import os
import subprocess

from flask import Flask, render_template_string, request, redirect, url_for, \
        session, send_file, send_from_directory, abort
from flask_sqlalchemy import SQLAlchemy
  6.  
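app = Flask(__name__)

# Session cookies are signed with SECRET_KEY, so anyone who knows the value
# can forge a cookie for any username. Read it from the environment when
# present; the original literal stays only as the fallback so existing
# deployments keep working without configuration changes.
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', 'supersecretysecret')
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///sqlite.db'

db = SQLAlchemy(app)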
  13.  
  14.  
class User(db.Model):
    """Account row used by login() and by the access check in supersecret()."""
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(256), unique=True)
    # login() filters on this column with the submitted form value directly;
    # nothing in this file hashes it, so it holds the password in clear text.
    password = db.Column(db.String(256))
    # Copied into session['name'] at login and later stored as Post.name.
    display_name = db.Column(db.String(256))
    # Must be True for the account to reach the comments page.
    access = db.Column(db.Boolean)
  21.  
  22.  
class Post(db.Model):
    """One comment on the secret page: author display name plus body text."""
    id = db.Column(db.Integer, primary_key=True)
    # Author's display name, taken from session['name'] when the comment is saved.
    name = db.Column(db.String(256))
    # The comment body as submitted in the 'comment' form field.
    post = db.Column(db.String(256))
  27.  
  28.  
class Flag(db.Model):
    """Single-value table; nothing else in this file reads or writes it."""
    id = db.Column(db.Integer, primary_key=True)
    # String(36) matches the length of a canonical UUID -- presumably what is
    # stored here, but no code in this file shows the producer; verify.
    flag = db.Column(db.String(36))
  32.  
  33.  
# Captured once at import time and baked into index_template below, so the
# landing page shows the server's working directory and a full listing of it
# to every visitor, authenticated or not.
listing_cmd = ['ls', '-lap']
pwd = os.getcwd()
ls = subprocess.check_output(listing_cmd)
  36.  
# Landing page markup. The working directory and the 'ls -lap' output are
# %-formatted in once at import time (the trailing `% (pwd, ls)`), and index()
# then hands the result to render_template_string, i.e. it is parsed as a
# Jinja template. check_output returns bytes on Python 3, so there the listing
# appears inside <pre> as a b'...' repr rather than as plain text.
index_template = '''
<html>
   <head>
       <title>
           My Super Duper Site
       </title>
   </head>
   <body>
       <a href='{{ url_for('login') }}'>
           Login
       </a>
       <a href='{{ url_for('download', downloadFile='test.txt') }}'>
           Download
       </a>
       <h1>
           Welcome to my super duper site
       </h1>
       Yaii, I have finally moved away from PHP *yuck* <br>
       My friend introduced me to Python Flask and it is *sings* awesome!!! \
               <br>
       This entire site pages are all in a single file! <br>
       Don't believe me ??? <br>
       Take a look for yourself ! <br>
       <pre>
$ pwd
%s

$ ls -lap
%s
       </pre>
       Ignore the uploads/ folder and the sqlite db, all the actual website \
               pages and stuff are in the <b>single</b> py file
   </body>
</html>
''' % (pwd, ls)
  72.  
# Username/password form; an empty action posts back to the same URL (/login).
login_template = '''
<html>
   <head>
       <title>
           Login
       </title>
   </head>
   <body>
       <form action='' method='POST'>
           Username : <input type='text' name='username'><br>
           Password : <input type='password' name='password'><br>
           <input type='submit' value='Submit'>
       </form>
   </body>
</html>
'''
  89.  
# Wrapper for the recursive uploads/ listing produced in downloadList(); the
# single %s is replaced there. The <title> still reads "Login" (copy-paste
# leftover from login_template).
download_template = '''
<html>
   <head>
       <title>
           Login
       </title>
   </head>
   <body>
       <pre>
%s
       </pre>
   </body>
</html>'''
  103.  
# Comments page. supersecret() replaces %s with one generated row per Post and
# then renders the result as a Jinja template with `posts` in the context, so
# whatever is substituted here becomes template *source*, not data.
secret_template = '''
<html>
   <head>
       <title>
           Super Secret Comments Page
       </title>
   </head>
   <body>
       %s
       <form action='' method='POST'>
           Comment : <input type='text' name='comment'><br>
           <input type='submit' value='Submit'>
       </form>
   </body>
</html>
'''
  120.  
  121.  
@app.route('/')
def index():
    """Serve the landing page.

    ``index_template`` already had the cwd and directory listing %-formatted
    into it at import time; here that string is additionally parsed as a
    Jinja template (it contains ``url_for`` expressions).
    """
    page = index_template
    return render_template_string(page)
  125.  
  126.  
@app.route('/login', methods=['GET', 'POST'])
def login():
    """Render the login form; on a submitted form, start a session.

    The credential check is an equality filter on ``User.username`` and
    ``User.password`` as stored -- passwords are compared in clear text, no
    hashing is involved anywhere in this file. On a match
    ``session['username']`` and ``session['name']`` are set and the client is
    redirected to ``index``; on a miss or a plain GET the form is shown again.
    """
    if not request.form:
        return render_template_string(login_template)
    submitted = dict(username=request.form.get('username', ''),
                     password=request.form.get('password', ''))
    matched = User.query.filter_by(**submitted).first()
    if matched is None:
        return render_template_string(login_template)
    session['username'] = matched.username
    session['name'] = matched.display_name
    return redirect(url_for('index'))
  139.  
  140.  
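@app.route('/download/')
def downloadList():
    """Show a recursive listing of uploads/ (no authentication required).

    Returns:
        ``download_template`` rendered with the output of ``ls -lapR uploads``
        in its <pre> block.

    Raises:
        subprocess.CalledProcessError if ``ls`` exits non-zero (for example
        when uploads/ does not exist); Flask reports it as a 500.
    """
    output = subprocess.check_output(['ls', '-lapR', 'uploads'])
    # check_output yields bytes; decode so the page shows the listing itself
    # rather than its b'...' repr. The text is then passed to Jinja as a
    # variable (autoescaped) instead of being spliced into the template
    # source, so a file name containing '{{' or '<' is displayed, not
    # interpreted as template markup or HTML.
    listing = output.decode('utf-8', 'replace')
    return render_template_string(download_template % '{{ listing }}',
                                  listing=listing)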
  145.  
  146.  
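@app.route('/download/<path:downloadFile>')
def download(downloadFile):
    """Serve one file from the uploads/ directory.

    Args:
        downloadFile: the URL segment after ``/download/`` (``path``
            converter, so it may contain slashes), interpreted relative to
            ``uploads/``.

    Returns:
        The file as a Flask response.

    Raises:
        NotFound (a 404 response) when the resolved path is not an existing
        regular file inside uploads/, including any attempt to resolve
        outside it.
    """
    # Resolve against the process cwd, matching the relative 'uploads/'
    # prefix used before. send_from_directory joins directory and file name
    # safely, so '..' or absolute segments in downloadFile cannot reach
    # files outside uploads/, and it 404s on anything that is not a file.
    uploads_dir = os.path.abspath('uploads')
    return send_from_directory(uploads_dir, downloadFile)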
  154.  
  155.  
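@app.route('/supersecretpage_5f4dcc3b5aa7', methods=['GET', 'POST'])
def supersecret():
    """Comments page for users whose ``access`` flag is set.

    A logged-in user without ``access=True`` (or no session at all) gets a
    404 from ``first_or_404``. A submitted form stores a new Post under the
    session's display name; every request then renders all posts.

    Returns:
        The rendered ``secret_template``, or a redirect back to this page
        after the recovery path below wiped the table.
    """
    User.query.filter_by(username=session.get('username', ''),
                         access=True).first_or_404()
    if request.form:
        comment = request.form.get('comment', '')
        db.session.add(Post(name=session.get('name', ''), post=comment))
        db.session.commit()
    posts = Post.query.all()
    # Both the author name and the body are referenced as Jinja variables
    # rather than concatenated into the template source. Anything stored in
    # the db (display_name included) is therefore rendered, autoescaped, as
    # data and never parsed as template syntax.
    rows = ['{{ posts[%d].name }} : {{ posts[%d].post }}' % (i, i)
            for i in range(len(posts))]
    data = "<br>\n".join(rows)
    try:
        return render_template_string(secret_template % data, posts=posts)
    except Exception:
        # Original recovery strategy: if rendering fails, drop every comment
        # and reload. Narrowed from a bare `except:` so KeyboardInterrupt and
        # SystemExit propagate. Note this still destroys all stored posts on
        # any rendering error.
        Post.query.delete()
        db.session.commit()
        return redirect(url_for('supersecret'))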
  182.  
  183.  
if __name__ == '__main__':
    # debug=True enables the auto-reloader and the interactive Werkzeug
    # debugger; the latter exposes an in-browser Python console on errors,
    # so this setting is for local development only and must not be
    # reachable from untrusted networks.
    app.run(debug=True)