def requests(self, post={}, get={}): global conf access = False self.send_response(200) self.head.write("<head>") self.body.write("<body>") lite = func.sql_connect(conf['db_path']) if 'uName' in post and 'uPass' in post: # holt User anhand des usernamens ipaddr = func.no_inject(self.client_address[0]) blocktime = func.timestamp(conf['ipblock']) log = func.sql( lite, "SELECT timecode FROM log WHERE ipAddr = '%s' AND answere = 'X' AND timecode > '%s'" % (ipaddr, blocktime)) print(log) if (len(log) < 3): que = "SELECT uPass, uSalt, uID FROM users WHERE uName LIKE '%s'" % post[ "uName"][0] data = func.sql(lite, que) if len(data) == 1: # Prüft ob Passwort stimmt nMD5 = "%s%s" % (post["uPass"][0], data[0][1]) if func.md5(nMD5) == data[0][0]: # erstelle neues uSalt und uPass uSalt = func.random(75) nMD5 = "%s%s" % (post["uPass"][0], uSalt) uPass = func.md5(nMD5) session = func.random(32) expire = func.timestamp(conf['expire']) que = "UPDATE users SET uSalt = '%s',uPass='******',uSession='%s',expire='%s'" % ( uSalt, uPass, session, expire) if func.sql(lite, que): # db update erfolgreich session = session access = True else: # update fehlgeschlagen self.body.write( '''<p>Schreiben in DB Fehlgeschlagen</p>''') else: # Passwort stimmt nicht self.body.write('''<p>Passwort nicht Korrekt</p>''') dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql( lite, "DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql( lite, "INSERT INTO log (tokenID, answere, timecode, ipAddr) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now, ipaddr)) else: #user existiert nicht self.body.write('''<p>User nicht Korrekt</p>''') dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql(lite, "DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql( lite, "INSERT INTO log (tokenID, answere, timecode, ipAddr) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now, ipaddr)) else: #ip gesperrt self.body.write('''<p>Die IP-Adresse wurde gesperrt</p>''') else: #token prüfen und gleich expire erneuern print(get) if 's' in get: if "logout" in get: expire = '0000-00-00- 00:00:00' else: expire = func.timestamp(conf['expire']) now = func.timestamp() session = func.no_inject(get['s']) que = "UPDATE users SET expire='%s' WHERE uSession = '%s'" % ( expire, session) print(que) if func.sql(lite, que): if "logout" in get: self.body.write('''<p>Session beendet.</p>''') access = False else: access = True else: # Token abgelaufen self.body.write('''<p>Session abgelaufen</p>''') else: # Token nicht existent self.body.write('''<p>Keine Session gefunden</p>''') #TODO pass # Content if access == True: # hier kommt alles rein was nur erreichbar ist, wenn man angemeldet ist # Navigation navi = '''<a href="/stats/index/s/%s">Statistik</a> <a href="/user/list/s/%s">Userliste</a> <a href="/user/create/s/%s">User erstellen</a> <a href="/logout/index/s/%s">Logout</a> <hr/>''' % (session, session, session, session) self.body.write(navi) if 'user' in get: if get["user"] == '': get["user"] = '******' if get["user"] == 'create': if "submit" in post: #TODO pass else: content = '''<form action="/user/create/s/%s" method="post">Name<input type="text" name="uName" /><br/>Passwort <input type="password" name="uPass" />(Nur ausfüllen, wenn der user admin zugriff haben soll.)<br/><input type="submit" name="submit" value="Erstellen" /></form>''' % session self.body.write(content) if get["user"] == 'edit': pass #TODO if get["user"] == 'del': pass #TODO if get["user"] == 'detail': pass #TODO if get["user"] == 'list': pass #TODO if "token" in get: #token list gibts in user details schon #token create #token deleter pass if "log" in get: #todo pass else: # hier sieht man nur wenn man abgemeldet ist # Navigation self.body.write(''' <a href="/stats">Statistik</a> <a href="/login">Login</a> <hr/>''') if "login" in get: self.body.write('''<form action="" method="post"> User: <input type="text" name="uName" /><br/> Pass: <input type="password" name="uPass" /></br> <input type="submit" name="submit" value="Login" /> </form>''') #TODO self.body.write('''Abgemeldet''') if "stats" in get: self.body.write("stats chosen") pass #TODO tmp = urlsplit(self.path) print(tmp.path) if tmp.path == "/favicon.ico": #todo self.send_header('Content-Type', 'image/ico') self.end_headers() with open('favicon.ico', 'rb') as f: self.wfile.write(f.read()) f.close pass if "style.css" in get: pass #todo #Aufräumen func.sql_close(lite) self.body.write("</body></html>")
def requests(self,post={},get={}): global conf access = False self.send_response(200) self.head.write("<head>") self.body.write("<body>") lite = func.sql_connect(conf['db_path']) if 'uName' in post and 'uPass' in post: # holt User anhand des usernamens ipaddr = func.no_inject(self.client_address[0]) blocktime = func.timestamp(conf['ipblock']) log = func.sql(lite,"SELECT timecode FROM log WHERE ipAddr = '%s' AND answere = 'X' AND timecode > '%s'" % (ipaddr,blocktime)) print(log) if(len(log) < 3): que = "SELECT uPass, uSalt, uID FROM users WHERE uName LIKE '%s'" % post["uName"][0] data = func.sql(lite,que) if len(data) == 1: # Prüft ob Passwort stimmt nMD5 = "%s%s" % (post["uPass"][0],data[0][1]) if func.md5(nMD5) == data[0][0]: # erstelle neues uSalt und uPass uSalt = func.random(75) nMD5 = "%s%s" % (post["uPass"][0],uSalt) uPass = func.md5(nMD5) session = func.random(32) expire = func.timestamp(conf['expire']) que = "UPDATE users SET uSalt = '%s',uPass='******',uSession='%s',expire='%s'" % (uSalt,uPass,session,expire) if func.sql(lite,que): # db update erfolgreich session = session access = True else: # update fehlgeschlagen self.body.write('''<p>Schreiben in DB Fehlgeschlagen</p>''') else: # Passwort stimmt nicht self.body.write('''<p>Passwort nicht Korrekt</p>''') dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql(lite,"DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql(lite,"INSERT INTO log (tokenID, answere, timecode, ipAddr) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now,ipaddr)); else: #user existiert nicht self.body.write('''<p>User nicht Korrekt</p>''') dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql(lite,"DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql(lite,"INSERT INTO log (tokenID, answere, timecode, ipAddr) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now,ipaddr)); else: #ip gesperrt self.body.write('''<p>Die IP-Adresse wurde gesperrt</p>''') else: #token prüfen und gleich expire erneuern print(get) if 's' in get: if "logout" in get: expire = '0000-00-00- 00:00:00' else: expire = func.timestamp(conf['expire']) now = func.timestamp() session = func.no_inject(get['s']) que = "UPDATE users SET expire='%s' WHERE uSession = '%s'" % (expire,session) print(que) if func.sql(lite,que): if "logout" in get: self.body.write('''<p>Session beendet.</p>''') access = False else: access = True else: # Token abgelaufen self.body.write('''<p>Session abgelaufen</p>''') else: # Token nicht existent self.body.write('''<p>Keine Session gefunden</p>''') #TODO pass # Content if access == True: # hier kommt alles rein was nur erreichbar ist, wenn man angemeldet ist # Navigation navi = '''<a href="/stats/index/s/%s">Statistik</a> <a href="/user/list/s/%s">Userliste</a> <a href="/user/create/s/%s">User erstellen</a> <a href="/logout/index/s/%s">Logout</a> <hr/>''' % (session,session,session,session) self.body.write(navi) if 'user' in get: if get["user"] == '': get["user"] = '******' if get["user"] == 'create': if "submit" in post: #TODO pass else: content = '''<form action="/user/create/s/%s" method="post">Name<input type="text" name="uName" /><br/>Passwort <input type="password" name="uPass" />(Nur ausfüllen, wenn der user admin zugriff haben soll.)<br/><input type="submit" name="submit" value="Erstellen" /></form>''' % session self.body.write(content) if get["user"] == 'edit': pass #TODO if get["user"] == 'del': pass #TODO if get["user"] == 'detail': pass #TODO if get["user"] == 'list': pass #TODO if "token" in get: #token list gibts in user details schon #token create #token deleter pass if "log" in get: #todo pass else: # hier sieht man nur wenn man abgemeldet ist # Navigation self.body.write(''' <a href="/stats">Statistik</a> <a href="/login">Login</a> <hr/>''') if "login" in get: self.body.write('''<form action="" method="post"> User: <input type="text" name="uName" /><br/> Pass: <input type="password" name="uPass" /></br> <input type="submit" name="submit" value="Login" /> </form>''') #TODO self.body.write('''Abgemeldet''') if "stats" in get: self.body.write("stats chosen"); pass #TODO tmp = urlsplit(self.path) print(tmp.path) if tmp.path == "/favicon.ico": #todo self.send_header('Content-Type','image/ico') self.end_headers() with open('favicon.ico', 'rb') as f: self.wfile.write(f.read()) f.close pass if "style.css" in get: pass #todo #Aufräumen func.sql_close(lite); self.body.write("</body></html>")
def requests(self,post={},get={}): global conf html = False access = False self.send_response(200) self.send_header('Content-Type','text/html') self.end_headers() if 'style.css' not in get.keys() and 'favicon.ico' not in get.keys(): html = True self.wfile.write(bytes("<html><head><title>Web-Administration Zuul</title><link href='/style.css' type='text/css' rel='stylesheet'/></head><body>","UTF-8")) lite = func.sql_connect(conf['db_path']) # session erzeugen if bytes('u',"UTF-8") in post.keys() and bytes('p',"UTF-8") in post.keys(): # holt User anhand des usernamens ipaddr = func.no_inject(self.client_address[0]) blocktime = func.timestamp(conf['ipblock']) log = func.sql(lite,"SELECT timecode FROM log WHERE addInfo = '%s' AND answere = 'X' AND timecode > '%s'" % (ipaddr,blocktime)) if(len(log) < 5): que = "SELECT uPass, uSalt, uID FROM users WHERE uName LIKE '%s'" % post[b"u"][0].decode("utf-8") print(que) data = func.sql(lite,que) if len(data) == 1: # Prüft ob Passwort stimmt nMD5 = "%s%s" % (post[b"p"][0].decode("utf-8") ,data[0][1]) if func.md5(nMD5) == data[0][0]: # erstelle neues uSalt und uPass uSalt = func.random(75) nMD5 = "%s%s" % (post[b"p"][0].decode("utf-8") ,uSalt) uPass = func.md5(nMD5) session = func.random(32) expire = func.timestamp(conf['expire']) que = "UPDATE users SET uSalt = '%s',uPass='******',uSession='%s',expire='%s'" % (uSalt,uPass,session,expire) if func.sql(lite,que): # db update erfolgreich session = session access = True else: # update fehlgeschlagen self.wfile.write(bytes('''<p>Schreiben in DB Fehlgeschlagen</p>''',"UTF-8")) else: # Passwort stimmt nicht self.wfile.write(bytes('''<p>Passwort nicht Korrekt</p>''',"UTF-8")) dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql(lite,"DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql(lite,"INSERT INTO log (tokenID, answere, timecode, addInfo) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now,ipaddr)); else: #user existiert nicht self.wfile.write(bytes('''<p>User nicht Korrekt</p>''',"UTF-8")) dellog = func.timestamp(conf['dellog']) now = func.timestamp() func.sql(lite,"DELETE FROM log WHERE timecode < '%s';" % dellog) func.sql(lite,"INSERT INTO log (tokenID, answere, timecode, addInfo) VALUES ('fffffffffffffffffffffffffffffffff','X','%s','%s')" % (now,ipaddr)); else: #ip gesperrt self.wfile.write(bytes('''<p>Die IP-Adresse wurde gesperrt</p>''',"UTF-8")) else: # laufende session #token prüfen und gleich expire erneuern if 's' in get.keys(): if 'logout' in get.keys(): expire = '0000-00-00- 00:00:00' else: expire = func.timestamp(conf['expire']) now = func.timestamp() session = func.no_inject(get['s']) que = "UPDATE users SET expire='%s' WHERE uSession = '%s'" % (expire,session) if func.sql(lite,que): if 'logout' in get.keys(): self.wfile.write(bytes('''<p>Session beendet.</p>''',"UTF-8")) access = False else: access = True else: # Token abgelaufen self.wfile.write(bytes('''<p>Session abgelaufen</p>''',"UTF-8")) else: # Token nicht existent self.wfile.write(bytes('''<p>Keine Session gefunden</p>''',"UTF-8")) # Content if access == True: # hier kommt alles rein was nur erreichbar ist, wenn man angemeldet ist # Navigation navi = '''<div><a href="/stats/index/s/%s">Statistik</a> <a href="/user/list/s/%s">Userliste</a> <a href="/user/create/s/%s">User erstellen</a> <a href="/logout/index/s/%s">Logout</a></div> <hr/>''' % (session,session,session,session) self.wfile.write(bytes(navi,"UTF-8")) if 'token' in get.keys(): #token search #TODO #token create #ungeprüft if get['token'] == 'add': if 'tid' in get.keys(): tid = func.no_inject(get['tid']) id = func.no_inject(get['id']) if func.sql(lite,"INSERT INTO token (tID,userID,tKey) VALUES ('"+tid+"','"+id+"','')"): self.wfile.write(bytes('''<p>Anlegen erfolgreich</p>''',"UTF-8")) else: self.wfile.write(bytes('''<p>Anlegen fehlgeschlagen</p>''',"UTF-8")) get['user'] = '******' else: data = func.sql(lite,"SELECT tokenID,timecode FROM log WHERE answere = 'D' ORDER BY timecode DESC LIMIT 10") for d in data: self.wfile.write(bytes("[<a href='/token/add/id/"+get['id']+"/tid/"+d[0]+"/s/"+session+"'>Add to User</a>] "+ d[0] +"("+d[1]+")","UTF-8")) #token deleter if get['token'] == 'del': if 'tid' in get.keys(): tid = func.no_inject(get['tid']) if func.sql(lite,"DELETE FROM token WHERE tID = '"+tid+"';"): self.wfile.write(bytes('''<p>Löschen erfolgreich</p>''',"UTF-8")) else: self.wfile.write(bytes('''<p>Löschen fehlgeschlagen</p>''',"UTF-8")) get['user'] = '******' else: data = func.sql(lite,"SELECT tokenID,timecode FROM log WHERE answere = 'D' ORDER BY timecode DESC LIMIT 10") for d in data: self.wfile.write(bytes("[<a href='/token/add/id/"+get['id']+"/tid/"+d[0]+"/s/"+session+"'>Add to User</a>] "+ d[0] +"("+d[1]+")","UTF-8")) #token an anderen user geben if get['token'] == 'change': pass #TODO if 'log' in get.keys(): pass #todo if 'user' in get.keys(): #ungeprüft if get["user"] == '': get["user"] = '******' #ungeprüft if get["user"] == 'create': if bytes('submit',"UTF-8") in post.keys(): uName = func.no_inject(post[b'uName'][0].decode("utf-8") ) uMember = func.no_inject(post[b'uMember'][0].decode("utf-8") ) if(post[b'uPass'][0].decode("utf-8") != ''): uSalt = func.random(75) uPass = func.md5(post[b'uPass'][0].decode("utf-8") +uSalt) else: uSalt = '' uPass = '' if func.sql(lite,"INSERT INTO users (uName,uPass,uSalt,uMember,uSession) VALUES ('"+uName+"','"+uPass+"','"+uSalt+"','"+uMember+"','')"): self.wfile.write(bytes('''<p>User angelegt</p>''',"UTF-8")) get["id"] = func.sql(lite,"SELECT uID FROM users ORDER BY uID DESC LIMIT 1")[0][0] get["user"] = '******' else: self.wfile.write(bytes('''<p>Anlegen fehlgeschlagen</p>''',"UTF-8")) else: content = '''<form action="/user/create/s/%s" method="post"><div><span>Name</span><input type="text" name="uName" /></div><div><span>Passwort</span><input type="password" name="uPass" />(Nur ausfüllen, wenn der user admin zugriff haben soll.)</div><div><span>Member-ID</span><input type="text" name="uMember" /></div><div><input type="submit" name="submit" value="Erstellen" /></div></form>''' % session self.wfile.write(bytes(content,"UTF-8")) #ungeprüft if get["user"] == 'edit': if bytes('submit',"UTF-8") in post.keys(): uName = func.no_inject(post[b'uName'][0].decode("utf-8") ) uMember = func.no_inject(post[b'uMember'][0].decode("utf-8") ) id = func.no_inject(get['id']) if(post[b'uPass'][0].decode("utf-8") != ''): uSalt = func.random(75) uPass = func.md5(post[b'uPass'][0].decode("utf-8") +uSalt) res = func.sql(lite,"UPDATE users SET uName = '"+uName+"',uPass = '******',uSalt = '"+uSalt+"',uMember = '"+uMember+"' WHERE uID = '"+id+"'") else: res = func.sql(lite,"UPDATE users SET uName = '"+uName+"',uMember = '"+uMember+"' WHERE uID = '"+id+"'") if res == True: self.wfile.write(bytes('''<p>User editiert</p>''',"UTF-8")) else: self.wfile.write(bytes('''<p>Editieren fehlgeschlagen</p>''',"UTF-8")) get["user"] = '******' else: id = func.no_inject(get['id']) #user daten werden in form, geladen self.wfile.write(bytes("<table><thead><tr><th>Feld</th><th>Daten</th></tr></thead><tbody>","UTF-8")) ud = func.sql(lite,"SELECT uName, uPass, uMember FROM users WHERE uID = %s" % id) if len(ud) == 1: if ud[0][1] == '': admin = 'User' else: admin = 'Admin' content = '''<form action="/user/edit/id/%s/s/%s" method="post"><div><span>Name</span><input type="text" name="uName" value="%s" /></div><div><span>Gruppe:</span> %s</div><div><span>Passwort</span><input type="password" name="uPass" />(bleibt unverändert wenn leer.)</div><div><span>Member-ID</span><input type="text" name="uMember" value="%s" /></div><div><input type="submit" name="submit" value="Erstellen" /></div></form>''' % (id,session,ud[0][0],admin,ud[0][2]) self.wfile.write(bytes(content,"UTF-8")) self.wfile.write(bytes("</tbody></table>[<a href='/token/add/id/"+id+"/s/"+session+"'>AddToken</a>]<table><thead><tr><th>ID</th><th>zuletzt benutzt</th><th>Optionen</th></tr></thead><tbody>","UTF-8")) #zugehörige tokens gelistet data = func.sql(lite,"SELECT tID,tActive,lastUsed FROM token WHERE userID = '%s';" % id) for d in data: if d[1] == 1: active = 'Aktiv' else: active = 'Deaktiviert' self.wfile.write(bytes("<tr><td>"+d[0]+"</td><td>"+d[3]+"</td><td>"+active+"</td><td>[De/Aktivieren][Löschen][Weitergeben]</td></tr>","UTF-8")) self.wfile.write(bytes("</tbody></table>","UTF-8")) #geprüft if get["user"] == 'del': id = func.no_inject(get['id']) if bytes('submit',"UTF-8") in post.keys(): func.sql(lite,"DELETE FROM token WHERE userID = '%s'" % id) func.sql(lite,"DELETE FROM users WHERE uID = '%s'" % id) get["user"] = '******' else: self.wfile.write(bytes("<form action='/user/del/id/"+id+"/s/"+session+"' method='post'>Sicher? <input type='submit' name='submit' value='Ja, klar' /></form>","UTF-8")) #ungeprüft if get["user"] == 'list': data = func.sql(lite,"SELECT uId,uName,uPass,uMember FROM users ORDER BY uName") self.wfile.write(bytes('''<table><thead><tr><th>ID</th><th>Name</th><th>Optionen</th></tr></thead><tbody>''',"UTF-8")) for d in data: if d[2] != '': ismod = '*' else: ismod = '' self.wfile.write(bytes("<tr><td>"+str(d[0])+"</td><td>"+d[1]+" "+ismod+"</td><td>[<a href='/user/edit/id/"+str(d[0])+"/s/"+session+"'>Edit</a>][De/Aktivieren][<a href='/user/del/id/"+str(d[0])+"/s/"+session+"'>Löschen</a>]</td></tr>","UTF-8")) self.wfile.write(bytes("</tbody></table>","UTF-8")) #TODO else: # hier sieht man nur wenn man abgemeldet ist # Navigation self.wfile.write(bytes(''' <div><a href="/stats">Statistik</a> <a href="/login">Login</a> </div> <hr/>''',"UTF-8")) if 'login' in get.keys(): self.wfile.write(bytes('''<form action="" method="post"> <div><span>User:</span> <input type="text" name="u" /></div> <div><span>Pass:</span> <input type="password" name="p" /></div> <div><input type="submit" name="submit" value="Login" /></div> </form>''',"UTF-8")) #TODO self.wfile.write(bytes('''Abgemeldet''',"UTF-8")) if 'stats' in get.keys(): self.wfile.write(bytes('''Statistik<br/> was soll hier alles rein????''',"UTF-8")) #todo if 'favicon.ico' in get.keys(): #todo pass #ungeprüft if 'style.css' in get.keys(): self.wfile.write(bytes('''p {background-color: #000000; display: block; color: #ffffff;} span {display: block; width: 200px; float:left;} input {display:block; float:left;} div{width:100%; clear: both;}''',"UTF-8")) #Aufräumen if html == True: self.wfile.write(bytes("</body></html>","UTF-8")) func.sql_close(lite);