Merge commit '52dce8ae1e7441315638e61362f04d2e662b4ed0' as 'Dirbusting'

CUEH · Oct 5, 2021 · 26fc500b57c6582eae67a0338812511dd73579cb · 26fc500
2 parents 854e331 + 52dce8a
commit 26fc500b57c6582eae67a0338812511dd73579cb
Show file tree

Hide file tree

Showing 40 changed files with 22,707 additions and 0 deletions.
diff --git a/Dirbusting/.gitignore b/Dirbusting/.gitignore
@@ -0,0 +1,2 @@
+*~
+__pycache__
diff --git a/Dirbusting/Dockerfile b/Dirbusting/Dockerfile
@@ -0,0 +1,15 @@
+#FROM cueh/flask
+FROM python:3-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends ncat
+
+#Install the Selenium Driver
+COPY REQUIREMENTS.txt /tmp/REQUIREMENTS.txt
+RUN pip install -r /tmp/REQUIREMENTS.txt
+
+#RUN useradd -r flask
+#USER flask
+WORKDIR /opt
+ADD ./app /opt/app
+
+CMD ["flask", "run", "--host=0.0.0.0"]
diff --git a/Dirbusting/README.md b/Dirbusting/README.md
@@ -0,0 +1,10 @@
+# REquests and HTTP TRainer
+git subtree add --prefix Tasks/Requests git@github.coventry.ac.uk:aa9863/245_RequestTraner.git main --squash 
+git subtree pull --prefix Tasks/Requests git@github.coventry.ac.uk:aa9863/245_RequestTraner.git main --squash 
+
+## Basics Requesty Stff
+
+Now with added Dirbusting
+
+## Challenges
+
diff --git a/Dirbusting/REQUIREMENTS.txt b/Dirbusting/REQUIREMENTS.txt
@@ -0,0 +1,5 @@
+flask
+flask-sqlalchemy
+jinja-markdown
+flask-httpauth
+
diff --git a/Dirbusting/app/__init__.py b/Dirbusting/app/__init__.py
@@ -0,0 +1,10 @@
+from .meta import *
+
+from .app import *
+
+from .mappingViews import *
+#from .requestViews import *
+#from .requestChals import *
+
+#from .sessionViews import *
+#from .sessionChals import *
diff --git a/Dirbusting/app/app.py b/Dirbusting/app/app.py
@@ -0,0 +1,297 @@
+"""
+Very simple Flask App.  For Testing
+"""
+
+
+import json
+import re
+
+import flask
+
+from .meta import app
+#from .objects import *
+from .models import *
+from .objects import *
+
+HTTP_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH']
+
+import logging
+
+
+@app.route("/")
+def index():
+
+    logging.warning("Initial Population")
+
+    bookQry = Item.query.filter_by(hidden = False)
+    if bookQry.count() == 0:
+        logging.warning("Need some Books")
+        populateBookTable()
+
+    userQry = User.query.count()
+    logging.warning("User Count %d", userQry)
+    if userQry == 0:
+        logging.warning("Need some Users")
+        populateUserTable()
+
+
+    return flask.render_template("index.html",
+                                 bookList = bookQry)
+
+
+@app.route("/about")
+def about():
+    return flask.render_template("about.html")
+
+
+
+@app.route("/secrets")
+@app.route("/admin")
+@app.route("/phpmyadmin")
+@app.route("/backups")
+@app.route("/secrets/system_administration")
+def dirForbidden():
+    """
+    Return a Forbidden Page
+    """
+    flask.abort(403)
+
+
+@app.route("/.gitignore")
+def gitIgnore():
+    robots = """
+*~
+*#
+*.bak
+*.sql
+"""
+    response = flask.make_response(robots, 200)
+    response.mimetype = "text/plain"
+    return response
+
+
+@app.route("/backups/db.sql")
+def returnDB():
+    robots = """
+FLAG{ENUM_BACKUP_FILES}
+"""
+    response = flask.make_response(robots, 200)
+    response.mimetype = "text/plain"
+    return response
+
+
+@app.route("/secrets/system_administration/flag")
+def dirbuster():
+    """
+    Show the flag file
+    """
+    return flask.render_template("reconflag.html")
+
+@app.route("/accountsettings")
+def parametersSearch():
+
+    flag = None
+    params = flask.request.args.get("remind_password", None)
+    logging.warning("PARAMETERS ARE")
+    logging.warning(params)
+    if params:
+        logging.warning("IS CORRECT")
+        flag = "CUEH{PARAMETER_BUSTING}"
+
+    return flask.render_template("parameters.html",
+                                 flag = flag)
+
+
+@app.route("/login", methods=["GET", "POST"])
+def login():
+
+    prev = flask.request.args.get("prev")
+    if not prev:
+        prev == "index"
+
+    if flask.request.method == "POST":
+        #Get data
+        user = flask.request.form.get("email")
+        password = flask.request.form.get("password")
+
+        userQry = User.query.filter_by(email = user).first()
+        if userQry is None:
+            flask.flash("No Such User")
+        else:
+            if userQry.password == password:
+                flask.session["user"] = userQry.id
+                flask.session["role"] = userQry.level
+                flask.flash("Login Successful")
+                return (flask.redirect(flask.url_for(prev)))
+
+            else:
+                flask.flash("Incorrect password for {0}".format(user))
+
+
+    return flask.render_template("login.html",
+                                 prev = prev)
+
+@app.route("/logout")
+def logout():
+    flask.session.clear()
+    return flask.redirect(flask.url_for("index"))
+
+
+@app.route("/user/create", methods=["GET","POST"])
+def create():
+    """ Create a new account,
+    we will redirect to a homepage here
+    """
+
+    if flask.request.method == "GET":
+        return flask.render_template("create_account.html")
+
+    #Get the form data
+    name = flask.request.form.get("name")
+    email = flask.request.form.get("email")
+    password = flask.request.form.get("password")
+    password2 = flask.request.form.get("password2")
+
+    if password != password2:
+        flask.flash("Passwords do not match")
+        return flask.render_template("create_account.html",
+                                     name = name,
+                                     email = email)
+
+    logging.warning("Name >%s< %s", name, name == None)
+    #Sanity check do we have a name, email and password
+    if not name or not email or not password: 
+        flask.flash("Not all info supplied")
+        return flask.render_template("create_account.html",
+                                     name = name,
+                                     email = email)
+    #And check we have an email
+    emailre = re.compile(r"^[\w\.\+\-]+\@[\w]+\.([a-z]{2,3})+$")
+
+    if not emailre.match(email):
+        flask.flash("Bad Email Address")
+        return flask.render_template("create_account.html",
+                                     name = name)
+
+    #Otherwise we can add the user
+    userQry = User.query.filter_by(email = email).first()
+    if userQry:
+        flask.flash("A User with that Email Exists")
+        return flask.render_template("create_account.html",
+                                     name = name,
+                                     email = email)
+
+    else:
+        #Crate the user
+        theUser = User(name=name,
+                       email=email,
+                       password=password)
+
+        db.session.add(theUser)
+        db.session.commit()
+        flask.flash("Account Created, you can now Login")
+        return flask.redirect(flask.url_for("login"))
+
+
+
+@app.route("/user/<userId>/settings")
+def settings(userId):
+
+    #Yes its silly that I forgot cookies, let pretend its an API
+    thisUser = User.query.filter_by(id=userId).first()
+    if not thisUser:
+        flask.flash("No Such User")
+        return flask.redirect(flask.url_for("index"))
+
+    return flask.render_template("usersettings.html",
+                                 user = thisUser)
+
+@app.route("/user/<userId>/update", methods=["GET","POST"])
+def updateUser(userId):
+
+    thisUser = User.query.filter_by(id = userId).first()
+    if not thisUser:
+        flask.flash("No Such User")
+        return flask.redirect(flask_url_for("index"))
+
+    #otherwise we want to do the checks
+    if flask.request.method == "POST":
+        logging.warning("------------------------")
+        current = flask.request.form.get("current")
+        password = flask.request.form.get("password")
+        if current:
+            if current == thisUser.password:
+                thisUser.password = password
+                db.session.commit()
+            else:
+                flask.flash("Current Password is incorrect")
+            return flask.redirect(flask.url_for("settings",
+                                                userId = thisUser.id))
+
+        adminSubmit = flask.request.form.get("updateadmin")
+        logging.warning("Admin Submit %s", adminSubmit)
+        if adminSubmit:
+            admin = flask.request.form.get("admin")
+            logging.warning("Admin Box is %s", admin)
+
+            if admin:
+                admin = "admin"
+            else:
+                admin = "user"
+
+            thisUser.level = admin
+            #And update the Session
+            flask.session["role"] = admin
+            db.session.commit()
+            logging.warning(" UPDATING THE ADMIN ")
+            logging.warning("Level %s ", thisUser.level)
+            return flask.redirect(flask.url_for("settings", userId=userId))
+
+    #if thisUser.id != flask.session["user"]
+    #And then update the settings
+    #if
+    flask.flash("Update Error")
+
+    return flask.redirect(flask.url_for("settings", userId=userId))
+
+
+
+@app.errorhandler(404)
+def page_not_found(e):
+    # note that we set the 404 status explicitly
+    return flask.render_template('404.html', e = e), 404
+
+
+# @app.route('/')
+# def main():
+#     #payload = flask.request.args.get("payload")
+#     return flask.render_template('index.html')
+
+
+# @app.route("/admin")
+# def admin():
+#     return flask.render_template('admin.html')
+
+
+# @app.route("/my")
+# @app.route("/my/admin/")
+
+# def enum():
+#     return flask.render_template('enum.html')
+
+
+# @app.route("/my-sql")
+# def badEnum():
+#     flask.abort(403)
+#     return "foo"
+
+# @app.route("/my-sql/admin")
+# @app.route("/my/admin/spider")
+# def enumSuccess():
+
+#     #Can i get the route
+# #    flask.request.route
+
+#     return flask.render_template('enum.html',
+#                                  success=True)
+
diff --git a/Dirbusting/app/mappingViews.py b/Dirbusting/app/mappingViews.py
@@ -0,0 +1,40 @@
+"""
+Views for the mapping task
+"""
+
+import flask
+
+from .meta import app
+
+
+from .models import *
+
+
+
+@app.route("/products")
+def products():
+    """
+    Single Page Application for Products
+    """
+    theItem = flask.request.args.get("item")
+    if theItem:
+        #We Do A Query for It
+        itemQry = Item.query.filter_by(id=theItem).first()
+        if itemQry is None:
+            flask.abort(404, "No Such Item")
+
+        return flask.render_template("showItem.html",
+                                     item = itemQry)
+    else:
+        #flask.abort(404, "No Args Specified")
+        #return "No such product"
+
+        books = Item.query.filter_by(category="book")
+        books.filter_by(hidden=False)
+
+        return flask.render_template("allItems.html",
+                                     books = books)
+
+#def listItems(itemId = None, category=None, hidden=False):
+
+