Esempio n. 1
0
def show_registration():
    user = utils.get_user_from_cookie(request)
    page_name = 'register'

    if request.method.lower() == 'get':
        page_content = render_template("register.html")
        return render_page(page_content, "register", user=user)

    if request.method.lower() == 'post':
        username = request.form.get("username") or ""
        password = request.form.get("password") or ""
        if not username or not password:
            page_content = render_template("register.html",
                                           message='Missing field')
            return render_page(page_content, page_name)

        if utils.check_username(username):
            page_content = render_template("register.html",
                                           message='That username is taken!')
            return render_page(page_content, page_name)

        seed = utils.generate_seed(username, request.remote_addr)
        totp_key = utils.get_totp_key(seed)
        utils.register_user(username, password, request.remote_addr)
        qr_url = 'http://api.qrserver.com/v1/create-qr-code/?data=otpauth://totp/%s?secret=%s&size=220x220&margin=0' % (
            username, totp_key)
        page_content = render_template(
            "register.html",
            message=
            "Success! <a href='/login'>login here</a><br />TOTP Key: %s<br /><img src='%s' />"
            % (totp_key, qr_url))

        return render_page(page_content, page_name)
Esempio n. 2
0
def show_registration():
    user = utils.get_user_from_cookie(request)
    page_name = 'register'

    if request.method.lower() == 'get':
        page_content = render_template("register.html")
        return render_page(page_content, "register", user=user)

    if request.method.lower() == 'post':
        username = request.form.get("username") or ""
        password = request.form.get("password") or ""
        if not username or not password :
            page_content = render_template("register.html", message='Missing field')
            return render_page(page_content, page_name)

        if utils.check_username(username):
            page_content = render_template("register.html", message='That username is taken!')
            return render_page(page_content, page_name)

        seed = utils.generate_seed(username, request.remote_addr)
        totp_key = utils.get_totp_key(seed)
        utils.register_user(username, password, request.remote_addr)
        qr_url = 'http://api.qrserver.com/v1/create-qr-code/?data=otpauth://totp/%s?secret=%s&amp;size=220x220&amp;margin=0'%(username, totp_key)
        page_content = render_template(
            "register.html",
            message="Success! <a href='/login'>login here</a><br />TOTP Key: %s<br /><img src='%s' />" % (totp_key, qr_url)
        )

        return render_page(page_content, page_name)
Esempio n. 3
0
def show_registration():
    user = utils.get_user_from_cookie(request)
    page_name = "register"

    if request.method.lower() == "get":
        page_content = render_template('register.html')
        return render_page(page_content, 'register', user=user)

    if request.method.lower() == "post":
        username = request.form.get('username') or ''
        password = request.form.get('password') or ''
        if not username or not password :
            page_content = render_template('register.html', message="Missing field")
            return render_page(page_content, page_name)

        if utils.check_username(username):
            page_content = render_template('register.html', message="That username is taken!")
            return render_page(page_content, page_name)

        seed = utils.generate_seed(username, request.remote_addr)
        totp_key = utils.get_totp_key(seed)
        utils.register_user(username, password, request.remote_addr)
        qr_url = "http://api.qrserver.com/v1/create-qr-code/?data=otpauth://totp/%s?secret=%s&size=220x220&margin=0"%(username, totp_key)
        page_content = render_template(
            'register.html',
            message='Success! <a href="/login">login here</a><br />TOTP Key: %s<br /><img src="%s" />' % (totp_key, qr_url)
        )

        return render_page(page_content, page_name)
Esempio n. 4
0
def show_login():
    page_name = 'login'

    if request.method.lower() == 'get':
        page_content = render_template("login.html")
        return render_page(page_content, "login")

    username = request.form.get("username") or ""
    password = request.form.get("password") or ""
    verification_code = request.form.get("verification_code") or ""

    if not (username and password and verification_code):
        page_content = render_template("login.html", message='Missing field')
        return render_page(page_content, page_name)

    if not utils.auth_user(username, password):
        page_content = render_template("login.html",
                                       message='Invalid credentials')
        return render_page(page_content, page_name)

    user = utils.check_username(username)
    seed = utils.generate_seed(username, user["user_ip"])
    totp_key = utils.get_totp_key(seed)
    totp = pyotp.TOTP(totp_key)

    if verification_code != totp.now():
        page_content = render_template("login.html",
                                       message='Invalid verification code')
        return render_page(page_content, page_name)

    # user/pass/totp all valid by now
    session_cookie = utils.make_cookie(app.config["COOKIE_SECRET"], username,
                                       request.remote_addr)
    response = app.make_response(redirect("/"))
    response.set_cookie('session', session_cookie)
    return response

    page_content = render_template("login.html")
    return render_page(page_content, page_name)
Esempio n. 5
0
def show_login():
    page_name = 'login'

    if request.method.lower() == 'get':
        page_content = render_template("login.html")
        return render_page(page_content, "login")

    username = request.form.get("username") or ""
    password = request.form.get("password") or ""
    verification_code = request.form.get("verification_code") or ""

    if not (username and password and verification_code):
        page_content = render_template("login.html", message='Missing field')
        return render_page(page_content, page_name)

    if not utils.auth_user(username, password):
        page_content = render_template("login.html", message='Invalid credentials')
        return render_page(page_content, page_name)

    user = utils.check_username(username)
    seed = utils.generate_seed(username, user["user_ip"])
    totp_key = utils.get_totp_key(seed)
    totp = pyotp.TOTP(totp_key)

    if verification_code != totp.now():
        page_content = render_template("login.html", message='Invalid verification code')
        return render_page(page_content, page_name)

    # user/pass/totp all valid by now
    session_cookie = utils.make_cookie(app.config["COOKIE_SECRET"], username, request.remote_addr)
    response = app.make_response(redirect("/"))
    response.set_cookie('session', session_cookie)
    return response

    page_content = render_template("login.html")
    return render_page(page_content, page_name)
Esempio n. 6
0
def show_login():
    page_name = "login"

    if request.method.lower() == "get":
        page_content = render_template('login.html')
        return render_page(page_content, 'login')

    username = request.form.get('username') or ''
    password = request.form.get('password') or ''
    verification_code = request.form.get('verification_code') or ''

    if not (username and password and verification_code):
        page_content = render_template('login.html', message="Missing field")
        return render_page(page_content, page_name)

    if not utils.auth_user(username, password):
        page_content = render_template('login.html', message="Invalid credentials")
        return render_page(page_content, page_name)

    user = utils.check_username(username)
    seed = utils.generate_seed(username, user['user_ip'])
    totp_key = utils.get_totp_key(seed)
    totp = pyotp.TOTP(totp_key)

    if verification_code != totp.now():
        page_content = render_template('login.html', message="Invalid verification code")
        return render_page(page_content, page_name)

    # user/pass/totp all valid by now
    session_cookie = utils.make_cookie(app.config['COOKIE_SECRET'], username, request.remote_addr)
    response = app.make_response(redirect('/'))
    response.set_cookie("session", session_cookie)
    return response

    page_content = render_template('login.html')
    return render_page(page_content, page_name)
Esempio n. 7
0
import hashlib

from utils import generate_seed, get_totp_key

username = "******"
password_hash = "22e59a7a2792b25684a43d5f5229b2b5caf7abf8fa9f186249f35cae53387fa3"
ip_addr = "64.124.192.210"

seed = generate_seed(username, ip_addr)
totp = get_totp_key(seed)
print "[*] Found TOTP KEY: %s" % totp

passwords = None
with open('/usr/share/john/password.lst', 'r') as fd:
    passwords = fd.read().split()

password = None
for p in passwords:
    p_hash = hashlib.sha256(username+p).hexdigest()
    if p_hash == password_hash:
        password = p
        print "[*] Found password: %s" % p
        break

if password and totp:
    flag = hashlib.md5(totp+password).hexdigest()
    print "[+] Found flag: %s" % flag