def runTest(self): r = HttpResponse("", "text/plain") cookies = {} files = {} for key in self._req.COOKIES.keys(): cookies[key] = self._req.COOKIES[key].value for key in self._req.FILES.keys(): files[key] = { 'name': self._req.FILES[key]['name'], 'size': self._req.FILES[key]['size'] } r_dict = {} r_dict['GET'] = self._req.GET r_dict['POST'] = self._req.POST r_dict['COOKIES'] = cookies r_dict['FILES'] = files #self.logger.debug("REQUEST received: %s" % str(vars(self._req))) session_items = self._req.session.items() session_attributes = {} map(lambda d: session_attributes.update(d), [{ items[0]: items[1] } for items in session_items]) r_dict['SESSION'] = session_attributes r.write(str(r_dict)) return r
def save_result(req, scan_id): if req.POST: scan = req.session.get("scan_result_" + scan_id, None) parser = NmapParser() fname = mktemp() ftemp = open(fname, "a", 0) ftemp.write(scan) ftemp.close() parser.set_xml_file(fname) parser.parse() parser.scan_name = req.POST['filename'] parser.write_xml(open(fname, "w", 0)) ftemp = open(fname, "r") scan = ftemp.read() if not scan: raise Http404 if req.POST['destination'] == "database": Scans(scan_name=parser.scan_name, nmap_xml_output=scan, date=time()) return HttpResponse("{'result': 'OK'}", "text/plain") else: response = HttpResponse(scan, "text/xml") response['Content-disposition'] = "attachment; filename=" + quote( req.POST['filename'].replace(" ", "_")) + ".usr" return response else: raise HttpError(400, "Invalid GET request.")
def runTest(self): r = HttpResponse("", "text/plain") try: self._req.session.destroy() r.write("{'result': 'OK'}") except Exception, ex: r.write("{'result': 'FAIL', 'message': '%s'}" % str(ex))
def test_ajax(req): if req.POST: return HttpResponse(req.FILES['file']['name'], 'text/plain') else: r = HttpResponse() r['Content-type'] = "text/plain" r.loadTemplate('ajax_form.html') return r
def runTest(self): r = HttpResponse("", "text/plain") try: test_attr = self._req.GET.get("name", "test") test_str = self._req.GET.get("value", "test_value") self._req.session[test_attr] = test_str r.write("{'result': 'OK'}") except Exception, ex: r.write("{'result': 'FAIL', 'message': '%s'}" % str(ex))
def runTest(self): r = HttpResponse("", "text/plain") try: test_attr = self._req.GET.get("name", "test") del self._req.session[test_attr] r.write("{'result': 'OK'}") except Exception, ex: r.write("{'result': 'FAIL', 'message': '%s'}" % str(ex).replace("'", "\""))
def get_profiles(req): profile = CommandProfile() profiles = profile.sections() response = HttpResponse() response['Content-type'] = "text/plain" ret = [] for section in profiles: ret.append([section, profile.get_command(section) % "<target>"]) response.write(str(ret)) return response
def diff_colors(req): response = HttpResponse("", "text/plain") dc = DiffColors() data = [] toHex = lambda value: "%0.2x" % floor(sqrt(value)) logger.debug(tuple(map(toHex, dc.unchanged))) data.append("'unchanged': '#%s%s%s'" % tuple(map(toHex, dc.unchanged))) data.append("'added': '#%s%s%s'" % tuple(map(toHex, dc.added))) data.append("'modified': '#%s%s%s'" % tuple(map(toHex, dc.modified))) data.append("'not_present': '#%s%s%s'" % tuple(map(toHex, dc.not_present))) response.write("var diff_colors = {%s}" % ",".join(data)) return response
def login(req): logger.debug("aeeeeeeeee") response = HttpResponse() error = "" errorclass = "hide" if req.POST: ctx = Context() user = ctx.get_user(req.POST['login'], req.POST['password']) if user: req.session['umit_user'] = user return HttpResponseRedirect("/html/") else: error = "Incorrect username or password" errorclass = "" response.loadTemplate("html/login.html") return response % {"error": error, "errorclass": errorclass}
def permissions_search(req): if not req.POST: raise HttpError(400, "Invalid Request") search = req.POST.get("search", "") ctx = Context() permissions = [ p for p in ctx.permissions if search.lower() in p.id.lower() ] data = [] for p in permissions: pdata = [] pdata.append("'id': '%s'" % p.id.replace("'", "\\'")) pdata.append("'description': '%s'" % p.description.replace("'", "\\'")) pdata.append("'type': '%s'" % p.type.replace("'", "\\'")) cdata = [] for c in p.constraints: ccdata = [] ccdata.append("'type': '%s'" % c.type.replace("'", "\\'")) ccdata.append("'content': '%s'" % c.content.replace("'", "\\'").replace("\\", "\\\\")) cdata.append("{%s}" % ",".join(ccdata)) pdata.append("'constraints': [%s]" % ",".join(cdata)) data.append("{%s}" % ",".join(pdata)) return HttpResponse("[%s]" % ",".join(data), "text/plain")
def edit_permission(req, id): ctx = Context() found = False p = ctx.get_permission(id) if p is None: raise Http404 p.description = req.POST['description'] p.type = req.POST['type'] constraint_types = req.POST["constraint_types"].strip() and \ req.POST['constraint_types'].split("\n") or [] constraints = req.POST["constraints"].strip() and \ req.POST['constraints'].split("\n") or [] p.constraints = [] for i, t in enumerate(constraint_types): p.add_constraint(t, constraints[i]) for i in xrange(len(ctx.permissions)): if ctx.permissions[i].id == id: ctx.permissions[i] = p break ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def roles_get_all(req): ctx = Context() return HttpResponse("[%s]" % ",".join([ "{'value': '%s', 'description': '%s'}" % (r.id.replace("'", "\\'"), r.description.replace("'", "\\'")) for r in ctx.roles ]))
def add_role(req): ctx = Context() if not req.POST: raise HttpError(400, "Invalid Request") id = req.POST['id'] description = req.POST['description'] permissions = req.POST['permissions'].strip( ) and req.POST['permissions'].split(",") or [] if id in [p.id for p in ctx.roles]: return HttpResponse( "{'result': 'FAIL', 'error': 'This id already exists. Please, choose other.'}" ) ctx.add_role(id, description, permissions) ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def get_options(req): options = NmapOptions(Path.options) opt_list = [options.get_option(id) for id in options.get_options_list() \ if req.POST.get("search", "").lower() in id.lower()] str_opt = [] for option in opt_list: data = ["'%s': '%s'" % item for item in option.items()] str_opt.append("{%s}" % ",".join(data)) return HttpResponse("[%s]" % ",".join(str_opt))
def delete_scan(req, scan_id): db = UmitDB() cursor = db.cursor if int(scan_id) not in db.get_scans_ids(): raise Http404 try: cursor.execute("DELETE FROM scans WHERE scans_id=%d" % int(scan_id)) except Exception, e: return HttpResponse("{'result': 'FAIL', 'error': '%s'}" % str(e))
def add_user(req): ctx = Context() if not req.POST: raise HttpError(400, "Invalid Request") login = req.POST['login'] name = req.POST['name'] roles = req.POST['roles'].strip() and req.POST['roles'].split(",") or [] superuser = (req.POST['superuser'] == "yes") password = req.POST['password'] if login in [u.login for u in ctx.users]: return HttpResponse( "{'result': 'FAIL', 'error': 'This login name already exists. Please, choose other.'}" ) ctx.add_user(name, login, password, superuser, roles) ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def users_search(req): ctx = Context() users = [] search = req.POST['search'] for u in ctx.users: if (search.lower() in u.login.lower()) or (search.lower() in u.name.lower()): users.append(u) return HttpResponse(__users_to_json(users))
def upload_result(req): if req.POST: if req.POST['type'] == "file": try: parser = NmapParser() parser.set_xml_file(req.FILES['scan_result']['temp_file']) parser.parse() parsed_scan = ScanJsonParser(parser).parse() junk = r"odpojfsdkjfpisudŕij208u-0w9rsdnfkdfçwrtwqr/fsasd~/???çds" key = md5.new(str(random.randint(0, sys.maxint-1)) \ + str(random.randint(1, sys.maxint-1)//2) \ + junk).hexdigest() req.session['scan_result_' + key] = open( req.FILES['scan_result']['temp_name'], 'r').read() text_out = parser.nmap_output.replace("'", "\\'").replace( "\r", "").replace("\n", "\\n' + \n'") parsed_scan = parsed_scan.replace("\n", "\\n' + \n'") return HttpResponse(("{'result': 'OK', 'id': '%s', 'output': " + \ "{'plain': '%s', 'full': %s}}") % \ (key, text_out, parsed_scan), "text/plain") except Exception, ex: logger.error("ERROR PARSING SCAN: %s" % str(ex)) return HttpResponse( "{'result': 'FAIL', 'output': '%s'}" % str(ex).replace("'", "\\'"), "text/plain") else: scan_id = req.POST['scanId'] db = UmitDB() if scan_id not in [str(sid) for sid in db.get_scans_ids()]: return HttpResponse( "{'result': 'FAIL', 'output': 'Scan not found!'}") scan = Scans(scans_id=scan_id) ftemp = open(mktemp(), "w", 0) ftemp.write(scan.nmap_xml_output) ftemp.flush() parser = NmapParser(ftemp.name) parser.parse() return HttpResponse("{'result': 'OK', 'output': {'plain': '%s', 'full': %s}}" % \ (parser.get_nmap_output().replace("'", "\\'").\ replace("\r", "").replace("\n", "\\n' + \n'"), ScanJsonParser(parser).parse()), "text/plain")
def get_user(req, id): ctx = Context() user = ctx.get_user(id=id) if not user: raise Http404 resp = [] resp.append("'name': '%s'" % user.name.replace("'", "\\'")) resp.append("'login': '******'" % user.login.replace("'", "\\'")) resp.append("'superuser': %s" % str(user.superuser).lower()) resp.append("'roles': ['%s']" % "','".join([r.id for r in user.roles])) return HttpResponse("{%s}" % ",".join(resp))
def serve_media(req, path): response = HttpResponse() filename = join(Path.media_dir, *(path.split("/"))) if not exists(filename): raise Http404 response['Content-type'] = mimetypes.guess_type(filename)[0] or 'application/octet-stream' response['Content-type'] += '; charset=utf-8' cntFile = None if sys.platform == 'win32': if response['Content-type'].startswith("text"): cntFile = open(filename, 'r') else: cntFile = open(filename, 'rb') else: cntFile = open(filename, 'r') response.write(cntFile.read()) return response
def main(req, path): testClasses = [x[1] for x in globals().items() \ if hasattr(x[1], '__bases__') and BaseTest in x[1].__bases__] resp = HttpResponse() for klass in [k for k in testClasses if k._path == path]: resp += klass(req).runTest() if resp.data: return resp else: raise Http404
def get_saved_scans(req): db = UmitDB() data = [{ "id": str(s.scans_id), "name": str(s.scan_name).replace("'", "\\'"), "date": datetime.datetime.fromtimestamp(s.date).strftime("%Y-%m-%d %H:%M:%S") } for s in db.get_scans() if req.POST.get("search", "").lower() in s.scan_name.lower()] return HttpResponse(str(data))
def delete_user(req, id): ctx = Context() found = False for i in xrange(len(ctx.users)): if ctx.users[i].login == id: del ctx.users[i] found = True break if not found: raise Http404 ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def new(req): response = HttpResponse() response['Content-type'] = "text/plain" #Replace dangerous commands command = re.sub(r"[\\;|`&]", "", req.POST['command']) if req.session.user.is_permitted(command): try: nmap_version = os.system("nmap --version") nmapCommand = NmapCommand(command) instance = server.currentInstance resourceID = instance.addResource(nmapCommand) assert isinstance(instance, UmitWebServer) th = server.currentInstance.fireResourceEvent( resourceID, "run_scan") #instance.updateResource(resourceID, [nmapCommand, th]) req.session['command_' + resourceID] = command req.session['profile_' + resourceID] = req.POST['profile_name'] req.session['target_' + resourceID] = req.POST['target'] response.write( "{'result': 'OK', 'status': 'RUNNING', 'id': '%s'}" % resourceID) except Exception, e: response.write("{'result': 'FAIL', 'status': '%s'}" % str(e).replace("'", "\\'")) return response
def check(req, resource_id): response = HttpResponse() response['Content-type'] = "text/javascript" nmapCommand = server.currentInstance.getResource(resource_id) server_thread = None if isinstance(nmapCommand, list): nmapCommand, server_thread = nmapCommand assert isinstance(server_thread, ServerThread) assert isinstance(nmapCommand, NmapCommand) if nmapCommand is None: raise Http404 if server_thread and len(server_thread.exceptions) > 0: server.currentInstance.removeResource(resource_id) raise Http500("Nmap command raised an exception!\n%s" % \ "\n".join(str(e) for e in server_thread.exceptions)) output = nmapCommand.get_output() error = nmapCommand.get_error() if nmapCommand.scan_state(): response.write("{'result': 'OK', 'status': 'RUNNING', " + \ "'output': {'text': '%s', 'error': '%s'}}" % \ (output.replace("'", "\\'").replace("\n", "\\n' + \n'"), error.replace("'", "\\'").replace("\n", "\\n' + \n'"))) else: profile = CommandProfile() parser = NmapParser() parser.set_xml_file(nmapCommand.get_xml_output_file()) parser.parse() parser.profile_name = req.session['profile_' + resource_id] parser.target = req.session['target_' + resource_id] parser.nmap_command = req.session['command_' + resource_id] parser.profile = profile.get_command(parser.profile_name) parser.profile_hint = profile.get_hint(parser.profile_name) parser.profile_description = profile.get_description( parser.profile_name) parser.profile_annotation = profile.get_annotation(parser.profile_name) parser.profile_options = profile.get_options(parser.profile_name) try: parser.nmap_output = nmapCommand.get_raw_output() except: parser.nmap_output = "\\n".join( self.scan_result.get_nmap_output().split("\n")) #del parser['nmap'] #parsed_scan = #str(__scan_to_json(parser)) parsed_scan = ScanJsonParser(parser).parse() text_out = nmapCommand.get_output().replace("'", "\\'").replace( "\n", "\\n' + \n'") response.write("{'result': 'OK', 'status': 'FINISHED', 'output':" + \ " {'full': %s, 'plain': '%s'}}" % (parsed_scan, text_out)) server.currentInstance.removeResource(resource_id) fname = mktemp() fresult = open(fname, "w", 0) parser.write_xml(fresult) req.session['scan_result_' + resource_id] = open(fname, 'r').read() return response
def runTest(self): r = HttpResponse("", "text/plain") cookies = {} files = {} for key in self._req.COOKIES.keys(): cookies[key] = self._req.COOKIES[key].value for key in self._req.FILES.keys(): files[key] = {'name': self._req.FILES[key]['name'], 'size': self._req.FILES[key]['size']} r_dict = {} r_dict['GET'] = self._req.GET r_dict['POST'] = self._req.POST r_dict['COOKIES'] = cookies r_dict['FILES'] = files #self.logger.debug("REQUEST received: %s" % str(vars(self._req))) session_items = self._req.session.items() session_attributes = {} map(lambda d: session_attributes.update(d), [{items[0]: items[1]} for items in session_items]) r_dict['SESSION'] = session_attributes r.write(str(r_dict)) return r
def add_permission(req): ctx = Context() id = req.POST["id"] description = req.POST["description"] type = req.POST["type"] constraint_types = req.POST["constraint_types"].strip() and \ req.POST['constraint_types'].split("\n") or [] constraints = req.POST["constraints"].strip() and \ req.POST['constraints'].split("\n") or [] if id in [p.id for p in ctx.permissions]: return HttpResponse( "{'result': 'FAIL', 'error': 'This id already exists. Please, choose other.'}" ) p = Permission(id, type) p.description = description for i, t in enumerate(constraint_types): p.add_constraint(t, constraints[i]) ctx.permissions.append(p) ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def new(req): response = HttpResponse() response["Content-type"] = "text/plain" # Replace dangerous commands command = re.sub(r"[\\;|`&]", "", req.POST["command"]) if req.session.user.is_permitted(command): try: nmap_version = os.system("nmap --version") nmapCommand = NmapCommand(command) instance = server.currentInstance resourceID = instance.addResource(nmapCommand) assert isinstance(instance, UmitWebServer) th = server.currentInstance.fireResourceEvent(resourceID, "run_scan") # instance.updateResource(resourceID, [nmapCommand, th]) req.session["command_" + resourceID] = command req.session["profile_" + resourceID] = req.POST["profile_name"] req.session["target_" + resourceID] = req.POST["target"] response.write("{'result': 'OK', 'status': 'RUNNING', 'id': '%s'}" % resourceID) except Exception, e: response.write("{'result': 'FAIL', 'status': '%s'}" % str(e).replace("'", "\\'")) return response
def get_role(req, id): ctx = Context() role = ctx.get_role(id) if role is None: raise Http404 data = [] data.append("'id': '%s'" % role.id) data.append("'description': '%s'" % role.description) data.append( "'permissions': ['%s']" % "','".join([p.id.replace("'", "\\'") for p in role.permissions])) return HttpResponse("{%s}" % ",".join(data), "text/plain")
def delete_permission(req, id): ctx = Context() found = False for i in xrange(len(ctx.permissions)): if ctx.permissions[i].id == id: del ctx.permissions[i] found = True break if not found: raise Http404 for i in xrange(len(ctx.roles)): for j in xrange(len(ctx.roles[i].permissions)): if ctx.roles[i].permissions[j].id == id: del ctx.roles[i].permissions[j] ctx.write_xml() return HttpResponse("{'result': 'OK'}")
def get_scan(req, scan_id): db = UmitDB() if scan_id not in [str(sid) for sid in db.get_scans_ids()]: raise Http404 scan = Scans(scans_id=scan_id) ftemp = open(mktemp(), "w", 0) ftemp.write(scan.nmap_xml_output) ftemp.flush() parser = NmapParser(ftemp.name) parser.parse() return HttpResponse("{'result': 'OK', 'output': '%s', 'xml': '%s'}" % \ (parser.get_nmap_output().replace("'", "\\'").\ replace("\r", "").replace("\n", "\\n' + \n'"), open(ftemp.name).read().replace('"', "'").\ replace("'", "\\'").\ replace("\n", "\\n' + \n'")), "text/plain")
def output_highlight(req): response = HttpResponse() response['Content-type'] = "text/javascript; charset=utf-8" highlight = JsOutputHighlight() attrDic = {} response.write("highlights = {};\n") for attr in ["closed_port", "date", "details", "filtered_port", "hostname", "ip", "open_port", "port_list"]: attribute = getattr(highlight, attr) response.write("highlights['%s'] = {};\n" % attr) for index, value in enumerate(['bold', 'italic', 'underline', 'text', 'highlight', 'regex']): if type(attribute[index]) == ListType: propValue = "#%s%s%s" % tuple(map(lambda value: "%0.2x" % floor(sqrt(value)), attribute[index])) elif type(attribute[index]) == StringType: propValue = attribute[index].replace("\\", "\\\\") else: propValue = attribute[index] response.write("highlights['%s']['%s'] = '%s';\n" % (attr, value, propValue)) return response
def login(req): resp = HttpResponse() ctx = Context() if req.POST: resp['Content-type'] = "text/plain" user = ctx.get_user(req.POST['login'], req.POST['password']) if req.GET.has_key("json"): if user: req.session['umit_user'] = user resp.write('OK') else: resp.write('FAIL') return resp else: if user: req.session['umit_user'] = user return HttpResponseRedirect("/") else: resp.loadTemplate("login.html") return resp
def index(req): response = HttpResponse() response.loadTemplate("compare_results.html") return response
def check(req, resource_id): response = HttpResponse() response["Content-type"] = "text/javascript" nmapCommand = server.currentInstance.getResource(resource_id) server_thread = None if isinstance(nmapCommand, list): nmapCommand, server_thread = nmapCommand assert isinstance(server_thread, ServerThread) assert isinstance(nmapCommand, NmapCommand) if nmapCommand is None: raise Http404 if server_thread and len(server_thread.exceptions) > 0: server.currentInstance.removeResource(resource_id) raise Http500("Nmap command raised an exception!\n%s" % "\n".join(str(e) for e in server_thread.exceptions)) output = nmapCommand.get_output() error = nmapCommand.get_error() if nmapCommand.scan_state(): response.write( "{'result': 'OK', 'status': 'RUNNING', " + "'output': {'text': '%s', 'error': '%s'}}" % ( output.replace("'", "\\'").replace("\n", "\\n' + \n'"), error.replace("'", "\\'").replace("\n", "\\n' + \n'"), ) ) else: profile = CommandProfile() parser = NmapParser() parser.set_xml_file(nmapCommand.get_xml_output_file()) parser.parse() parser.profile_name = req.session["profile_" + resource_id] parser.target = req.session["target_" + resource_id] parser.nmap_command = req.session["command_" + resource_id] parser.profile = profile.get_command(parser.profile_name) parser.profile_hint = profile.get_hint(parser.profile_name) parser.profile_description = profile.get_description(parser.profile_name) parser.profile_annotation = profile.get_annotation(parser.profile_name) parser.profile_options = profile.get_options(parser.profile_name) try: parser.nmap_output = nmapCommand.get_raw_output() except: parser.nmap_output = "\\n".join(self.scan_result.get_nmap_output().split("\n")) # del parser['nmap'] # parsed_scan = #str(__scan_to_json(parser)) parsed_scan = ScanJsonParser(parser).parse() text_out = nmapCommand.get_output().replace("'", "\\'").replace("\n", "\\n' + \n'") response.write( "{'result': 'OK', 'status': 'FINISHED', 'output':" + " {'full': %s, 'plain': '%s'}}" % (parsed_scan, text_out) ) server.currentInstance.removeResource(resource_id) fname = mktemp() fresult = open(fname, "w", 0) parser.write_xml(fresult) req.session["scan_result_" + resource_id] = open(fname, "r").read() return response
def roles(req): response = HttpResponse() response.loadTemplate("roles.html") return response
def main(req): response = HttpResponse() response.loadTemplate("html/main.html") return response
def index(req): r = HttpResponse() r.loadTemplate("preferences.html") return r
def permissions(req): response = HttpResponse() response.loadTemplate("permissions.html") return response
def users(req): response = HttpResponse() response.loadTemplate("users.html") return response
def index(req): response = HttpResponse() response.loadTemplate("index.html") return response