daily pastebin goal
18%
SHARE
TWEET

Untitled

a guest Mar 23rd, 2019 103 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import os
  2. import subprocess
  3. from flask import Flask, render_template_string, request, redirect, url_for, \
  4.         session, send_file, abort
  5. from flask_sqlalchemy import SQLAlchemy
  6.  
  7. app = Flask(__name__)
  8.  
  9. app.config['SECRET_KEY'] = 'supersecretysecret'
  10. app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///sqlite.db'
  11.  
  12. db = SQLAlchemy(app)
  13.  
  14.  
  15. class User(db.Model):
  16.     id = db.Column(db.Integer, primary_key=True)
  17.     username = db.Column(db.String(256), unique=True)
  18.     password = db.Column(db.String(256))
  19.     display_name = db.Column(db.String(256))
  20.     access = db.Column(db.Boolean)
  21.  
  22.  
  23. class Post(db.Model):
  24.     id = db.Column(db.Integer, primary_key=True)
  25.     name = db.Column(db.String(256))
  26.     post = db.Column(db.String(256))
  27.  
  28.  
  29. class Flag(db.Model):
  30.     id = db.Column(db.Integer, primary_key=True)
  31.     flag = db.Column(db.String(36))
  32.  
  33.  
  34. pwd = os.getcwd()
  35. ls = subprocess.check_output(['ls', '-lap'])
  36.  
  37. index_template = '''
  38. <html>
  39.    <head>
  40.        <title>
  41.            My Super Duper Site
  42.        </title>
  43.    </head>
  44.    <body>
  45.        <a href='{{ url_for('login') }}'>
  46.            Login
  47.        </a>
  48.        <a href='{{ url_for('download', downloadFile='test.txt') }}'>
  49.            Download
  50.        </a>
  51.        <h1>
  52.            Welcome to my super duper site
  53.        </h1>
  54.        Yaii, I have finally moved away from PHP *yuck* <br>
  55.        My friend introduced me to Python Flask and it is *sings* awesome!!! \
  56.                <br>
  57.        This entire site pages are all in a single file! <br>
  58.        Don't believe me ??? <br>
  59.        Take a look for yourself ! <br>
  60.        <pre>
  61. $ pwd
  62. %s
  63.  
  64. $ ls -lap
  65. %s
  66.        </pre>
  67.        Ignore the uploads/ folder and the sqlite db, all the actual website \
  68.                pages and stuff are in the <b>single</b> py file
  69.    </body>
  70. </html>
  71. ''' % (pwd, ls)
  72.  
  73. login_template = '''
  74. <html>
  75.    <head>
  76.        <title>
  77.            Login
  78.        </title>
  79.    </head>
  80.    <body>
  81.        <form action='' method='POST'>
  82.            Username : <input type='text' name='username'><br>
  83.            Password : <input type='password' name='password'><br>
  84.            <input type='submit' value='Submit'>
  85.        </form>
  86.    </body>
  87. </html>
  88. '''
  89.  
  90. download_template = '''
  91. <html>
  92.    <head>
  93.        <title>
  94.            Login
  95.        </title>
  96.    </head>
  97.    <body>
  98.        <pre>
  99. %s
  100.        </pre>
  101.    </body>
  102. </html>'''
  103.  
  104. secret_template = '''
  105. <html>
  106.    <head>
  107.        <title>
  108.            Super Secret Comments Page
  109.        </title>
  110.    </head>
  111.    <body>
  112.        %s
  113.        <form action='' method='POST'>
  114.            Comment : <input type='text' name='comment'><br>
  115.            <input type='submit' value='Submit'>
  116.        </form>
  117.    </body>
  118. </html>
  119. '''
  120.  
  121.  
  122. @app.route('/')
  123. def index():
  124.     return render_template_string(index_template)
  125.  
  126.  
  127. @app.route('/login', methods=['GET', 'POST'])
  128. def login():
  129.     if request.form:
  130.         username = request.form.get('username', '')
  131.         password = request.form.get('password', '')
  132.         user = User.query.filter_by(username=username,
  133.                                     password=password).first()
  134.         if user:
  135.             session['username'] = user.username
  136.             session['name'] = user.display_name
  137.             return redirect(url_for('index'))
  138.     return render_template_string(login_template)
  139.  
  140.  
  141. @app.route('/download/')
  142. def downloadList():
  143.     output = subprocess.check_output(['ls', '-lapR', 'uploads'])
  144.     return render_template_string(download_template % output)
  145.  
  146.  
  147. @app.route('/download/<path:downloadFile>')
  148. def download(downloadFile):
  149.     path = 'uploads/' + downloadFile
  150.     if os.path.isfile(path):
  151.         return send_file(path)
  152.     else:
  153.         abort(404)
  154.  
  155.  
  156. @app.route('/supersecretpage_5f4dcc3b5aa7', methods=['GET', 'POST'])
  157. def supersecret():
  158.     User.query.filter_by(username=session.get('username', ''),
  159.                          access=True).first_or_404()
  160.     if request.form:
  161.         post = request.form.get('comment', '')
  162.         db.session.add(Post(name=session.get('name', ''), post=post))
  163.         db.session.commit()
  164.     posts = Post.query.all()
  165.     data = []
  166.     for i, post in enumerate(posts):
  167.         # Double '{' to protect against various injecion
  168.         # Pass posts in as a variable to the template injection to stop
  169.         # template injection which let Crash get shell
  170.         # post.name is directly from the db which I control so that's fine
  171.         # no need to waste processing encoding that
  172.         s = post.name + ' : {{ posts[%d].post }}' % i
  173.         data.append(s)
  174.     data = "<br>\n".join(data)
  175.     try:
  176.         return render_template_string(secret_template % data, posts=posts)
  177.     except:
  178.         # Something went wrong DELETE IT ALL
  179.         Post.query.delete()
  180.         db.session.commit()
  181.         return redirect(url_for('supersecret'))
  182.  
  183.  
  184. if __name__ == '__main__':
  185.     app.run(debug=True)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top