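def mail_compose():
    """Compose and send an internal mail: ``GET`` renders the form, ``POST`` sends.

    On ``POST`` the form must carry ``receiver`` (a ``User`` id), ``subject``
    and ``content``; a missing key is left to ``request.form`` to reject.
    An unknown receiver id aborts with 400. When the receiver's ``role`` is
    ``0`` (the administrator role, per the original comment) a canned
    ``ADMIN_RESPONSE`` reply from that user back to ``g.user`` is created as
    well. Both rows are written in a single commit, so a failure while
    building the reply can no longer leave the outbound mail persisted on
    its own (the original committed twice). Redirects to ``core.mail``.

    On ``GET`` renders ``mail_compose.html`` with every user except the
    current one, ordered by username.
    """
    if request.method == 'POST':
        receiver = User.query.get(request.form['receiver'])
        if not receiver:
            abort(400, 'Invalid receiver.')
        # NOTE(review): the form excludes the current user from the receiver
        # list, but a crafted POST can still name g.user.id here — confirm
        # whether self-addressed mail should be rejected.
        content = request.form['content']
        subject = request.form['subject']
        letter = Mail(content=content, subject=subject, sender=g.user, receiver=receiver)
        db.session.add(letter)
        # generate automated Administrator response
        if receiver.role == 0:
            reply = Mail(content=ADMIN_RESPONSE, subject='RE: ' + subject,
                         sender=receiver, receiver=g.user)
            db.session.add(reply)
        # one commit for the mail and its optional auto-reply: all or nothing
        db.session.commit()
        flash('Mail sent.')
        return redirect(url_for('core.mail'))
    users = User.query.filter(User.id != g.user.id).order_by(
        User.username.asc()).all()
    return render_template('mail_compose.html', users=users)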
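def post(self):
    """Send a mail through the JSON API and return the created mail serialized.

    Expects a JSON object with ``receiver`` (a ``User`` id), ``subject`` and
    ``content``. Aborts 400 when the body is not a JSON object, the receiver
    is missing or unknown, or ``subject``/``content`` are absent or not
    strings. The original read ``subject`` with ``.get`` and only failed on
    ``'RE:' + subject`` after the first commit, so a body without a subject
    sent to an admin produced a 500 with the outbound mail already stored.

    When the receiver's ``role`` is ``0`` a canned ``ADMIN_RESPONSE`` reply
    from the receiver back to ``g.user`` is created too; both rows go in one
    commit. Returns ``letter.serialize()`` for the mail the caller sent.
    """
    # silent=True: a non-JSON body becomes None, so we fall through to the
    # receiver check below instead of raising inside the view
    payload = request.get_json(silent=True) or {}
    receiver_id = payload.get('receiver')
    receiver = User.query.get(receiver_id) if receiver_id is not None else None
    if not receiver:
        abort(400, 'Invalid receiver.')
    subject = payload.get('subject')
    content = payload.get('content')
    # untrusted JSON: both must be strings before they are stored or concatenated
    if not isinstance(subject, str) or not isinstance(content, str):
        abort(400, 'Invalid subject or content.')
    letter = Mail(
        content=content,
        subject=subject,
        sender=g.user,
        receiver=receiver,
    )
    db.session.add(letter)
    # generate automated Administrator response
    if receiver.role == 0:
        # NOTE(review): the form-based view prefixes 'RE: ' (with a space);
        # this endpoint uses 'RE:' — confirm which one is intended.
        auto_letter = Mail(
            content=ADMIN_RESPONSE,
            subject='RE:' + subject,
            sender=receiver,
            receiver=g.user,
        )
        db.session.add(auto_letter)
    # single commit so the mail and its auto-reply are persisted together
    db.session.commit()
    return letter.serialize()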
def submissions_edit(bid):
    """Let the submitter edit their own, not-yet-validated bug submission.

    ``GET`` renders ``submissions_edit.html`` with the submission and the
    ``VULNERABILITIES``/``SEVERITY`` choice tables. ``POST`` overwrites
    title, vuln_id, severity, description and impact from the form, queues
    an ``UPDATE_NOTIFICATION`` mail from the user with id 1 (the sender this
    module uses for every system mail) to the assigned reviewer, commits
    both, and redirects to the submission view.

    Aborts 404 for an unknown ``bid`` and 403 when the submission is already
    validated or ``g.user`` is not its submitter.
    """
    submission = Bug.query.get_or_404(bid)
    # only the owner may edit, and only while no reviewer has validated it
    if submission.is_validated or submission.submitter != g.user:
        abort(403)
    if request.method != 'POST':
        return render_template('submissions_edit.html', submission=submission,
                               vulnerabilities=VULNERABILITIES, severity=SEVERITY)
    form = request.form
    # NOTE(review): vuln_id and severity are stored exactly as submitted and
    # are not checked against VULNERABILITIES / SEVERITY here — confirm
    # whether the model or the template constrains them.
    for field in ('title', 'vuln_id', 'severity', 'description', 'impact'):
        setattr(submission, field, form[field])
    # send message to reviewer
    # NOTE(review): submission.reviewer may be unset if no reviewer was
    # assigned at creation; the mail would then have no receiver — verify.
    system_user = User.query.get(1)
    link = url_for('core.submissions_view', bid=submission.id, _external=True)
    notice = Mail(content=UPDATE_NOTIFICATION.format(link, submission.id),
                  subject='Submission Updated', sender=system_user,
                  receiver=submission.reviewer)
    db.session.add_all((submission, notice))
    db.session.commit()
    flash('Submission updated.')
    return redirect(url_for('core.submissions_view', bid=submission.id))
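def create_bug_for_reviewer(reviewer):
    """Seed a sample bug submission assigned to ``reviewer`` and notify them.

    Creates a fixed "credentials over GET" submission from the user with
    id 3, assigns ``reviewer``, then queues a ``REVIEW_NOTIFICATION`` mail
    from the user with id 1 to the reviewer linking to the submission. Both
    rows are committed together.

    The submission is added and flushed before the link is built: the
    primary key is assigned by the database at flush time, so building
    ``url_for(..., bid=submission.id)`` beforehand (as the original did)
    used ``None`` as the id — a broken link or a URL build error, depending
    on the route converter.
    """
    # bug
    title = 'Credientals Over GET method in plain Text'
    vuln_id = 12
    severity = 2
    description = 'While I was testing the application i found this bug where the application is sending the credentials over Plain text in the URL of a GET request: `https://auth.ratelimited.me/login?username=testqaz%40grr.la&password=D33vanh%40h%40h%40`'
    impact = 'If the application is sending the credentials over GET request it will be saved in the history of the Browser.'
    submitter = User.query.get(3)
    submission = Bug(title=title, vuln_id=vuln_id, severity=severity,
                     description=description, impact=impact,
                     submitter=submitter, reviewer=reviewer)
    db.session.add(submission)
    # flush (not commit) so submission.id exists while the transaction stays open
    db.session.flush()
    # mail
    sender = User.query.get(1)
    receiver = reviewer
    subject = 'New Submission for Review'
    bug_href = url_for('core.submissions_view', bid=submission.id, _external=True)
    content = REVIEW_NOTIFICATION.format(bug_href, submission.id)
    mail = Mail(content=content, subject=subject, sender=sender, receiver=receiver)
    # write to the database
    db.session.add(mail)
    db.session.commit()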
def create_welcome_message(user):
    """Queue the onboarding mail to ``user`` and commit it.

    The receiver is ``user``; the sender is always the account with id 1,
    which this module uses for every system-generated mail. Subject and
    body are fixed strings.
    """
    welcome = Mail(
        content=(
            "We're glad you've chosen PwnedHub to help you take your next step in becoming a more efficient security consultant. We're here to help. If you have any questions or concerns, please don't hesitate to reach out to this account for assistance. Together, we can make security testing great again!"
        ),
        subject='Welcome to PwnedHub!',
        sender=User.query.get(1),
        receiver=user,
    )
    db.session.add(welcome)
    db.session.commit()
def send(self):
    """Deliver this mail as an HTML e-mail and record it as a ``MailModel`` row.

    With ``settings.DEBUG`` on, the recipient is replaced by the fixed test
    address and the subject gains a ``[TEST] `` prefix — both mutate
    ``self``. The message goes out through ``EmailMessage`` (presumably
    Django's) with ``content_subtype`` ``html``; only after ``send()``
    returns is a ``MailModel`` row saved with ``is_send=True``, so a failed
    send records nothing.
    """
    if settings.DEBUG:
        self.recipient = '*****@*****.**'
        self.subject = '[TEST] ' + self.subject
    # NOTE(review): the body is sent as HTML markup; if self.message can
    # carry user-supplied text it must be escaped upstream — not visible here.
    from_addr = 'Car Battle <*****@*****.**>'
    outbound = EmailMessage(self.subject, self.message, from_addr, [self.recipient])
    outbound.content_subtype = "html"
    outbound.send()
    record = MailModel()
    record.user = self.user
    record.sender = '*****@*****.**'
    record.receiver = self.recipient
    record.subject = self.subject
    record.content = self.message
    record.is_send = True
    record.save()
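def submissions_new():
    """Create a bug submission from the form and notify a randomly chosen reviewer.

    ``GET`` renders ``submissions_new.html`` with the ``VULNERABILITIES`` and
    ``SEVERITY`` choice tables. ``POST`` reads title, vuln_id, severity,
    description and impact; if ``Bug.is_unique`` accepts the joined
    title/description/impact signature, a reviewer is drawn at random from
    active (``status == 1``) basic (``role == 1``) users other than
    ``g.user``, the submission is stored, a ``REVIEW_NOTIFICATION`` mail
    from the user with id 1 is queued to the reviewer, and the request is
    redirected to the submission view. A duplicate only flashes a message
    and re-renders the form.

    The submission is added and flushed before the notification link is
    built: the primary key is assigned at flush time, so the original's
    ``url_for(..., bid=submission.id)`` ran with ``None`` as the id.
    """
    if request.method == 'POST':
        title = request.form['title']
        vuln_id = request.form['vuln_id']
        severity = request.form['severity']
        description = request.form['description']
        impact = request.form['impact']
        signature = ' '.join((title, description, impact))
        if Bug.is_unique(signature):
            # only basic users can be reviewers
            reviewer = User.query.filter(
                User.id != g.user.id,
                User.status == 1,
                User.role == 1,
            ).order_by(func.random()).first()
            # NOTE(review): reviewer is None when no eligible user exists;
            # the submission is then stored without a reviewer and the mail
            # below has no receiver — confirm how that case should behave.
            submission = Bug(title=title, vuln_id=vuln_id, severity=severity,
                             description=description, impact=impact,
                             submitter=g.user, reviewer=reviewer)
            db.session.add(submission)
            # flush (not commit) so submission.id exists while the transaction stays open
            db.session.flush()
            # send message to reviewer
            sender = User.query.get(1)
            receiver = reviewer
            subject = 'New Submission for Review'
            bug_href = url_for('core.submissions_view', bid=submission.id, _external=True)
            content = REVIEW_NOTIFICATION.format(bug_href, submission.id)
            mail = Mail(content=content, subject=subject, sender=sender, receiver=receiver)
            db.session.add(mail)
            db.session.commit()
            flash('Submission created.')
            return redirect(url_for('core.submissions_view', bid=submission.id))
        else:
            flash('Similar submission already exists.')
    return render_template('submissions_new.html', vulnerabilities=VULNERABILITIES, severity=SEVERITY)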
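def submissions_action(action, bid):
    """Apply a review action to a submission and notify its submitter.

    ``action`` is matched as a prefix of the status names in
    ``BUG_STATUSES``; the first matching status id (in dict order) becomes
    the new ``status``. Only the assigned reviewer may act, and only while
    the submission is not yet validated (403 otherwise; 404 for an unknown
    ``bid``). On a recognised action a ``BUG_NOTIFICATIONS[status]`` mail
    from the user with id 1 is queued to the submitter — status 2 also
    formats ``submission.bounty`` into the template — and both rows are
    committed. An unrecognised action only flashes an error. Always
    redirects to the submission view.
    """
    submission = Bug.query.get_or_404(bid)
    if submission.is_validated or submission.reviewer != g.user:
        abort(403)
    # resolve the action once; the original scanned BUG_STATUSES twice
    matches = [aid for aid, status in BUG_STATUSES.items() if status.startswith(action)]
    if matches:
        # NOTE(review): prefix matching lets a short action match several
        # statuses; the first in BUG_STATUSES order wins. Confirm whether an
        # exact match is intended.
        submission.status = matches[0]
        # send message to submitter
        sender = User.query.get(1)
        receiver = submission.submitter
        subject = 'Submission #{:05d} {}'.format(
            submission.id, BUG_STATUSES[submission.status].title())
        bug_href = url_for('core.submissions_view', bid=submission.id, _external=True)
        # statuses 1 and 3 take (link, id); status 2 additionally reports the
        # bounty. Looking the template up for whichever status matched means
        # an unexpected one fails on the lookup instead of leaving `content`
        # unassigned, as the original's if-chain did.
        format_args = (bug_href, submission.id)
        if submission.status == 2:
            format_args += (submission.bounty,)
        content = BUG_NOTIFICATIONS[submission.status].format(*format_args)
        mail = Mail(content=content, subject=subject, sender=sender, receiver=receiver)
        db.session.add_all((submission, mail))
        db.session.commit()
        flash('Bug status changed.')
    else:
        flash('Invalid action.')
    return redirect(url_for('core.submissions_view', bid=bid))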