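def login_misconfig():
    """Log a user in against the ``default_accounts`` table.

    On GET the login form is rendered.  On POST the submitted ``username``
    and ``password`` are looked up with a parameterized query; a match
    renders the admin account page, otherwise the six most recent rows of
    ``mysql.general_log`` and the server's ``%version%`` variables are
    fetched and passed to the login template next to the error message
    (this is the disclosure the route is built to show: the raw query log
    and server version are handed to the page).

    Returns:
        The rendered template for the current request.
    """
    if request.method != 'POST':
        return render_template('login_misconfig.html')

    user = request.form['username']
    password = request.form['password']
    # check if user account exists
    connection = connect_to_database()
    query = 'SELECT * FROM default_accounts WHERE user = %s AND password = %s'
    data = (user, password)
    userAccount = execute_query(connection, query, data).fetchall()
    # if user account exists return account page
    if userAccount:
        return render_template('account_admin.html', user=userAccount)

    # this retrieves the log data for the error message
    query2 = 'SELECT * FROM mysql.general_log a ORDER BY event_time desc LIMIT 6;'
    log = execute_query(connection, query2).fetchall()
    query3 = 'SHOW VARIABLES LIKE "%version%";'
    log2 = execute_query(connection, query3).fetchall()
    # Normalise double quotes to single quotes in the string columns so the
    # rows display properly.  The original loop only rebound its own loop
    # variable (`char = "'"`) and never changed the fetched rows; rows are
    # rebuilt here instead (assumes fetchall() yields tuple-like rows of
    # column values — TODO confirm against execute_query's cursor type).
    log = [
        tuple(col.replace('"', "'") if isinstance(col, str) else col
              for col in row)
        for row in log
    ]
    flash('Incorrect Username/Password', 'danger')
    return render_template('login_misconfig.html', log=log, log2=log2)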
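def change_password():
    """Change the stored password of an existing, non-demo account.

    On POST the form fields ``username``, ``password1`` and ``password2``
    are read and checked in order: the two passwords must match; the
    username must not be one of the reserved demo accounts; the account
    must exist; and the new password needs a special character, a
    lowercase letter, an uppercase letter, a digit and at least 8
    characters.  Every failed check flashes a message and re-renders
    ``login_sessions.html``.  On success the ``accounts`` row is updated
    (the password is stored exactly as submitted) and committed.

    On GET the login page is rendered; the original fell off the end and
    returned ``None``, which Flask rejects as a view result.

    Returns:
        The rendered ``login_sessions.html`` template.
    """
    if request.method != 'POST':
        return render_template('login_sessions.html')

    username = request.form['username']
    password1 = request.form['password1']
    password2 = request.form['password2']

    def form_error(message):
        """Flash *message* as an error and re-render the login page."""
        flash(message, 'danger')
        return render_template('login_sessions.html')

    # before connecting to database, check if passwords match
    if password1 != password2:
        return form_error('Unable to Change Password: Passwords Do Not Match!')
    # check that user is not part of the website demo, if so do not change password
    demo_users = frozenset(('scottm', 'gatesb', 'admin', 'hibberts',
                            'fakeUsername'))
    if username in demo_users:
        return form_error('This User Password Cannot Be Changed')
    # check if user exists in database
    query0 = 'SELECT user FROM accounts WHERE user = %s'
    connection = connect_to_database()
    check_name = execute_query(connection, query0, (username, )).fetchall()
    if not check_name:
        return form_error('Username Does Not Exist')
    # check password requirements are met.  The original list ended with
    # '(' ')' -- two adjacent literals, i.e. the single string '()' -- so
    # neither parenthesis was accepted on its own.
    special_chars = '$@#%!^&*()'
    requirements = (
        any(char in special_chars for char in password1),
        any(char.islower() for char in password1),
        any(char.isupper() for char in password1),
        any(char.isdigit() for char in password1),
        len(password1) >= 8,
    )
    if not all(requirements):
        return form_error('Password Does Not Meet Requirements. Please Try Again!')
    # if password requirements are met, update the database with the new password.
    # Reuse the connection opened above (the original opened a second one and
    # never closed the first) and drop the fetchone() the original called on
    # an UPDATE, whose result it never used.
    query1 = 'UPDATE accounts SET password = %s WHERE user = %s'
    execute_query(connection, query1, (password1, username))
    connection.commit()
    flash('Password Changed!', 'success')
    return render_template('login_sessions.html')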
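def account_xxe(user):
    """Render the XXE demo account page for ``user``.

    Args:
        user: Account name to look up (presumably supplied by the route
            rule; it is not taken from the session).

    Returns:
        The rendered ``account_xxe.html`` template with the matching
        ``accounts`` row when the session is marked ``loggedin``,
        otherwise a redirect to the ``login_xxe`` view.
    """
    # if not logged in redirect to login page
    if 'loggedin' not in session:
        return redirect(url_for('login_xxe'))
    # Bind `user` as a query parameter.  The original interpolated it into
    # the SQL text with `%`, which produced an unquoted literal and let the
    # supplied value change the statement itself.
    display_row = 'SELECT * from `accounts` WHERE `user` = %s'
    # NOTE(review): `db_connection` is not created in this function; it
    # presumably is a module-level connection (other views call
    # connect_to_database() themselves) -- confirm.
    row_result = execute_query(db_connection, display_row, (user, )).fetchone()
    return render_template('account_xxe.html',
                           user=session['user'],
                           row=row_result)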
def login_xss():
    """Authenticate from the ``username``/``password`` query parameters.

    Credentials are read from the query string (``request.args``), so they
    travel in the URL rather than in a form body.  A matching ``accounts``
    row renders the account page; otherwise the login page is re-rendered
    with the submitted username echoed back as the ``username`` variable.

    Returns:
        The rendered account or login template.
    """
    submitted_user = request.args.get('username')
    submitted_password = request.args.get('password')
    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    credentials = (submitted_user, submitted_password)
    rows = execute_query(connection, lookup, credentials).fetchall()
    if not rows:
        return render_template('login_xss.html', username=submitted_user)
    return render_template('account_xss.html', user=rows)
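def withdraw():
    """Set the ``balance`` of the account named in the form to 0.

    The target account is taken purely from the ``username`` form field;
    no session or login check is performed in this view.  The update is
    committed and the account page is rendered with the refreshed row(s).

    Returns:
        The rendered ``account.html`` template with the updated rows.
    """
    user = request.form['username']
    db_connection = connect_to_database()
    cursor = db_connection.cursor()
    # Bind the username as a query parameter.  The original spliced it into
    # the statement text with `%`, which let the submitted value change the
    # statement itself.
    cursor.execute("UPDATE `accounts` SET `balance` = 0 WHERE `user` = %s",
                   (user, ))
    db_connection.commit()
    query = "SELECT * FROM accounts WHERE user = %s"
    updated = execute_query(db_connection, query, (user, )).fetchall()
    return render_template('account.html', user=updated)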
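def login_exposure():
    """Render the exposure demo login page and authenticate POSTed credentials.

    On POST the ``username`` and ``password`` form fields are looked up in
    ``accounts``; a match renders the account page, otherwise an error is
    flashed and the login page is re-rendered.  On GET the login page is
    rendered.

    Returns:
        The rendered account or login template.
    """
    if request.method != 'POST':
        return render_template('login_exposure.html')

    user = request.form['username']
    password = request.form['password']
    # check if user account exists.  Both values are bound as parameters;
    # the original concatenated them into the SQL string, so either field
    # could alter the statement.
    db_connection = connect_to_database()
    query = 'SELECT * FROM `accounts` WHERE `user` = %s AND `password` = %s'
    userAccount = execute_query(db_connection, query, (user, password)).fetchall()
    # if user account exists load account page
    if userAccount:
        return render_template('account.html', user=userAccount)
    flash('Incorrect Username/Password', 'danger')
    return render_template('login_exposure.html')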
def login_xxe():
    """Render the XXE demo login page and authenticate POSTed credentials.

    ``attackToken`` is read from the form on POST and from the query
    string on GET, and is handed straight back to the login template.
    Credentials are checked with a parameterized lookup in ``accounts``.

    Returns:
        The rendered account or login template.
    """
    if request.method != 'POST':
        return render_template('login_xxe.html',
                               attackToken=request.args.get('attackToken'))

    form = request.form
    credentials = (form['username'], form['password'])
    token = form['attackToken']
    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    matched = execute_query(connection, lookup, credentials).fetchall()
    # if user account exists load account page
    if not matched:
        flash('Incorrect Username/Password', 'danger')
        return render_template('login_xxe.html', attackToken=token)
    return render_template('account_xxe.html', user=matched)
def login_sessions():
    """Render the sessions demo login page and authenticate POSTed credentials.

    On a successful lookup the session is populated with ``loggedin``,
    ``username``, ``password`` (the submitted plaintext) and ``data`` (the
    fetched rows) so other routes can read them; the account page is then
    rendered.  A failed lookup flashes an error and re-renders the login
    page, as does a GET request (without the flash).

    Returns:
        The rendered account or login template.
    """
    if request.method != 'POST':
        return render_template('login_sessions.html')

    form = request.form
    name, secret = form['username'], form['password']
    connection = connect_to_database()
    matched = execute_query(
        connection,
        'SELECT * FROM accounts WHERE user = %s AND password = %s',
        (name, secret),
    ).fetchall()
    # if error in login
    if not matched:
        flash('Incorrect Username/Password', 'danger')
        return render_template('login_sessions.html')
    # if user account exists create session data which can be accessed in other routes
    session.update(loggedin=True, username=name, password=secret, data=matched)
    return render_template('account_sessions.html', user=matched)
def login():
    """Render the main login page and authenticate POSTed credentials.

    On POST the reCAPTCHA is verified first; if it fails an error is
    flashed and the form is re-rendered.  Otherwise the ``username`` and
    ``password`` fields are looked up in ``accounts`` with a parameterized
    query.  ``attackToken`` (form on POST, query string on GET) is passed
    back to the login template unchanged.

    Returns:
        The rendered account or login template.
    """
    if request.method != 'POST':
        return render_template('login.html',
                               attackToken=request.args.get('attackToken'))

    form = request.form
    user, password, token = form['username'], form['password'], form['attackToken']
    if not recaptcha.verify():
        flash('Error with ReCaptcha. Please verify you are not a robot.',
              'danger')
        return render_template('login.html', attackToken=token)

    # check if user account exists
    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    matched = execute_query(connection, lookup, (user, password)).fetchall()
    # if user account exists load account page
    if not matched:
        flash('Incorrect Username/Password', 'danger')
        return render_template('login.html', attackToken=token)
    return render_template('account.html', user=matched)
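def db_dump():
    """Dump the stored password column of one of the demo account tables.

    The ``db`` query parameter selects the table ('1'..'10'); any other
    value, including a missing parameter, falls back to the unencrypted
    ``accounts_unencrypted`` table exactly as the original ``else`` branch
    did.  The ``type`` value passed to the template names the storage form
    (``None``, ``base64``, ``md5``, ``SHA-256`` or ``PBKDF2``).

    Returns:
        The rendered ``dbDump.html`` template with the fetched rows.
    """
    # choice -> (table, column, storage-form label shown in the template);
    # the *_safe tables are the hardened variants of the same five forms.
    tables = {
        '1': ('accounts_unencrypted', 'password', 'None'),
        '2': ('accounts_base64', 'encrypted_password', 'base64'),
        '3': ('accounts_md5', 'encrypted_password', 'md5'),
        '4': ('accounts_sha256', 'encrypted_password', 'SHA-256'),
        '5': ('accounts_pb', 'encrypted_password', 'PBKDF2'),
        '6': ('accounts_unencrypted_safe', 'password', 'None'),
        '7': ('accounts_base64_safe', 'encrypted_password', 'base64'),
        '8': ('accounts_md5_safe', 'encrypted_password', 'md5'),
        '9': ('accounts_sha256_safe', 'encrypted_password', 'SHA-256'),
        '10': ('accounts_pb_safe', 'encrypted_password', 'PBKDF2'),
    }
    choice = request.args.get('db')
    # Unknown choices fall back to the first entry.  Only the fixed mapping
    # above ever reaches the query text; the request value is used solely
    # as a dictionary key, so no user input is interpolated into SQL.
    table, column, label = tables.get(choice, tables['1'])
    db_connection = connect_to_database()
    query = 'SELECT {} FROM {}'.format(column, table)
    passwords = execute_query(db_connection, query).fetchall()
    return render_template('dbDump.html', type=label, passwords=passwords)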
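def register():
    """Create a new ``accounts`` row from the registration form.

    On POST the fields ``createUsername``, ``createPassword1``,
    ``createPassword2``, ``attackToken`` and ``referrer`` are read.  The
    username must be unused, and the password must contain a special
    character, a lowercase letter, an uppercase letter and a digit, be
    8-30 characters long and match its confirmation; each failed check
    flashes a message and re-renders the registration page.  On success
    the account is inserted with a random balance, committed, and the
    template named by the last path segment of ``referrer`` (or the login
    page when there is none) is rendered.

    On GET the registration page is rendered with the HTTP referrer
    (query string stripped) so the form can send it back.

    Returns:
        The rendered template for the current request.
    """
    if request.method != 'POST':
        token = request.args.get('attackToken')
        referrer = request.referrer
        if referrer:
            # removes any query data from the referring url
            referrer = referrer.partition('?')[0]
            return render_template('register.html',
                                   referrer=referrer,
                                   attackToken=token)
        # this is only rendered if the user went to the registration page directly
        # e.g. typed faultyvault.com/register in the address bar of the browser
        return render_template('register.html', referrer='/login')

    username = request.form['createUsername']
    password1 = request.form['createPassword1']
    password2 = request.form['createPassword2']
    token = request.form['attackToken']
    referrer = request.form['referrer']
    # generate a random bank balance between $10 - $1,000,000
    bankBalance = random.randint(10, 1000000)

    def form_error(message):
        """Flash *message* as an error and re-render the form, keeping token/referrer."""
        flash(message, 'danger')
        return render_template('register.html',
                               attackToken=token,
                               referrer=referrer)

    # check username is unique
    query1 = 'SELECT user FROM accounts WHERE user = %s'
    db_connection = connect_to_database()
    check_name = execute_query(db_connection, query1, (username, )).fetchall()
    if check_name:
        return form_error('Username Not Available. Please Try Again!')
    # check password requirements are met.  The original list ended with
    # '(' ')' -- two adjacent literals, i.e. the single string '()' -- so
    # neither parenthesis was accepted on its own.
    special_chars = '$@#%!^&*()'
    requirements = (
        any(char in special_chars for char in password1),
        any(char.islower() for char in password1),
        any(char.isupper() for char in password1),
        any(char.isdigit() for char in password1),
        8 <= len(password1) <= 30,
    )
    if not all(requirements):
        return form_error('Password Does Not Meet Requirements. Please Try Again!')
    # if passwords don't match return error message
    if password1 != password2:
        return form_error('Passwords Do Not Match. Please Try Again!')
    # Add the user to the accounts table.  Column names are quoted with
    # backticks as elsewhere in this file; the original used single quotes,
    # which MySQL parses as string literals rather than identifiers.
    query = "INSERT INTO accounts (`user`, `password`, `balance`) VALUES (%s, %s, %s)"
    execute_query(db_connection, query, (username, password1, bankBalance))
    db_connection.commit()
    # will redirect to the login page (displaying success message)
    # if they have successfully created an account
    flash('Registration Successful! Please Login Below', 'success')
    if referrer:
        # The last path segment of the page viewed before registration names
        # the template rendered next.  Note that `referrer` arrives in the
        # submitted form, so the template name is chosen by the client;
        # consider checking it against the set of pages that link here.
        page = referrer.split('/')[-1]
        return render_template('/' + page + '.html', attackToken=token)
    # this is only rendered if the user went to the registration page directly
    # e.g. typed faultyvault.com/register in the address bar of the browser
    return render_template('login.html', attackToken=0)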