Diffstat (limited to 'examples-secure')
| -rw-r--r-- | examples-secure/buffer-overflow/buffer-overflow.c | 19 | ||||
| -rw-r--r-- | examples-secure/command-injection/command-injection.c | 17 | ||||
| -rw-r--r-- | examples-secure/sql-injection/index.html | 25 | ||||
| -rw-r--r-- | examples-secure/sql-injection/login.php | 25 | ||||
| -rw-r--r-- | examples-secure/sql-injection/users.db | bin | 0 -> 8192 bytes | |||
| -rw-r--r-- | examples-secure/xss/comments.db | bin | 0 -> 8192 bytes | |||
| -rw-r--r-- | examples-secure/xss/index.php | 36 | 
7 files changed, 122 insertions, 0 deletions
diff --git a/examples-secure/buffer-overflow/buffer-overflow.c b/examples-secure/buffer-overflow/buffer-overflow.c
new file mode 100644
index 0000000..261a58e
--- /dev/null
+++ b/examples-secure/buffer-overflow/buffer-overflow.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <string.h>
+
+int main(void)
+{
+	char buf[16];
+	int ok = 0;
+
+	printf("Type admin password: ");
+	fgets(buf, sizeof buf, stdin);
+	buf[strlen(buf)-1] = '\0';
+
+	if (strcmp(buf, "pass123")) printf("\nWrong password!\n");
+	else ok = 1;
+
+	if (ok) printf("\nLogged in as admin.\n");
+
+	return 0;
+}
diff --git a/examples-secure/command-injection/command-injection.c b/examples-secure/command-injection/command-injection.c
new file mode 100644
index 0000000..01eb15d
--- /dev/null
+++ b/examples-secure/command-injection/command-injection.c
@@ -0,0 +1,17 @@
+#include <stdlib.h>
+#include <string.h>
+
+int main(int argc, char **argv)
+{
+	int argl = strlen(argv[1]);
+	char cmd[argl + 6];
+
+	for (int i = 0; i < argl; i++)
+		if (argv[1][i] == ';' || argv[1][i] == '|' || argv[1][i] == '&')
+			argv[1][i] = ' ';
+	strcpy(cmd, "echo ");
+	strcat(cmd, argv[1]);
+	system(cmd);
+
+	return 0;
+}
diff --git a/examples-secure/sql-injection/index.html b/examples-secure/sql-injection/index.html
new file mode 100644
index 0000000..d3e760b
--- /dev/null
+++ b/examples-secure/sql-injection/index.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+	<head>
+		<title>Login page</title>
+		<meta charset="utf-8" />
+<style>
+body {
+	text-align: center;
+}
+
+input {
+	margin-bottom: 5px;
+}
+
+</style>
+	</head>
+	<body>
+		<h1>Login</h1>
+		<form action="login.php" method="post">
+			<input type="text" name="email" placeholder="E-mail"><br>
+			<input type="password" name="pass" placeholder="Password"><br>
+			<input type="submit" value="Log in">
+		</form>
+	</body>
+</html>
diff --git a/examples-secure/sql-injection/login.php b/examples-secure/sql-injection/login.php
new file mode 100644
index 0000000..f0340e3
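Review bot: `fgets` is called without checking its result, and `buf[strlen(buf)-1] = '\0';` assumes the buffer holds at least one character and ends in a newline. On EOF `buf` is read uninitialized, and when the first byte read is NUL the length is zero, so the index wraps and the store lands outside `buf`, which is the bug class this example is meant to remove. When the input is 15 characters or longer there is no newline in the buffer and the last real character is dropped instead. I would write `if (!fgets(buf, sizeof buf, stdin)) return 1;` followed by `buf[strcspn(buf, "\n")] = '\0';`.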
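Review bot: Replacing only `;`, `|` and `&` leaves the rest of the shell's syntax live in the string handed to `system(cmd)`: command substitution, redirection, newlines and quoting are all still interpreted, so this denylist does not close the injection. `argv[1]` is also read before `argc` is checked, and `cmd` is a VLA sized by the caller's argument, so a missing argument is a NULL dereference and a very long one can exhaust the stack. The robust form does not build a shell string at all: `if (argc < 2) return 1;` then `execlp("echo", "echo", argv[1], (char *)NULL);` (with `<unistd.h>`), which passes the argument as a single argv entry and makes the filter loop and the buffer unnecessary.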
--- /dev/null
+++ b/examples-secure/sql-injection/login.php
@@ -0,0 +1,25 @@
+<?php
+   class MyDB extends SQLite3 {
+      function __construct() {
+         $this->open('users.db');
+      }
+   }
+
+   if(isset($_POST['email'], $_POST['pass']))
+   {
+	$email = $_POST['email'];
+	$pass = $_POST['pass'];
+
+	$db = new MyDB();
+
+	$sql = $db->prepare('SELECT * FROM Users WHERE email=:email AND password=:pass');
+	$sql->bindValue(':email', $email, SQLITE3_TEXT);
+	$sql->bindValue(':pass', $pass, SQLITE3_TEXT);
+
+	$ret = $sql->execute();
+	while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
+		echo 'Logged in as '.$row['email'].'<br>';
+	}
+	$db->close();
+   }
+?>
diff --git a/examples-secure/sql-injection/users.db b/examples-secure/sql-injection/users.db
Binary files differ
new file mode 100644
index 0000000..9ddf64e
--- /dev/null
+++ b/examples-secure/sql-injection/users.db
diff --git a/examples-secure/xss/comments.db b/examples-secure/xss/comments.db
Binary files differ
new file mode 100644
index 0000000..959a2c8
--- /dev/null
+++ b/examples-secure/xss/comments.db
diff --git a/examples-secure/xss/index.php b/examples-secure/xss/index.php
new file mode 100644
index 0000000..7bc3d45
--- /dev/null
+++ b/examples-secure/xss/index.php
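Review bot: The query matches `password=:pass` against the submitted value, which can only succeed if `Users.password` holds the password itself (the schema is not visible in this diff); the prepared statement stops injection, but the example still teaches plaintext credential storage. I would store `password_hash()` output, select by e-mail alone, and check `password_verify($pass, $row['password'])` before treating the row as a login. Separately, `echo 'Logged in as '.$row['email'].'<br>';` writes a database value into HTML unescaped; wrap it as `htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8')`. Nothing is printed when no row matches, so a failed login looks the same as a request without POST data.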
@@ -0,0 +1,36 @@
+<?php
+	class MyDB extends SQLite3 {
+      function __construct() {
+         $this->open('comments.db');
+      }
+   }
+
+	if (isset($_POST['user'], $_POST['comment'])) {
+		$user = $_POST['user'];
+		$comment = $_POST['comment'];
+
+		$db = new MyDB();
+
+		$sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')';
+		$ret = $db->exec($sql);
+		$db->close();
+	}
+
+	echo '<!DOCTYPE HTML><html><head><title>Comments</title>' .
+	   	 '<meta charset="utf-8"></head><body><h1>Comments</h1>';
+
+	$db = new MyDB();
+
+	$sql = 'SELECT * FROM Comments';
+	$ret = $db->query($sql);
+	while ($row = $ret->fetchArray(SQLITE3_ASSOC))
+		echo '<p><b>' . $row['user'] . '</b> says:<br>' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'). '</p>';
+
+	$db->close();
+
+	echo '<h2>Add comment</h1><form action="index.php" method="post">' .
+		 '<input type="text" name="user" placeholder="User name"><br>' .
+		 '<input type="text" name="comment" placeholder="Comment"><br>' .
+		 '<input type="submit" value="Add"><br>' .
+		 '</form></body></html>';
+?>  |
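Review bot: In the output loop only `$row['comment']` goes through `htmlspecialchars`; `$row['user']` is still concatenated into the page raw, so the stored XSS this example is meant to fix remains reachable through the user-name field. The INSERT above it is also assembled by concatenating `$_POST['user']` and `$_POST['comment']` into the SQL string, unlike the prepared statement used in login.php in this same commit. I would bind both values and escape both columns on output, as below. The closing tag in `<h2>Add comment</h1>` should be `</h2>`.

```php
		$db = new MyDB();

		$stmt = $db->prepare('INSERT INTO Comments VALUES(:user, :comment)');
		$stmt->bindValue(':user', $user, SQLITE3_TEXT);
		$stmt->bindValue(':comment', $comment, SQLITE3_TEXT);
		$stmt->execute();
		// … unchanged: close, page header, SELECT query …
	while ($row = $ret->fetchArray(SQLITE3_ASSOC))
		echo '<p><b>' . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '</b> says:<br>' .
			 htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . '</p>';
```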