|
| 1 | +# adding comments |
| 2 | +# move line |
| 3 | +from flask import Flask, request, render_template_string, jsonify |
| 4 | +import subprocess |
| 5 | +import os |
| 6 | +import sqlite3 |
| 7 | +import requests |
| 8 | +from lxml import etree |
| 9 | + |
| 10 | +# Example hardcoded AWS credentials (sensitive data leakage) |
| 11 | +aws_access_key_id = '****64VE' |
| 12 | +aws_secret = '****9yO5' |
| 13 | + |
| 14 | +app = Flask(__name__) |
| 15 | + |
| 16 | +@app.route('/', methods=['GET', 'POST']) |
| 17 | +def index(): |
| 18 | + output = '' |
| 19 | + # 1 - SQL Injection |
| 20 | + db = sqlite3.connect("tutorial.db") |
| 21 | + cursor = db.cursor() |
| 22 | + username = '' |
| 23 | + password = '' |
| 24 | + try: |
| 25 | + cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)) |
| 26 | + except: |
| 27 | + pass |
| 28 | + |
| 29 | + if request.method == 'POST': |
| 30 | + # 2 - Command Injection |
| 31 | + if 'command' in request.form: |
| 32 | + cmd = request.form['command'] |
| 33 | + process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 34 | + stdout, stderr = process.communicate() |
| 35 | + if process.returncode == 0: |
| 36 | + output = stdout.decode('utf-8') |
| 37 | + else: |
| 38 | + output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}" |
| 39 | + |
| 40 | + # 3 - File Upload with no restrictions, and path traversal |
| 41 | + elif 'file' in request.files: |
| 42 | + uploaded_file = request.files['file'] |
| 43 | + uploaded_file.save(os.path.join('/uploads', uploaded_file.filename)) |
| 44 | + output = f"File {uploaded_file.filename} uploaded successfully!" |
| 45 | + |
| 46 | + # 4 - SQL Injection via input |
| 47 | + elif 'sql' in request.form: |
| 48 | + sql = request.form['sql'] |
| 49 | + try: |
| 50 | + # Execute the user's SQL query |
| 51 | + cursor.execute(sql) |
| 52 | + # Fetch all rows from the query result |
| 53 | + rows = cursor.fetchall() |
| 54 | + # Format the results for display |
| 55 | + if rows: |
| 56 | + output = "Results:\n" + "\n".join(str(row) for row in rows) |
| 57 | + else: |
| 58 | + output = "Query executed successfully, but no results found." |
| 59 | + except Exception as e: |
| 60 | + output = f"SQL Error: {e}" |
| 61 | + |
| 62 | + # 5 - Cross-Site Scripting (XSS) |
| 63 | + elif 'xss' in request.form: |
| 64 | + xss_input = request.form['xss'] |
| 65 | + output = f"Reflected XSS result: {xss_input}" |
| 66 | + |
| 67 | + # 6 - XML External Entity (XXE) Injection |
| 68 | + elif 'xml' in request.form: |
| 69 | + xml_data = request.form['xml'] |
| 70 | + try: |
| 71 | + # Use lxml to parse the XML data |
| 72 | + parser = etree.XMLParser(load_dtd=True, resolve_entities=True) |
| 73 | + tree = etree.fromstring(xml_data.encode(), parser) |
| 74 | + output = f"Parsed XML: {etree.tostring(tree, encoding='unicode')}" |
| 75 | + except Exception as e: |
| 76 | + output = f"XML Parsing Error: {e}" |
| 77 | + |
| 78 | + # 7 - Server-Side Request Forgery (SSRF) |
| 79 | + elif 'url' in request.form: |
| 80 | + url = request.form['url'] |
| 81 | + try: |
| 82 | + response = requests.get(url) |
| 83 | + output = f"SSRF Response: {response.text[:200]}" |
| 84 | + except Exception as e: |
| 85 | + output = f"SSRF Error: {e}" |
| 86 | + |
| 87 | + # 8 - SQL injection with parameter instead of whole query |
| 88 | + if 'username' in request.form: |
| 89 | + username = request.form['username'] |
| 90 | + try: |
| 91 | + # Vulnerable SQL query using string interpolation |
| 92 | + query = "SELECT password FROM users WHERE username = '{}'".format(username) |
| 93 | + cursor.execute(query) |
| 94 | + result = cursor.fetchone() |
| 95 | + if result: |
| 96 | + output = f"Password for {username}: {result[0]}" |
| 97 | + else: |
| 98 | + output = "User not found." |
| 99 | + except Exception as e: |
| 100 | + output = f"SQL Error: {e}" |
| 101 | + |
| 102 | + return render_template_string(""" |
| 103 | + <h1>Intentionally Insecure App</h1> |
| 104 | + <hr> |
| 105 | +
|
| 106 | + <!-- Command Injection --> |
| 107 | + <form action="/" method="post"> |
| 108 | + <h2>Command Injection</h2> |
| 109 | + <input type="text" name="command" value="ls -la"> |
| 110 | + <input type="submit" value="Run"> |
| 111 | + </form> |
| 112 | + <br> |
| 113 | +
|
| 114 | + <!-- File Upload --> |
| 115 | + <form action="/" method="post" enctype="multipart/form-data"> |
| 116 | + <h2>Path Traversal via File Upload</h2> |
| 117 | + <input type="file" name="file"> |
| 118 | + <input type="submit" value="Upload"> |
| 119 | + </form> |
| 120 | + <p>Try uploading a file named: <code>../../../../etc/passwd</code></p> |
| 121 | + <br> |
| 122 | +
|
| 123 | + <!-- SQL Injection --> |
| 124 | + <form action="/" method="post"> |
| 125 | + <h2>SQL Injection</h2> |
| 126 | + <input type="text" name="sql" value="SELECT * FROM users WHERE username = 'admin' OR '1'='1'"> |
| 127 | + <input type="submit" value="Run"> |
| 128 | + </form> |
| 129 | + <br> |
| 130 | +
|
| 131 | + <!-- Cross-Site Scripting (XSS) --> |
| 132 | + <form action="/" method="post"> |
| 133 | + Enter XSS payload: <input type="text" name="xss" value="<script>alert('XSS');</script>"> |
| 134 | + <input type="submit" value="Run"> |
| 135 | + </form> |
| 136 | + <br> |
| 137 | +
|
| 138 | + <!-- XML External Entity (XXE) Injection --> |
| 139 | + <form action="/" method="post"> |
| 140 | + <h2>XML External Entity (XXE) Injection</h2> |
| 141 | + <textarea name="xml" rows="5" cols="50"> |
| 142 | +<?xml version="1.0"?> |
| 143 | +<!DOCTYPE root [ |
| 144 | +<!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| 145 | +]> |
| 146 | +<root>&xxe;</root> |
| 147 | + </textarea> |
| 148 | + <input type="submit" value="Parse XML"> |
| 149 | + </form> |
| 150 | + <br> |
| 151 | +
|
| 152 | + <!-- Server-Side Request Forgery (SSRF) --> |
| 153 | + <form action="/" method="post"> |
| 154 | + <h2>Server-Side Request Forgery (SSRF)</h2> |
| 155 | + <input type="text" name="url" value="http://localhost:8080/"> |
| 156 | + <input type="submit" value="Request"> |
| 157 | + </form> |
| 158 | + <br> |
| 159 | + <!-- SQL Injection 2 --> |
| 160 | + <h2>SQL Injection 2</h2> |
| 161 | + <form action="/" method="post"> |
| 162 | + Enter Username: <input type="text" name="username" value="' UNION SELECT username || ' : ' || password FROM users --"> |
| 163 | + <input type="submit" value="Lookup"> |
| 164 | + </form> |
| 165 | + <hr> |
| 166 | + <pre>{{ output|safe }}</pre> |
| 167 | + """, output=output) |
| 168 | + |
| 169 | +if __name__ == '__main__': |
| 170 | + app.run(host='0.0.0.0', port=8080) |
| 171 | +Aikido Recommendation |
| 172 | + |
| 173 | +Very high priority to fix |
| 174 | + |
| 175 | +According to Aikido, this is a very high impact issue. We recommend fixing the issue as soon as possible. |
| 176 | + |
| 177 | +AI Autotriage Summary |
| 178 | + |
| 179 | +The Flask application runs in debug mode while being publicly accessible, exposing sensitive debug information and enabling remote code execution. |
| 180 | + |
| 181 | +Call Tree |
| 182 | + |
| 183 | +insecure-app/app.py |
0 commit comments