def send_verification_mail(userId):
# generate new link with type email, then load email texts
link = db.add_verification_link(userId, 'email', str(uuid.uuid4().hex))
htmlfile = open('website/templates/mailVerifikation.html',
'r',
encoding="utf8")
htmltext = htmlfile.read()
htmlfile.close()
mailfile = open('website/templates/mailVerifikation.txt',
'r',
encoding="utf8")
mailtext = mailfile.read()
mailfile.close()
# replace placeholders
placeholders = {
'LINK':
'http://malwaremuehle.dynip.online/nowVerify/' +
db.get_model(VerificationLink, link).link
}
htmlmail = replace_placeholder(htmltext, placeholders)
txtmail = replace_placeholder(mailtext, placeholders)
# send mail
send_mail(
db.get_model(User, userId).email,
'Bitte verifiziere Deine E-Mail-Adresse', txtmail, htmlmail)
def is_anon_tid(tid):
try:
if tid:
task = db.get_model(Task, tid)
if task and task.ticket_id:
uid = db.get_model(Ticket, task.ticket_id).user_id
return uid is None or uid is session.get('logged_in')
else:
return True
except AttributeError:
return True
def is_anon_task(sample):
try:
if sample["task_id"]:
task = db.get_model(Task, sample["task_id"])
if task and task.ticket_id:
uid = db.get_model(Ticket, task.ticket_id).user_id
return uid is None or uid is session.get('logged_in')
else:
return True
except AttributeError:
return True
def loginRegister():
if request.method == 'GET':
return render_template('LoginRegister.html')
if request.method == 'POST':
# check if its a login request
if 'emailLogin' in request.form:
email = request.form['emailLogin']
password = request.form['passwordLogin']
userId = db.get_user_by_email(email)
if not userId:
return render_template('LoginRegister.html', loginError=True)
if check_password_hash(
db.get_model(User, userId).password, password):
if db.get_model(User, userId).email_authenticated:
session['logged_in'] = userId
else:
return redirect(url_for('nowVerify'))
return redirect(url_for('account'))
else:
return render_template('LoginRegister.html', loginError=True)
# check if its a registration request
elif 'emailRegister' in request.form:
email = request.form['emailRegister']
password = request.form['passwordRegister']
passwordRep = request.form['passwordRepeatRegister']
passwordhash = generate_password_hash(password)
# check if E-Mail matches e-mail-pattern
if not match(r'[^@]+@[^@]+\.[^@]+', email):
return render_template('LoginRegister.html', mailFormat=True)
# check if password fits policies
if not checkpw(password):
return render_template('LoginRegister.html', weakPw=True)
# check if email is already taken
if db.get_user_by_email(email):
return render_template('LoginRegister.html', emailTaken=True)
else:
# check if password and password repeat match and if yes create account
if password == passwordRep:
newUserId = db.add_user(email, passwordhash, 0)
send_verification_mail(newUserId)
return render_template('verification.html', send=True)
else:
return render_template('LoginRegister.html',
matchError=True)
else:
return render_template('LoginRegister.html')
def forgotPW():
# TODO send email with reset link
if 'email' in request.form:
email = request.form['email']
userId = db.get_user_by_email(email)
if userId:
# generate a new link and add it to database with type password
link = db.add_verification_link(userId, 'password',
str(uuid.uuid4().hex))
#load email texts
htmlfile = open('website/templates/passwordReset.html',
'r',
encoding="utf8")
htmltext = htmlfile.read()
htmlfile.close()
mailfile = open('website/templates/passwordReset.txt',
'r',
encoding="utf8")
mailtext = mailfile.read()
mailfile.close()
# replace placeholders
placeholders = {
'LINK':
'http://malwaremuehle.dynip.online/resetpw/' +
db.get_model(VerificationLink, link).link
}
htmlmail = replace_placeholder(htmltext, placeholders)
txtmail = replace_placeholder(mailtext, placeholders)
# send mail
send_mail(email, 'Dein Link zur Passwortänderung', txtmail,
htmlmail)
return render_template('forgotpw.html', emailsent=True)
else:
return render_template('forgotpw.html', emailsent=True)
return render_template('forgotpw.html')
def account():
userId = session.get('logged_in')
if userId:
tickets = db.get_tickets_by_user(userId)
ticketval_list = []
for ticket in tickets:
ticketval_list.append(ticket['ticket_val'])
# if user sends form for reset
if 'passwordreset' in request.form and 'passwordrep' in request.form:
password = request.form['passwordreset']
passwordrep = request.form['passwordrep']
if not checkpw(password):
return render_template('account.html',
tickets=ticketval_list,
weakPw=True)
# change password
user = db.get_model(User, userId)
if user:
if check_password_hash(user.password, password):
return render_template('account.html',
tickets=ticketval_list,
samepass=True)
elif password == passwordrep:
db.update_password(userId,
generate_password_hash(password))
return render_template('account.html',
tickets=ticketval_list,
passreset=True)
else:
return render_template('account.html',
tickets=ticketval_list,
matchError=True)
return render_template('account.html', notauth=True)
def index():
# A dictionary that translates the selected Operating System Value to the platform name used in cuckoo
# TODO: Use the names that are used inside cuckoo
osStringDict = {
'0': 'notSelected',
'1': 'cuckoo_Win7_Home_64bit_ma',
'2': 'cuckoo_Win7_Prof_64b_ma',
'3': 'cuckoo_Win10_Home_64bit_ma',
'4': 'cuckoo_Win10_Pro_64bit_ma',
'5': 'cuckoo_Win10_Education_64bit_ma',
'6': 'cuckoo_Win10_Pro_Education_64bit_ma',
# '7': 'cuckoo_Ubuntu_18.04_64bit_ma',
'7': 'cuckoo_Debian_64bit_ma',
'8': 'cuckoo_Debian_64bit_ma'
}
if request.method == 'GET':
return render_template('index.html')
if request.method == 'POST':
# check if a URL analysis has been requested
if 'url' in request.form:
url = request.form['url']
# getting the selected OS out of the form and translating it to the platform name used in cuckoo
selectedOS = request.form['os2']
if selectedOS == '0':
return render_template('error.html',
typeError=False,
unknownTicket=False,
noURL=False,
noOS=True)
else:
# setting the platform option for the cuckoo submit function
options = {'machine': osStringDict[selectedOS]}
# submit to cuckoo
cuckooticketID = submit([],
url,
options,
user_id=session.get('logged_in'))
if cuckooticketID:
return redirect(
url_for('analysisstarted',
ticket=db.get_model(
Ticket, cuckooticketID).ticket_val))
else:
return render_template('error.html',
typeError=False,
unknownTicket=False,
noURL=True,
noOS=False)
# check if the post request contains a file / a file analysis has been requested
if 'file[0]' not in request.files:
return redirect(request.url)
file = request.files['file[0]']
# if user did not select a file, or it has no name
if file.filename == '':
return redirect(request.url)
if file:
# sanitising filename
filename = secure_filename(file.filename)
# safe file inside the upload folder
path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
file.save(path)
# getting the selected OS out of the form and translating it to the platform name used in cuckoo
selectedOS = request.form['os1']
if selectedOS == '0':
return render_template('error.html',
typeError=False,
unknownTicket=False,
noURL=False,
noOS=True)
else:
# setting the platform option for the cuckoo submit function
options = {'machine': osStringDict[selectedOS]}
# submit file to cuckoo
cuckooticketID = submit(path, [],
options,
user_id=session.get('logged_in'))
os.remove(path)
if cuckooticketID:
return db.get_model(Ticket, cuckooticketID).ticket_val
else:
return 'Error'
def admin():
user = session.get('logged_in')
if not user:
abort(404)
# check if a admin is logged in, if not pretend there is no page /admin
if db.get_model(User, user).privilege_level != 99:
abort(404)
if request.method == 'GET':
dbconnection = True
# make a list of lists with size 4 of all running tasks to display at the admin page
try:
runningTasks = db.list_tasks(status='running')
except:
dbconnection = False
runningTasks = [task.to_dict() for task in runningTasks]
# shorten tagret path so its only the filename
for task in runningTasks:
task['target'] = os.path.basename(task['target'])
runningTasks4Packs = [
runningTasks[x:x + 4] for x in range(0, len(runningTasks), 4)
]
status = get_cuckoo_status()
totalram = to_gb(status['memtotal'])
freeram = to_gb(status['memavail'])
# get free disk space and turn bytes into gigabytes
totalspace = str(
round(
status['diskspace']['analyses']['total'] / 1024 / 1024 / 1024,
2))
freespace = str(
round(status['diskspace']['analyses']['free'] / 1024 / 1024 / 1024,
2))
usedspace = str(
round(status['diskspace']['analyses']['used'] / 1024 / 1024 / 1024,
2))
#get the cpuusage and the nr. of machines connected to cuckoo and analyzing right now
cpuload = status['cpuload']
machinesavailable = status['machines']['available']
machinestotal = status['machines']['total']
adminlist = db.get_users_by_privilege(99)
adminlist = [adminuser['email'] for adminuser in adminlist]
return render_template('admin.html',
tasklist=runningTasks4Packs,
db=dbconnection,
totalram=totalram,
freeram=freeram,
cpuload=cpuload,
machinesavailable=machinesavailable,
machinestotal=machinestotal,
totalspace=totalspace,
freespace=freespace,
usedspace=usedspace,
adminlist=adminlist)
elif request.method == 'POST':
userId = db.get_user_by_email(request.form['email'])
privilege_level = request.form['priv']
if userId:
db.set_user_privilege(privilege_level, userId)
return redirect(url_for('admin'))