  1. """
  2. Web App with file based ACL.
  3. """
  4.  
import hmac
import os
import struct

from flask import Flask, request, render_template, abort, flash, redirect, url_for
  9.  
  10. """
  11. Flask Config
  12. """
  13. app = Flask(__name__)
  14. app = Flask(__name__)
  15. app.config['DEBUG'] = False
  16. app.secret_key = ""
  17.  
  18. FLAG = '??'
  19.  
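class ACL(object):
    """
    Intent:
    ACL for the Application

    Responsibilities:
    - Add New Records to ACL
    - Verify existing records in ACL

    Data Structures
    - record
    {
    'username': <str>username[100],
    'password': <str>password[100],
    'admin': <str:`true/false`>admin
    }

    On-disk format: one record per line, ``username:password:admin``.
    ':' and newline are the field and record delimiters, so add_record()
    rejects values containing them and _unpack_data() rejects lines that do
    not hold exactly three fields; otherwise a submitted field could be read
    back as a different record or a different `admin` value.

    Passwords are stored and compared in plaintext because that is the
    format of existing acl.data files; hashing them (e.g. hashlib.pbkdf2_hmac
    with a per-record salt) would change the on-disk format and is left as a
    follow-up.  The comparison itself is constant-time.
    """

    DEFAULT_ACL_FILE = 'acl.data'
    FIELD_DELIMITER = ':'
    FIELD_COUNT = 3
    MAX_FIELD_LENGTH = 100  # the [100] bound in the record description above
    ADMIN_VALUES = ('true', 'false')

    def __init__(self, *args, **kwargs):
        """
        ACL([acl_file=<path>])
        :param str acl_file: kwarg, path of the ACL file
                             (default: DEFAULT_ACL_FILE, relative to the CWD)
        """
        self.acl_file = kwargs.get('acl_file', self.DEFAULT_ACL_FILE)
        # Snapshot of the file at construction; verify() refreshes it so that
        # records appended later (by this or another process) are seen.
        self.acl_lines = self._read_acl_file()

    # ------------------------------------------------------------------
    # Writing methods
    # ------------------------------------------------------------------
    @classmethod
    def _validate_field(cls, name, value):
        """
        Check that one record field can be stored safely.
        :param str name: field name, used only in the error message
        :param value: submitted value
        :raises ValueError: if `value` is not a str, is longer than
                            MAX_FIELD_LENGTH, or contains the field or
                            record delimiters
        """
        if not isinstance(value, str):
            raise ValueError('{} must be a string'.format(name))
        if len(value) > cls.MAX_FIELD_LENGTH:
            raise ValueError('{} is longer than {} characters'.format(
                name, cls.MAX_FIELD_LENGTH))
        if cls.FIELD_DELIMITER in value or '\n' in value or '\r' in value:
            raise ValueError("{} must not contain ':' or line breaks".format(name))

    @staticmethod
    def _pack_data(data_dict):
        """
        Pack data with data_structure into one line (no trailing newline):
        ``username:password:admin``.  Delimiter checks live in add_record().
        """
        return '{}:{}:{}'.format(
            data_dict['username'],
            data_dict['password'],
            data_dict['admin']
        )

    @staticmethod
    def _append_data(filename, data):
        """
        Append `data` followed by the newline record delimiter to `filename`
        (text mode).
        """
        with open(filename, 'a') as f:
            # One write so a record can never be left without its delimiter.
            f.write(data + '\n')

    def _append_record(self, data_dict, *args, **kwargs):
        """
        Pack data and append to file.
        """
        self._append_data(self.acl_file, self._pack_data(data_dict))

    def add_record(self, username, password, admin, *args, **kwargs):
        """
        Add record to ACL.
        - Client Facing
        :param str username:
        :param str password:
        :param str admin: 'true' or 'false'
        :returns: the record dict that was written
        :raises ValueError: on a field rejected by _validate_field, or an
                            admin value other than 'true'/'false'
        """
        self._validate_field('username', username)
        self._validate_field('password', password)
        self._validate_field('admin', admin)
        if admin not in self.ADMIN_VALUES:
            raise ValueError('admin must be one of {}'.format(self.ADMIN_VALUES))

        record = {
            'username': username,
            'password': password,
            'admin': admin
        }

        self._append_record(data_dict=record)

        return record

    # ------------------------------------------------------------------
    # Reading methods
    # ------------------------------------------------------------------
    def _read_acl_file(self):
        """
        Read all the lines in `self.acl_file`.
        :returns: list of raw lines (newlines kept); [] if the file does not
                  exist yet, so callers can iterate unconditionally
        """
        if not os.path.exists(self.acl_file):
            return []

        with open(self.acl_file, 'r') as f:
            return f.readlines()

    def _unpack_data(self, buffer):
        """
        Unpack one on-disk line into a record dict.
        :raises ValueError: if the line does not hold exactly FIELD_COUNT
                            fields (extra or missing delimiters)
        """
        fields = buffer.rstrip('\r\n').split(self.FIELD_DELIMITER)
        if len(fields) != self.FIELD_COUNT:
            raise ValueError('malformed ACL record')

        return {
            'username': fields[0],
            'password': fields[1],
            'admin': fields[2],
        }

    @staticmethod
    def _equal(a, b):
        """
        Constant-time comparison of two str values.  Encoded to bytes because
        hmac.compare_digest only accepts ASCII-only str.
        """
        return hmac.compare_digest(a.encode('utf-8'), b.encode('utf-8'))

    def verify(self, username, password):
        """
        Verify if username and password exist in ACL.
        - Client Facing
        :returns: (True, record) for the first matching line, else
                  (False, None) -- always a 2-tuple so callers can unpack it
                  unconditionally
        """
        if not isinstance(username, str) or not isinstance(password, str):
            return False, None

        # Re-read so records added since construction are honoured.
        self.acl_lines = self._read_acl_file()
        for line in self.acl_lines:
            try:
                data = self._unpack_data(line)
            except ValueError:
                continue  # skip malformed lines instead of failing the lookup

            if self._equal(username, data['username']) and self._equal(password, data['password']):
                return True, data

        return False, None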
  137.  
  138.  
# Module-level ACL shared by the request handlers; reads DEFAULT_ACL_FILE
# ('acl.data', relative to the working directory) once at construction.
acl = ACL()
  140.  
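@app.route('/', methods=['GET', 'POST'])
def index():
    """
    Login page.

    GET renders the form.  POST checks the submitted credentials against the
    ACL and renders the page with the matching record and its admin status;
    on no match (or a lookup failure) it redirects back to the form.
    """
    if request.method == 'GET':
        return render_template('index.html', admin=False, flag=FLAG)

    username = request.form.get('username')
    password = request.form.get('password')
    try:
        result = acl.verify(username, password)
    except Exception:
        # Boundary handler: a broken ACL file must not surface as a 500,
        # but it should be visible in the logs rather than swallowed.
        app.logger.exception('ACL verification failed')
        return redirect(url_for('index'))

    # verify() yields (is_user, record); tolerate a bare False from an older
    # implementation so the unpack below cannot raise.
    if not result:
        return redirect(url_for('index'))
    is_user, record = result
    if not is_user:
        return redirect(url_for('index'))

    # The stored admin flag is the string 'true'/'false', not a bool.
    admin = record['admin'] == 'true'
    return render_template('index.html', admin=admin, flag=FLAG, record=record)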
  158.  
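@app.route('/register', methods=['GET', 'POST'])
def register():
    """
    Self-registration page.

    GET renders the form.  POST appends a non-admin record for the submitted
    credentials and redirects to the login page; incomplete or rejected input
    redirects back to the registration form instead of being stored.
    """
    if request.method == 'GET':
        return render_template('register.html')

    username = request.form.get('username')
    password = request.form.get('password')
    # A missing field would otherwise be stored as the literal text 'None'.
    if not username or not password:
        return redirect(url_for('register'))

    try:
        # Self-registration never grants admin; only the ACL file can.
        acl.add_record(username, password, 'false')
    except ValueError:
        # add_record rejects values that would corrupt the record format.
        return redirect(url_for('register'))

    return redirect(url_for('index'))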
  169.  
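if __name__ == '__main__':
    # Development server only.  Tie the debugger/reloader to app.config['DEBUG']
    # (set to False above) instead of a hard-coded True: the interactive
    # debugger lets whoever reaches it run code in the server process, so it
    # must not be enabled independently of the app's own debug setting.
    app.run(port=5000, debug=app.config['DEBUG'])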