
Fixed DEBUG variable effects in the vulnerable server code. #5883

Open
wants to merge 1 commit into
base: master
2 changes: 1 addition & 1 deletion data/txt/sha256sums.txt
Expand Up @@ -157,7 +157,7 @@ ca86d61d3349ed2d94a6b164d4648cff9701199b5e32378c3f40fca0f517b128 extra/shutils/
df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264 extra/shutils/recloak.sh
1972990a67caf2d0231eacf60e211acf545d9d0beeb3c145a49ba33d5d491b3f extra/shutils/strip.sh
4608f21a4333c162ab3c266c903fda4793cc5834de30d06affe9b7566dd09811 extra/vulnserver/__init__.py
eed1db5da17eca4c65a8f999166e2246eef84397687ae820bbe4984ef65a09df extra/vulnserver/vulnserver.py
486d94bdd9603ef157e2b6c409df9099ff9219782e4bf76770bca5d01ed8d537 extra/vulnserver/vulnserver.py
96a39b4e3a9178e4e8285d5acd00115460cc1098ef430ab7573fc8194368da5c lib/controller/action.py
fad6640f60eac8ad1b65895cbccc39154864843a2a0b0f2ac596d3227edcd4f6 lib/controller/checks.py
34e9cf166e21ce991b61ca7695c43c892e8425f7e1228daec8cadd38f786acc6 lib/controller/controller.py
26 changes: 23 additions & 3 deletions extra/vulnserver/vulnserver.py
Expand Up @@ -11,6 +11,7 @@

import base64
import json
import os
import re
import sqlite3
import sys
Expand All @@ -19,7 +20,7 @@

PY3 = sys.version_info >= (3, 0)
UNICODE_ENCODING = "utf-8"
DEBUG = False
DEBUG = os.getenv('VULN_SERVER_DEBUG', '').lower() in ('true', '1', 'yes', 'on')

if PY3:
from http.client import INTERNAL_SERVER_ERROR
Expand Down Expand Up @@ -82,12 +83,17 @@ def _(*args, **kwargs):

print = _

def debug_print(msg):
if DEBUG:
print("[DEBUG] %s" % msg)

class ThreadingServer(ThreadingMixIn, HTTPServer):
def finish_request(self, *args, **kwargs):
try:
HTTPServer.finish_request(self, *args, **kwargs)
except Exception:
if DEBUG:
debug_print("Error in finish_request:")
traceback.print_exc()

class ReqHandler(BaseHTTPRequestHandler):
Expand Down Expand Up @@ -144,19 +150,26 @@ def do_REQUEST(self):
try:
if self.params.get("echo", ""):
output += "%s<br>" % self.params["echo"]
debug_print("Echo parameter: %s" % self.params["echo"])

if self.params.get("reflect", ""):
output += "%s<br>" % self.params.get("id")
debug_print("Reflect parameter: %s" % self.params.get("id"))

with _lock:
if "query" in self.params:
debug_print("Executing query: %s" % self.params["query"])
_cursor.execute(self.params["query"])
elif "id" in self.params:
if "base64" in self.params:
_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % base64.b64decode("%s===" % self.params["id"], altchars=self.params.get("altchars")).decode())
decoded_id = base64.b64decode("%s===" % self.params["id"], altchars=self.params.get("altchars")).decode()
debug_print("Decoded base64 ID: %s" % decoded_id)
_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % decoded_id)
else:
debug_print("Executing query with ID: %s" % self.params["id"])
_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params["id"])
results = _cursor.fetchall()
debug_print("Query results: %s" % results)

output += "<b>SQL results:</b><br>\n"

Expand All @@ -180,7 +193,9 @@ def do_REQUEST(self):
output += "</body></html>"
except Exception as ex:
code = INTERNAL_SERVER_ERROR
output = "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex)
error_msg = "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex)
debug_print("Error occurred: %s" % error_msg)
output = error_msg

self.send_response(code)

Expand Down Expand Up @@ -213,7 +228,9 @@ def do_POST(self):
data = self.rfile.read(length)
data = unquote_plus(data.decode(UNICODE_ENCODING, "ignore"))
self.data = data
debug_print("Received POST data: %s" % data)
elif self.headers.get("Transfer-encoding") == "chunked":
debug_print("Processing chunked transfer encoding")
data, line = b"", b""
count = 0

Expand Down Expand Up @@ -243,13 +260,16 @@ def run(address=LISTEN_ADDRESS, port=LISTEN_PORT):
try:
_alive = True
_server = ThreadingServer((address, port), ReqHandler)
debug_print("Initializing server at 'http://%s:%d'" % (address, port))
print("[i] running HTTP server at 'http://%s:%d'" % (address, port))
_server.serve_forever()
except KeyboardInterrupt:
debug_print("Received keyboard interrupt")
_server.socket.close()
raise
finally:
_alive = False
debug_print("Server stopped")

if __name__ == "__main__":
try:
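Review bot: The new debug_print calls in do_REQUEST and do_POST interpolate client-supplied values (`self.params["echo"]`, `self.params["query"]`, the decoded id, the POST body) into the log line with `%s`, so with VULN_SERVER_DEBUG enabled a request can put newlines or terminal escape sequences on the operator's console and forge lines that look like genuine `[DEBUG]` output. Formatting those values with `%r` keeps each message on one line and makes control characters visible, e.g. `debug_print("Received POST data: %r" % data)` and `debug_print("Executing query: %r" % self.params["query"])`. Because the same messages also dump full query results and request bodies, a comment next to the `DEBUG = os.getenv(...)` line would help, such as `# debug output includes raw request data and query results; enable only on a local test instance`. The bodies of do_REQUEST and do_POST continue outside the visible hunks, so other call sites may need the same treatment.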