Last active
April 9, 2021 05:14
-
-
Save santrancisco/3fc661031543f37b26bb1e42ead8669b to your computer and use it in GitHub Desktop.
simple php challenge
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:10:53 +0000] "POST /index.php HTTP/1.1" 200 900 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:10:53 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:715 bytesOut:900 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:11:19 +0000 "POST /index.php" 200 /app/index.php 12.317 2048 0.00% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:11:19 +0000] "POST /index.php HTTP/1.1" 200 926 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:11:19 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:715 bytesOut:926 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:11:27 +0000 "POST /index.php" 200 /app/index.php 14.809 2048 0.00% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:11:27 +0000] "POST /index.php HTTP/1.1" 200 927 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:11:27 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:713 bytesOut:927 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:11:31 +0000 "POST /index.php" 200 /app/index.php 12.316 2048 0.00% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:11:31 +0000] "POST /index.php HTTP/1.1" 200 939 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:11:31 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:734 bytesOut:939 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:11:35 +0000 "POST /index.php" 200 /app/index.php 10.551 2048 0.00% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:11:35 +0000] "POST /index.php HTTP/1.1" 200 924 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:11:35 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:716 bytesOut:924 reqTime:0 | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:12:19 +0000] "-" 408 0 "-" "-" | |
| [httpd:access] docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:12:19 +0000] "-" 408 bytesIn:0 bytesOut:0 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:13:00 +0000 "POST /index.php" 200 /app/index.php 40.200 2048 24.88% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:13:00 +0000] "POST /index.php HTTP/1.1" 200 951 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:13:00 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:715 bytesOut:951 reqTime:0 | |
| [php-fpm:access] 127.0.0.1 - 11/Jul/2019:14:13:05 +0000 "POST /index.php" 200 /app/index.php 13.657 2048 73.22% | |
| docker.vm:80 172.17.0.1 - - [11/Jul/2019:14:13:05 +0000] "POST /index.php HTTP/1.1" 200 949 "http://justsomefakelog.com/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" | |
| [httpd:access] localhost:80 172.17.0.1 - - [11/Jul/2019:14:13:05 +0000] "POST /index.php HTTP/1.1" 200 bytesIn:715 bytesOut:949 reqTime:0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| # Nick, don't forget to reenable auth after testing! | |
| #Session_start(); | |
| #if (!isset($_SESSION['user'])) { | |
| # echo 'please login'; | |
| # exit(); | |
| #} | |
| $url = $_GET['url']; | |
| $info = parse_url($url); | |
| if (!is_array($info) || substr($info['scheme'],0,4) !== 'http') { | |
| header("HTTP/1.1 404 Not Found"); | |
| echo "<h3> 404 - WRONG SCHEME! </h3>"; | |
| exit(); | |
| } | |
| $curl = curl_init(); | |
| curl_setopt($curl, CURLOPT_URL, $url); | |
| curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
| curl_setopt($curl, CURLOPT_MAXREDIRS, 0); | |
| curl_setopt($curl, CURLOPT_TIMEOUT, 10); | |
| curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10); | |
| $data = curl_exec($curl); | |
| if (curl_error($curl)) { | |
| echo(curl_error($curl)); | |
| } else { | |
| echo $data; | |
| } | |
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| session_start(); | |
| $user = "admin"; | |
| $secret = "0e770334890835629043478642775106"; //Super secret password! | |
| //Well, Super secret password! | |
| // Some says you can't hardcoded the password but surely if it's complex enough, it should not matter? | |
| if ($_REQUEST['signout'] === "true") | |
| { | |
| setcookie("PHPSESSID","",0, "/"); | |
| header("Location: http://".$_SERVER['HTTP_HOST']."/index.php"); | |
| die(); | |
| } | |
| $username = ""; | |
| if ($_REQUEST['user'] != ""){ | |
| $username = $_REQUEST['user']; | |
| } | |
| // User verification happens here, better not screw this up, Nick! | |
| if(isset($_POST['user']) && isset($_POST['password'])) { | |
| if($_POST['user'] == $user) { | |
| if(md5(trim($_POST['password'])) == $secret) { | |
| $_SESSION['user'] = $_POST['user']; | |
| $verified = true; | |
| } else { | |
| header("Location: index.php?user=${username}"); | |
| echo 'wrong password!'; | |
| exit(); | |
| } | |
| } else { | |
| header("Location: index.php?user=${username}"); | |
| echo 'wrong username!'; | |
| } | |
| } | |
| ?> | |
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <title>Envelope</title> | |
| <meta name="viewport" content="width=device-width, initial-scale=1"> | |
| <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" /> | |
| </head> | |
| <body> | |
| <nav class="navbar navbar-default navbar-fixed-top"> | |
| <div class="container"> | |
| <a class="navbar-brand" href="">Envelope</a> | |
| <a href="index.php?signout=true">Sign out</a> | |
| </div> | |
| </div> | |
| </nav> | |
| <div class="container"> | |
| <div class="jumbotron"> | |
| <div > | |
| <?php | |
| if (isset($_SESSION['user'])) { | |
| echo "<div >Hi ${username}! Your daily message: What's the meaning of life?</div>"; | |
| ?> | |
| <br> | |
| <div> | |
| <h4>Current prod site (Ben, if this page shows an error, page ITOPS!):</h4> | |
| <iframe width="100%" height="500px" src="/fetchurl.php?url=https://cmgroup.com/"></iframe> | |
| </div> | |
| <div > | |
| <br> | |
| <form action="/index.php" method="POST" class="form-signin"> | |
| <h3>Log file:</h3> | |
| <br> | |
| <label for="filename" class="sr-only">Filename</label> | |
| <input type="text" name="filename" id="filename" class="form-control" placeholder="Log files, name: web.log, auth.log, access.log" required="" autofocus=""> | |
| <br> | |
| <label for="delete">Delete file</label> | |
| <input type="checkbox" name="deleteflag" id="deleteflag"> | |
| <br> | |
| <button class="btn btn-lg btn-primary btn-block" type="submit">Interact</button> | |
| </form> | |
| </div> | |
| <?php | |
| if($_REQUEST['deleteflag'] === "on" && $_REQUEST['filename'] != ""){ | |
| // May 2019 Update: Allow user to delete log file | |
| $filename = $_REQUEST['filename']; | |
| $result = shell_exec('rm -- logs/'.escapeshellarg($filename).' 2>&1'); | |
| echo "<br><pre>".$result."</pre>"; | |
| } | |
| else if(isset($_POST['filename'])) { | |
| // Feb 2010: Allow SRE users to read logs. | |
| $filename = $_POST['filename']; | |
| $files = shell_exec('cat -- logs/'.escapeshellarg($filename).' 2>&1'); | |
| echo "<br><pre>".htmlspecialchars($files)."</pre>"; | |
| } | |
| } | |
| else | |
| { | |
| ?> | |
| </div> | |
| <div class="d-flex justify-content-center"> | |
| <form action="" method="POST" class="form-signin"> | |
| <h2>Please login</h2> | |
| <br> | |
| <label for="user" class="sr-only">Username</label> | |
| <input type="text" name="user" id="user" class="form-control" placeholder="Username" required="" autofocus="" value="<?php echo $username ?>"> | |
| <label for="password" class="sr-only">Password</label> | |
| <input type="password" id="password" name="password" class="form-control" placeholder="Password" required=""> | |
| <br> | |
| <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button> | |
| </form> | |
| </div> | |
| <?php } ?> | |
| </div> | |
| </div> | |
| </body> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_version = "0.14.6" | |
| } | |
| // Targeting Ohio region of the account where it is safe | |
| provider "aws" { | |
| region = "us-east-2" | |
| allowed_account_ids = ["{ID OF THE ACCOUNT WE ARE DEPLOYING TO}"] | |
| } | |
| variable "name" { | |
| type=string | |
| default="secchallenge" | |
| description="The name of deployment." | |
| } | |
| variable "key_name" { | |
| type=string | |
| default="secops" | |
| description="The name of the ssh key pair we use to manage the cluster." | |
| } | |
| data "aws_ami" "ubuntu" { | |
| most_recent = true | |
| filter { | |
| name = "name" | |
| values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] | |
| } | |
| filter { | |
| name = "virtualization-type" | |
| values = ["hvm"] | |
| } | |
| owners = ["099720109477"] # Canonical | |
| } | |
| ### Plumbing network | |
| module "vpc" { | |
| source = "terraform-aws-modules/vpc/aws" | |
| name = "${var.name}-vpc" | |
| cidr = "10.8.0.0/16" | |
| azs = ["us-east-2a", "us-east-2b"] | |
| private_subnets = ["10.8.1.0/24", "10.8.2.0/24"] | |
| public_subnets = ["10.8.101.0/24", "10.8.102.0/24"] | |
| enable_nat_gateway = false | |
| enable_vpn_gateway = false | |
| tags = { | |
| Terraform = "true" | |
| } | |
| } | |
| module "web_server_sg" { | |
| source = "terraform-aws-modules/security-group/aws" | |
| vpc_id = module.vpc.vpc_id | |
| name = "${var.name}-web-server" | |
| description = "Security group for web-server" | |
| ingress_rules = ["https-443-tcp","http-80-tcp","ssh-tcp"] | |
| ingress_cidr_blocks = ["0.0.0.0/0"] | |
| tags = { | |
| Terraform = "true" | |
| } | |
| egress_rules = [ "all-all" ] | |
| egress_cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| ### Create EC2 instance | |
| ## CHange instance type to bigger one when running the event | |
| ## When choosing instance type - remember at least 1gb of ram and be a little generous. | |
| module "ec2" { | |
| source = "terraform-aws-modules/ec2-instance/aws" | |
| name = "interviewchallenge" | |
| subnet_id = module.vpc.public_subnets[0] | |
| associate_public_ip_address = true | |
| tags = { | |
| ScheduledShutdown = "no" | |
| OffHours = "off" | |
| } | |
| ami = data.aws_ami.ubuntu.id | |
| instance_type = "t2.micro" | |
| key_name = var.key_name | |
| monitoring = true | |
| vpc_security_group_ids = [module.web_server_sg.this_security_group_id] | |
| user_data= <<EOF | |
| #!/bin/bash | |
| #set -ex | |
| apt-get update | |
| apt-get install -y git htop | |
| apt-get install -y apt-utils mysql-client | |
| apt-get install -y apache2 | |
| apt-get install -y php libapache2-mod-php php-mcrypt php-mysql php-curl | |
| systemctl restart apache2 | |
| mkdir -p /var/www/html | |
| curl https://gist.githubusercontent.com/santrancisco/3fc661031543f37b26bb1e42ead8669b/raw/index.php -o /var/www/html/index.php | |
| rm /var/www/html/index.html | |
| curl https://gist.githubusercontent.com/santrancisco/3fc661031543f37b26bb1e42ead8669b/raw/fetchurl.php -o /var/www/html/fetchurl.php | |
| mkdir -p /var/www/html/logs | |
| echo "Secret admin log" > /var/www/html/logs/admin.log | |
| echo "Secret authentication log" > /var/www/html/logs/auth.log | |
| curl https://gist.githubusercontent.com/santrancisco/3fc661031543f37b26bb1e42ead8669b/raw/fake.log -o /var/www/html/logs/web.log | |
| systemctl restart apache2 | |
| EOF | |
| } | |
| output "externalEC2ip" { | |
| value = module.ec2.public_ip | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
DO NOT USE ANY OF THIS CODE IN YOUR APP... This is just a demo code to show case some vulneraiblities.