Пример #1
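 def post(self, id):
     """Validate the submitted edit form and update the project row for ``id``.

     Reads ``Projectname``, ``passowrd``, ``Projectemail`` and ``Projectrole``
     from the request. Validation failures, and any error while saving,
     re-render ``admin/Projectedit.html``; success redirects to
     ``/Project/list``.
     """
     weblog.info("%s.", self._request_summary())
     Projectname = self.get_argument("Projectname", None)
     # "passowrd" is the form field name the client sends; keep the spelling.
     passowrd = self.get_argument("passowrd", None)
     Projectemail = self.get_argument("Projectemail", None)
     # No default here: Tornado answers 400 (MissingArgumentError) if absent.
     # NOTE(review): the role is stored exactly as submitted; no allow-list of
     # valid roles is visible in this handler -- confirm it is enforced elsewhere.
     Projectrole = self.get_argument("Projectrole")

     msg = []
     if Projectname is None or Projectname == "":
         msg.append(msg_define.ProjectNAME_IS_EMPTY)
     if passowrd is None or check_passord(passowrd) is None:
         msg.append(msg_define.ProjectPASSWORD_INVALID)
     if Projectemail is None or Projectemail == "":
         msg.append(msg_define.ProjectEMAIL_IS_EMPTY)
     elif check_email(Projectemail) is None:
         msg.append(msg_define.ProjectEMAIL_INVALID)
     if msg:
         return self.render('admin/Projectedit.html', message=msg)

     try:
         old_Project = get_project_by_id(self, id)
         old_Project.Projectname = Projectname
         # NOTE(review): the password is written exactly as submitted. If this
         # column holds a credential, store a salted password hash (a password
         # KDF) instead of the raw value -- confirm against the login path.
         old_Project.password = passowrd
         old_Project.email = Projectemail
         old_Project.Projectrole = Projectrole
         self.mysqldb().commit()
         return self.redirect('/Project/list')
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed. A missing row (None from get_project_by_id)
         # also lands here via AttributeError.
         weblog.exception("Edit Project error!")
         self.mysqldb().rollback()
         # msg is empty at this point, so the page is re-rendered without any
         # error text for the user.
         return self.render('admin/Projectedit.html', message=msg)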
Пример #2
    def get(self):
        """Hand out ``self.flag`` when the signed cookie matches ``uuid[ip]``.

        The request must carry a ``uuid`` query parameter and a valid signed
        cookie named by ``COOKIE_KEY`` whose value equals
        ``"<uuid>[<remote_ip>]"``. Each failed check writes a hint and stops.
        """
        # parse_qs drops blank values by default, so "?uuid=" counts as missing.
        query = parse_qs(urlparse(self.request.uri).query)

        uuid_values = query.get('uuid')
        if uuid_values is None:
            self.write("give me your uuid man... :/")
            return

        # get_secure_cookie returns None when the signature does not verify.
        signed_value = self.get_secure_cookie(COOKIE_KEY)
        if not signed_value:
            self.write("your cookie missing or maybe you don't know what HMAC"
                       " means :(")
            return

        try:
            cookie_text = signed_value.decode()
        except Exception:
            access_log.exception("An exception occurred...")
            self.write("why did you change your cookie...")
            return

        # Only the first uuid value is considered when the parameter repeats.
        # NOTE(review): the binding relies on request.remote_ip; behind a
        # reverse proxy that is the proxy's address unless the server is
        # configured to trust forwarding headers -- confirm the deployment.
        expected = '{}[{}]'.format(uuid_values[0], self.request.remote_ip)

        if cookie_text == expected:
            self.write("here is your reward my dear: {}".format(self.flag))
            return

        self.write("you're almost done... i got a uuid and a cookie... "
                   "but they don't match.")
Пример #3
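 def post(self):
     """Create a project from the submitted form and attach the chosen peers.

     On success redirects to ``/project/list``; on any error the session is
     rolled back and ``project/projectadd.html`` is rendered again.
     """
     weblog.info("%s.", self._request_summary())
     cur_login_name = self.get_secure_cookie('user_account')
     # Look up the account row of the logged-in user.
     cur_user_id = self.mysqldb().query(
         TblAccount.id, TblAccount.userstate).filter(
             TblAccount.username == cur_login_name).first()
     project_name = self.get_argument("project_name", None)
     top_project_id = self.get_argument("top_project_id", 0)
     project_describe = self.get_argument("project_describe", None)
     peers = self.get_arguments("peer")
     # NOTE(review): none of the fields above is validated here (empty name,
     # non-numeric top_project_id) -- confirm validation happens elsewhere.
     try:
         new_project = TblProject()
         new_project.project_name = project_name
         new_project.progress = 0
         new_project.describe = project_describe
         new_project.status = msg_define.USER_NORMAL
         new_project.top_project_id = top_project_id
         # With no valid cookie or no matching account, cur_user_id is None and
         # this raises AttributeError, which the handler below turns into a
         # re-render. NOTE(review): an explicit "not logged in" response would
         # be clearer than relying on that.
         new_project.created_by = cur_user_id.id
         self.mysqldb().add(new_project)
         self.mysqldb().commit()
         # Link the selected users to the new project. The project row is
         # already committed, so the rollback below does not undo it if this
         # call fails.
         self.relation_project_user(project_name, peers)
         return self.redirect('/project/list')
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed.
         weblog.exception("Add new Project error!")
         self.mysqldb().rollback()
         return self.render('project/projectadd.html',
                            message="",
                            users=get_user_list(self),
                            projects=get_project_list(self))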
Пример #4
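 def post(self, id):
     """Validate the submitted edit form and update the account row for ``id``.

     Reads ``username``, ``passowrd``, ``useremail`` and ``userrole`` from the
     request. Validation failures, and any error while saving, re-render
     ``admin/useredit.html``; success redirects to ``/user/list``.
     """
     weblog.info("%s.", self._request_summary())
     username = self.get_argument("username", None)
     # "passowrd" is the form field name the client sends; keep the spelling.
     passowrd = self.get_argument("passowrd", None)
     useremail = self.get_argument("useremail", None)
     # No default here: Tornado answers 400 (MissingArgumentError) if absent.
     # NOTE(review): the role is taken from the request and stored unchanged;
     # confirm that only privileged callers can reach this handler and that the
     # value is restricted to known roles.
     userrole = self.get_argument("userrole")

     msg = []
     if username is None or username == "":
         msg.append(msg_define.USERNAME_IS_EMPTY)
     if passowrd is None or check_passord(passowrd) is None:
         msg.append(msg_define.USERPASSWORD_INVALID)
     if useremail is None or useremail == "":
         msg.append(msg_define.USEREMAIL_IS_EMPTY)
     elif check_email(useremail) is None:
         msg.append(msg_define.USEREMAIL_INVALID)
     if msg:
         return self.render('admin/useredit.html', message=msg)

     try:
         old_user = get_user_by_id(self, id)
         old_user.username = username
         # NOTE(review): the password is stored exactly as submitted. Confirm
         # what account creation and login expect in this column; a credential
         # should be stored as a salted password hash (a password KDF), never
         # as the raw value.
         old_user.password = passowrd
         old_user.email = useremail
         old_user.userrole = userrole
         self.mysqldb().commit()
         return self.redirect('/user/list')
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed. A missing row (None from get_user_by_id) also
         # lands here via AttributeError.
         weblog.exception("Edit user error!")
         self.mysqldb().rollback()
         # msg is empty at this point, so the page is re-rendered without any
         # error text for the user.
         return self.render('admin/useredit.html', message=msg)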
Пример #5
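    def handle_request(self, request_data):
        """Build the proxy request for ``request_data`` and fetch it.

        Written in the ``yield`` / ``gen.Return`` coroutine style (any
        decorator is outside this view). A ``RequestParamsError`` becomes a
        400 response; every other error is logged. Always finishes with an
        empty ``gen.Return``.
        """
        try:
            proxy_request = yield self._make_proxy_request(request_data)
            # gen.Return is an Exception subclass, so raising it inside this
            # ``try`` was caught by ``except Exception`` below and logged as a
            # failure. A falsy proxy_request now just skips the fetch and
            # falls through to the final return.
            if proxy_request:
                yield self._fetch_proxy_request(proxy_request)
        except RequestParamsError as err:
            # NOTE(review): str(err) becomes the HTTP reason phrase. If the
            # error text can echo request data, confirm it cannot carry CR/LF
            # or markup into the response.
            self.set_status(400, str(err))
        except Exception as err:
            # NOTE(review): the response status is left untouched here, so the
            # client is not told about the failure -- confirm that is intended.
            logger.exception(err)
        raise gen.Return()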
Пример #6
    def post(self):
        """Pipe the request body into ``./docker_wrapper.sh`` and return its stdout.

        The wrapper receives the client address as its only argument. Any
        failure is logged and answered with a fixed error body.
        """
        payload = self.request.body
        # VULN (marked by the original author): the body is forwarded without
        # any size limit.
        try:
            # NOTE(review): X-Real-IP is a request header. Unless a trusted
            # reverse proxy always overwrites it, the client chooses this
            # value -- confirm the deployment before relying on it.
            peer = self.request.headers.get("X-Real-IP") or self.request.remote_ip
            if peer:
                # Syntax check only: raises ValueError for anything that is
                # not an IP address; the result is discarded.
                ipaddress.ip_address(peer)
            # Argument list, no shell. No timeout is passed, so the handler
            # waits for as long as the wrapper runs.
            completed = run(['./docker_wrapper.sh', peer], input=payload, stdout=PIPE)
            output = completed.stdout
        except Exception:
            access_log.exception("An exception occurred...")
            output = b"Exception raised."

        self.write(output)
        self.finish()
Пример #7
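 def post(self):
     """Generate a verification image and return it base64-encoded as JSON.

     The code drawn into the image is stored in the signed ``code`` cookie and
     is also included in the JSON response. On failure the error is logged and
     nothing is written.
     """
     # Random RGB foreground colour; cosmetic only.
     fg_color = tuple(random.randint(0, 255) for _ in range(3))
     try:
         mstream, strs = generate_verify_image(save_img=False,
                                               fg_color=fg_color,
                                               font_type="method/Arial.ttf")
         # NOTE(review): Tornado's signed cookies are integrity-protected but
         # not encrypted, so the client can read the expected code from this
         # cookie. Keeping the code server-side (session store keyed by an
         # opaque id) avoids that.
         self.set_secure_cookie("code", strs)
         # NOTE(review): this writes the expected code to the log.
         weblog.info("%s , imgage code:%s", self._request_summary(), strs)
         img = base64.b64encode(mstream.getvalue()).decode()
         # NOTE(review): the response carries the expected code in clear text
         # next to the image, which lets a client answer without reading the
         # image. Left unchanged because existing clients may read this field;
         # confirm and drop it if nothing depends on it.
         return self.write(json_dumps({'code': strs, 'img': img}))
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed.
         weblog.exception("verify image code error")
         return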
Пример #8
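    def __exit__(self, exc_type, exc_val, exc_tb):
        """Log whatever ended the ``with`` block, disconnect the client, suppress it.

        Timeouts, closed streams and refused connections each get their own
        log line; any other exception is logged with its traceback. Always
        returns True, so nothing propagates to the caller.
        """
        if exc_type == toro.Timeout:
            access_log.debug("[uid: %s] connection timeout" % self.client_uid)

        elif exc_type == StreamClosedError:
            access_log.warning("[uid: %s] stream closed unexpectedly" % self.client_uid)

        elif exc_type == ConnectError:
            self.stream.close()
            # Fall back to the exception itself when it has no ``message``
            # attribute, so logging cannot raise from inside __exit__.
            access_log.info("[uid: %s] connection refused: %s"
                            % (self.client_uid, getattr(exc_val, "message", exc_val)))

        elif exc_type is not None:
            # Was ``exc_type == Exception``, which matched only the base class
            # itself: every subclass (ValueError, KeyError, ...) was suppressed
            # by the ``return True`` below without leaving any log entry.
            access_log.exception("[uid: %s] error handling stream" % self.client_uid,
                                 exc_info=(exc_type, exc_val, exc_tb))

        if exc_val is not None and self.client is not None:
            self.client.disconnect()

        # Suppress the raised exception.
        # NOTE(review): this also suppresses KeyboardInterrupt/SystemExit
        # raised inside the block -- confirm that is intended.
        return True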
Пример #9
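 def browsing_history(self):
     """Record the current request in ``tbl_browsing_history`` for the logged-in user.

     Does nothing when no user is logged in. Errors are logged and the
     session is rolled back; nothing is raised to the caller.
     """
     login_name = self.get_current_user()
     if login_name is None:
         return
     if isinstance(login_name, bytes):
         login_name = login_name.decode()

     # One timestamp for both columns, so date and time cannot straddle
     # midnight.
     now = datetime.datetime.now()
     try:
         # URI and User-Agent are client-controlled. The statement used to be
         # built with ``%`` string formatting, which let a quote in either of
         # them change the SQL. Values are now passed as bound parameters.
         # Assumes mysqldb() returns a SQLAlchemy session that accepts a
         # string statement with ``:name`` binds (SQLAlchemy 1.x); on 2.x wrap
         # the statement in sqlalchemy.text() -- TODO confirm the version.
         # The old positional values also had uri and request_method swapped
         # relative to the column list; named binds fix the mapping.
         self.mysqldb().execute(
             "INSERT INTO tbl_browsing_history (user_ip,user_account,request_method,"
             "uri,status,browsing_date,browsing_time,user_agent) "
             "VALUES(:user_ip,:user_account,:request_method,"
             ":uri,:status,:browsing_date,:browsing_time,:user_agent);",
             {
                 "user_ip": self.request.remote_ip,
                 "user_account": login_name,
                 "request_method": self.request.method,
                 "uri": self.request.uri,
                 "status": str(self.get_status()),
                 "browsing_date": now.strftime('%Y%m%d'),
                 "browsing_time": now.strftime('%H%M%S'),
                 # A missing header used to be stored as the text 'None'.
                 "user_agent": self.request.headers.get("User-Agent", ""),
             },
         )
         self.mysqldb().commit()
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed.
         weblog.exception("BaseHandler:visit_history error")
         self.mysqldb().rollback()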
Пример #10
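 def post(self, id):
     """Validate the submitted form and update the bug row identified by ``id``.

     Validation failures re-render ``bug/bugedit.html`` with the collected
     messages; success redirects to ``/bug/list``. A save error is logged,
     rolled back and reported to the user with a generic message.
     """
     weblog.info("%s.", self._request_summary())
     bug_name = self.get_argument("bug_name", None)
     bug_describe = self.get_argument("bug_describe", None)
     bug_solution = self.get_argument("bug_solution", None)
     bug_date_plan = self.get_argument("bug_date_plan", None)
     bug_date_done = self.get_argument("bug_date_done", None)
     bug_status = self.get_argument("bug_status", None)

     # NOTE(review): these checks only catch absent fields; a field submitted
     # with an empty value arrives as "" and passes -- confirm that is intended.
     msg = []
     if bug_name is None:
         msg.append(u"bug名称不能为空")
     if bug_describe is None or bug_solution is None:
         msg.append(u"bug描述或解决方案不能空")
     if bug_date_plan is None or bug_date_done is None:
         msg.append(u"bug计划解决日期或解决日期不能为空")
     if bug_status is None:
         msg.append(u"bug状态不能为空")
     else:
         # A non-numeric status used to raise ValueError out of the handler;
         # it is now reported like any other validation failure.
         try:
             bug_status = int(bug_status)
         except ValueError:
             msg.append(u"bug状态无效")

     old_bug = self.mysqldb().query(TblBugList).filter_by(bug_id=id).first()
     if old_bug is None:
         msg.append(u"根据bug id获取bug信息失败")
     if msg:
         return self.render('bug/bugedit.html', message=msg, bug=get_bug_by_id(self, id))

     try:
         old_bug.bug_name = bug_name
         old_bug.bug_describe = bug_describe
         old_bug.bug_solution = bug_solution
         old_bug.bug_date_plan = bug_date_plan
         old_bug.bug_date_done = bug_date_done
         old_bug.bug_status = bug_status
         self.mysqldb().commit()
         return self.redirect('/bug/list')
     except Exception:
         # The old call passed the exception as a %-format argument to a
         # message with no placeholder, which breaks log formatting;
         # ``exception()`` already records the active traceback.
         weblog.exception("Edit Bug error!")
         self.mysqldb().rollback()
         # Show a generic message instead of the exception object, so database
         # or driver details are not rendered into the page.
         msg.append(u"保存bug信息失败")
         # NOTE(review): unlike the validation-failure render above, no ``bug``
         # value is passed here -- confirm the template copes without it.
         return self.render('bug/bugedit.html', message=msg)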
Пример #11
    async def get(self, *args, **kwargs):
        """Dispatch a GET request through the registered filters and handler.

        Looks up the ``'get'`` entry in ``self.methods``; answers 404 when
        there is none. Each filter may short-circuit by returning a view that
        is not a ``ChainView``. A ``CoreError`` from the handler is turned into
        a JSON error view; anything unexpected becomes a 500.
        """
        try:
            entry = self.methods.get('get')
            if entry is None:
                self.send_error(status_code=404, reason="not found")
                return
            handler_fn = entry['func']
            filters = entry['filters']
            request_obj = MetaRequest(self)

            for run_filter in filters:
                filtered = run_filter(request_obj)
                if not isinstance(filtered, BasicView):
                    self.send_error(status_code=500, reason="internal error")
                    return

                # Only a ChainView lets processing move on to the next filter;
                # any other view is rendered as the final response.
                if not isinstance(filtered, ChainView):
                    filtered.render(request=self)
                    return

            try:
                view_obj = await handler_fn(request_obj, *args, **kwargs)
            except CoreError as e:
                logger.error('%s:%s' % (e.__class__.__name__, e.message))
                # The error text reaches the client only when the exception
                # opts in through a truthy ``can_out_put`` attribute.
                msg = e.message if getattr(e, "can_out_put", None) else ""
                JsonView({'code': 'ERROR', 'msg': msg, 'data': {}}).render(request=self)
                return

            if isinstance(view_obj, BasicView):
                view_obj.render(request=self)
            else:
                self.send_error(status_code=500, reason="internal error")
        except Exception as e:
            logger.exception(e)
            self.send_error(status_code=500, reason='internal error')
Пример #12
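 def post(self):
     """Create a bug record from the submitted form.

     Missing required fields re-render ``bug/bugadd.html`` with messages.
     On success ``bug/buglist.html`` is rendered; on a save error the session
     is rolled back and the add form is shown again.
     """
     weblog.info("%s.", self._request_summary())
     # NOTE(review): the original comment here asks "does the user exist?",
     # but the cookie value is never used afterwards -- no login check happens
     # in this handler. Confirm authentication is enforced elsewhere.
     cur_login_name = self.get_secure_cookie('user_account')
     bug_name = self.get_argument("bug_name", None)
     # The form field is called "project_name" but is stored as the project id.
     project_id = self.get_argument("project_name", None)
     bug_find_by = self.get_argument("bug_find_by", None)
     bug_user_done = self.get_argument("bug_user_done", None)
     bug_describe = self.get_argument("bug_describe", None)
     bug_solution = self.get_argument("bug_solution", None)
     bug_date_plan = self.get_argument("bug_date_plan", None)
     bug_date_done = self.get_argument("bug_date_done", None)

     # NOTE(review): these checks only catch absent fields; a field submitted
     # with an empty value arrives as "" and passes -- confirm that is intended.
     msg = []
     if bug_name is None:
         msg.append(u"bug名称不能为空")
     if bug_solution is None or bug_describe is None:
         msg.append(u"bug描述或解决方案为空")
     if bug_date_plan is None or bug_date_done is None:
         msg.append(u"bug计划日期或解决日期为空")
     if msg:
         return self.render('bug/bugadd.html', message=msg, users=get_user_list(self),
                            projects=get_project_list(self))
     try:
         new_bug = TblBugList()
         new_bug.bug_name = bug_name
         new_bug.bug_find_by = bug_find_by
         new_bug.bug_user_done = bug_user_done
         new_bug.bug_describe = bug_describe
         new_bug.bug_solution = bug_solution
         new_bug.bug_date_plan = bug_date_plan
         new_bug.bug_date_done = bug_date_done
         new_bug.bug_project_id = project_id
         self.mysqldb().add(new_bug)
         self.mysqldb().commit()
         return self.render('bug/buglist.html', bugs=get_bug_list(self))
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed.
         weblog.exception("Add new bug error!")
         self.mysqldb().rollback()
         return self.render('bug/bugadd.html', message=msg, users=get_user_list(self),
                            projects=get_project_list(self))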
Пример #13
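 def post(self):
     """Create an account from the submitted form.

     Validation failures, and any error while saving, re-render
     ``admin/useradd.html``; success renders the first page of
     ``admin/usermanage.html``.
     """
     weblog.info("%s.", self._request_summary())
     username = self.get_argument("username", None)
     # "passowrd" is the form field name the client sends; keep the spelling.
     passowrd = self.get_argument("passowrd", None)
     useremail = self.get_argument("useremail", None)
     # No default here: Tornado answers 400 (MissingArgumentError) if absent.
     # NOTE(review): the role is taken from the request and stored unchanged;
     # confirm that only privileged callers can reach this handler and that the
     # value is restricted to known roles.
     userrole = self.get_argument("userrole")

     msg = []
     # The lookup runs before the empty-name check, so it may be called with
     # None or "".
     if get_user_by_name(self, username) is not None:
         msg.append(msg_define.USER_IS_EXIST)
     if username is None or username == "":
         msg.append(msg_define.USERNAME_IS_EMPTY)
     if passowrd is None or check_passord(passowrd) is None:
         msg.append(msg_define.USERPASSWORD_INVALID)
     if useremail is None or useremail == "":
         msg.append(msg_define.USEREMAIL_IS_EMPTY)
     elif check_email(useremail) is None:
         msg.append(msg_define.USEREMAIL_INVALID)
     if msg:
         return self.render('admin/useradd.html', message=msg)

     try:
         new_user = TblAccount()
         new_user.username = username
         # NOTE(review): MD5 is a fast hash and no salt is passed here, so a
         # leaked table can be attacked offline with precomputed or
         # brute-force lookups. A salted password KDF (for example
         # hashlib.scrypt from the standard library) is the usual replacement;
         # it needs a matching change in the login check, so it is only
         # flagged here.
         new_user.password = MD5(passowrd)
         new_user.email = useremail
         new_user.userrole = userrole
         new_user.userstate = msg_define.USER_NORMAL
         self.mysqldb().add(new_user)
         self.mysqldb().commit()
         users, total_page = get_user_pagination(self, FIRST_PAGE)
         return self.render('admin/usermanage.html',
                            users=users,
                            total_page=total_page,
                            current_page=FIRST_PAGE)
     except Exception:
         # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt are
         # no longer swallowed.
         weblog.exception("Add new user error!")
         self.mysqldb().rollback()
         # msg is empty at this point, so the page is re-rendered without any
         # error text for the user.
         return self.render('admin/useradd.html', message=msg)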
Пример #14
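    def __exit__(self, exc_type, exc_val, exc_tb):
        """Log whatever ended the ``with`` block, disconnect the client, suppress it.

        Timeouts, closed streams and refused connections each get their own
        log line; any other exception is logged with its traceback. Always
        returns True, so nothing propagates to the caller.
        """
        if exc_type == toro.Timeout:
            access_log.debug("[uid: %s] connection timeout" % self.client_uid)

        elif exc_type == StreamClosedError:
            access_log.warning('[uid: %s] stream closed unexpectedly' %
                               self.client_uid)

        elif exc_type == ConnectError:
            self.stream.close()
            # Fall back to the exception itself when it has no ``message``
            # attribute, so logging cannot raise from inside __exit__.
            access_log.info('[uid: %s] connection refused: %s' %
                            (self.client_uid,
                             getattr(exc_val, "message", exc_val)))

        elif exc_type is not None:
            # Was ``exc_type == Exception``, which matched only the base class
            # itself: every subclass (ValueError, KeyError, ...) was suppressed
            # by the ``return True`` below without leaving any log entry.
            access_log.exception('[uid: %s] error handling stream' %
                                 self.client_uid,
                                 exc_info=(exc_type, exc_val, exc_tb))

        if exc_val is not None and self.client is not None:
            self.client.disconnect()

        # Suppress the raised exception.
        # NOTE(review): this also suppresses KeyboardInterrupt/SystemExit
        # raised inside the block -- confirm that is intended.
        return True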
Пример #15
    async def __print(self):
        """Process the single uploaded image and store the secret it yields.

        Expects exactly one file under form field ``f``. The image bytes go to
        ``print_img`` together with the caller's address; on success the
        returned secret is saved and the page data is sent back. Every failure
        ends in ``__reject`` with a message for the client.
        """
        # A request without the 'f' field raises KeyError here, before any of
        # the handling below.
        uploads = self.request.files['f']

        if len(uploads) != 1:
            self.__reject("/print expects exactly one image file.")
            return

        image_bytes = uploads[0]['body']

        try:
            outcome = print_img(image_bytes, self.__remote_ip())
        except Exception:
            access_log.exception("An exception occurred...")
            self.__reject("[print_img:exception] service failed to process "
                          "your image. Try with another one.\nIf the problem "
                          "persists with other images, please contact an "
                          "admin.")
            return

        if not outcome['status']:
            # NOTE(review): the error text from print_img is passed to the
            # client as is -- confirm it never contains internal details.
            self.__reject(outcome['error'])
            return

        page_data = outcome['data']
        secret = outcome['b64sn']

        try:
            await self.__save_secret(secret)
        except Exception:
            access_log.exception("An exception occurred...")
            self.__reject("[__save_secret:exception] service failed to save "
                          "the secret. Request timed-out.\nPlease contact an "
                          "admin. Redis server might be down.")
            return

        self.__accept(page_data)
Пример #16
 def wraps(*args, **kwg):
     # Call the wrapped ``func`` (taken from the enclosing scope, which is not
     # visible here) with the caller's arguments unchanged.
     try:
         result = func(*args, **kwg)
     except Exception as failure:
         # Log with traceback, then re-raise so the caller still sees the
         # original error.
         logger.exception(failure)
         raise
     return result
Пример #17
    def post(self):
        """Check the submitted key with ``./emergency_override`` and answer.

        The request body, cut to at most ``EO_SZ**3`` bytes, is fed to the
        checker on stdin. If the checker's output contains ``OK`` the success
        banner with ``self.flag`` is returned, otherwise the failure banner.
        A failed run is logged and answered with status 500.
        """
        # Bound the input before handing it to the external checker.
        submitted_key = self.request.body[:EO_SZ**3]

        try:
            # check_output raises CalledProcessError on a non-zero exit code,
            # so that case is answered as a 500 below. No timeout is passed:
            # the handler waits for as long as the checker runs.
            verdict = check_output(['./emergency_override', 'check'], input=submitted_key)
        except Exception:
            access_log.exception("An exception occurred...")
            self.set_status(500)
            self.write("An exception occurred, feel free to contact an admin.")
            self.finish()
            return

        # NOTE(review): this is a substring match over the whole output. If
        # the checker ever echoes part of the submitted key, a key containing
        # "OK" would pass -- confirm the checker's output format, or compare
        # against an exact expected line.
        if b'OK' in verdict:
            banner = """

  Well done! You've just prevented doomsday... Awesome!

         888888ba                    dP     dP  dP   dP           .88888.
 dP dP   88    `8b                   88     88  88   88          d8'   `8b
8888888 a88aaaa8P' 88d888b. .d8888b. 88aaaaa88a 88aaa88 dP.  .dP 88     88 88d888b.
 88 88   88        88'  `88 88'  `88 88     88       88  `8bd8'  88     88 88'  `88
8888888  88        88       88.  .88 88     88       88  .d88b.  Y8.   .8P 88
 dP dP   dP        dP       `88888P' dP     dP       dP dP'  `dP  `8888P'  dP


  Good job! You must have this flag : {}

""".format(self.flag)
        else:
            banner = """

                           .ed''' '''$$$$be.
                         -'           ^''**$$$e.
                       .'                   '$$$c
                      /                      '4$$b
                     d  3                      $$$$
                     $  *                   .$$$$$$
                    .$  ^c           $$$$$e$$$$$$$$.
                    d$L  4.         4$$$$$$$$$$$$$$b
                    $$$$b ^ceeeee.  4$$ECL.F*$$$$$$$
        e$''=.      $$$$P d$$$$F $ $$$$$$$$$- $$$$$$
       z$$b. ^c     3$$$F '$$$$b   $'$$$$$$$  $$$$*'      .=''$c
      4$$$$L        $$P'  '$$b   .$ $$$$$...e$$        .=  e$$$.
      ^*$$$$$c  %..   *c    ..    $$ 3$$$$$$$$$$eF     zP  d$$$$$
        '**$$$ec   '   ece''    $$$  $$$$$$$$$$*    .r' =$$$$P''
              '*$b.  'c  *$e.    *** d$$$$$'L$$    .d'  e$$***'
                ^*$$c ^$c $$$      4J$$$$$% $$$ .e*'.eeP'
                   '$$$$$$''$=e....$*$$**$cz$$' '..d$*'
                     '*$$$  *=%4.$ L L$ P3$$$F $$$P'
                        '$   'e*ebJLzb$e$$$$$b $P'
                          %..      4$$$$$$$$$$ '
                           $$$e   z$$$$$$$$$$%
                            '*$c  '$$$$$$$P'
                             .'''*$$$$$$$$bc
                          .-''    .$***$$$'''*e.
                       .-'     .e'     '*$c  ^*b.
                .=*''''    .e$*'          '*bc  '*$e..
              .$'        .z*'               ^*$e.   '*****e.
              $$ee$c   .d'                     '*$.        3.
              ^*$E')$..$'                         *   .ee==d%
                 $.d$$$*                           *  J$$$e*
                  '''''                             ''$$$'

                                 R.I.P.

              You failed to save the world !!! Try again !
"""
        self.write(banner.encode())
        self.finish()