fixes

TomerTelem · Apr 3, 2019 · af97689 · af97689
1 parent bd6a75a
commit af97689
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 21 deletions.
diff --git a/README.rst b/README.rst
@@ -7,3 +7,14 @@ Vulpy is a web application developed in Python / Flask / SQLite that has two fac
 **BAD**: Tries to code like (possibly) you. :p
 
 
+Kali Linux Dependencies
+-----------------------
+
+Packages that must be installed on a Kali Linux system:
+
+- python3-bcrypt
+- python3-click
+- python3-cryptography
+- python3-flask
+- python3-geoip2
+
diff --git a/bad/libposts.py b/bad/libposts.py
@@ -27,7 +27,6 @@ def post(username, text):
 
     rows = c.execute("INSERT INTO posts (username, text, date) VALUES (?, ?, DateTime('now'))", (username, text)) #WHERE username = ?", (username,)).fetchall()
     conn.commit()
-    #posts = [ dict(zip(row.keys(), row)) for row in rows ]
 
     return True
 

diff --git a/bad/libuser.py b/bad/libuser.py
@@ -1,8 +1,7 @@
 import sqlite3
 import libuser
 
-# SQL Injection vulnerability on username/password parameters
-def login(username, password, **kwargs):
+def login(username, password):
 
     conn = sqlite3.connect('users1.sqlite')
     conn.set_trace_callback(print)

diff --git a/bad/mod_mfa.py b/bad/mod_mfa.py
@@ -1,13 +1,12 @@
-import sqlite3
-from flask import Blueprint, render_template, redirect, request, g, session, make_response, flash
-import libuser
-import libsession
-import libmfa
-import pyotp
-import qrcode
+
 import base64
 from io import BytesIO
 
+import pyotp
+import qrcode
+from flask import Blueprint, flash, g, redirect, render_template, request
+
+import libmfa
 
 mod_mfa = Blueprint('mod_mfa', __name__, template_folder='templates')
 
@@ -30,10 +29,6 @@ def do_mfa_view():
         img.save(buffered, format="PNG")
         img_str = base64.b64encode(buffered.getvalue()).decode()
 
-        print(img)
-        print(dir(img))
-        print(img_str)
-
         return render_template('mfa.enable.html', secret_url=secret_url, img_str=img_str)
 
 
@@ -48,7 +43,6 @@ def do_mfa_enable():
     otp = request.form.get('otp')
 
     totp = pyotp.TOTP(secret)
-    #totp.now() # => '492039'
 
     if totp.verify(otp):
         libmfa.mfa_enable(g.session['username'])
@@ -71,4 +65,3 @@ def do_mfa_disable():
 
     libmfa.mfa_disable(g.session['username'])
     return redirect('/mfa/')
-
diff --git a/bad/vulpy-ssl.py b/bad/vulpy-ssl.py
@@ -26,4 +26,4 @@ def do_home():
 def before_request():
     g.session = libsession.load(request)
 
-app.run(debug=True, ssl_context=('/tmp/acme.cert', '/tmp/acme.key'))
+app.run(debug=True, host='127.0.1.1', ssl_context=('/tmp/acme.cert', '/tmp/acme.key'))
diff --git a/bad/vulpy.py b/bad/vulpy.py
@@ -50,5 +50,5 @@ def add_csp_headers(response):
         response.headers['Content-Security-Policy'] = csp
     return response
 
-app.run(debug=True, extra_files='csp.txt')
+app.run(debug=True, host='127.0.1.1', port=5000, extra_files='csp.txt')
 
diff --git a/good/vulpy-ssl.py b/good/vulpy-ssl.py
@@ -26,4 +26,4 @@ def do_home():
 def before_request():
     g.session = libsession.load(request)
 
-app.run(debug=True, ssl_context=('/tmp/acme.cert', '/tmp/acme.key'))
+app.run(debug=True, host='127.0.1.1', ssl_context=('/tmp/acme.cert', '/tmp/acme.key'))
diff --git a/good/vulpy.py b/good/vulpy.py
@@ -14,7 +14,7 @@
 import libsession
 
 app = Flask('vulpy')
-app.config['SECRET_KEY'] = 'aaaaaaa'
+app.config['SECRET_KEY'] = '123aa8a93bdde342c871564a62282af857bda14b3359fde95d0c5e4b321610c1'
 
 app.register_blueprint(mod_hello, url_prefix='/hello')
 app.register_blueprint(mod_user, url_prefix='/user')
@@ -50,5 +50,5 @@ def add_csp_headers(response):
         response.headers['Content-Security-Policy'] = csp
     return response
 
-app.run(debug=True, extra_files='csp.txt')
+app.run(debug=True, host='127.0.1.1', port=5001, extra_files='csp.txt')