Patched introduction/views.py

patched.codes[bot] · patched.codes[bot] · commit 3afd6ec9a9cc · 2024-05-28T16:43:11.000+08:00
diff --git a/introduction/views.py b/introduction/views.py
@@ -405,7 +405,6 @@ def cmd(request):
         return render(request,'Lab/CMD/cmd.html')
     else:
         return redirect('login')
-@csrf_exempt
 def cmd_lab(request):
     if request.user.is_authenticated:
         if(request.method=="POST"):
@@ -414,15 +413,15 @@ def cmd_lab(request):
             os=request.POST.get('os')
             print(os)
             if(os=='win'):
-                command="nslookup {}".format(domain)
+                command=["nslookup", domain]
             else:
-                command = "dig {}".format(domain)
+                command = ["dig", domain]
             
             try:
                 # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
                 process = subprocess.Popen(
                     command,
-                    shell=True,
+                    shell=False,
                     stdout=subprocess.PIPE, 
                     stderr=subprocess.PIPE)
                 stdout, stderr = process.communicate()
@@ -481,8 +480,6 @@ def bau_lab(request):
 
 def login_otp(request):
     return render(request,"Lab/BrokenAuth/otp.html")
-
-@csrf_exempt
 def Otp(request):
     if request.method=="GET":
         email=request.GET.get('email')
@@ -540,7 +537,6 @@ def a9(request):
         return render(request,"Lab/A9/a9.html")
     else:
         return redirect('login')
-@csrf_exempt
 def a9_lab(request):
     if request.user.is_authenticated:
         if request.method=="GET":
@@ -550,7 +546,8 @@ def a9_lab(request):
             try :
                 file=request.FILES["file"]
                 try :
-                    data = yaml.load(file,yaml.Loader)
+                    import json
+                    data = json.loads(file.read())
                     
                     return render(request,"Lab/A9/a9_lab.html",{"data":data})
                 except:
@@ -562,8 +559,6 @@ def a9_lab(request):
         return redirect('login')
 def get_version(request):
       return render(request,"Lab/A9/a9_lab.html",{"version":"pyyaml v5.1"})
-
-@csrf_exempt
 def a9_lab2(request):
     if not request.user.is_authenticated:
         return redirect('login')
@@ -598,6 +593,7 @@ def a9_lab2(request):
             return render(request, "Lab/A9/a9_lab2.html", {"data":"Please Upload a file", "error":True})
 
 
+
 @authentication_decorator
 def A9_discussion(request):
     return render(request, "playground/A9/index.html")
@@ -734,9 +730,6 @@ def a1_broken_access(request):
         return redirect('login')
     
     return render(request,"Lab_2021/A1_BrokenAccessControl/broken_access.html")
-
-
-@csrf_exempt
 def a1_broken_access_lab_1(request):
     if request.user.is_authenticated:
         pass
@@ -771,8 +764,6 @@ def a1_broken_access_lab_1(request):
 
     else:
         return render(request,'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html',{"no_creds":True})
-
-@csrf_exempt
 def a1_broken_access_lab_2(request):
     if request.user.is_authenticated:
         pass
@@ -842,9 +833,6 @@ def injection(request):
         return redirect('login')
     
     return render(request,"Lab_2021/A3_Injection/injection.html")
-
-
-@csrf_exempt
 def injection_sql_lab(request):
     if request.user.is_authenticated:
 
@@ -854,7 +842,7 @@ def injection_sql_lab(request):
         print(password)
 
         if name:
-            sql_query = "SELECT * FROM introduction_sql_lab_table WHERE id='"+name+"'AND password='"+password+"'"
+            sql_query = "SELECT * FROM introduction_sql_lab_table WHERE id=%s AND password=%s"
 
             sql_instance = sql_lab_table(id="admin", password="65079b006e85a7e798abecb99e47c154")
             sql_instance.save()
@@ -868,7 +856,7 @@ def injection_sql_lab(request):
             print(sql_query)
 
             try:
-                user = sql_lab_table.objects.raw(sql_query)
+                user = sql_lab_table.objects.raw(sql_query, [name, password])
                 user = user[0].id
                 print(user)
 
@@ -897,6 +885,7 @@ def injection_sql_lab(request):
         return redirect('login')
 
 
+
 ##----------------------------------------------------------------------------------------------------------
 ##----------------------------------------------------------------------------------------------------------
 
@@ -907,7 +896,6 @@ def ssrf(request):
         return render(request,"Lab/ssrf/ssrf.html")
     else:
         return redirect('login')
-
 def ssrf_lab(request):
     if request.user.is_authenticated:
         if request.method=="GET":
@@ -917,6 +905,7 @@ def ssrf_lab(request):
             try :
                 dirname = os.path.dirname(__file__)
                 filename = os.path.join(dirname, file)
+                filename = os.path.abspath(filename)
                 file = open(filename,"r")
                 data = file.read()
                 return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":data})
@@ -944,26 +933,39 @@ def ssrf_target(request):
         return render(request,"Lab/ssrf/ssrf_target.html")
     else:
         return render(request,"Lab/ssrf/ssrf_target.html",{"access_denied":True})
-
 @authentication_decorator
 def ssrf_lab2(request):
     if request.method == "GET":
         return render(request, "Lab/ssrf/ssrf_lab2.html")
 
     elif request.method == "POST":
         url = request.POST["url"]
+        allowed_schemes = ["https"]
+        allowed_hosts = ["example.com"]
         try:
-            response = requests.get(url)
-            return render(request, "Lab/ssrf/ssrf_lab2.html", {"response": response.content.decode()})
+            parsed_url = urlparse(url)
+            if parsed_url.scheme in allowed_schemes and parsed_url.netloc in allowed_hosts:
+                response = requests.get(url)
+                return render(request, "Lab/ssrf/ssrf_lab2.html", {"response": "Request successful"})
+            else:
+                return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "Invalid URL"})
         except:
             return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "Invalid URL"})
+
 #--------------------------------------- Server-side template injection --------------------------------------#
 
 def ssti(request):
     if request.user.is_authenticated:
         return render(request,"Lab_2021/A3_Injection/ssti.html")
     else:
         return redirect('login')
+from django.shortcuts import render
+from django.shortcuts import redirect
+from django.http import HttpResponse
+from .models import Blogs
+import os
+import uuid
+from django.template import Template
 
 def ssti_lab(request):
     if request.user.is_authenticated:
@@ -985,8 +987,10 @@ def ssti_lab(request):
             new_blog.save() 
             dirname = os.path.dirname(__file__)
             filename = os.path.join(dirname, f"templates/Lab_2021/A3_Injection/Blogs/{id}.html")
+            template = Template(blog)
+            rendered_blog = template.render({})
             file = open(filename, "w+") 
-            file.write(blog)
+            file.write(rendered_blog)
             file.close()
             return redirect(f'blog/{id}')
     else:
@@ -1007,6 +1011,7 @@ def crypto_failure(request):
         return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure.html",{"success":False,"failure":False})
     else:
         redirect('login')
+import hashlib
 
 def crypto_failure_lab(request):
     if request.user.is_authenticated:
@@ -1016,14 +1021,20 @@ def crypto_failure_lab(request):
             username = request.POST["username"]
             password = request.POST["password"]
             try:
-                password = md5(password.encode()).hexdigest()
-                user = CF_user.objects.get(username=username,password=password)
+                user = CF_user.objects.get(username=username)
+                # Assuming 'password' field now stores salt
+                salt = user.password[:32] 
+                password_hash = hashlib.scrypt(
+                    password.encode(), salt=salt, n=2**14, r=8, p=1
+                ).hex()
+                user = CF_user.objects.get(username=username, password=password_hash)
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html",{"user":user, "success":True,"failure":False})
             except:
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html",{"success":False, "failure":True})
     else :
         return redirect('login')
 
+
 def crypto_failure_lab2(request):
     if request.user.is_authenticated:
         if request.method == "GET":
@@ -1037,7 +1048,6 @@ def crypto_failure_lab2(request):
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"user":user, "success":True,"failure":False})
             except:
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
-
 # based on CWE-319
 def crypto_failure_lab3(request):
     if request.user.is_authenticated:
@@ -1066,20 +1076,19 @@ def crypto_failure_lab3(request):
                     expire = datetime.datetime.now() + datetime.timedelta(minutes=60)
                     cookie = f"{username}|{expire}"
                     response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":True, "failure":False , "admin":False})
-                    response.set_cookie("cookie", cookie)
+                    response.set_cookie("cookie", cookie, httponly=True, secure=True, samesite='Lax')
                     response.status_code = 200
                     return response
                 else:
                     response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":False, "failure":True})
-                    response.set_cookie("cookie", None)
+                    response.set_cookie("cookie", None, httponly=True, secure=True, samesite='Lax')
                     return response
             except:
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
 
+
 #-----------------------------------------------SECURITY MISCONFIGURATION -------------------
 from pygoat.settings import SECRET_COOKIE_KEY
-
-
 def sec_misconfig_lab3(request):
     if not request.user.is_authenticated:
         return redirect('login')
@@ -1099,7 +1108,7 @@ def sec_misconfig_lab3(request):
 
         cookie = jwt.encode(payload, SECRET_COOKIE_KEY, algorithm='HS256')
         response = render(request,"Lab/sec_mis/sec_mis_lab3.html", {"admin":False} )
-        response.set_cookie(key = "auth_cookie", value = cookie)
+        response.set_cookie(key = "auth_cookie", value = cookie, secure=True, httponly=True, samesite='Lax')
         return response
 
 # - ------------------------Identification and Authentication Failures--------------------------------
@@ -1159,7 +1168,6 @@ def auth_failure_lab2(request):
     "User3":{"userid":"3", "username":"User3", "password": "5a91a66f0c86b5435fe748706b99c17e6e54a17e03c2a3ef8d0dfa918db41cf6"},
     "User4":{"userid":"4", "username":"User4", "password": "6046bc3337728a60967a151ee584e4fd7c53740a49485ebdc38cac42a255f266"}
 }
-
 # USER_A7_LAB3 = {
 #     "User1":{"userid":"1", "username":"User1", "password": "Hash1"},
 #     "User2":{"userid":"2", "username":"User2", "password": "Hash2"},
@@ -1168,7 +1176,6 @@ def auth_failure_lab2(request):
 # }
 
 @authentication_decorator
-@csrf_exempt
 def auth_failure_lab3(request):
     if request.method == "GET":
         try:
@@ -1194,7 +1201,7 @@ def auth_failure_lab3(request):
             session_data = AF_session_id.objects.create(session_id=token, user=USER_A7_LAB3[username]['username'])
             session_data.save()
             response = render(request, "Lab_2021/A7_auth_failure/lab3.html", {"success":True, "failure":False, "username":username})
-            response.set_cookie("session_id", token)
+            response.set_cookie("session_id", token, secure=True, httponly=True, samesite='Lax')
             return response
 
 #-- coding playground for lab2
