Merge pull request #19 from SamuraiWTF/employee-list

Employee list
SamuraiWTF · Jul 20, 2024 · 5f3dcec · 5f3dcec
2 parents 1e7be80 + 297a579
commit 5f3dcec
Show file tree

Hide file tree

Showing 6 changed files with 253 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -8,23 +8,64 @@ Samurai-Dojo is a set of vulnerable web applications created by and for the Samu
 
 Each app is located in its respective folder, than can be moved the the appropriate location for web root on your server.  Sample apache configuration files (needed at least for scavenger's challenge) are also provided and need to be moved to the /etc/apache2/sites-available/ folder on Debian/Ubuntu or integrated in your apache configuration file on other distributions.
 
-### Vagrant
-For ease of development a Vagrant configuration are available.  The Vagrant configuration and deployment are stored in the following files:
-* `Vagrantfile` : contains a standard Vagrant config (no plugins required)
-* `bootstrap.sh` : contains the installation script to get Samurai-Dojo up and running on Apache
+## Running Samurai Dojo Applications
 
-The one configuration item that is necessary is on your local host (i.e. not the Vagrant guest) add the following mappings to your hosts file.
+You can run Samurai Dojo-Basic either using Vagrant or Docker. Choose the method that best suits your environment and preferences.
 
-   ```
-   127.0.0.1       dojo-basic
-   127.0.0.1       dojo-scavenger
-   127.0.0.1       dojo-helpdesk
-   ```
+### Option 1: Using Vagrant
 
-============
+1. Install [Vagrant](https://www.vagrantup.com/) and [VirtualBox](https://www.virtualbox.org/).
+2. Clone this repository.
+3. Navigate to the project directory in your terminal.
+4. Run `vagrant up`. This will create a virtual machine that shares a drive with the host machine.
+5. When done, set up your hosts file as listed below.
+6. Connect to the web interface and reset the database.
+
+### Option 2: Using Docker (Recommended!)
+
+1. Install [Docker Desktop](https://docs.docker.com/desktop/) if you don't already have it.
+2. Clone this repository.
+3. Navigate to the project directory in your terminal.
+4. Run `docker-compose up -d`. This will build and start the containers (dojo-basic, dojo-scavenger, and required databases) in detached mode.
+5. The application should now be accessible at `http://localhost:30080` for the basic PHP app and `http://localhost:31080` for the scavenger app.
+6. To stop the containers, run `docker-compose down`.
+
+## Regarding the helpdesk application 
+
+You may find some references to a helpdesk application. Consider this a work in progress that is not normally used (yet).
+It should running at http://127.0.0.1:32080.
+
+## Setting up your hosts file
+
+Add the following entries to your hosts file:
+
+```
+127.0.0.2       dojo-basic
+127.0.0.2       dojo-basic.wtf
+```
+
+On Unix-like systems (including macOS), the hosts file is located at `/etc/hosts`.
+On Windows, it's located at `C:\Windows\System32\drivers\etc\hosts`.
+
+## Resetting the Database
+
+After setting up, connect to the web interface and use the "Reset DB" option in the "Pentester Help" menu to initialize the database.
+
+## Security Warning
+
+This application is deliberately vulnerable. DO NOT run this on a production network or any network exposed to the internet. Use it only on a private, isolated network or local development environment.
+
+## Contributing
+
+Contributions to improve Samurai Dojo-Basic are welcome. Please submit pull requests or open issues on the GitHub repository.
+
+## License
+
+[Insert license information here]
+
+## Credits
 
-   Local access via the vagrant machine is:
+Originally created by Justin Searle
+Maintained by the SamuraiWTF team
 
-   http://127.0.0.1:30080 for dojo-basic
-   http://127.0.0.1:31080 for dojo-scavenger
-   http://127.0.0.1:32080 for helpdesk
+Samurai Dojo-Basic is a [SamuraiWTF](http://github.com/SamuraiWTF) Project.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2'
+
 
 services:
   basicphp:

diff --git a/src/basic/css/dojo-basic.css b/src/basic/css/dojo-basic.css
@@ -47,6 +47,7 @@ body {
 .page-title {
     text-align: center;
     font-size: 24px;
+    margin-bottom: 20px;
 }
 
 input[type="text"],
@@ -98,3 +99,79 @@ input[type="submit"]:hover {
 .blog-controls input[type="submit"]:hover {
     background-color: #e68a00; /* Darker shade of orange */
 }
+
+/* New styles for the employee directory table */
+.employee-table {
+    width: 100%;
+    border-collapse: collapse;
+    margin-top: 20px;
+}
+
+.employee-table th,
+.employee-table td {
+    border: 1px solid #ddd;
+    padding: 12px;
+    text-align: left;
+}
+
+.employee-table th {
+    background-color: #003366;
+    color: white;
+}
+
+.employee-table th a {
+    color: white;
+    text-decoration: none;
+    display: block;
+    width: 100%;
+    height: 100%;
+}
+
+.employee-table th a:hover {
+    color: #ff9900;
+}
+
+.employee-table tr:nth-child(even) {
+    background-color: #f2f2f2;
+}
+
+.employee-table tr:hover {
+    background-color: #e6f7ff;
+}
+
+.employee-table td a {
+    color: #003366;
+    text-decoration: none;
+}
+
+.employee-table td a:hover {
+    color: #ff9900;
+    text-decoration: underline;
+}
+
+/* Sorting indicators */
+.sort-indicator {
+    margin-left: 5px;
+}
+
+/* Sorting indicators */
+.sort-indicator {
+    margin-left: 5px;
+}
+
+/* General spacing improvements */
+.main-content {
+    padding: 20px;
+}
+
+p {
+    margin-bottom: 15px;
+}
+
+/* Hint section styling */
+.hint {
+    background-color: #FFFF00;
+    padding: 15px;
+    margin-top: 20px;
+    border-radius: 5px;
+}
diff --git a/src/basic/employee-directory.php b/src/basic/employee-directory.php
@@ -0,0 +1,79 @@
+<div class="page-title"><h2>Employee Directory</h2></div>
+
+<?php
+// Function to get employees (now using accounts table and filtering out admin)
+function getEmployees($sortColumn = "last_name", $sortDirection = "DESC") {
+    global $conn;
+    $sortOrder = $sortColumn . " " . $sortDirection;
+
+    // Prepare the query with a placeholder for the ORDER BY clause
+    $query = "SELECT cid, username, first_name, last_name, department, hire_date
+              FROM accounts
+              WHERE username != 'admin'
+              ORDER BY " . $sortOrder;
+
+    // Execute the query
+    $result = $conn->query($query);
+
+    // Check for errors without exposing the query
+    if (!$result) {
+        error_log("SQL Error: " . $conn->error);
+        return [];
+    }
+
+    $employees = [];
+    while ($row = $result->fetch_assoc()) {
+        $employees[] = $row;
+    }
+    return $employees;
+}
+
+// Handle the sort order from user input
+$sortColumn = isset($_GET['sort']) ? $_GET['sort'] : 'last_name';
+$sortDirection = isset($_GET['direction']) && $_GET['direction'] === 'DESC' ? 'DESC' : 'ASC';
+
+// Get employees based on sort order
+$employees = getEmployees($sortColumn, $sortDirection);
+
+// Function to generate sort URL
+function getSortUrl($column) {
+    global $sortColumn, $sortDirection;
+    $newDirection = ($column === $sortColumn && $sortDirection === 'ASC') ? 'DESC' : 'ASC';
+    return "?page=employee-directory.php&sort=" . $column . "&direction=" . $newDirection;
+}
+?>
+
+<div class="table-responsive">
+    <table class="employee-table">
+        <thead>
+            <tr>
+                <th><a href="<?php echo getSortUrl('last_name'); ?>">Name <span class="sort-indicator"><?php echo ($sortColumn === 'last_name') ? ($sortDirection === 'ASC' ? '▲' : '▼') : ''; ?></span></a></th>
+                <th><a href="<?php echo getSortUrl('department'); ?>">Department <span class="sort-indicator"><?php echo ($sortColumn === 'department') ? ($sortDirection === 'ASC' ? '▲' : '▼') : ''; ?></span></a></th>
+                <th><a href="<?php echo getSortUrl('hire_date'); ?>">Hire Date <span class="sort-indicator"><?php echo ($sortColumn === 'hire_date') ? ($sortDirection === 'ASC' ? '▲' : '▼') : ''; ?></span></a></th>
+                <th>Blog</th>
+            </tr>
+        </thead>
+        <tbody>
+            <?php foreach ($employees as $employee): ?>
+            <tr>
+                <td><?php echo htmlspecialchars($employee['first_name'] . ' ' . $employee['last_name']); ?></td>
+                <td><?php echo htmlspecialchars($employee['department']); ?></td>
+                <td><?php echo htmlspecialchars($employee['hire_date']); ?></td>
+                <td><a href="?page=view-someones-blog.php&show_only_user=<?php echo urlencode($employee['username']); ?>">View Blog</a></td>
+            </tr>
+            <?php endforeach; ?>
+        </tbody>
+    </table>
+</div>
+
+<?php
+// Hint section
+if ($_COOKIE["showhints"] == 1) {
+    echo '<p><span style="background-color: #FFFF00">
+    <b>Blind SQL Injection Hint:</b> The sort parameter in the URL is vulnerable to blind SQL injection.
+    Try manipulating the ORDER BY clause to extract information.
+    Example: ?page=employee-directory.php&sort=(CASE WHEN (SELECT SUBSTRING(password,1,1) FROM accounts WHERE username=\'admin\')=\'F\' THEN last_name ELSE first_name END)&direction=ASC
+    Observe how the order changes based on your condition.
+    </span></p>';
+}
+?>
diff --git a/src/basic/header.php b/src/basic/header.php
@@ -117,6 +117,7 @@
 		<li><a href="?page=login.php&returnURL=<?php echo $_SERVER['SCRIPT_NAME']; ?>">Login</a></li>
      <?php }; if ($_COOKIE["sessionid"]) { ?>
             <li><a href="?page=user-info.php">User Info</a></li>
+            <li><a href="?page=employee-directory.php">Employee Directory</a></li>
 		<li><a href="?page=add-to-your-blog.php">Blog Entry</a></li>
 		<li><a href="?page=view-someones-blog.php">View Blogs</a></li>
 		<li><a href="?page=text-file-viewer.php">Reading Room</a></li>

diff --git a/src/basic/reset-db.php b/src/basic/reset-db.php
@@ -31,11 +31,15 @@
 
 echo("<br>Creating accounts table...");
 $query = 'CREATE TABLE accounts( '.
-		 'cid INT NOT NULL AUTO_INCREMENT, '.
+         'cid INT NOT NULL AUTO_INCREMENT, '.
          'username TEXT, '.
          'password TEXT, '.
-		 'mysignature TEXT, '.
-		 'PRIMARY KEY(cid))';
+         'mysignature TEXT, '.
+         'first_name TEXT, '.
+         'last_name TEXT, '.
+         'department TEXT, '.
+         'hire_date DATE, '.
+         'PRIMARY KEY(cid))';
 $result = $conn->query($query);
 echo mysqli_error($conn );
 
@@ -52,29 +56,44 @@
 echo mysqli_error($conn );
 
 echo("<br>Populating accounts table...");
-$query = "INSERT INTO accounts (username, password, mysignature) VALUES
-	('admin', 'Flynn', 'Monkey!!!'),
-	('adrian', 'somepassword', 'Zombie Films Rock!!!'),
-	('john', 'monkey', 'I like the smell of confunk'),
-	('ed', 'pentest', 'Commandline KungFu anyone?'),
-	('justin', 'hawk', 'ICS is amazing.'),
-	('micwg', 'cim', 'Windows is awful.'),
-	('jasong', 'pentest', 'Eh? Oh I can''t say that anymore.')
-	";
+$query = "INSERT INTO accounts (username, password, mysignature, first_name, last_name, department, hire_date) VALUES
+    ('admin', 'Flynn', 'Monkey!!!', 'Admin', 'User', 'IT', '2018-01-01'),
+    ('adrian', 'somepassword', 'Ironclad security is my specialty!', 'Adrian', 'Steelforge', 'Marketing', '2019-05-20'),
+    ('john', 'monkey', 'Defending the cyber hills since 2010', 'John', 'Peaks', 'Sales', '2020-03-15'),
+    ('ed', 'pentest', 'SANStastic adventures in security!', 'Ed', 'Scriptorium', 'Training', '2021-07-01'),
+    ('justin', 'hawk', 'Soaring through ICS security', 'Justin', 'Falconer', 'Training', '2022-02-14'),
+    ('micwg', 'cim', 'Maple-flavored client-side security, eh?', 'Mic', 'Northguard', 'Engineering', '2019-11-30'),
+    ('jasong', 'pentest', 'Extending security one suite at a time', 'Jason', 'Ideasmith', 'Engineering', '2020-09-22'),
+    ('kevin', 'force42', 'May the security be with you, always', 'Kevin', 'Skyguard', 'Management', '2015-05-04')";
 //echo $query;
 $result = $conn->query($query);
 echo mysqli_error($conn );
 
 echo("<br>Populating blogs table...");
 $query ="INSERT INTO `blogs_table` (`cid`, `blogger_name`, `comment`, `date`) VALUES
-	(1, 'adrian', 'Well, I''ve been working on this for a bit. Welcome to my crappy blog software. :)', '2009-03-01 22:26:12'),
-	(2, 'adrian', 'Looks like I got a lot more work to do. Fun, Fun, Fun!!!', '2009-03-01 22:26:54'),
-	(3, 'anonymous', 'An anonymous blog? Huh? ', '2009-03-01 22:27:11'),
-	(4, 'ed', 'I love me some Netcat!!!', '2009-03-01 22:27:48'),
-	(5, 'john', 'Listen to Pauldotcom!', '2009-03-01 22:29:04'),
-	(6, 'john', 'Why give users the ability to get to the unfiltered Internet? It''s just asking for trouble. ', '2009-03-01 22:29:49'),
-	(7, 'john', 'Chocolate is GOOD!!!', '2009-03-01 22:30:06'),
-	(8, 'admin', 'Fear me, for I am ROOT!', '2009-03-01 22:31:13')";
+    (1, 'adrian', 'Well, I''ve been working on this for a bit. Welcome to my crappy blog software. :)', '2009-03-01 22:26:12'),
+    (2, 'adrian', 'Looks like I got a lot more work to do. Fun, Fun, Fun!!!', '2009-03-01 22:26:54'),
+    (3, 'anonymous', 'An anonymous blog? Huh? ', '2009-03-01 22:27:11'),
+    (4, 'ed', 'I love me some Netcat!!!', '2009-03-01 22:27:48'),
+    (5, 'john', 'Listen to Pauldotcom!', '2009-03-01 22:29:04'),
+    (6, 'john', 'Why give users the ability to get to the unfiltered Internet? It''s just asking for trouble. ', '2009-03-01 22:29:49'),
+    (7, 'john', 'Chocolate is GOOD!!!', '2009-03-01 22:30:06'),
+    (8, 'admin', 'Fear me, for I am ROOT!', '2009-03-01 22:31:13'),
+    (9, 'ed', 'Hack the planet!', '2024-07-19 10:15:00'),
+    (10, 'justin', 'Remember: it''s not a bug, it''s an undocumented feature.', '2024-07-19 11:30:00'),
+    (11, 'micwg', 'Just spent 3 hours debugging. It was DNS. It''s always DNS!', '2024-07-19 14:45:00'),
+    (12, 'jasong', 'Did you hear about the Olympic size swimming pool on the roof?', '2024-07-19 16:20:00'),
+    (13, 'adrian', 'I''m not arguing, I''m just explaining why I''m right.', '2024-07-19 18:00:00'),
+    (14, 'john', 'There are 10 types of people in this world: those who understand binary and those who don''t.', '2024-07-19 20:30:00'),
+    (15, 'micwg', 'I''m not antisocial, I just like my space... 127.0.0.1 is where the heart is.', '2024-07-20 09:15:00'),
+    (16, 'justin', 'Keep calm and sudo on!', '2024-07-20 11:45:00'),
+    (17, 'ed', 'I don''t always test my code, but when I do, I do it in production.', '2024-07-20 14:00:00'),
+    (18, 'jasong', 'Life is short, use Python.', '2024-07-20 16:30:00'),
+    (19, 'kevin', 'Just found a way to bypass the firewall. Don''t tell the admin!', '2024-07-21 09:15:00'),
+    (20, 'kevin', 'Pro tip: \"P@ssw0rd\" is not a strong password, no matter how many times you use it.', '2024-07-21 11:30:00'),
+    (21, 'kevin', 'Today''s goal: Stay away from the cookie jar. And by cookie jar, I mean other people''s session cookies.', '2024-07-21 14:45:00'),
+    (22, 'kevin', 'Remember, kids: SQL injection is like adding hot sauce. A little goes a long way, but too much and you''ll regret it.', '2024-07-22 10:00:00'),
+    (23, 'kevin', 'Breaking news: I found a security flaw in our coffee machine. It''s now brewing espresso for everyone. You''re welcome.', '2024-07-22 16:45:00')";
 //echo $query;
 $result = $conn->query($query);
 echo mysqli_error($conn );