import hmac
import random
import string
from base64 import b64decode, b64encode
from hashlib import md5

from Crypto.Cipher import AES
from Crypto.Hash import HMAC
from flask import Flask, render_template, request, make_response, redirect
  8.  
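BLOCK_SIZE = 16


def _pad_unit(s, n):
    """Return one padding character with ordinal *n*, typed like *s* (str or bytes)."""
    if isinstance(s, bytes):
        return bytes(bytearray([n]))
    return chr(n)


def pad(s):
    """Return *s* with PKCS#7 padding to a multiple of BLOCK_SIZE.

    Appends k copies of the character with ordinal k, where
    k = BLOCK_SIZE - len(s) % BLOCK_SIZE, so an already aligned input grows
    by a full block. Works on str (as the original lambda did) and on bytes.
    """
    n = BLOCK_SIZE - len(s) % BLOCK_SIZE
    return s + _pad_unit(s, n) * n


def unpad(s):
    """Strip the PKCS#7 padding appended by pad().

    Raises ValueError instead of returning a truncated value when *s* is
    empty, when the final byte is not in 1..BLOCK_SIZE, or when the trailing
    bytes are not all equal to that count; a silently mis-stripped tail would
    otherwise be handed to the caller as if it were genuine plaintext.
    """
    if not s:
        raise ValueError("cannot unpad empty input")
    n = ord(s[-1:])
    if not 1 <= n <= BLOCK_SIZE or len(s) < n:
        raise ValueError("invalid padding length")
    if s[-n:] != _pad_unit(s, n) * n:
        raise ValueError("inconsistent padding bytes")
    return s[:-n]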
  12.  
# Single Flask application; the route handlers below register on it.
app = Flask(__name__)
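# Per-process secrets, regenerated on every start (tokens do not survive a
# restart). random.SystemRandom draws from the OS entropy source; the default
# Mersenne Twister generator is predictable and must not be used for keys.
_rng = random.SystemRandom()
_ALPHABET = string.ascii_letters + string.digits
HMAC_SECRET = ''.join(_rng.choice(_ALPHABET) for _ in range(16))
# 32 hex characters, used as the AES key by encrypt()/decrypt(). Deriving it
# as an md5 hexdigest caps the effective key entropy at 128 bits even though
# the string is 32 bytes long.
key = md5(''.join(_rng.choice(_ALPHABET) for _ in range(32)).encode('utf8')).hexdigest()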
  16.  
@app.route('/')
def index():
    """Render the page that matches the visitor's session cookie.

    No cookie, or one that verify_token() rejects (status 0), shows the login
    form; status 1 shows the user page and any other status the admin page,
    both with the name recovered from the token.
    """
    token = request.cookies.get('token')
    if token is None:
        return render_template('login.html')
    status, name = verify_token(token)
    if status == 0:
        return render_template('login.html')
    page = 'user.html' if status == 1 else 'admin.html'
    return render_template(page, name=name)
  30.  
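@app.route('/login', methods=['POST'])
def login():
    """Issue a session token for the posted name and redirect to '/'.

    Colons are stripped from the name because gen_token() uses ':' as the
    separator between name and role inside the signed payload. A name that
    is empty or longer than 1024 characters after stripping gets the
    redirect without a cookie.
    """
    response = make_response(redirect('/'))
    name = request.form['name'].replace(":", "")
    if 0 < len(name) <= 1024:
        # httponly keeps the token out of reach of scripts running in the page.
        response.set_cookie('token', gen_token(name), httponly=True)
    return response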
  41.  
def gen_token(user):
    """Build the session token for *user* with the 'user' role.

    Layout: encrypt(payload + HMAC_SECRET) followed by the hex HMAC of the
    payload, where payload is "<user>:user". The digest is left at the
    Crypto HMAC default (MD5 in PyCrypto/PyCryptodome) because verify_token()
    slices a 32-hex-character MAC off the end of the token. Note that the
    server's HMAC secret travels inside the encrypted part of the token; the
    verifier should not treat that copy as trusted input.
    """
    payload = ":".join((user, "user"))
    signer = HMAC.new(HMAC_SECRET.encode("utf-8"), payload.encode("utf-8"))
    digest = signer.hexdigest().encode("utf-8")
    return encrypt(payload + HMAC_SECRET) + digest
  48.  
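def verify_token(token):
    """Parse and authenticate a session token.

    Returns (status, name): (0, "") for a missing, malformed or unauthentic
    token, (1, user) when the MAC covers "<user>:user" and (2, user) when it
    covers "<user>:admin". The MAC is checked against the server-side
    HMAC_SECRET only. The 16-character secret that gen_token() appends to
    the encrypted payload is still sliced off to keep the token layout, but
    it is never used for verification: everything inside the token is under
    the sender's control and must not decide which key validates it.
    """
    if len(token) < 53:
        return 0, ""
    mac, body = token[-32:], token[:-32]
    try:
        data = decrypt(body)
    except Exception:
        # Any base64, cipher, padding or decoding failure means "not a
        # token"; the caller only needs the status, so no detail is surfaced.
        return 0, ""
    if len(data) < 21:
        return 0, ""
    data = data[:-16]  # drop the embedded secret copy
    i = data.rfind(":")
    if i < 0:
        return 0, ""
    user = data[:i]
    if verify_hmac(HMAC_SECRET, mac, user + ":user"):
        return 1, user
    if verify_hmac(HMAC_SECRET, mac, user + ":admin"):
        return 2, user
    return 0, ""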
  69.  
def encrypt(raw):
    """AES-encrypt pad(*raw*) under the module key and return it base64-encoded.

    AES.new(key) is called without a mode; PyCrypto's default in that case is
    ECB, which has no IV and maps equal plaintext blocks to equal ciphertext
    blocks. decrypt() mirrors this call, so the mode cannot be changed on one
    side alone.
    """
    cipher = AES.new(key)
    return b64encode(cipher.encrypt(pad(raw)))
  74.  
def decrypt(enc):
    """Base64-decode *enc*, AES-decrypt it with the module key and unpad.

    Returns the plaintext as a UTF-8 str. Raises on bad base64, on a
    ciphertext length that is not a block multiple, and on plaintext that is
    not valid UTF-8; callers treat any exception as an invalid token.
    """
    plaintext = AES.new(key).decrypt(b64decode(enc))
    return unpad(plaintext).decode('utf8')
  79.  
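def verify_hmac(secret, mac, msg):
    """Return True when *mac* is the hex HMAC-MD5 of *msg* under *secret*.

    HMAC-MD5 is used because gen_token() leaves the Crypto HMAC digest at its
    library default (MD5), so the 32-hex-character MAC must be checked with
    the same algorithm. The comparison is constant-time so that a mismatch
    does not leak how many leading characters were correct.
    """
    expected = hmac.new(secret.encode("utf-8"), msg.encode("utf-8"), md5).hexdigest()
    try:
        return hmac.compare_digest(expected, mac)
    except TypeError:
        # compare_digest accepts only ASCII str (or bytes); a mac outside
        # that range cannot equal a hex digest, so report a mismatch.
        return False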
  87.  
if __name__ == "__main__":
    # Binds to every interface on port 9999 using Flask's built-in
    # development server; debug mode is not enabled here.
    app.run(host='0.0.0.0', port=9999)