                    {{.number}}
+                    {{.uid}}
+
                 </p>
             </div>
         </div>
     </div>
 </div>
-{{template "template.footer"}} {{ end }}
+{{template "template.footer"}} 
+{{ end }}
diff --git a/user/session/session.go b/user/session/session.go
@@ -27,7 +27,7 @@ func (self *Self) SetSession(w http.ResponseWriter, r *http.Request, data map[st
 	session.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   86400,
-		HttpOnly: true,
+		HttpOnly: false, //set to false for xss :) 
 	}
 
 	session.Values["govwa_session"] = true
@@ -84,12 +84,11 @@ func (self *Self) IsLoggedIn(r *http.Request) bool {
 }
 
 
-func init(){
+/* func init(){
 	store.Options = &sessions.Options{
-		//Domain : util.Cfg.Webserver,
 		Path:     "/",
 		MaxAge:   -1,
 		HttpOnly: true,
 	}
 
-}
+} */
diff --git a/user/user.go b/user/user.go
@@ -89,6 +89,8 @@ func loginAction(w http.ResponseWriter, r *http.Request, _ httprouter.Params) bo
 		sessionData["uname"] = uData.uname
 		sessionData["id"] = strconv.Itoa(uData.id)
 
+		util.SetCookie(w, "Uid", strconv.Itoa(uData.id)) //save user_id to cookie
+
 		s.SetSession(w, r, sessionData)
 		log.Println("Login Success")
 		return true
@@ -100,6 +102,8 @@ func loginAction(w http.ResponseWriter, r *http.Request, _ httprouter.Params) bo
 func Logout(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	s := session.New()
 	s.DeleteSession(w, r)
+	cookies := []string{"Level", "Uid"}
+	util.DeleteCookie(w,cookies)
 	util.Redirect(w, r, "login", 302)
 }
 

diff --git a/util/cookie.go b/util/cookie.go
@@ -1,15 +1,17 @@
 package util
 
-import "net/http"
+import (
+	"net/http"
+	"time"
+)
 
 func SetCookieLevel(w http.ResponseWriter, r *http.Request) string {
 	ck := r.FormValue("level")
 	level := ck
 	if level == "" {
 		level = "low"
 	}
-	cookie := http.Cookie{Name: "level", Value: level}
-	http.SetCookie(w, &cookie)
+	SetCookie(w,"Level",level)
 	return level
 }
 
@@ -24,4 +26,28 @@ func CheckLevel(r *http.Request) bool {
 	}
 }
 
-tes
+/* cookie setter getter */
+
+func SetCookie(w http.ResponseWriter, name, value string){
+	cookie := http.Cookie{
+		Name: name, 
+		Value: value,
+	}
+	http.SetCookie(w, &cookie)
+}
+
+func GetCookie(r *http.Request, name string)string{
+	cookie, _ := r.Cookie(name)
+	return cookie.Value
+}
+
+func DeleteCookie(w http.ResponseWriter, cookies []string){
+	for _,name := range cookies{
+		cookie := &http.Cookie{
+			Name:     name,
+			Value:    "",
+			Expires: time.Unix(0, 0),
+		}
+		http.SetCookie(w, cookie)
+	}
+}
diff --git a/util/template.go b/util/template.go
@@ -1,6 +1,7 @@
 package util
 
 import (
+	"log"
 	"encoding/json"
 	"html/template"
 	"net/http"
@@ -9,7 +10,10 @@ import (
 func SafeRender(w http.ResponseWriter, name string, data map[string]interface{}) {
 
 	template := template.Must(template.ParseGlob("templates/*"))
-	template.ExecuteTemplate(w, name, data)
+	err := template.ExecuteTemplate(w, name, data)
+	if err != nil{
+		log.Println(err.Error())
+	}
 }
 
 func RenderAsJson(w http.ResponseWriter, data ...interface{}) {

diff --git a/vulnerability/sqli/function.go b/vulnerability/sqli/function.go
@@ -0,0 +1,56 @@
+package sqli
+
+import(
+	"log"
+	"fmt"
+	"database/sql"
+
+	"govwa/util/database"
+)
+
+var DB *sql.DB
+
+func init(){
+	DB, _ = database.Connect()
+	/* if err != nil{
+		log.Println(err.Error())
+	} */
+}
+
+type Profile struct{
+	Uid int
+	Name string
+	City string
+	PhoneNumber string
+}
+
+func newProfile()*Profile{
+	return &Profile{}
+}
+
+func(p *Profile)unsafeQueryGetData(uid string)error{
+
+	/* this funciton use to get data Profile from database with vulnerable query */
+
+	getProfileSql := fmt.Sprintf(`SELECT p.user_id, p.full_name, p.city, p.phone_number 
+								FROM Profile as p,Users as u 
+								where p.user_id = u.id 
+								and u.id=%s`,uid) //here is the vulnerable query
+
+	rows, err := DB.Query(getProfileSql)
+	if err != nil{
+		log.Printf("query error :%s",err.Error())
+		return err  //this will return error query to clien hmmmm.
+	}
+	defer rows.Close()
+	//var profile = Profile{}
+	for rows.Next(){
+		err = rows.Scan(&p.Uid,&p.Name,&p.City,&p.PhoneNumber)
+		if err != nil{
+			log.Printf("Row scan error: %s", err.Error())
+			return err
+		}
+	}
+	return nil
+}
+
diff --git a/vulnerability/sqli/sqli.go b/vulnerability/sqli/sqli.go
@@ -1,21 +1,50 @@
 package sqli
 
 import(
-	"govwa/util/database"
+
+	"strconv"
 	"net/http"
-	"fmt"
+
+	"github.com/julienschmidt/httprouter"
+
+	"govwa/util/middleware"
+	"govwa/util"
+
+
 )
-import "govwa/util"
 
-type User struct{
-	Id int `json:"id"`
-	Name string `json:"name"`
+type SQLI struct{}
+
+func New()SQLI{
+	return SQLI{}
+}
+
+func (self SQLI)SetRouter(r *httprouter.Router){
+	mw := middleware.New()
+	r.GET("/sqli1", mw.AuthCheck(sqli1Handler))
 }
 
-func New()*User{
-	return nil
+func sqli1Handler(w http.ResponseWriter, r *http.Request, _ httprouter.Params){
+
+	uid := util.GetCookie(r,"Uid")//many developer use this style set reference key in cookie with no sanitaze
+	p := newProfile()
+
+	data := make(map[string]interface{})
+
+	err := p.unsafeQueryGetData(uid)
+
+	if err != nil{
+		data["error"] = err.Error()
+	}
+	data["uid"] = strconv.Itoa(p.Uid)
+	data["name"] = p.Name
+	data["city"] = p.City
+	data["number"] = p.PhoneNumber
+
+	util.SafeRender(w,"template.sqli",data)
+
 }
-func UnsafeGetData(r *http.Request)(User, error){
+/* func UnsafeGetData(r *http.Request)(User, error){
 	db, err := database.Connect()
 	if err != nil{
 		return User{},err
@@ -73,4 +102,4 @@ func getUserHandler(w http.ResponseWriter, r *http.Request) {
 		fmt.Println(err.Error())
 	}
 	util.RenderAsJson(w, data)
-}
+} */