Guest User

smartcat3

a guest
Mar 19th, 2016
81
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python3
  2. # encoding: utf-8
  3.  
  4. import cgi
  5. import subprocess
  6. import string
  7. import os
  8.  
  9. # FWIW: The same vulnerability was found in the real world ;)
  10. #       Devs have crazy ideas sometimes...
  11.  
  12. # The firewall only allows the strict minimum required for this chall, aka
  13. # OUTPUT on udp/53 and icmp. INPUT is port 80 only.
  14.  
  15. def sanity_check(txt):
  16.     charset = list(string.ascii_letters + string.digits + string.punctuation)
  17.  
  18.     for _ in r"$&\;`|*":
  19.         charset.remove(_)
  20.  
  21.     return any(c not in charset for c in txt)
  22.  
  23. print("Content-type: text/html")
  24. print
  25. print("""
  26. <html>
  27. <head>
  28.      <title>Can I haz Smart Cat ???</title>
  29.      <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.1.0/styles/github.min.css">
  30.      <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.1.0/highlight.min.js"></script>
  31.      <style>code { border: 1px solid black; padding: 10px; }</style>
  32. </head>
  33. <body>
  34.  <h3> Smart Cat interface [<a href="ping.cgi?src=1">source</a>]</h3>
  35. """)
  36.  
  37. form = cgi.FieldStorage()
  38. dest = form.getvalue("dest", "127.0.0.1")
  39. src = form.getvalue("src")
  40.  
  41.  
  42. if sanity_check(dest):
  43.     out = "Invalid characters!"
  44.     color = "red"
  45. else:
  46.     # No env tricks this time, find something that is not CGI-specific :)
  47.  
  48.     os.environ.clear()
  49.     try:
  50.         status = subprocess.call("ping -c1 " + dest,
  51.                                  timeout=2,
  52.                                  shell=True,
  53.                                  executable="/bin/bash",
  54.                                  stdin=None,
  55.                                  stdout=subprocess.PIPE,
  56.                                  stderr=subprocess.PIPE)
  57.     except subprocess.TimeoutExpired:
  58.         status = 1
  59.  
  60.     out = "Host is " + ("down" if status else "up")
  61.     color = "red" if status else "green"
  62.  
  63. print("""
  64.  <form method="post" action="ping.cgi">
  65.    <p>Host to check: <input type="text" name="dest" placeholder="127.0.0.1" /></p>
  66.  </form>
  67.  
  68.  <p>Status: <tt style="color: %s;">%s</tt></p>
  69.  <img src="../img/cat.jpg"/><!-- grimmlin loves cats -->
  70. """ % (color, cgi.escape(out)))
  71.  
  72. if src:
  73.     with open(__file__, "rb") as f:
  74.         print('<script>hljs.initHighlightingOnLoad();</script>')
  75.         print('''<pre><code class="python hljs">%s</code></pre>''' % cgi.escape(f.read().decode()))
  76.  
  77. print("</body></html>")
RAW Paste Data