1- from flask import Flask , request , render_template_string , send_from_directory
1+ from flask import Flask , request , render_template_string , jsonify
22import subprocess
33import os
44import sqlite3
5+ import requests
6+ from lxml import etree
57
8+ # Example hardcoded AWS credentials (sensitive data leakage)
69aws_access_key_id = 'AKIA2JAPX77RGLB664VE'
710aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'
811
1114@app .route ('/' , methods = ['GET' , 'POST' ])
1215def index ():
1316 output = ''
14- # SQL Injection?
17+ # 1 - SQL Injection
1518 db = sqlite3 .connect ("tutorial.db" )
1619 cursor = db .cursor ()
1720 username = ''
1821 password = ''
1922 try :
20- #the % is what makes it bad, instead of passing them in as parameters
21- #Example Exploit: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
2223 cursor .execute ("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username , password ))
2324 except :
2425 pass
26+
2527 if request .method == 'POST' :
28+ # 2 - Command Injection
2629 if 'command' in request .form :
2730 cmd = request .form ['command' ]
2831 process = subprocess .Popen (cmd , shell = True , stdout = subprocess .PIPE , stderr = subprocess .PIPE )
@@ -31,34 +34,115 @@ def index():
3134 output = stdout .decode ('utf-8' )
3235 else :
3336 output = f"Error (Exit Code: { process .returncode } ):\n { stderr .decode ('utf-8' )} "
37+
38+ # 3 - File Upload with no restrictions, and path traversal
3439 elif 'file' in request .files :
3540 uploaded_file = request .files ['file' ]
3641 uploaded_file .save (os .path .join ('/uploads' , uploaded_file .filename ))
3742 output = f"File { uploaded_file .filename } uploaded successfully!"
43+
44+ # 4 - SQL Injection via input
3845 elif 'sql' in request .form :
3946 sql = request .form ['sql' ]
40- cursor .execute (sql )
41- output = 'SQL command executed successfully!'
47+ try :
48+ # Execute the user's SQL query
49+ cursor .execute (sql )
50+ # Fetch all rows from the query result
51+ rows = cursor .fetchall ()
52+ # Format the results for display
53+ if rows :
54+ output = "Results:\n " + "\n " .join (str (row ) for row in rows )
55+ else :
56+ output = "Query executed successfully, but no results found."
57+ except Exception as e :
58+ output = f"SQL Error: { e } "
59+
60+ # 5 - Cross-Site Scripting (XSS)
61+ elif 'xss' in request .form :
62+ xss_input = request .form ['xss' ]
63+ output = f"Reflected XSS result: { xss_input } "
64+
65+ # 6 - XML External Entity (XXE) Injection
66+ elif 'xml' in request .form :
67+ xml_data = request .form ['xml' ]
68+ try :
69+ # Use lxml to parse the XML data
70+ parser = etree .XMLParser (load_dtd = True , resolve_entities = True )
71+ tree = etree .fromstring (xml_data .encode (), parser )
72+ output = f"Parsed XML: { etree .tostring (tree , encoding = 'unicode' )} "
73+ except Exception as e :
74+ output = f"XML Parsing Error: { e } "
75+
76+ # 7 - Server-Side Request Forgery (SSRF)
77+ elif 'url' in request .form :
78+ url = request .form ['url' ]
79+ try :
80+ response = requests .get (url )
81+ output = f"SSRF Response: { response .text [:200 ]} "
82+ except Exception as e :
83+ output = f"SSRF Error: { e } "
4284
4385 return render_template_string ("""
4486 <h1>Intentionally Insecure App</h1>
87+ <hr>
88+
89+ <!-- Command Injection -->
4590 <form action="/" method="post">
46- Run a command: <input type="text" name="command">
91+ <h2>Command Injection</h2>
92+ <input type="text" name="command" value="ls -la">
4793 <input type="submit" value="Run">
4894 </form>
4995 <br>
96+
97+ <!-- File Upload -->
5098 <form action="/" method="post" enctype="multipart/form-data">
51- Upload a file: <input type="file" name="file">
99+ <h2>Path Traversal via File Upload</h2>
100+ <input type="file" name="file">
52101 <input type="submit" value="Upload">
53102 </form>
103+ <p>Try uploading a file named: <code>../../../../etc/passwd</code></p>
54104 <br>
105+
106+ <!-- SQL Injection -->
55107 <form action="/" method="post">
56- Inject some SQL <input type="text" name="sql">
108+ <h2>SQL Injection</h2>
109+ <input type="text" name="sql" value="SELECT * FROM users WHERE username = 'admin' OR '1'='1'">
57110 <input type="submit" value="Run">
58111 </form>
59- <pre>{{output}}</pre>
60- """ , output = output )
112+ <br>
61113
114+ <!-- Cross-Site Scripting (XSS) -->
115+ <form action="/" method="post">
116+ Enter XSS payload: <input type="text" name="xss" value="<script>alert('XSS');</script>">
117+ <input type="submit" value="Run">
118+ </form>
119+ <br>
120+
121+ <!-- XML External Entity (XXE) Injection -->
122+ <form action="/" method="post">
123+ <h2>XML External Entity (XXE) Injection</h2>
124+ <textarea name="xml" rows="5" cols="50">
125+ <?xml version="1.0"?>
126+ <!DOCTYPE root [
127+ <!ENTITY xxe SYSTEM "file:///etc/passwd">
128+ ]>
129+ <root>&xxe;</root>
130+ </textarea>
131+ <input type="submit" value="Parse XML">
132+ </form>
133+ <br>
134+
135+ <!-- Server-Side Request Forgery (SSRF) -->
136+ <form action="/" method="post">
137+ <h2>Server-Side Request Forgery (SSRF)</h2>
138+ <input type="text" name="url" value="http://localhost:8080/">
139+ <input type="submit" value="Request">
140+ </form>
141+ <br>
142+
143+ <hr>
144+ <pre>{{ output|safe }}</pre>
145+ """ , output = output )
62146
63147if __name__ == '__main__' :
64148 app .run (host = '0.0.0.0' , port = 8080 , debug = True )
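Review bot: `requests.get(url)` in the SSRF branch (new line 80) carries no `timeout`, so a submitted URL pointing at an address that never answers holds the handling thread until the OS gives up, a hang the SSRF lesson does not intend; `response = requests.get(url, timeout=5)` bounds it. The sqlite3 connection opened at the top of `index()` (earlier hunk) is neither committed nor closed on any path, so a data-modifying statement submitted through the `sql` form appears to be discarded when the connection object is collected, and one connection leaks per request — a `db.close()` before `render_template_string`, or `contextlib.closing(sqlite3.connect(...))`, covers both. The unchanged last line still binds the Werkzeug interactive debugger (`debug=True`) on `0.0.0.0`, an exposure larger than any of the seven numbered lessons and not labelled as one; a comment such as `# debug=True exposes the interactive debugger on every interface; run only on an isolated network` would make that explicit to whoever deploys the lab.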