- import os
- import subprocess
- from flask import Flask, render_template_string, request, redirect, url_for, \
- session, send_file, abort
- from flask_sqlalchemy import SQLAlchemy
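app = Flask(__name__)
# Flask signs the session cookie with SECRET_KEY, so whoever can read this
# file can mint a session for any username (including one with `access`).
# Take the key from the environment and keep the literal only as the
# fallback so an existing deployment without the variable keeps working.
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', 'supersecretysecret')
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///sqlite.db'
db = SQLAlchemy(app)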
class User(db.Model):
    """Login account; `access` decides who may open the comments page."""
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(256), unique=True)
    # login() matches this column verbatim against the submitted form value,
    # so it holds the plaintext password; hashing needs a schema/data change.
    password = db.Column(db.String(256))
    # Copied into session['name'] at login and stored as Post.name.
    display_name = db.Column(db.String(256))
    # supersecret() requires a row with access=True for the session's username.
    access = db.Column(db.Boolean)
class Post(db.Model):
    """One comment on the secret page: author display name plus the text."""
    id = db.Column(db.Integer, primary_key=True)
    # Filled from session['name'] when supersecret() stores a comment.
    name = db.Column(db.String(256))
    # The submitted 'comment' form field.
    post = db.Column(db.String(256))
class Flag(db.Model):
    """Table holding a flag string; not referenced anywhere else in this file."""
    id = db.Column(db.Integer, primary_key=True)
    flag = db.Column(db.String(36))
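pwd = os.getcwd()
# check_output() returns bytes on Python 3; without decoding, the `%s` slot
# below would render the repr (b'...\n') instead of the listing.
ls = subprocess.check_output(['ls', '-lap']).decode('utf-8', 'replace')
# pwd and ls are substituted into the template *source* at import time, so
# Jinja parses them when index() renders the page. The server's own directory
# listing is under the operator's control, but a filename containing template
# syntax would still break (or change) the page; passing the two values as
# render variables would be the robust form.
index_template = '''
<html>
<head>
<title>
My Super Duper Site
</title>
</head>
<body>
<a href='{{ url_for('login') }}'>
Login
</a>
<a href='{{ url_for('download', downloadFile='test.txt') }}'>
Download
</a>
<h1>
Welcome to my super duper site
</h1>
Yaii, I have finally moved away from PHP *yuck* <br>
My friend introduced me to Python Flask and it is *sings* awesome!!! \
<br>
This entire site pages are all in a single file! <br>
Don't believe me ??? <br>
Take a look for yourself ! <br>
<pre>
$ pwd
%s
$ ls -lap
%s
</pre>
Ignore the uploads/ folder and the sqlite db, all the actual website \
pages and stuff are in the <b>single</b> py file
</body>
</html>
''' % (pwd, ls)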
# Login form. action='' posts back to the same URL, which login() handles.
login_template = """
<html>
<head>
<title>
Login
</title>
</head>
<body>
<form action='' method='POST'>
Username : <input type='text' name='username'><br>
Password : <input type='password' name='password'><br>
<input type='submit' value='Submit'>
</form>
</body>
</html>
"""
# Directory-listing page; the single `%s` inside <pre> is filled by downloadList().
download_template = """
<html>
<head>
<title>
Login
</title>
</head>
<body>
<pre>
%s
</pre>
</body>
</html>"""
# Comments page: the `%s` before the form is filled by supersecret() with the
# post list, then the result is rendered as a Jinja template.
secret_template = """
<html>
<head>
<title>
Super Secret Comments Page
</title>
</head>
<body>
%s
<form action='' method='POST'>
Comment : <input type='text' name='comment'><br>
<input type='submit' value='Submit'>
</form>
</body>
</html>
"""
@app.route('/')
def index():
    """Serve the landing page; pwd and ls are already baked into index_template."""
    page = render_template_string(index_template)
    return page
@app.route('/login', methods=['GET', 'POST'])
def login():
    """Show the login form, or on a submitted form check the credentials.

    A matching User sets session['username'] and session['name'] and
    redirects to index(); a failed attempt just re-renders the form.
    """
    if not request.form:
        return render_template_string(login_template)
    # The password is matched as stored: the User.password column holds the
    # raw value, so the form value is compared to it directly.
    creds = {
        'username': request.form.get('username', ''),
        'password': request.form.get('password', ''),
    }
    account = User.query.filter_by(**creds).first()
    if account is None:
        return render_template_string(login_template)
    session['username'] = account.username
    session['name'] = account.display_name
    return redirect(url_for('index'))
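@app.route('/download/')
def downloadList():
    """Render a recursive `ls` of uploads/ inside download_template.

    The listing is handed to Jinja as a render variable instead of being
    formatted into the template source: autoescaping then neutralises HTML in
    filenames, and a filename containing template syntax is shown literally
    rather than parsed. check_output() returns bytes on Python 3, so the
    output is decoded first or `%s` would show its repr.
    """
    output = subprocess.check_output(['ls', '-lapR', 'uploads'])
    listing = output.decode('utf-8', 'replace')
    # `%` fills the template's only `%s` slot with a Jinja expression; the
    # real text arrives through the variable at render time.
    return render_template_string(download_template % '{{ listing }}',
                                  listing=listing)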
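@app.route('/download/<path:downloadFile>')
def download(downloadFile):
    """Send a file from uploads/, or 404 if it is missing or outside that directory.

    The original 'uploads/' + downloadFile accepted `..` segments, so any
    readable file on the host could be requested. The path is now resolved
    and must still lie under uploads/ (after symlink resolution) before it
    is served.
    """
    base = os.path.realpath('uploads')
    path = os.path.realpath(os.path.join(base, downloadFile))
    # os.path.join drops `base` for an absolute downloadFile and realpath()
    # collapses `..`; requiring the uploads/ prefix covers both.
    if not path.startswith(base + os.sep):
        abort(404)
    if not os.path.isfile(path):
        abort(404)
    return send_file(path)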
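@app.route('/supersecretpage_5f4dcc3b5aa7', methods=['GET', 'POST'])
def supersecret():
    """Comments page for users with `access`: POST stores a comment, then all are listed.

    Responds 404 (first_or_404) unless the session's username belongs to a
    User with access=True.
    """
    User.query.filter_by(username=session.get('username', ''),
                         access=True).first_or_404()
    if request.form:
        post = request.form.get('comment', '')
        db.session.add(Post(name=session.get('name', ''), post=post))
        db.session.commit()
    posts = Post.query.all()
    # Both the author name and the comment text are emitted through template
    # variables, so neither is ever parsed as Jinja and both are autoescaped.
    # Previously post.name was spliced into the template source, and a render
    # error was "handled" by a bare except that deleted every Post row; with
    # data kept out of the template source that recovery path is not needed.
    # The loop reproduces the old "<br>\n"-joined layout: no trailing <br>.
    rows = ('{% for p in posts %}{{ p.name }} : {{ p.post }}'
            '{% if not loop.last %}<br>\n{% endif %}{% endfor %}')
    return render_template_string(secret_template % rows, posts=posts)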
if __name__ == '__main__':
    # debug=True enables the reloader and the interactive Werkzeug debugger,
    # which lets a visitor run code on the host; use it for local development
    # only, never on a network-reachable instance.
    app.run(debug=True)