lab working, just need to document it

digininja · Jan 11, 2023 · 2d6547f · 2d6547f
1 parent 7213322
commit 2d6547f
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 242 deletions.
diff --git a/vulnerabilities/authbypass/change_user_details.php b/vulnerabilities/authbypass/change_user_details.php
@@ -4,8 +4,17 @@
 
 dvwaDatabaseConnect();
 
+/*
+On impossible only the admin is allowed to retrieve the data.
+*/
+
+if (dvwaSecurityLevelGet() == "impossible" && dvwaCurrentUser() != "admin") {
+	print json_encode (array ("result" => "fail", "error" => "Access denied"));
+}
+
 if ($_SERVER['REQUEST_METHOD'] != "POST") {
 	$result = array (
+						"result" => "fail",
 						"error" => "Only POST requests are accepted"
 					);
 	echo json_encode($result);
@@ -17,6 +26,7 @@
 	$data = json_decode($json);
 	if (is_null ($data)) {
 		$result = array (
+							"result" => "fail",
 							"error" => 'Invalid format, expecting "{id: {user ID}, first_name: "{first name}", surname: "{surname}"}'
 
 						);
@@ -25,6 +35,7 @@
 	}
 } catch (Exception $e) {
 	$result = array (
+						"result" => "fail",
 						"error" => 'Invalid format, expecting \"{id: {user ID}, first_name: "{first name}", surname: "{surname}\"}'
 
 					);
@@ -34,7 +45,7 @@
 
 $query = "UPDATE users SET first_name = '" . $data->first_name . "', last_name = '" .  $data->surname . "' where user_id = " . $data->id . "";
 $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
+
+print json_encode (array ("result" => "ok"));
+exit;
 ?>
-{
-"result": "ok"
-}
diff --git a/vulnerabilities/authbypass/get_user_form.php b/vulnerabilities/authbypass/get_user_form.php
@@ -4,6 +4,13 @@
 
 dvwaDatabaseConnect();
 
+/*
+On high and impossible, only the admin is allowed to retrieve the data.
+*/
+if ((dvwaSecurityLevelGet() == "high" || dvwaSecurityLevelGet() == "impossible") && dvwaCurrentUser() != "admin") {
+	print json_encode (array ("result" => "fail", "error" => "Access denied"));
+}
+
 $query  = "SELECT user_id, first_name, last_name FROM users";
 $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query );
 
@@ -29,8 +36,6 @@
 	$users[] = $user;
 }
 
-foreach ($users as $user) {
-	?>
-	<p><input type="text" id="first_name_<?=$user['user_id']?>" name="first_name" value="<?=$user['first_name']?>" /><input type="text" name="surname" id="surname_<?=$user['user_id']?>" value="<?=$user['surname']?>" /><input type="button" value="Update" onclick="submit_change(<?=$user['user_id']?>)" /></p>
-	<?php
-}
+print json_encode ($users);
+exit;
+?>
diff --git a/vulnerabilities/authbypass/index.php b/vulnerabilities/authbypass/index.php
@@ -43,45 +43,21 @@
 	<div id="user_form"></div>';
 
 $page[ 'body' ] .= "
-<script>
-	function show_save_result (data) {
-		if (data.result == 'ok') {
-			document.getElementById('save_result').innerText = 'Save Successful';
-		} else {
-			document.getElementById('save_result').innerText = 'Save Failed';
-		}
-	}
-		
-	function submit_change(id) {
-		first_name = document.getElementById('first_name_' + id).value
-		surname = document.getElementById('surname_' + id).value
-
-		fetch('change_user_details.php', {
-			method: 'POST',
-			headers: {
-				'Accept': 'application/json',
-				'Content-Type': 'application/json'
-			},
-			body: JSON.stringify({ 'id': id, 'first_name': first_name, 'surname': surname })
-		}
-		)
-		.then((response) => response.json())
-		.then((data) => show_save_result(data));
+<script src='authbypass.js'></script>
 
-		/*
-		alert (first_name);
-		alert (surname);
-		*/
-	}
+<table id='user_table'>
+	<thead>
+		<th>ID</th>
+		<th>First Name</th>
+		<th>Surname</th>
+		<th>Update</th>
+	</thead>
+	<tbody>
+	</tbody>
+</table>
 
-	var xhr= new XMLHttpRequest();
-	xhr.open('GET', 'get_user_form.php', true);
-	xhr.onreadystatechange= function() {
-	if (this.readyState!==4) return;
-		if (this.status!==200) return;
-			document.getElementById('user_form').innerHTML= this.responseText;
-	};
-	xhr.send();
+<script>
+	populate_form();
 </script>
 ";
 

diff --git a/vulnerabilities/authbypass/source/high.php b/vulnerabilities/authbypass/source/high.php
@@ -1,43 +1,14 @@
 <?php
+/*
+Only the admin user is allowed to access this page.
 
-if( isset( $_GET[ 'Login' ] ) ) {
-	// Check Anti-CSRF token
-	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+Make sure to remember to add checks to get and update data.
 
-	// Sanitise username input
-	$user = $_GET[ 'username' ];
-	$user = stripslashes( $user );
-	$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
+*/
 
-	// Sanitise password input
-	$pass = $_GET[ 'password' ];
-	$pass = stripslashes( $pass );
-	$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-	$pass = md5( $pass );
-
-	// Check database
-	$query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
-	$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
-	if( $result && mysqli_num_rows( $result ) == 1 ) {
-		// Get users details
-		$row    = mysqli_fetch_assoc( $result );
-		$avatar = $row["avatar"];
-
-		// Login successful
-		$html .= "<p>Welcome to the password protected area {$user}</p>";
-		$html .= "<img src=\"{$avatar}\" />";
-	}
-	else {
-		// Login failed
-		sleep( rand( 0, 3 ) );
-		$html .= "<pre><br />Username and/or password incorrect.</pre>";
-	}
-
-	((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
 }
-
-// Generate Anti-CSRF token
-generateSessionToken();
-
 ?>
diff --git a/vulnerabilities/authbypass/source/impossible.php b/vulnerabilities/authbypass/source/impossible.php
@@ -1,102 +1,11 @@
 <?php
-
-if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
-	// Check Anti-CSRF token
-	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
-
-	// Sanitise username input
-	$user = $_POST[ 'username' ];
-	$user = stripslashes( $user );
-	$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-
-	// Sanitise password input
-	$pass = $_POST[ 'password' ];
-	$pass = stripslashes( $pass );
-	$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-	$pass = md5( $pass );
-
-	// Default values
-	$total_failed_login = 3;
-	$lockout_time       = 15;
-	$account_locked     = false;
-
-	// Check the database (Check user information)
-	$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
-	$data->bindParam( ':user', $user, PDO::PARAM_STR );
-	$data->execute();
-	$row = $data->fetch();
-
-	// Check to see if the user has been locked out.
-	if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) )  {
-		// User locked out.  Note, using this method would allow for user enumeration!
-		//$html .= "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
-
-		// Calculate when the user would be allowed to login again
-		$last_login = strtotime( $row[ 'last_login' ] );
-		$timeout    = $last_login + ($lockout_time * 60);
-		$timenow    = time();
-
-		/*
-		print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
-		print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
-		print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
-		*/
-
-		// Check to see if enough time has passed, if it hasn't locked the account
-		if( $timenow < $timeout ) {
-			$account_locked = true;
-			// print "The account is locked<br />";
-		}
-	}
-
-	// Check the database (if username matches the password)
-	$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
-	$data->bindParam( ':user', $user, PDO::PARAM_STR);
-	$data->bindParam( ':password', $pass, PDO::PARAM_STR );
-	$data->execute();
-	$row = $data->fetch();
-
-	// If its a valid login...
-	if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
-		// Get users details
-		$avatar       = $row[ 'avatar' ];
-		$failed_login = $row[ 'failed_login' ];
-		$last_login   = $row[ 'last_login' ];
-
-		// Login successful
-		$html .= "<p>Welcome to the password protected area <em>{$user}</em></p>";
-		$html .= "<img src=\"{$avatar}\" />";
-
-		// Had the account been locked out since last login?
-		if( $failed_login >= $total_failed_login ) {
-			$html .= "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
-			$html .= "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
-		}
-
-		// Reset bad login count
-		$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
-		$data->bindParam( ':user', $user, PDO::PARAM_STR );
-		$data->execute();
-	} else {
-		// Login failed
-		sleep( rand( 2, 4 ) );
-
-		// Give the user some feedback
-		$html .= "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
-
-		// Update bad login count
-		$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
-		$data->bindParam( ':user', $user, PDO::PARAM_STR );
-		$data->execute();
-	}
-
-	// Set the last login time
-	$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
-	$data->bindParam( ':user', $user, PDO::PARAM_STR );
-	$data->execute();
+/*
+Only the admin user is allowed to access this page
+*/
+
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
 }
-
-// Generate Anti-CSRF token
-generateSessionToken();
-
 ?>
diff --git a/vulnerabilities/authbypass/source/low.php b/vulnerabilities/authbypass/source/low.php
@@ -1,32 +1,3 @@
 <?php
 
-if( isset( $_GET[ 'Login' ] ) ) {
-	// Get username
-	$user = $_GET[ 'username' ];
-
-	// Get password
-	$pass = $_GET[ 'password' ];
-	$pass = md5( $pass );
-
-	// Check the database
-	$query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
-	$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
-	if( $result && mysqli_num_rows( $result ) == 1 ) {
-		// Get users details
-		$row    = mysqli_fetch_assoc( $result );
-		$avatar = $row["avatar"];
-
-		// Login successful
-		$html .= "<p>Welcome to the password protected area {$user}</p>";
-		$html .= "<img src=\"{$avatar}\" />";
-	}
-	else {
-		// Login failed
-		$html .= "<pre><br />Username and/or password incorrect.</pre>";
-	}
-
-	((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
-}
-
 ?>
diff --git a/vulnerabilities/authbypass/source/medium.php b/vulnerabilities/authbypass/source/medium.php
@@ -1,35 +1,11 @@
 <?php
-
-if( isset( $_GET[ 'Login' ] ) ) {
-	// Sanitise username input
-	$user = $_GET[ 'username' ];
-	$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-
-	// Sanitise password input
-	$pass = $_GET[ 'password' ];
-	$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-	$pass = md5( $pass );
-
-	// Check the database
-	$query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
-	$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
-	if( $result && mysqli_num_rows( $result ) == 1 ) {
-		// Get users details
-		$row    = mysqli_fetch_assoc( $result );
-		$avatar = $row["avatar"];
-
-		// Login successful
-		$html .= "<p>Welcome to the password protected area {$user}</p>";
-		$html .= "<img src=\"{$avatar}\" />";
-	}
-	else {
-		// Login failed
-		sleep( 2 );
-		$html .= "<pre><br />Username and/or password incorrect.</pre>";
-	}
-
-	((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
+/*
+Only the admin user is allowed to access this page
+*/
+
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
 }
-
 ?>