Merge pull request adeyosemanputra#190 from madhavmehndiratta/master

Create: Command Injection Lab 2
v0nerd · Mar 22, 2023 · 9a3bebc · 9a3bebc
2 parents a5e441d + 7f3bb8d
commit 9a3bebc
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 3 deletions.
diff --git a/Solutions/solution.md b/Solutions/solution.md
@@ -21,7 +21,7 @@ On Successful injection
 ![image](https://user-images.githubusercontent.com/61360833/118371252-5986ea00-b5c9-11eb-9efb-6beedd558f56.png)
 
 
-### Command Injection
+### Command Injection Lab 1
 The user on accessing the lab is provided with a feature to perform a name server lookup on the given domain. The user has to give a domain name and the server would perform a ns lookup and return back to the client. If the user is running the lab, based on the OS he can select Windows or Linux.
 
 The user can cause the server to execute commands ,because of the lack of input validation.
@@ -38,6 +38,15 @@ This should give you the output for both`ns lookup` as well as for the `ifconfig
 
 ![cmd_inj_2](https://user-images.githubusercontent.com/70275323/154504361-4baa73cb-f73b-44a8-8769-0af2e7b53c24.png)
 
+### Command Injection Lab 2
+We are given an input form where we can calculate basic arithmetic expressions. Our task is to exploit this functionality and achieve code execution. 
+
+This lab is using `eval()` function in backend which is used to evaluate expression in python. If the expression is a legal python statement, then it will be executed. 
+
+If we submit the expression `1 + 1`, we get the output as `2`. Similarly, on submitting the expression `7 * 7`, we get the output as `49`.
+
+Now, if we submit `os.system("id")`, we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting `os.system("sleep 30")`, and you will notice that the request completes after 30 seconds.
+
 ## A2:Broken Authentication
 
 The main aim of this lab is to login as admin, and to achieve this, exploit the lack of `rate limiting` feature in the otp verification flow. You can see that the otp is only of 3 digit(for demo purposes) and neither does the application have any captcha nor any restriction on number of tries for the otp.

diff --git a/introduction/templates/Lab/CMD/cmd.html b/introduction/templates/Lab/CMD/cmd.html
@@ -14,7 +14,7 @@ <h4>What is Command Injection</h4>
             attacker-supplied operating system commands are usually executed with the privileges of the vulnerable
             application. Command injection attacks are possible largely due to insufficient input validation.
         </p>
-        <button class="coll btn btn-info">Lab Details</button>
+        <button class="coll btn btn-info" style="margin-top: 15px;">Lab 1 Details</button>
         <div class="lab">
             <p class="bp">
                 This lab helps us to understand how command injection is exploitable in scenarios where inputs are sent
@@ -81,8 +81,38 @@ <h4>What is Command Injection</h4>
 
             </p>
         </div>
+
+        <button class="coll btn btn-info" style="margin-top: 15px; margin-left: 15px;">Lab 2 Details</button>
+        <div class="lab">
+            <p class="bp">
+                This is another lab to understand code execution. There are some functions in python such as eval(), exec() which can be used to achieve code execution.
+                <br><br>
+                In this lab, we will be learning about the <code>eval()</code> function in python3. The <code>eval()</code> function evaluates the specified expression, if the expression is a legal Python statement, it will be executed.
+
+                <br>
+
+                <br><b>Challenge Description:</b><br>
+                In this challenge, we are given an input box, where we can calculate any arithmetic expression such as <code>1 + 1</code> or <code>5 * 5</code> etc.
+                Your task is to exploit this input form and achieve command execution on the system.
+                <br><br>
+            <b>Challenge Solution:</b><br>
+                We know that this application is using the <code>eval()</code> function in the backend to calculate the output. Instead of submitting arithmetic expressions, we can also submit python3 commands, which will be executed by the <code>eval()</code> function.
+                <br><br>
+                First, if we submit the expression <code>1 + 1</code>, we get the output as <code>2</code>. Similarly, on submitting the expression <code>7 * 7</code>, we get the output as <code>49</code>.
+                <br><br>
+                Now, if we submit <code>os.system("id")</code>, we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting <code>os.system("sleep 30")</code>, and you will notice that the request completes after 30 seconds.</code>
+                <br><br>
+            </p>
+
+            <br>
+            <div align="right"> <button class="btn btn-info" type="button"
+                    onclick="window.location.href='/cmd_lab2'">Access Lab</button></div>
+
+            </p>
+        </div>
+
         <br>
-        <h4>Mitigation</h4><br>
+        <h4>Mitigation</h4>
         <p class="bp">
         <ul>
             <li>Input validation </li>

diff --git a/introduction/templates/Lab/CMD/cmd_lab2.html b/introduction/templates/Lab/CMD/cmd_lab2.html
@@ -0,0 +1,32 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+<title>Command Injection</title>
+{% endblock %}
+<div class="jumbotron">
+    <div class="container">
+        <h3 align="center">Evaluate any expression!</h3>
+        <form method="post" action="/cmd_lab2">
+            <input type="text" name="val" placeholder="eg. 7*7"><br><br>
+            <center><button class="btn btn-info" type="submit">GO</button></center>
+        </form>
+    </div>
+</div>
+<div class="container">
+    {% if output %}
+    <h6><b>Output</b></h6><br>
+    <b>
+        <pre>{{output}}</pre>
+    </b>
+    {% endif %}
+</div>
+
+
+<br>
+<div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/cmd'">Back to lab
+        details</button></div>
+
+</p>
+
+
+{% endblock %}
diff --git a/introduction/urls.py b/introduction/urls.py
@@ -33,6 +33,7 @@
     path("500error",views.error,name="500error"),
     path("cmd",views.cmd,name="Command Injection"),
     path("cmd_lab",views.cmd_lab,name="Command Injection Lab"),
+    path("cmd_lab2",views.cmd_lab2,name="Command Injection Lab 2"),
     path("bau", views.bau, name="Broken Authe"),
     path("bau_lab", views.bau_lab, name="LAB"),
     path("login_otp", views.login_otp, name="OTP Login"),

diff --git a/introduction/views.py b/introduction/views.py
@@ -440,6 +440,25 @@ def cmd_lab(request):
     else:
         return redirect('login')
 
+@csrf_exempt
+def cmd_lab2(request):
+    if request.user.is_authenticated:
+        if (request.method=="POST"):
+            val=request.POST.get('val')
+
+            print(val)
+            try:
+                output = eval(val)
+            except:
+                output = "Something went wrong"
+                return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
+            print("Output = ", output)
+            return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
+        else:
+            return render(request, 'Lab/CMD/cmd_lab2.html')
+    else:
+        return redirect('login')
+
 #******************************************Broken Authentication**************************************************#
 
 def bau(request):