API REST pour l’attaquant

This commit is contained in:
Marc van der Wal 2023-10-25 15:50:24 +02:00
parent 1e14402a92
commit c910ad8f8d
13 changed files with 266 additions and 3 deletions

View File

@ -19,10 +19,61 @@ RUN apk add \
RUN pip install dkimpy
# Dependencies for REST API
RUN apk add \
gcc \
libc-dev \
make \
perl-app-cpanminus \
perl-clone \
perl-config-any \
perl-data-optlist \
perl-dev \
perl-exporter-tiny \
perl-extutils-config \
perl-extutils-helpers \
perl-extutils-installpaths \
perl-file-sharedir \
perl-file-sharedir-install \
perl-file-slurp \
perl-file-which \
perl-hash-merge-simple \
perl-hash-multivalue \
perl-http-date \
perl-http-headers-fast \
perl-import-into \
perl-json-maybexs \
perl-module-build \
perl-module-build-tiny \
perl-module-implementation \
perl-module-runtime \
perl-moo \
perl-params-util \
perl-params-validate \
perl-path-tiny \
perl-plack \
perl-readonly \
perl-ref-util \
perl-role-tiny \
perl-safe-isa \
perl-sub-exporter \
perl-sub-install \
perl-sub-quote \
perl-template-toolkit \
perl-type-tiny \
perl-yaml
RUN cpanm -n -v \
Dancer2 \
Module::Pluggable::Object
# TODO mettre un bashrc qui positionne un prompt qui montre bien quon est
# en train dêtre méchant
USER attaquant
ENTRYPOINT ["/bin/bash"]
COPY --chown=attaquant scripts /home/attaquant/scripts
COPY web-api /src/api
RUN chmod +x /src/api/bin/app.psgi
USER attaquant
ENTRYPOINT ["/src/api/bin/app.psgi"]

0
attacker/web-api/.dancer Normal file
View File

24
attacker/web-api/MANIFEST Normal file
View File

@ -0,0 +1,24 @@
MANIFEST
MANIFEST.SKIP
.dancer
Makefile.PL
config.yml
cpanfile
views/index.tt
views/layouts/main.tt
lib/Email/SpoofingDemo/API/DNS.pm
t/002_index_route.t
t/001_base.t
environments/production.yml
environments/development.yml
bin/app.psgi
public/500.html
public/dispatch.cgi
public/dispatch.fcgi
public/favicon.ico
public/404.html
public/javascripts/jquery.js
public/css/error.css
public/css/style.css
public/images/perldancer-bg.jpg
public/images/perldancer.jpg

View File

@ -0,0 +1,17 @@
^\.git\/
maint
^tags$
.last_cover_stats
Makefile$
^blib
^pm_to_blib
^.*.bak
^.*.old
^t.*sessions
^cover_db
^.*\.log
^.*\.swp$
MYMETA.*
^.gitignore
^.svn\/
^Email-SpoofingDemo-API-DNS-

View File

@ -0,0 +1,26 @@
use strict;
use warnings;
use ExtUtils::MakeMaker;
# Normalize version strings like 6.30_02 to 6.3002,
# so that we can do numerical comparisons on it.
my $eumm_version = $ExtUtils::MakeMaker::VERSION;
$eumm_version =~ s/_//;
WriteMakefile(
NAME => 'Email::SpoofingDemo::API::DNS',
AUTHOR => q{Marc van der Wal <marc.vanderwal@afnic.fr>},
VERSION_FROM => 'lib/Email/SpoofingDemo/API/DNS.pm',
ABSTRACT => 'Email spoofing demo: REST API for DNS',
($eumm_version >= 6.3001
? ('LICENSE'=> 'all-rights-reserved')
: ()),
PL_FILES => {},
PREREQ_PM => {
'Test::More' => 0,
'YAML' => 0,
'Dancer2' => 0.300000,
},
dist => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
clean => { FILES => 'Email-SpoofingDemo-API-DNS-*' },
);

View File

@ -0,0 +1,9 @@
#!/usr/bin/perl
use strict;
use warnings;
use FindBin;
use lib "$FindBin::Bin/../lib";
use Email::SpoofingDemo::API::Attacker;
Email::SpoofingDemo::API::Attacker->to_app;

View File

@ -0,0 +1,4 @@
appname: "Email::SpoofingDemo::API::Attacker"
charset: "UTF-8"
serializer: JSON

11
attacker/web-api/cpanfile Normal file
View File

@ -0,0 +1,11 @@
requires "Dancer2" => "0.300000";
recommends "YAML" => "0";
recommends "URL::Encode::XS" => "0";
recommends "CGI::Deurl::XS" => "0";
recommends "HTTP::Parser::XS" => "0";
on "test" => sub {
requires "Test::More" => "0";
requires "HTTP::Request::Common" => "0";
};

View File

@ -0,0 +1,15 @@
# configuration file for development environment
logger: "console"
log: "core"
# should Dancer2 consider warnings as critical errors?
warnings: 1
# should Dancer2 show a stacktrace when an 5xx error is caught?
# if set to yes, public/500.html will be ignored and either
# views/500.tt, 'error_template' template, or a default error template will be used.
show_errors: 1
# print the banner
startup_info: 1

View File

@ -0,0 +1,16 @@
# configuration file for production environment
# only log warning and error messsages
log: "warning"
# log message to a file in logs/
logger: "file"
# don't consider warnings critical
warnings: 0
# hide errors
show_errors: 0
# disable server tokens in production environments
no_server_tokens: 1

View File

@ -0,0 +1,56 @@
package Email::SpoofingDemo::API::Attacker;
use Dancer2;
our $VERSION = '0.1';
my $SCRIPT = '/home/attaquant/scripts/send_email.py';
sub run_script {
open(my $fh, '-|', $SCRIPT, '--non-interactive', @_)
or die "$SCRIPT: $!";
my $json;
{
local $/ = undef;
$json = <$fh>;
}
close($fh);
if (($? >> 8) != 0) {
die $json;
}
return from_json($json);
}
get '/' => sub { return "Welcome"; };
get '/config' => sub {
return run_script('--get-config');
};
post '/spoof' => sub {
my $helo = body_parameters->{'helo'};
my $scenario = body_parameters->{'scenario'};
if (not defined $scenario) {
status 400;
return "Need a scenario name";
}
my @args = ('--template', $scenario);
if (defined $helo) {
push @args, ('--helo', $helo);
}
if (body_parameters->{'replace_mail_from'}) {
push @args, ('--replace-rfc5321-mail-from');
}
return run_script(@args);
};
any qr{.*} => sub { status 'not_found'; return "Invalid route" };
dance;
true;

View File

@ -0,0 +1,16 @@
#!/usr/bin/env perl
BEGIN { $ENV{DANCER_APPHANDLER} = 'PSGI';}
use Dancer2;
use FindBin '$RealBin';
use Plack::Runner;
# For some reason Apache SetEnv directives don't propagate
# correctly to the dispatchers, so forcing PSGI and env here
# is safer.
set apphandler => 'PSGI';
set environment => 'production';
my $psgi = path($RealBin, '..', 'bin', 'app.psgi');
die "Unable to read startup script: $psgi" unless -r $psgi;
Plack::Runner->run($psgi);

View File

@ -0,0 +1,18 @@
#!/usr/bin/env perl
BEGIN { $ENV{DANCER_APPHANDLER} = 'PSGI';}
use Dancer2;
use FindBin '$RealBin';
use Plack::Handler::FCGI;
# For some reason Apache SetEnv directives don't propagate
# correctly to the dispatchers, so forcing PSGI and env here
# is safer.
set apphandler => 'PSGI';
set environment => 'production';
my $psgi = path($RealBin, '..', 'bin', 'app.psgi');
my $app = do($psgi);
die "Unable to read startup script: $@" if $@;
my $server = Plack::Handler::FCGI->new(nproc => 5, detach => 1);
$server->run($app);