import hmac
import os
import random
import re
import string
import subprocess
import time
import urllib.parse as urlparse
from http.server import BaseHTTPRequestHandler, HTTPServer
# git history password storage
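# Listening address. '0.0.0.0' binds every interface, so the service is
# reachable from any network the host is attached to.
# NOTE(review): restrict this (or firewall the port) if the challenge is only
# meant to be reachable from a lab network - confirm with the deployment.
HOST = '0.0.0.0'
PORT = 7009

# All challenge data is loaded once at start-up. Each file is opened in a
# `with` block so the handle is closed as soon as its lines have been read,
# instead of staying open for the lifetime of the server process.
with open('flag19.txt', 'r') as challenge_file:
    challenge_data = challenge_file.readlines()  # list of lines shown after a successful login

# The credentials file is read as plaintext: line 1 is the username and
# line 2 the password. A file with fewer than two lines raises IndexError here.
with open('usernameANDpassword.txt', 'r') as usernameANDpassword_file:
    creds_data = usernameANDpassword_file.readlines()
creds_username = creds_data[0].strip()
creds_password = creds_data[1].strip()

with open('git.log', 'r') as log_file:
    log_data = log_file.readlines()  # list of lines returned for ?git=log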
# create an HTTP handler based on the existing BaseHTTPRequestHandler
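class HTTPHandler(BaseHTTPRequestHandler):
    """Serve the challenge page: a credential check and a read-only git-history view.

    Query parameters handled on GET requests:
      * ``username`` and ``password`` - show the flag lines when both match
        the stored credentials, otherwise an error message.
      * ``git=log`` - show the lines of ``git.log``.
      * ``git=checkout`` with ``hash=<name>`` - show the file ``commits/<name>``.

    NOTE(review): the credentials travel in the URL query string, so they end
    up in the request line that the base handler logs and in any proxy log in
    front of this server.
    """

    # Directory holding one file per commit; checkout reads must stay inside it.
    _COMMITS_DIR = 'commits'

    def do_GET(self):
        """Answer every GET request with status 200 and the rendered page."""
        self.respond({'status': 200})

    @staticmethod
    def _lines_to_html(lines):
        """Join *lines* into one string, appending ``<br>`` after each line.

        The text is inserted into the page without HTML escaping.
        NOTE(review): acceptable only while these files are operator-controlled.
        """
        return ''.join(line + '<br>' for line in lines)

    @classmethod
    def _read_commit(cls, commit_hash):
        """Return the lines of ``commits/<commit_hash>``, or None if it cannot be served.

        ``commit_hash`` comes straight from the query string. The path is
        resolved (following symlinks) and must still be located inside the
        commits directory before it is opened; any other name is treated the
        same as a missing file.
        """
        try:
            base_dir = os.path.realpath(cls._COMMITS_DIR)
            target = os.path.realpath(os.path.join(base_dir, commit_hash))
            if os.path.commonpath([base_dir, target]) != base_dir:
                return None
            with open(target, 'r') as commit_file:
                return commit_file.readlines()
        except (OSError, ValueError):
            # OSError: missing/unreadable file or a directory.
            # ValueError: malformed name (e.g. embedded NUL) or undecodable content.
            return None

    def handle_http(self, status_code, path):
        """Send the response headers and build the page body for *path*.

        Args:
            status_code: HTTP status to send.
            path: request path including the query string.

        Returns:
            The contents of ``index.html`` with ``CONTENT_PLACEMENT`` replaced
            by the generated output, encoded as UTF-8 bytes.
        """
        # Headers go out before the body is built, as in the original flow.
        self.send_response(status_code)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

        # Parse the query string once instead of on every lookup.
        params = urlparse.parse_qs(urlparse.urlparse(path).query)
        output = ''

        if 'username' in params and 'password' in params:
            username = params['username'][0]
            password = params['password'][0]
            # Constant-time comparison, and both fields are always evaluated,
            # so response timing does not reveal which field (or how much of
            # it) matched.
            username_ok = hmac.compare_digest(
                username.encode('utf-8'), creds_username.encode('utf-8'))
            password_ok = hmac.compare_digest(
                password.encode('utf-8'), creds_password.encode('utf-8'))
            if username_ok and password_ok:
                # Correct credentials: show the protected file.
                output = self._lines_to_html(challenge_data)
            else:
                output = 'Wrong admin credentials!'
        elif 'git' in params:
            cmd = params['git'][0]
            if cmd == 'log':
                output = self._lines_to_html(log_data)
            elif cmd == 'checkout' and 'hash' in params:
                # A checkout is only served when a hash is supplied as well.
                commit_lines = self._read_commit(params['hash'][0])
                if commit_lines is None:
                    output = 'File not found'
                else:
                    output = self._lines_to_html(commit_lines)

        # Wrap the output and drop it into the page template; the template
        # handle is closed right after reading.
        current_output = '''<p>{}</p>'''.format(output)
        with open('index.html', 'r') as template_file:
            template = template_file.read()
        content = template.replace('CONTENT_PLACEMENT', current_output)
        return bytes(content, 'UTF-8')

    def respond(self, opts):
        """Build the page for the current request path and write it to the client.

        Args:
            opts: dict whose ``'status'`` entry is the HTTP status code to send.
        """
        response = self.handle_http(opts['status'], self.path)
        self.wfile.write(response)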
if __name__ == '__main__':
    # Bind the challenge server to the configured address and serve requests
    # until the operator interrupts it from the keyboard.
    bind_address = (HOST, PORT)
    server = HTTPServer
    httpd = server(bind_address, HTTPHandler)
    print(time.asctime(), 'Server Starts - %s:%s' % bind_address)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        # Ctrl-C is the expected way to stop; fall through to the cleanup below.
        pass
    # Release the listening socket and report the shutdown.
    httpd.server_close()
    print(time.asctime(), 'Server Stops - %s:%s' % bind_address)