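def change_password():
    """Handle the password-change form of the sessions demo.

    Reads ``username``, ``password1`` and ``password2`` from the POSTed form,
    validates them in the same order as before (match, protected demo users,
    user exists, password requirements) and on success overwrites the user's
    row in ``accounts``.  Every outcome re-renders ``login_sessions.html``
    with a flashed message.

    Returns:
        The rendered ``login_sessions.html`` page for POST requests.  For any
        other method the function returns ``None`` (as the original did),
        which only works if the route is registered for POST alone -- confirm.

    Fixes relative to the original:
        * ``'(' ')'`` in the special-character list was an implicit string
          concatenation (a single ``'()'`` element), so ``(`` or ``)`` on
          their own never satisfied the requirement; each character is now a
          separate member of the set.
        * The UPDATE reused a fresh connection and called ``fetchone()`` on a
          statement that yields no rows; the existing connection is reused
          and the unused fetch is dropped.

    Security notes (behaviour deliberately kept so the demo still works):
        * The new password is stored in plaintext; every login handler in this
          file compares ``password = %s`` directly, so moving to a salted hash
          has to be done in all of them together.
        * Nothing checks that the requester is logged in as the account being
          changed, so any visitor can reset any non-protected account.
    """
    if request.method != 'POST':
        return None

    username = request.form['username']
    password1 = request.form['password1']
    password2 = request.form['password2']

    # Cheap local check first: both fields must agree before touching the DB.
    if password1 != password2:
        flash('Unable to Change Password: Passwords Do Not Match!', 'danger')
        return render_template('login_sessions.html')

    # Accounts used by the website demo keep their known passwords.
    protected_users = frozenset(('scottm', 'gatesb', 'admin', 'hibberts', 'fakeUsername'))
    if username in protected_users:
        flash('This User Password Cannot Be Changed', 'danger')
        return render_template('login_sessions.html')

    # The user must already exist (bound parameter, not string-built SQL).
    lookup = 'SELECT user FROM accounts WHERE user = %s'
    connection = connect_to_database()
    existing = execute_query(connection, lookup, (username, )).fetchall()
    if not existing:
        flash('Username Does Not Exist', 'danger')
        return render_template('login_sessions.html')

    # Password policy: >= 8 chars, one special, one lower, one upper, one digit.
    special_chars = frozenset('$@#%!^&*()')
    requirements_met = (
        len(password1) >= 8
        and any(char in special_chars for char in password1)
        and any(char.islower() for char in password1)
        and any(char.isupper() for char in password1)
        and any(char.isdigit() for char in password1)
    )
    if not requirements_met:
        flash('Password Does Not Meet Requirements. Please Try Again!', 'danger')
        return render_template('login_sessions.html')

    # Requirements met: persist the new (plaintext, see docstring) password.
    update = 'UPDATE accounts SET password = %s WHERE user = %s'
    execute_query(connection, update, (password1, username))
    connection.commit()
    flash('Password Changed!', 'success')
    return render_template('login_sessions.html')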
def db_dump():
    """Render a dump of one of the demo password tables.

    The ``db`` query parameter selects the table (``'1'``-``'10'``); any other
    value, including a missing parameter, falls back to the plaintext
    ``accounts_unencrypted`` table, exactly as the original if/elif chain did.
    The second value of each entry is the storage-scheme label the template
    shows next to the dump.

    NOTE(review): this endpoint hands every stored credential (plaintext or
    hashed) to any unauthenticated visitor.  That appears intentional for this
    password-storage demo; it must never be reachable in a real deployment.
    """
    # choice -> (statement to run, label shown by dbDump.html)
    dumps = {
        '1': ("SELECT password FROM accounts_unencrypted", 'None'),
        '2': ("SELECT encrypted_password FROM accounts_base64", 'base64'),
        '3': ("SELECT encrypted_password FROM accounts_md5", 'md5'),
        '4': ("SELECT encrypted_password FROM accounts_sha256", 'SHA-256'),
        '5': ("SELECT encrypted_password FROM accounts_pb", 'PBKDF2'),
        '6': ("SELECT password FROM accounts_unencrypted_safe", 'None'),
        '7': ("SELECT encrypted_password FROM accounts_base64_safe", 'base64'),
        '8': ("SELECT encrypted_password FROM accounts_md5_safe", 'md5'),
        '9': ("SELECT encrypted_password FROM accounts_sha256_safe", 'SHA-256'),
        '10': ("SELECT encrypted_password FROM accounts_pb_safe", 'PBKDF2'),
    }
    choice = request.args.get('db')
    db_connection = connect_to_database()
    # Unknown / absent choice behaves like '1' (the original else branch).
    query, scheme = dumps.get(choice, dumps['1'])
    passwords = execute_query(db_connection, query).fetchall()
    return render_template('dbDump.html', type=scheme, passwords=passwords)
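def login_misconfig():
    """Login form for the "security misconfiguration" demo.

    On POST the credentials are looked up in ``default_accounts``.  A match
    renders ``account_admin.html``; otherwise the form is re-rendered together
    with the last six rows of ``mysql.general_log`` and the server's
    ``version`` variables, so the demo can show what an over-verbose error
    page leaks.  Any other method renders the empty form.

    Returns:
        A rendered template in every branch.

    Fix relative to the original: the loop that was meant to turn ``"`` into
    ``'`` in the log text only rebound its loop variable and changed nothing;
    the replacement is now applied when the rows are rebuilt.

    Security notes (behaviour deliberately kept):
        * Credentials are compared in plaintext via ``password = %s``.
        * The general log contains every statement the server ran, including
          other users' login attempts, and it is shown to an unauthenticated
          visitor together with the server version.  That is the point of
          this demo page; a real application must never expose either.
    """
    if request.method != 'POST':
        return render_template('login_misconfig.html')

    user = request.form['username']
    password = request.form['password']

    connection = connect_to_database()
    query = 'SELECT * FROM default_accounts WHERE user = %s AND password = %s'
    userAccount = execute_query(connection, query, (user, password)).fetchall()
    if userAccount:
        return render_template('account_admin.html', user=userAccount)

    # Gather the data the verbose error page displays.
    query2 = 'SELECT * FROM mysql.general_log a ORDER BY event_time desc LIMIT 6;'
    log = execute_query(connection, query2).fetchall()
    query3 = 'SHOW VARIABLES LIKE "%version%";'
    log2 = execute_query(connection, query3).fetchall()

    # Swap double quotes for single quotes in string columns so the text
    # displays properly.  Assumes rows are tuples, as the original per-column
    # loop implies -- if execute_query uses a dict cursor, adapt this; confirm.
    log = [
        tuple(col.replace('"', "'") if isinstance(col, str) else col for col in row)
        for row in log
    ]

    flash('Incorrect Username/Password', 'danger')
    return render_template('login_misconfig.html', log=log, log2=log2)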
def login_xss():
    """Login form for the reflected-XSS demo; credentials arrive as GET parameters.

    A matching ``accounts`` row renders ``account_xss.html``; otherwise the
    form is re-rendered with the submitted ``username`` echoed back.

    NOTE(review): credentials in the query string end up in browser history
    and in proxy/server access logs, and the failure branch reflects the raw
    ``username`` into the page.  Both are the subject of this demo and are
    left unchanged; if the reflection is not meant to be exploitable, check
    that ``login_xss.html`` relies on Jinja autoescaping rather than ``|safe``.
    """
    user = request.args.get('username')
    password = request.args.get('password')
    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    userAccount = execute_query(connection, lookup, (user, password)).fetchall()
    if not userAccount:
        return render_template('login_xss.html', username=user)
    return render_template('account_xss.html', user=userAccount)
def withdraw():
    """Zero the balance of the account named in the POSTed ``username`` and
    render the refreshed account row.

    NOTE(review): the UPDATE interpolates the form value straight into the
    SQL text with ``%`` formatting, so a crafted ``username`` changes the
    statement; the SELECT right after it shows the bound-parameter form that
    avoids this.  The handler also performs no login or CSRF check, so any
    request can empty any account.  Both appear intentional for this
    vulnerable-app demo and are left unchanged; not a pattern to copy.
    """
    target = request.form['username']
    db_connection = connect_to_database()
    cursor = db_connection.cursor()
    # Deliberately string-built (see docstring).
    cursor.execute("UPDATE `accounts` SET `balance` = 0 WHERE `user` = '%s'" % target)
    db_connection.commit()
    refreshed = execute_query(
        db_connection, "SELECT * FROM accounts WHERE user = %s", (target, )
    ).fetchall()
    return render_template('account.html', user=refreshed)
def login_exposure():
    """Login form for the sensitive-data-exposure demo.

    POST looks the credentials up in ``accounts``; a match renders
    ``account.html``, a miss flashes an error and re-renders the form.  Any
    other method renders the empty form.

    NOTE(review): the lookup builds its SQL by concatenating the raw form
    fields, so the submitted text becomes part of the statement; the other
    login handlers in this file show the bound-parameter form
    (``WHERE user = %s AND password = %s``).  Left as-is because this page is a
    deliberately vulnerable demo; not a pattern to copy.
    """
    if request.method != 'POST':
        return render_template('login_exposure.html')

    user = request.form['username']
    password = request.form['password']
    db_connection = connect_to_database()
    # Deliberately string-built (see docstring).
    query = (
        "SELECT * FROM `accounts` WHERE `user` = '" + user
        + "' AND `password` = '" + password + "' "
    )
    userAccount = execute_query(db_connection, query).fetchall()
    if userAccount:
        return render_template('account.html', user=userAccount)
    flash('Incorrect Username/Password', 'danger')
    return render_template('login_exposure.html')
def login_xxe():
    """Login form for the XXE demo.

    POST checks ``username``/``password`` against ``accounts`` and renders
    ``account_xxe.html`` on a match; on a miss it flashes an error and
    re-renders the form, passing the ``attackToken`` form field through.
    Any other method renders the form with ``attackToken`` taken from the
    query string (``None`` when absent).

    NOTE(review): as with the other login handlers, passwords are compared in
    plaintext; the token value is passed through to the template untouched.
    """
    if request.method != 'POST':
        return render_template('login_xxe.html', attackToken=request.args.get('attackToken'))

    user = request.form['username']
    password = request.form['password']
    token = request.form['attackToken']

    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    userAccount = execute_query(connection, lookup, (user, password)).fetchall()
    if userAccount:
        return render_template('account_xxe.html', user=userAccount)

    flash('Incorrect Username/Password', 'danger')
    return render_template('login_xxe.html', attackToken=token)
def login_sessions():
    """Login form for the session-management demo.

    POST checks the credentials against ``accounts``; on a match it populates
    ``session`` (``loggedin``, ``username``, ``password``, ``data``) for use by
    other routes and renders ``account_sessions.html``; on a miss it flashes
    an error and re-renders the form.  Any other method renders the form.

    NOTE(review): the plaintext password and the whole account row are
    written into the session.  With Flask's default cookie session that data
    travels to the client signed but readable; storing only an identifier is
    the safer pattern.  Kept because the demo's other routes read these keys.
    """
    if request.method != 'POST':
        return render_template('login_sessions.html')

    user = request.form['username']
    password = request.form['password']
    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    userAccount = execute_query(connection, lookup, (user, password)).fetchall()

    if not userAccount:
        flash('Incorrect Username/Password', 'danger')
        return render_template('login_sessions.html')

    # Session data other routes in the demo rely on.
    session['loggedin'] = True
    session['username'] = user
    session['password'] = password
    session['data'] = userAccount
    return render_template('account_sessions.html', user=userAccount)
def login():
    """Main login form, gated by reCAPTCHA.

    POST: if ``recaptcha.verify()`` succeeds the credentials are checked
    against ``accounts``; a match renders ``account.html``, a miss flashes an
    error and re-renders the form with the ``attackToken`` form field passed
    through.  A failed captcha flashes its own message and re-renders the
    form.  Any other method renders the form with ``attackToken`` read from
    the query string.

    NOTE(review): the captcha is verified before any database access, which
    is the right order for rate-limiting guesses; the password comparison
    itself is still plaintext like the rest of this file.
    """
    if request.method != 'POST':
        return render_template('login.html', attackToken=request.args.get('attackToken'))

    user = request.form['username']
    password = request.form['password']
    token = request.form['attackToken']

    if not recaptcha.verify():
        flash('Error with ReCaptcha. Please verify you are not a robot.', 'danger')
        return render_template('login.html', attackToken=token)

    connection = connect_to_database()
    lookup = 'SELECT * FROM accounts WHERE user = %s AND password = %s'
    userAccount = execute_query(connection, lookup, (user, password)).fetchall()
    if userAccount:
        return render_template('account.html', user=userAccount)

    flash('Incorrect Username/Password', 'danger')
    return render_template('login.html', attackToken=token)
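def register():
    """Create a demo account from the registration form.

    POST: validates ``createUsername``/``createPassword1``/``createPassword2``
    (unique name, password policy, matching confirmation -- in that order, so
    the flashed messages are unchanged), inserts the user with a random
    balance, flashes a success message and renders the page named by the
    ``referrer`` form field, or ``login.html`` when it is empty.
    GET: renders the form, remembering ``request.referrer`` with any query
    string removed so the POST can send the user back there.

    Returns:
        A rendered template in every branch.

    Fixes relative to the original:
        * ``'(' ')'`` in the special-character list was an implicit string
          concatenation (one ``'()'`` element), so ``(`` or ``)`` on their own
          never satisfied the requirement; each character is now a separate
          member of the set.
        * The INSERT wrapped its column names in single quotes, which MySQL
          parses as string literals rather than identifiers; backticks are
          used instead, matching the quoting in ``withdraw``.

    Security notes (behaviour deliberately kept):
        * The password is stored in plaintext because every login handler in
          this file compares ``password = %s`` directly.
        * ``referrer`` is client-controlled (a form field on POST, the HTTP
          Referer on GET) and selects the template rendered after success.
          The split below restricts it to ``<name>.html`` in the template
          root, and an unknown name raises ``TemplateNotFound``; validate it
          against an allow-list if this page is ever reused outside the demo.
        * ``random`` is fine here: the balance is demo data, not a secret.
    """
    if request.method != 'POST':
        token = request.args.get('attackToken')
        referrer = request.referrer
        if referrer:
            # Drop any query string from the referring URL.
            referrer = referrer.partition('?')[0]
            return render_template('register.html', referrer=referrer, attackToken=token)
        # Reached directly (e.g. the URL was typed into the address bar).
        return render_template('register.html', referrer='/login')

    username = request.form['createUsername']
    password1 = request.form['createPassword1']
    password2 = request.form['createPassword2']
    token = request.form['attackToken']
    referrer = request.form['referrer']

    # The username must be unique (bound parameter, not string-built SQL).
    lookup = 'SELECT user FROM accounts WHERE user = %s'
    db_connection = connect_to_database()
    taken = execute_query(db_connection, lookup, (username, )).fetchall()
    if taken:
        flash('Username Not Available. Please Try Again!', 'danger')
        return render_template('register.html', attackToken=token, referrer=referrer)

    # Password policy: 8-30 chars, one special, one lower, one upper, one digit.
    special_chars = frozenset('$@#%!^&*()')
    requirements_met = (
        8 <= len(password1) <= 30
        and any(char in special_chars for char in password1)
        and any(char.islower() for char in password1)
        and any(char.isupper() for char in password1)
        and any(char.isdigit() for char in password1)
    )
    if not requirements_met:
        flash('Password Does Not Meet Requirements. Please Try Again!', 'danger')
        return render_template('register.html', attackToken=token, referrer=referrer)

    if password1 != password2:
        flash('Passwords Do Not Match. Please Try Again!', 'danger')
        return render_template('register.html', attackToken=token, referrer=referrer)

    # Random starting balance between $10 and $1,000,000 (demo data).
    bankBalance = random.randint(10, 1000000)
    insert = "INSERT INTO accounts (`user`, `password`, `balance`) VALUES (%s, %s, %s)"
    execute_query(db_connection, insert, (username, password1, bankBalance))
    db_connection.commit()

    flash('Registration Successful! Please Login Below', 'success')
    if referrer:
        # Use the last path segment of the page visited before registering
        # as the template to return to.
        page = referrer.rsplit('/', 1)[-1]
        return render_template('/' + page + '.html', attackToken=token)
    # Reached directly (e.g. the URL was typed into the address bar).
    return render_template('login.html', attackToken=0)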