Admin panels login - brute force logging in -tests (#249)

CERT-Polska · Dec 8, 2023 · 6bcc377 · 6bcc377
1 parent eaab344
commit 6bcc377
Show file tree

Hide file tree

Showing 16 changed files with 2,441 additions and 0 deletions.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -364,8 +364,156 @@ services:
       - "4443:4443"
       - "4444:4444"
 
+## TESTS
+
+#  joomla: # not needed
+#    image: joomla:php8.2-apache
+#    ports:
+#      - 80:80
+#    volumes:
+##      - ./test/data/joomla_login/configuration.php:/var/www/html/configuration.php
+#      - joomla-data:/var/www/html
+#    environment:
+#      JOOMLA_DB_HOST: joomla-mysql:3306
+##      JOOMLA_DB_USER: joomla
+#      JOOMLA_DB_PASSWORD: password
+#
+#  joomla-mysql: # not needed
+#    image: mysql:5.7
+#    ports:
+#      - 3306:3306
+#    volumes:
+#      - joomla-mysql-data:/var/lib/mysql
+#    environment:
+#      MYSQL_ROOT_PASSWORD: password
+#      MYSQL_USER: joomla
+#      MYSQL_PASSWORD: password
+#      MYSQL_DATABASE: joomla
+#
+#  phpmyadmin:
+#    image: phpmyadmin/phpmyadmin
+#    container_name: phpmyadmin
+#    environment:
+#      - PMA_ARBITRARY=1
+#    restart: always
+#    ports:
+#      - 8081:80
+#
+#  django-db:
+#    image: postgres
+#    volumes:
+#      - postgres_data:/var/lib/postgresql/data/
+#    environment:
+#      - POSTGRES_USER=django_user
+#      - POSTGRES_PASSWORD=django_password
+#      - POSTGRES_DB=django_db
+#
+#  django-web:
+#    image: python:3.11.4-slim-buster
+#    environment:
+#      - DJANGO_SUPERUSER_PASSWORD=password
+#      - DJANGO_SUPERUSER_USERNAME=djangouser
+#      - DJANGO_SUPERUSER_EMAIL=test111111111@exampple.com
+#
+#    depends_on:
+#      - django-db
+#    stdin_open: true
+#    tty: true
+#    command: >
+#      sh -c "pip install Django &&
+#      python3 usr/src/app/manage.py makemigrations &&
+#      python3 usr/src/app/manage.py migrate &&
+#      python3 usr/src/app/manage.py runserver 0.0.0.0:8000 &&
+#      python3 usr/src/app/manage.py loaddata db.json"
+#    volumes:
+#      - ./test/data/django/:/usr/src/app/
+#      - ./requirements.txt:/urs/src/app/requirements.txt
+#    ports:
+#      - 8000:8000
+#    env_file:
+#      - ./test/data/django/.env.django-sample
+#
+#  drupal:
+#    image: drupal:latest
+#    depends_on:
+#      - drupal-postgres
+#    ports:
+#      - 88:88
+#    volumes:
+#      - drupal_modules:/var/www/html/modules
+#      - drupal_profiles:/var/www/html/profiles
+#      - drupal_themes:/var/www/html/themes
+#      - drupal_sites:/var/www/html/sites
+#    restart: always
+#
+#  drupal-postgres:
+#    image: postgres
+#    environment:
+#      POSTGRES_PASSWORD: password
+#      POSTGRES_EXTENSIONS: pg_trgm
+##    command: >
+##      sh -c "psql -U postgres &&
+##             pg_restore -U postgres -C -d postgres db-postgres.tar"
+#    ports:
+#      - 5432:5432
+#    volumes:
+#      - ./test/data/drupal/db_extensions:/docker-entrypoint-initdb.d
+#      - drupal_db_data:/var/lib/postgresql/data
+#      - ./test/data/database/db-postgres.tar:/db-postgres.tar
+#    restart: always
+#
+#  singlepage-website:
+#    image: nginx:latest
+#    volumes:
+#      - ./test/data/single_page/:/usr/share/nginx/html/
+#    ports:
+#      - 8080:80
+#
+#  symfony-mysql:
+#    image: mysql
+#    command: --default-authentication-plugin=mysql_native_password
+#    environment:
+#      MYSQL_ROOT_PASSWORD: secret
+#      MYSQL_DATABASE: symfony_docker
+#      MYSQL_USER: symfony
+#      MYSQL_PASSWORD: symfony
+#    ports:
+#      - 4306:3306
+#    volumes:
+#      - ./mysql:/var/lib/mysql
+#
+#  symfony-nginx:
+#    image: nginx:stable-alpine
+#    ports:
+#      - 8082:80
+#    volumes:
+#      - ./test/data/symfony:/var/www/symfony_docker
+#      - ./test/data/symfony/nginx/default.conf:/etc/nginx/conf.d/default.conf
+#    depends_on:
+#      - symfony-php
+#      - symfony-mysql
+#
+#  symfony-php:
+#    build:
+#      context: ./test/data/symfony/docker
+#    ports:
+#      - 9000:9000
+#    volumes:
+#      - ./test/data/symfony/app:/var/www/symfony_docker
+#      - ./test/data/symfony/config/php.ini:/usr/local/etc/php/php.ini
+#    depends_on:
+#      - symfony-mysql
+
 volumes:
   data-mongodb:
   data-redis:
   data-nuclei-templates:
   data-nuclei-config:
+#  joomla-mysql-data:
+#  joomla-data:
+#  postgres_data:
+#  drupal_modules:
+#  drupal_profiles:
+#  drupal_themes:
+#  drupal_sites:
+#  drupal_db_data:
diff --git a/test/data/django/.env.django-sample b/test/data/django/.env.django-sample
@@ -0,0 +1,14 @@
+DEBUG=1
+SECRET_KEY=foo
+DJANGO_ALLOWED_HOSTS=localhost 127.0.0.1 [::1]
+SQL_ENGINE=django.db.backends.postgresql
+SQL_DATABASE=django_db
+SQL_USER=django_user
+SQL_PASSWORD=django_password
+SQL_HOST=db
+SQL_PORT=5432
+
+
+DJANGO_SUPERUSER_PASSWORD=password
+DJANGO_SUPERUSER_USERNAME=djangouser
+DJANGO_SUPERUSER_EMAIL=test111111111@exampple.com
diff --git a/test/data/django/db.json b/test/data/django/db.json
diff --git a/test/data/django/djangoapp/__init__.py b/test/data/django/djangoapp/__init__.py
diff --git a/test/data/django/djangoapp/asgi.py b/test/data/django/djangoapp/asgi.py
@@ -0,0 +1,16 @@
+"""
+ASGI config for djangoapp project.
+
+It exposes the ASGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/howto/deployment/asgi/
+"""
+
+import os
+
+from django.core.asgi import get_asgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'djangoapp.settings')
+
+application = get_asgi_application()
diff --git a/test/data/django/djangoapp/settings.py b/test/data/django/djangoapp/settings.py
@@ -0,0 +1,128 @@
+"""
+Django settings for djangoapp project.
+
+Generated by 'django-admin startproject' using Django 4.2.7.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/4.2/ref/settings/
+"""
+import os
+from pathlib import Path
+
+# Build paths inside the project like this: BASE_DIR / 'subdir'.
+BASE_DIR = Path(__file__).resolve().parent.parent
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'django-insecure-6dzg8*^0)4k$n8q0^69xgzg-q*-8$c&hxek%jv$d5x)%kuu+_d'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = []
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'djangoapp.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'djangoapp.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/4.2/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        # "ENGINE": "django.db.backends.postgresql",
+        'NAME': BASE_DIR / 'db.sqlite3',
+        "USER": os.environ.get("SQL_USER", "user"),
+        "PASSWORD": os.environ.get("SQL_PASSWORD", "password"),
+        "HOST": os.environ.get("SQL_HOST", "localhost"),
+        "PORT": os.environ.get("SQL_PORT", "5432"),
+    }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/4.2/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/4.2/howto/static-files/
+
+STATIC_URL = 'static/'
+
+# Default primary key field type
+# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field
+
+DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
diff --git a/test/data/django/djangoapp/urls.py b/test/data/django/djangoapp/urls.py
@@ -0,0 +1,22 @@
+"""
+URL configuration for djangoapp project.
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/4.2/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.contrib import admin
+from django.urls import path
+
+urlpatterns = [
+    path('admin/', admin.site.urls),
+]
diff --git a/test/data/django/djangoapp/wsgi.py b/test/data/django/djangoapp/wsgi.py
@@ -0,0 +1,16 @@
+"""
+WSGI config for djangoapp project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'djangoapp.settings')
+
+application = get_wsgi_application()
diff --git a/test/data/django/manage.py b/test/data/django/manage.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+"""Django's command-line utility for administrative tasks."""
+import os
+import sys
+
+
+def main():
+    """Run administrative tasks."""
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'djangoapp.settings')
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError as exc:
+        raise ImportError(
+            "Couldn't import Django. Are you sure it's installed and "
+            "available on your PYTHONPATH environment variable? Did you "
+            "forget to activate a virtual environment?"
+        ) from exc
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/test/data/drupal/database/db-postgres.tar b/test/data/drupal/database/db-postgres.tar
diff --git a/test/data/drupal/db_extensions/install_extensions.sql b/test/data/drupal/db_extensions/install_extensions.sql
@@ -0,0 +1 @@
+CREATE EXTENSION IF NOT EXISTS pg_trgm;