diff --git a/README.md b/README.md index bf11b53..7a67d80 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,8 @@ This vulnerable application contains the following API/Web Service vulnerabiliti * Command Injection * Postmessage Security (JavaScript Security) * Prototype Pollution (JavaScript Security) - +* XPATH Injection +* XML-RPC User Enumeration ## Set Up Instructions @@ -105,8 +106,6 @@ Within your /etc/hosts file, ensure localhost resolves to dvws.local. This ensur ## To Do * XML Bomb Denial-of-Service -* XPATH Injection -* XML-RPC User Enumeration * API Endpoint Brute Forcing Challenges * CSV Injection * Path Traversal diff --git a/config.xml b/config.xml new file mode 100644 index 0000000..a9fd9b0 --- /dev/null +++ b/config.xml @@ -0,0 +1,22 @@ + + + 0.0.1 + + test + test + + + mysql + root + mysecretpassword + + + mongodb + null + null + + + http://dvws.local:9090/xmlrpc + http://dvws.local/api-docs/#/ + + \ No newline at end of file diff --git a/controllers/notebook.js b/controllers/notebook.js index e7eda7c..94eee07 100644 --- a/controllers/notebook.js +++ b/controllers/notebook.js 
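Review bot: The new `config.xml` commits the MySQL `root` password (`mysecretpassword`) and the `test`/`test` login in cleartext, and it is the same document that `controllers/notebook.js` loads with `fs.readFileSync("config.xml")` and queries with the user-controlled XPath in `get_release`, so a boolean-based payload on that predicate can read these values back one character at a time. For a deliberately vulnerable lab that may be the point, but nothing in the file says so; add `<!-- DVWS lab fixture: intentionally weak, non-secret credentials - never reuse them outside the lab -->` as its first line so the values are not mistaken for real ones. Element tags are stripped in this rendering, so the exact XPath path to each value is not asserted here. The `test`/`test` pair is also created by `startup_script.js` in this same commit, so the two definitions need to be kept in sync by hand.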
@@ -3,6 +3,21 @@ const mongoose = require('mongoose'); const Note = require('../models/notebook'); const jwt = require('jsonwebtoken') const { exec } = require('child_process'); +var xpath = require('xpath'); +const xml2js = require('xml2js'); +const fs = require('fs'); +dom = require('xmldom').DOMParser +const parser = new xml2js.Parser({ attrkey: "ATTR" }); + + +let xml_string = fs.readFileSync("config.xml", "utf8"); +xml_string = xml_string.replace(/>\s*/g, '>'); // Replace "> " with ">" +xml_string = xml_string.replace(/\s* { + + var uservalue = decodeURI(req.params.release.toString()) + var xpath_result = xpath.evaluate( + "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']", // xpathExpression + doc, // contextNode + null, // namespaceResolver + xpath.XPathResult.ANY_TYPE, // resultType + null // result + ) + + var result = []; + node = xpath_result.iterateNext(); + while (node) { + result.push(node.toString()); + node = xpath_result.iterateNext(); + } + + res.send(result.toString()); + + }, create_a_note: (req, res) => { res = set_cors(req, res) res.set('Cache-Control', 'no-store, no-cache, must-revalidate, private') diff --git a/package.json b/package.json index 91322a7..b8960f1 100644 --- a/package.json +++ b/package.json @@ -35,7 +35,9 @@ "mysql": "^2.18.1", "swagger-ui-express": "^4.1.4", "xml2js": "^0.4.23", - "xmlrpc": "^1.3.2" + "xmldom": "^0.4.0", + "xmlrpc": "^1.3.2", + "xpath": "0.0.32" }, "devDependencies": { "cross-env": "^5.2.0", diff --git a/public/admin.html b/public/admin.html index a94878f..fce49cd 100644 --- a/public/admin.html +++ b/public/admin.html @@ -13,7 +13,7 @@
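Review bot: `get_release` builds its XPath predicate by concatenating `uservalue` straight from `req.params.release`, which is the XPath injection the README now advertises, but the handler carries no marker, so the next maintainer cannot separate the lesson from the accidents around it; add `// INTENTIONALLY VULNERABLE: XPath injection via req.params.release (README: "XPATH Injection") - do not copy this pattern` above the `xpath.evaluate` call. The accidents worth fixing independently of the lesson: `dom = require('xmldom').DOMParser` and `node = xpath_result.iterateNext()` are assigned without `const`/`let` and become implicit globals, and `decodeURI` re-decodes a parameter Express has already decoded, so a lone `%` in the path throws `URIError` and surfaces as a 500 - `let uservalue; try { uservalue = decodeURI(String(req.params.release)); } catch (e) { return res.status(400).send('invalid release'); }` keeps the injectable sink while failing cleanly. Unlike the sibling `create_a_note`, the new handler also skips `set_cors` and the `Cache-Control: no-store` header. Part of this section is garbled in the rendering (the text between the two `xml_string.replace` calls, including the `get_release:` line and the statement that builds `doc`, is missing), so the boundary of the second hunk is inferred.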

Damn Vulnerable Web Services
Admin Area

-

Functionality only availiable to Admin Users

+

Functionality only available to Admin Users

diff --git a/public/home.html b/public/home.html index af0d4e1..4340819 100644 --- a/public/home.html +++ b/public/home.html @@ -20,6 +20,7 @@

Damn Vulnerable Web Services
Home Area

var url = window.location.href; var hash = url.substring(url.indexOf('#') + 1); document.write('Welcome User: ' + hash + ''); +

DVWS Release: {{ ResponseMessage }}


The following areas can be accessed:
@@ -29,11 +30,45 @@

Damn Vulnerable Web Services
Home Area

Passphrase Generator
File Upload Area
- + - + + + + + + + + + \ No newline at end of file diff --git a/routes/notebook.js b/routes/notebook.js index a02cc6c..198e592 100644 --- a/routes/notebook.js +++ b/routes/notebook.js @@ -13,6 +13,9 @@ module.exports = (router) => { router.route('/v2/info') .get(controller.get_info); + router.route('/v2/:release') + .get(controller.get_release); + router.route('/v2/sysinfo/:command') .get(validateToken, controller.get_sysinfo); diff --git a/startup_script.js b/startup_script.js index efa08ad..8744a90 100644 --- a/startup_script.js +++ b/startup_script.js @@ -53,8 +53,27 @@ function createAdmin() { console.log(result.error); } // Close the connection after saving + + }); + + const user2 = new User({ + username: "test", + password: "test", + admin: false + }); + + user2.save((err, user2) => { + if (!err) { + console.log(user2); + } else { + result.error = err; + console.log(result.error); + } + // Close the connection after saving mongoose.disconnect(); }); + + }); }
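Review bot: `router.route('/v2/:release')` is a wildcard that matches every single-segment GET under `/v2/`, so it must stay registered after `/v2/info` (it is here) and after any other literal single-segment `/v2/...` GET route this file may add later - a literal route placed below it will never be reached. It is also the only `:param` route in view without `validateToken`, unlike `/v2/sysinfo/:command` two lines down; if unauthenticated access is part of the challenge, say so with `// unauthenticated on purpose: XPath injection challenge`, otherwise mirror the sibling and add the middleware. A narrower pattern such as `/v2/release/:release` would avoid the shadowing without changing the challenge. The `module.exports` function enclosing these routes begins and ends outside the hunk.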
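Review bot: As far as the collapsed indentation shows, the added `});` closes the admin `save` callback before `user2` is created, so the two saves are issued back-to-back and `mongoose.disconnect()` now fires when the second one completes, not when both do - if the admin save is still in flight at that point it can fail against a closing connection. Either issue `user2.save` from inside the admin callback, or replace the callback pair with `Promise.all([user.save(), user2.save()]).catch(console.error).finally(() => mongoose.disconnect());` so disconnect waits for both. In `user2.save((err, user2) => …)` the callback parameter shadows the outer `const user2`, which works but reads as a mistake; rename it to `savedUser` and log that instead. Whether the `User` model hashes `password: "test"` on save is not visible in this hunk, so the cleartext value is noted rather than asserted as a defect. `createAdmin` begins outside the hunk.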