node_insec_basic_wup.js

/*
 This script depends on "mime_types.txt" accessible in my public pastes https://pastebin.com/u/IWBH_01
 It is a basic insecure nodejs server with upload.
*/

global.self=global;0;


var http = require("http"),
fs=require("fs"),
zlib=require("zlib"),


gurl=function(s,bf,af){
var a1="",ci0=s.indexOf(bf);
if(ci0+1){a1=s.substr(ci0+bf.length);
    var ci1=a1.indexOf(af);
    if(ci1+1)a1=a1.substring(0,ci1);
}
return a1;},

urlqp=function(wlc){
var oo={},a0=wlc.substr(wlc.indexOf("?")+1).split("&"),i2=0;
while(i2<a0.length){
    var zi2=a0[i2],ei=zi2.indexOf("="),ez=ei>0;
    oo[decodeURIComponent((ez?zi2.substr(0,ei):zi2).replace(/\+/g," ")).replace(/\x20/g,"_")]=ez?decodeURIComponent(zi2.substr(ei+1).replace(/\+/g," ")):"";
    i2++;
}
return oo;},

mimes_=urlqp(gurl(fs.readFileSync("//mnt/sdb2/stuff_stored_here/windows/www_partial/mime_types.txt","utf-8"),'"','";')),


esc_str=function(s,l,e,h){
if(!l)l=127;
s=s.split('');
var i0=0,cc,cs,ex="\"'\r\n\0"+(typeof e=="string"?e:""),L='length';
while(i0<s[L]){
cc=s[i0].charCodeAt(0);
if((ex.indexOf(s[i0])+1)||cc>l){
if(h) s[i0]="&#"+cc+";"; else{
cs=cc.toString(16);
if(cs[L]<2)cs="0"+cs;
if(cs[L]==2)s[i0]="\\x"+cs;
else if(cs[L]==3)cs="0"+cs;
if(cs[L]==4)s[i0]="\\u"+cs;}
}i0++;
}return s.join('');},


getFoF=function(pth,fp,si){ //fp = client side path, si = show index.html
 if(fs.existsSync(pth)){
  try{
   var itms=fs.readdirSync(pth),skp;
   if(si){ for(var nm of itms){ var nL=nm.toLowerCase(); if(nL=="index.html"||nL=="index.htm"){ skp=!0;if(pth[pth.length-1]!="/")pth+="/";pth+=nm;break; } } }

   if(!skp){
   itms.sort().reverse();
   var p2=fp||pth,lcs=p2[p2.length-1]=="/",p3=p2+(lcs?"":"/"),ti="Index of "+esc_str(p3,127,!1,!0),r="<!Doctype html><html><head><meta content=\"text/html;charset=utf-8\" http-equiv=\"Content-Type\"/>"+(lcs?"":"<base href=\""+p3+"\">")+"<title>"+ti+"</title></head><body><div style=\"position:fixed;top:0;left:0;overflow:scroll;\">\r\n"+ti+"<br>\r\n<table><tr><td>Name</td><td>Type</td><td>Size</td><td>Created</td><td>Modified</td></tr><tr><td><a href=\"../\">../ (parent folder)</a></td><td>Folder</td><td>-</td><td>-</td><td>-</td></tr>\r\n";
   for(var fn of itms){
    var st2=fs.statSync(p3+fn),idr=st2.isDirectory();
    r+="<tr><td><a href=\""+encodeURI(fn)+(idr?"/":"")+"\">"+esc_str(fn,127,!1,!0)+"</a></td><td>"+(idr?"Folder":"File")+"</td><td>"+st2.size+" bytes</td><td>"+st2.ctime.toGMTString()+"</td><td>"+st2.mtime.toGMTString()+"</td></tr>\r\n";
   }
   return r+"</table><br>Upload here: <input type='file' id='f1' multiple='true' ><br><span id='res'></span></div><script type=\"text/javascript\">var d=document,gI='getElementById',sy1=d.getElementsByTagName('div')[0].style,f1=d[gI]('f1'),res=d[gI]('res'); sy1.width=self.innerWidth+'px';sy1.height=self.innerHeight+'px'; f1.onchange="+(function(){
 var i=0,frds=[],
    rdff=function(e){
       var fi=f1.files[this.n],xhr1=new XMLHttpRequest(),d0="/*ulf"+location.pathname;
       if(d0[d0.length-1]!="/")d0+="/";
       xhr1.open("POST",d0+fi.name,!0);
       res.innerHTML+="<br>sending "+fi.name;
       xhr1.onload=function(){res.innerHTML+="<br>"+fi.name+": "+xhr1.responseText;};
       xhr1.send(e.target.result);
       delete frds[this.n];
    },
    errf=function(e){res.innerHTML+=("<br>The file '"+f1.files[this.n].name+"' could not be read! Code "+e.target.error.code);};

    while(i<f1.files.length){
        frds[i] = new FileReader();
        frds[i].n=i;
        frds[i].addEventListener("load",rdff);
        frds[i].addEventListener("error",errf);
        frds[i].readAsArrayBuffer(f1.files[i]);
        i++;
    }
}).toString()+";</script></body></html>";
   }
  }catch(e){}
  return fs.readFileSync(pth);
 }
},


snd_rsp=function(rc,rspS,hed){
 if(!rspS)rspS="no content";
 var h1={"Content-Type":"text/html;charset=utf-8","Content-Length":rspS.length,"Access-Control-Allow-Origin":"*"};
 if(typeof hed=="object")Object.assign(h1,hed);
 if(rspS.length>2048){
  if(typeof rspS=="string")rspS=new Buffer(rspS);
  h1["Content-Encoding"]="gzip";
  rspS=zlib.gzipSync(rspS);
  h1["Content-Length"]=rspS.length;
 }
 this.writeHead(rc||200,h1);
 this.write(rspS);
 this.end();
},

srv_func=function(req, rsp){
  self.L_req=req;
var Sk=req.socket,
o_={"rep":{"ip":Sk.remoteAddress,"port":Sk.remotePort},
 "lep":{"ip":Sk.localAddress,"port":Sk.localPort}},
rspnd=snd_rsp.bind(rsp),
buf_=[];
  console.log("got "+req.url+"\nfrom: "+o_.rep.ip+"\n");
 req.on('data',buf_.push.bind(buf_));
 req.on('end', function(){
  var body=Buffer.concat(buf_),
  qi=req.url.indexOf("?"),unq=decodeURIComponent(qi>0?req.url.substr(0,qi):req.url).replace(/\/\.\.\//g,"/").replace(/\/.\//g,"/"),
  sc,rspS,rshed={},rspS;
  if(unq.substr(0,6)=="/*ulf/"&&body.length){
   console.log("upload?");
   var fp=unq.substr(5); rspS="";
   if(fs.existsSync(fp)){ rspS="file exists."; }else{ try{ fs.writeFileSync(fp,body); rspS="did? "; }catch(e){ rspS+=e; } }
  }else if(unq=="/*fuwp.html"){
   rspS=getFoF("//home/tc/Documents/fuwp.html");
  }else{
   rspS=getFoF(unq);
   var pxt=unq.lastIndexOf(".")+1,ext=pxt?unq.substr(pxt):0;
   if(ext)rshed["Content-Type"]=mimes_[ext]+";charset=utf-8";
  }
  if(!rspS){ sc=404; rspS="not found."; }

  rspnd(sc,rspS,rshed);
 });

};


self.svr1=http.createServer(srv_func);
svr1.listen(120);