New test application: The Magical Code Injection Rainbow

[andresriancho]

SpiderLabs has created a test web application:
https://github.com/SpiderLabs/MCIR

@unicornsasfuel doesn't work at SpiderLabs anymore and wants me to send a PR to https://github.com/unicornsasfuel/MCIR , but that's not possible at github. Asked him over Twitter what he wants to do:

@dan_crowley since I can't send the PR to a forked repo on github, what should I do? Someone from TW maintaining it? Ideas?

It might be a good idea to:

• Review the test cases to understand if they are real or CTF-like
• Write a docker image for it MCIR docker image SpiderLabs/MCIR#3
• Write unittests which scan this application and find vulnerabilities
  • eval: https://github.com/SpiderLabs/MCIR/tree/master/phpwn
  • RFI: https://github.com/SpiderLabs/MCIR/tree/master/rfidk
  • OS commanding: https://github.com/SpiderLabs/MCIR/tree/master/shellol
  • SQL injection (might be difficult, requires mysql): https://github.com/SpiderLabs/MCIR/tree/master/sqlol
  • XML injection: https://github.com/SpiderLabs/MCIR/tree/master/xmlmao
  • XSS: https://github.com/SpiderLabs/MCIR/tree/master/xssmh

Related with

Write unittests against all WAVSEP sections #1800

[andresriancho]

SpiderLabs/MCIR#4

[unicornsasfuel]

SQLol supports SQLite if you change the database config file at sqlol/includes/database.config.php. A commented-out example SQLite configuration section is provided. This should make the SQLi tests easier.

[andresriancho]

@unicornsasfuel yes, the setup will be easier, but there are some tests which require a real DB (SLEEP delays) and some payloads only work in mysql; others only in pgsql, etc.

Best case would be to have different test applications, one for each DB.