From b0cf064f819357feedc77d6d5eb0de49e122554a Mon Sep 17 00:00:00 2001
From: marcinzelent
Date: Sat, 16 Jun 2018 22:50:18 +0200
Subject: Added command injection example and secured examples
---
examples-secure/buffer-overflow/buffer-overflow.c | 19 +++++++++++
.../command-injection/command-injection.c | 17 ++++++++++
examples-secure/sql-injection/index.html | 25 ++++++++++++++
examples-secure/sql-injection/login.php | 25 ++++++++++++++
examples-secure/sql-injection/users.db | Bin 0 -> 8192 bytes
examples-secure/xss/comments.db | Bin 0 -> 8192 bytes
examples-secure/xss/index.php | 36 +++++++++++++++++++++
examples/buffer-overflow/buffer-overflow | Bin 8520 -> 0 bytes
examples/buffer-overflow/buffer-overflow.c | 2 +-
examples/command-injection/command-injection.c | 12 +++++++
examples/xss/comments.db | Bin 8192 -> 8192 bytes
11 files changed, 135 insertions(+), 1 deletion(-)
create mode 100644 examples-secure/buffer-overflow/buffer-overflow.c
create mode 100644 examples-secure/command-injection/command-injection.c
create mode 100644 examples-secure/sql-injection/index.html
create mode 100644 examples-secure/sql-injection/login.php
create mode 100644 examples-secure/sql-injection/users.db
create mode 100644 examples-secure/xss/comments.db
create mode 100644 examples-secure/xss/index.php
delete mode 100755 examples/buffer-overflow/buffer-overflow
create mode 100644 examples/command-injection/command-injection.c
diff --git a/examples-secure/buffer-overflow/buffer-overflow.c b/examples-secure/buffer-overflow/buffer-overflow.c
new file mode 100644
index 0000000..261a58e
--- /dev/null
+++ b/examples-secure/buffer-overflow/buffer-overflow.c
@@ -0,0 +1,19 @@
+#include
+#include
+
+int main(void)
+{
+ char buf[16];
+ int ok = 0;
+
+ printf("Type admin password: ");
+ fgets(buf, sizeof buf, stdin);
+ buf[strlen(buf)-1] = '\0';
+
+ if (strcmp(buf, "pass123")) printf("\nWrong password!\n");
+ else ok = 1;
+
+ if (ok) printf("\nLogged in as admin.\n");
+
+ return 0;
+}
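Review bot: The return value of `fgets(buf, sizeof buf, stdin);` is not checked, and the next line `buf[strlen(buf)-1] = '\0';` then reads an indeterminate buffer on EOF, writes to `buf[-1]` if the first byte read is a NUL, and silently drops the last real character whenever the input line was longer than 15 bytes and no newline was stored. A secure counterpart to the `gets()` example should not carry an out-of-bounds write of its own. Replace the two lines with `if (!fgets(buf, sizeof buf, stdin)) return 1;` and `buf[strcspn(buf, "\n")] = '\0';`, which stops on error and strips the newline only when one is present. A comment above the read such as `/* bounded read: at most sizeof buf - 1 bytes are stored, unlike gets() */` would make the point of the example explicit to readers comparing it with examples/buffer-overflow/buffer-overflow.c.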
diff --git a/examples-secure/command-injection/command-injection.c b/examples-secure/command-injection/command-injection.c
new file mode 100644
index 0000000..01eb15d
--- /dev/null
+++ b/examples-secure/command-injection/command-injection.c
@@ -0,0 +1,17 @@
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ int argl = strlen(argv[1]);
+ char cmd[argl + 6];
+
+ for (int i = 0; i < argl; i++)
+ if (argv[1][i] == ';' || argv[1][i] == '|' || argv[1][i] == '&')
+ argv[1][i] = ' ';
+ strcpy(cmd, "echo ");
+ strcat(cmd, argv[1]);
+ system(cmd);
+
+ return 0;
+}
diff --git a/examples-secure/sql-injection/index.html b/examples-secure/sql-injection/index.html
new file mode 100644
index 0000000..d3e760b
--- /dev/null
+++ b/examples-secure/sql-injection/index.html
@@ -0,0 +1,25 @@ + + + + Login page + + + +
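Review bot: The filter at `if (argv[1][i] == ';' || argv[1][i] == '|' || argv[1][i] == '&')` blanks three characters, yet the result is still passed to `system()`, which hands it to a shell that interprets many other separators, quoting and substitution forms, so a character blacklist in front of a shell does not make this a secure version of the example. Both this file and examples/command-injection/command-injection.c also dereference `argv[1]` through `strlen` without checking `argc`, so running either with no argument crashes before anything is demonstrated. The robust fix is to keep the shell out entirely: check `argc`, then either print with `puts(argv[1])` or exec the program with the argument as a single argv element via `execlp` from `<unistd.h>`; `argl` should in any case be `size_t` to match `strlen`, and the VLA `cmd` is sized directly from input length. A body along these lines keeps the example's observable behaviour (echoing the argument) without a shell:
```c
int main(int argc, char **argv)
{
    if (argc < 2) {
        fputs("usage: command-injection TEXT\n", stderr);
        return 1;
    }
    /* The argument travels as one argv element; no shell ever parses it. */
    execlp("echo", "echo", argv[1], (char *)NULL);
    perror("execlp");
    return 1;
}
```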

Login

+
+
+
+ +
+ + diff --git a/examples-secure/sql-injection/login.php b/examples-secure/sql-injection/login.php new file mode 100644 index 0000000..f0340e3 --- /dev/null +++ b/examples-secure/sql-injection/login.php @@ -0,0 +1,25 @@ +open('users.db'); + } + } + + if(isset($_POST['email'], $_POST['pass'])) + { + $email = $_POST['email']; + $pass = $_POST['pass']; + + $db = new MyDB(); + + $sql = $db->prepare('SELECT * FROM Users WHERE email=:email AND password=:pass'); + $sql->bindValue(':email', $email, SQLITE3_TEXT); + $sql->bindValue(':pass', $pass, SQLITE3_TEXT); + + $ret = $sql->execute(); + while($row = $ret->fetchArray(SQLITE3_ASSOC)) { + echo 'Logged in as '.$row['email'].'
'; + } + $db->close(); + } +?> diff --git a/examples-secure/sql-injection/users.db b/examples-secure/sql-injection/users.db new file mode 100644 index 0000000..9ddf64e Binary files /dev/null and b/examples-secure/sql-injection/users.db differ diff --git a/examples-secure/xss/comments.db b/examples-secure/xss/comments.db new file mode 100644 index 0000000..959a2c8 Binary files /dev/null and b/examples-secure/xss/comments.db differ diff --git a/examples-secure/xss/index.php b/examples-secure/xss/index.php new file mode 100644 index 0000000..7bc3d45 --- /dev/null +++ b/examples-secure/xss/index.php @@ -0,0 +1,36 @@ +open('comments.db'); + } + } + + if (isset($_POST['user'], $_POST['comment'])) { + $user = $_POST['user']; + $comment = $_POST['comment']; + + $db = new MyDB(); + + $sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')'; + $ret = $db->exec($sql); + $db->close(); + } + + echo 'Comments' . + '
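Review bot: The prepared statement at `$sql = $db->prepare('SELECT * FROM Users WHERE email=:email AND password=:pass');` compares the submitted password against the stored column directly, so this example only authenticates if users.db holds plaintext passwords; a secure login example should look the row up by email and verify a hash with `password_verify()`. The echo `'Logged in as '.$row['email']` also writes a database value into HTML unescaped, while examples-secure/xss/index.php in this same commit escapes output with `htmlspecialchars`, so the two secure examples disagree on output handling. The opening of the `MyDB` class is not legible in this rendering of the hunk. Suggested replacement for the query-and-echo section, keeping the trailing markup of the original echo (stored values would then have to be `password_hash()` output):
```php
$sql = $db->prepare('SELECT * FROM Users WHERE email=:email');
$sql->bindValue(':email', $email, SQLITE3_TEXT);

$ret = $sql->execute();
while ($row = $ret->fetchArray(SQLITE3_ASSOC)) {
    // 'password' is the column the original query compared against; it must hold password_hash() output.
    if (password_verify($pass, $row['password'])) {
        echo 'Logged in as ' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8');
    }
}
// … unchanged: $db->close() …
```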

Comments

'; + + $db = new MyDB(); + + $sql = 'SELECT * FROM Comments'; + $ret = $db->query($sql); + while ($row = $ret->fetchArray(SQLITE3_ASSOC)) + echo '

' . $row['user'] . ' says:
' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'). '

'; + + $db->close(); + + echo '

Add comment

' . + '
' . + '
' . + '
' . + '
';
+?>
diff --git a/examples/buffer-overflow/buffer-overflow b/examples/buffer-overflow/buffer-overflow
deleted file mode 100755
index c518559..0000000
Binary files a/examples/buffer-overflow/buffer-overflow and /dev/null differ
diff --git a/examples/buffer-overflow/buffer-overflow.c b/examples/buffer-overflow/buffer-overflow.c
index 96f0ee8..4fcce8c 100644
--- a/examples/buffer-overflow/buffer-overflow.c
+++ b/examples/buffer-overflow/buffer-overflow.c
@@ -6,7 +6,7 @@ int main(void) char buf[16]; int ok = 0; - printf("Type admin password: \n"); + printf("Type admin password: "); gets(buf); if (strcmp(buf, "pass123")) printf("\nWrong password!\n");
diff --git a/examples/command-injection/command-injection.c b/examples/command-injection/command-injection.c
new file mode 100644
index 0000000..914b32e
--- /dev/null
+++ b/examples/command-injection/command-injection.c
@@ -0,0 +1,12 @@
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ char cmd[strlen(argv[1]) + 6];
+ strcpy(cmd, "echo ");
+ strcat(cmd, argv[1]);
+ system(cmd);
+
+ return 0;
+}
diff --git a/examples/xss/comments.db b/examples/xss/comments.db
index 32114c2..2c1a491 100644
Binary files a/examples/xss/comments.db and b/examples/xss/comments.db differ
-- 
cgit v1.2.3
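Review bot: The insert at `$sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')';` concatenates both POST fields into SQL, so the "secure" XSS example remains open to SQL injection, and the result of `$db->exec($sql)` is never checked. On output, `$row['comment']` is passed through `htmlspecialchars` but `$row['user']` on the preceding line is not, so script stored in the user field still renders; change that fragment to `' . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . ' says:`. The insert should use a prepared statement, as examples-secure/sql-injection/login.php in this same commit already does for its query:
```php
$sql = $db->prepare('INSERT INTO Comments VALUES(:user, :comment)');
$sql->bindValue(':user', $user, SQLITE3_TEXT);
$sql->bindValue(':comment', $comment, SQLITE3_TEXT);
$ret = $sql->execute();
// … unchanged: $db->close(), page markup, SELECT loop …
```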
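Review bot: Nothing in this file marks it as the deliberately vulnerable counterpart of examples-secure/command-injection/command-injection.c, so a reader opening it alone cannot tell that `system(cmd)` receiving `argv[1]` unmodified is the point of the example rather than an oversight. A comment above the call such as `/* INTENTIONALLY UNSAFE: argv[1] is spliced into a shell command line; see examples-secure/ for the fixed version */` would document that. The missing `argc` check shared with the secure version is raised on that file's hunk.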