2.11.20 Adding view account profile

webpwnized · Sep 30, 2024 · a64236a · a64236a
1 parent 0b0a5a8
commit a64236a
Showing 1 changed file with 62 additions and 45 deletions.
diff --git a/src/set-up-database.php b/src/set-up-database.php
@@ -156,31 +156,31 @@ function format($pMessage, $pLevel ) {
     		echo format("Executed query 'CREATE TABLE' with result ".$lQueryResult,"S");
     	}// end if
 
-    	$lQueryString = "INSERT INTO accounts (username, password, mysignature, is_admin, firstname, lastname) VALUES
-    		('admin', 'adminpass', 'g0t r00t?', 'TRUE' ,'System' ,'Administrator'),
-    		('adrian', 'somepassword', 'Zombie Films Rock!', 'TRUE' ,'Adrian' ,'Crenshaw'),
-    		('john', 'monkey', 'I like the smell of confunk', 'FALSE' ,'John' ,'Pentest'),
-    		('jeremy', 'password', 'd1373 1337 speak', 'FALSE' ,'Jeremy' ,'Druin'),
-    		('bryce', 'password', 'I Love SANS', 'FALSE' ,'Bryce' ,'Galbraith'),
-    		('samurai', 'samurai', 'Carving fools', 'FALSE' ,'Samurai' ,'WTF'),
-    		('jim', 'password', 'Rome is burning', 'FALSE' ,'Jim' ,'Rome'),
-    		('bobby', 'password', 'Hank is my dad', 'FALSE' ,'Bobby' ,'Hill'),
-    		('simba', 'password', 'I am a super-cat', 'FALSE' ,'Simba' ,'Lion'),
-    		('dreveil', 'password', 'Preparation H', 'FALSE' ,'Dr.' ,'Evil'),
-    		('scotty', 'password', 'Scotty do', 'FALSE' ,'Scotty' ,'Evil'),
-    		('cal', 'password', 'C-A-T-S Cats Cats Cats', 'FALSE' ,'John' ,'Calipari'),
-    		('john', 'password', 'Do the Duggie!', 'FALSE' ,'John' ,'Wall'),
-    		('kevin', '42', 'Doug Adams rocks', 'FALSE' ,'Kevin' ,'Johnson'),
-    		('dave', 'set', 'Bet on S.E.T. FTW', 'FALSE' ,'Dave' ,'Kennedy'),
-    		('patches', 'tortoise', 'meow', 'FALSE' ,'Patches' ,'Pester'),
-    		('rocky', 'stripes', 'treats?', 'FALSE' ,'Rocky' ,'Paws'),
-    		('tim', 'lanmaster53', 'Because reconnaissance is hard to spell', 'FALSE' ,'Tim' ,'Tomes'),
-    		('ABaker', 'SoSecret', 'Muffin tops only', 'TRUE' ,'Aaron' ,'Baker'),
-    		('PPan', 'NotTelling', 'Where is Tinker?', 'FALSE' ,'Peter' ,'Pan'),
-    		('CHook', 'JollyRoger', 'Gator-hater', 'FALSE' ,'Captain' ,'Hook'),
-    		('james', 'i<3devs', 'Occupation: Researcher', 'FALSE' ,'James' ,'Jardine'),
-    		('ed', 'pentest', 'Commandline KungFu anyone?', 'FALSE' ,'Ed' ,'Skoudis')";
-    	$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
+		$lQueryString = "INSERT INTO accounts (username, password, mysignature, is_admin, firstname, lastname, api_token) VALUES
+			('admin', 'adminpass', 'g0t r00t?', 'TRUE' ,'System' ,'Administrator', '".bin2hex(random_bytes(32))."'),
+			('adrian', 'somepassword', 'Zombie Films Rock!', 'TRUE' ,'Adrian' ,'Crenshaw', '".bin2hex(random_bytes(32))."'),
+			('john', 'monkey', 'I like the smell of confunk', 'FALSE' ,'John' ,'Pentest', '".bin2hex(random_bytes(32))."'),
+			('jeremy', 'password', 'd1373 1337 speak', 'FALSE' ,'Jeremy' ,'Druin', '".bin2hex(random_bytes(32))."'),
+			('bryce', 'password', 'I Love SANS', 'FALSE' ,'Bryce' ,'Galbraith', '".bin2hex(random_bytes(32))."'),
+			('samurai', 'samurai', 'Carving fools', 'FALSE' ,'Samurai' ,'WTF', '".bin2hex(random_bytes(32))."'),
+			('jim', 'password', 'Rome is burning', 'FALSE' ,'Jim' ,'Rome', '".bin2hex(random_bytes(32))."'),
+			('bobby', 'password', 'Hank is my dad', 'FALSE' ,'Bobby' ,'Hill', '".bin2hex(random_bytes(32))."'),
+			('simba', 'password', 'I am a super-cat', 'FALSE' ,'Simba' ,'Lion', '".bin2hex(random_bytes(32))."'),
+			('dreveil', 'password', 'Preparation H', 'FALSE' ,'Dr.' ,'Evil', '".bin2hex(random_bytes(32))."'),
+			('scotty', 'password', 'Scotty do', 'FALSE' ,'Scotty' ,'Evil', '".bin2hex(random_bytes(32))."'),
+			('cal', 'password', 'C-A-T-S Cats Cats Cats', 'FALSE' ,'John' ,'Calipari', '".bin2hex(random_bytes(32))."'),
+			('john', 'password', 'Do the Duggie!', 'FALSE' ,'John' ,'Wall', '".bin2hex(random_bytes(32))."'),
+			('kevin', '42', 'Doug Adams rocks', 'FALSE' ,'Kevin' ,'Johnson', '".bin2hex(random_bytes(32))."'),
+			('dave', 'set', 'Bet on S.E.T. FTW', 'FALSE' ,'Dave' ,'Kennedy', '".bin2hex(random_bytes(32))."'),
+			('patches', 'tortoise', 'meow', 'FALSE' ,'Patches' ,'Pester', '".bin2hex(random_bytes(32))."'),
+			('rocky', 'stripes', 'treats?', 'FALSE' ,'Rocky' ,'Paws', '".bin2hex(random_bytes(32))."'),
+			('tim', 'lanmaster53', 'Because reconnaissance is hard to spell', 'FALSE' ,'Tim' ,'Tomes', '".bin2hex(random_bytes(32))."'),
+			('ABaker', 'SoSecret', 'Muffin tops only', 'TRUE' ,'Aaron' ,'Baker', '".bin2hex(random_bytes(32))."'),
+			('PPan', 'NotTelling', 'Where is Tinker?', 'FALSE' ,'Peter' ,'Pan', '".bin2hex(random_bytes(32))."'),
+			('CHook', 'JollyRoger', 'Gator-hater', 'FALSE' ,'Captain' ,'Hook', '".bin2hex(random_bytes(32))."'),
+			('james', 'i<3devs', 'Occupation: Researcher', 'FALSE' ,'James' ,'Jardine', '".bin2hex(random_bytes(32))."'),
+			('ed', 'pentest', 'Commandline KungFu anyone?', 'FALSE' ,'Ed' ,'Skoudis', '".bin2hex(random_bytes(32))."')";
+		$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
     	if (!$lQueryResult) {
     		$lErrorDetected = TRUE;
     	}else{
@@ -1222,12 +1222,12 @@ function format($pMessage, $pLevel ) {
 
 	$lAccountsXML = "";
 	$lAccountsText = "";
-	$lQueryString = "SELECT username, password, mysignature, is_admin FROM accounts;";
+	$lQueryString = "SELECT * FROM accounts;";
 	$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
 
 	if (isset($lQueryResult->num_rows)){
 		if ($lQueryResult->num_rows > 0) {
-			$lResultsFound = TRUE;
+			$lResultsFound = true;
 			$lRecordsFound = $lQueryResult->num_rows;
 		}//end if
 	}//end if
@@ -1236,26 +1236,43 @@ function format($pMessage, $pLevel ) {
 
 		echo format("Executed query 'SELECT * FROM accounts'. Found ".$lRecordsFound." records.","S");
 
-		$lAccountsXML='<?xml version="1.0" encoding="utf-8"?>'.PHP_EOL;
-		$lAccountsXML.="<Employees>".PHP_EOL;
-		$lCounter=1;
+		$lAccountsXML = '<?xml version="1.0" encoding="utf-8"?>'.PHP_EOL;
+		$lAccountsXML .= "<Accounts>".PHP_EOL;
+		$lCounter = 1;
 		$cTAB = CHR(9);
-
+
+		$lAccountsText = "CID,Username,Password,Signature,Type,FirstName,LastName,APIToken".PHP_EOL; // Add CSV header
+
 		while($row = $lQueryResult->fetch_object()){
-			$lAccountType = $row->is_admin?"Admin":"User";
-		   	$lAccountsXML.=$cTAB.'<Employee ID="'.$lCounter.'">'.PHP_EOL;
-		   	$lAccountsXML.=$cTAB.$cTAB.'<UserName>'.htmlspecialchars($row->username).'</UserName>'.PHP_EOL;
-		   	$lAccountsXML.=$cTAB.$cTAB.'<Password>'.htmlspecialchars($row->password).'</Password>'.PHP_EOL;
-		   	$lAccountsXML.=$cTAB.$cTAB.'<Signature>'.htmlspecialchars($row->mysignature).'</Signature>'.PHP_EOL;
-		   	$lAccountsXML.=$cTAB.$cTAB.'<Type>'.htmlspecialchars($lAccountType).'</Type>'.PHP_EOL;
-		   	$lAccountsXML.=$cTAB.'</Employee>'.PHP_EOL;
-
-		   	$lAccountsText.=$lCounter.",".$row->username.",".$row->password.",".$row->mysignature.",".$lAccountType.PHP_EOL;
-		   	$lCounter+=1;
-		}// end while
-
-		$lAccountsXML.="</Employees>".PHP_EOL;
-
+			$lAccountType = $row->is_admin == 'TRUE' ? "Admin" : "User";
+
+			// XML Generation
+			$lAccountsXML .= $cTAB.'<Account ID="'.$lCounter.'">'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<CID>'.htmlspecialchars($row->cid).'</CID>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<UserName>'.htmlspecialchars($row->username).'</UserName>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<Password>'.htmlspecialchars($row->password).'</Password>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<Signature>'.htmlspecialchars($row->mysignature).'</Signature>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<Type>'.htmlspecialchars($lAccountType).'</Type>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<FirstName>'.htmlspecialchars($row->firstname).'</FirstName>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<LastName>'.htmlspecialchars($row->lastname).'</LastName>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.$cTAB.'<APIToken>'.htmlspecialchars($row->api_token).'</APIToken>'.PHP_EOL;
+			$lAccountsXML .= $cTAB.'</Account>'.PHP_EOL;
+
+			// CSV Generation
+			$lAccountsText .= $row->cid.","
+						   . $row->username.","
+						   . $row->password.","
+						   . $row->mysignature.","
+						   . $lAccountType.","
+						   . $row->firstname.","
+						   . $row->lastname.","
+						   . $row->api_token.PHP_EOL;
+
+			$lCounter += 1;
+		}
+
+		$lAccountsXML .= "</Accounts>".PHP_EOL;
+
 		try{
 			/* Ubuntu 12.04LTS PHP cannot parse short syntax of
 			 * is_writable(pathinfo($lAccountXMLFilePath)['dirname']).