├── 0cms_server ├── utils │ ├── __init__.py │ └── function.py ├── action │ ├── __init__.py │ ├── rss.py │ ├── upload.py │ ├── flag.py │ ├── admin.py │ ├── comment.py │ ├── install.py │ ├── cms.py │ ├── index.py │ └── base.py ├── model │ ├── db │ │ ├── __init__.py │ │ ├── database.py │ │ └── sqlite.py │ ├── __init__.py │ ├── flag.py │ ├── cms.py │ ├── comment.py │ └── base.py ├── restart.sh ├── templates │ ├── admin │ │ ├── footer.htm │ │ ├── index.htm │ │ ├── login.htm │ │ ├── uploadFile.htm │ │ ├── rss.htm │ │ ├── header.htm │ │ ├── commentList.htm │ │ ├── cmsList.htm │ │ ├── error.htm │ │ ├── copyText.htm │ │ ├── success.htm │ │ ├── cmsAdd.htm │ │ └── cmsEdit.htm │ └── default │ │ ├── footer.htm │ │ ├── show.htm │ │ ├── error.htm │ │ ├── success.htm │ │ ├── index.htm │ │ ├── comments.htm │ │ └── header.htm ├── data │ ├── 0ctf.db │ └── public.pem ├── static │ ├── admin │ │ ├── copy.swf │ │ ├── mainnavbg.gif │ │ ├── sub_arrow.gif │ │ ├── editor │ │ │ ├── icons.png │ │ │ ├── resize.gif │ │ │ ├── header-bg.gif │ │ │ ├── style.css │ │ │ └── tinyeditor.js │ │ └── common.css │ └── default │ │ ├── 404.png │ │ ├── bg.png │ │ ├── rss.png │ │ ├── favicon.ico │ │ ├── mainbg.jpg │ │ ├── search.png │ │ ├── default_user.jpg │ │ ├── search_hover.png │ │ ├── comment-reply.min.js │ │ ├── html5.js │ │ ├── bin.js │ │ └── style.css ├── settings.py └── app.py ├── 0cms_checker ├── private.pem ├── 0cms_normal_check.py └── 0cms_full_check.py └── README.md /0cms_server/utils/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /0cms_server/action/__init__.py: -------------------------------------------------------------------------------- 1 | __author__ = 'md5_salt' 2 | -------------------------------------------------------------------------------- /0cms_server/model/db/__init__.py: -------------------------------------------------------------------------------- 1 | __author__ = 'md5_salt' -------------------------------------------------------------------------------- /0cms_server/restart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | find . -name "*.pyc" | xargs rm -f 3 | python app.py 4 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/footer.htm: -------------------------------------------------------------------------------- 1 |

2 | 3 | -------------------------------------------------------------------------------- /0cms_server/data/0ctf.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/data/0ctf.db -------------------------------------------------------------------------------- /0cms_server/static/admin/copy.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/copy.swf -------------------------------------------------------------------------------- /0cms_server/static/default/404.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/404.png -------------------------------------------------------------------------------- /0cms_server/static/default/bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/bg.png -------------------------------------------------------------------------------- /0cms_server/static/default/rss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/rss.png -------------------------------------------------------------------------------- /0cms_server/static/admin/mainnavbg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/mainnavbg.gif -------------------------------------------------------------------------------- /0cms_server/static/admin/sub_arrow.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/sub_arrow.gif -------------------------------------------------------------------------------- /0cms_server/static/default/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/favicon.ico -------------------------------------------------------------------------------- /0cms_server/static/default/mainbg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/mainbg.jpg -------------------------------------------------------------------------------- /0cms_server/static/default/search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/search.png -------------------------------------------------------------------------------- /0cms_server/static/admin/editor/icons.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/editor/icons.png -------------------------------------------------------------------------------- /0cms_server/model/__init__.py: -------------------------------------------------------------------------------- 1 | __author__ = 'md5_salt' 2 | from cms import * 3 | from base import * 4 | from comment import * 5 | from flag import * -------------------------------------------------------------------------------- /0cms_server/static/admin/editor/resize.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/editor/resize.gif -------------------------------------------------------------------------------- /0cms_server/static/default/default_user.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/default_user.jpg -------------------------------------------------------------------------------- /0cms_server/static/default/search_hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/default/search_hover.png -------------------------------------------------------------------------------- /0cms_server/static/admin/editor/header-bg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/0CTF2015Final0cms/master/0cms_server/static/admin/editor/header-bg.gif -------------------------------------------------------------------------------- /0cms_server/templates/default/footer.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /0cms_server/model/flag.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import web, time 4 | import settings 5 | from model.base import base as BaseModel 6 | from utils.function import * 7 | @singleton 8 | class flag(BaseModel): 9 | def __init__(self): 10 | pass -------------------------------------------------------------------------------- /0cms_server/utils/function.py: -------------------------------------------------------------------------------- 1 | def singleton(className): 2 | def wrapped(): 3 | it = className.__dict__.get('__it__') 4 | if it is not None: 5 | return it 6 | 7 | className.__it__=className() 8 | return className.__it__ 9 | return wrapped -------------------------------------------------------------------------------- /0cms_server/data/public.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PUBLIC KEY----- 2 | MIGJAoGBAIDvfXgMHxgyRDb+1f8PKlru63FVE/K0wUZnrvpbUd8mnGiJWHkhgO2q 3 | jMDA0dy30mvup9JMs89y0Tylx9EOVGF92Tcs120h7OH0C/OJe/ru4lUYMy/8jusb 4 | n/P5ZUSe/3/4NUFY+0Z/uYamNDA4u8Bq0dIKLRlOy0/+9d79dID1AgMBAAE= 5 | -----END RSA PUBLIC KEY----- 6 | -------------------------------------------------------------------------------- /0cms_server/model/cms.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import web, time 4 | 5 | import settings 6 | from model.base import base as BaseModel 7 | from utils.function import * 8 | @singleton 9 | class cms(BaseModel): 10 | def __init__(self): 11 | pass -------------------------------------------------------------------------------- /0cms_server/model/comment.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import web, time 4 | import settings 5 | from model.base import base as BaseModel 6 | from utils.function import * 7 | @singleton 8 | class comment(BaseModel): 9 | def __init__(self): 10 | pass -------------------------------------------------------------------------------- /0cms_server/templates/admin/index.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header() 3 | Welcome

4 | IP:$:tplData['info']['clientIp']

5 | Server IP:$:tplData['info']['serverIp']

6 | UA:$:tplData['info']['ua']

7 | Time:$:tplData['info']['date']

8 | $:tplData['render'].footer() -------------------------------------------------------------------------------- /0cms_server/action/rss.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #coding=utf-8 3 | import web,time,settings 4 | from action.base import base as baseAction 5 | import model 6 | class rss(baseAction): 7 | def __init__(self): 8 | baseAction.__init__(self) 9 | settings = self.getSettings() 10 | self.assignTplDir(settings.ADMIN_TPL_DIR) 11 | def index(self): 12 | cmsList = model.cms().getList('*',{},'id desc') 13 | self.assign('cmsList',cmsList) 14 | return self.display('rss') -------------------------------------------------------------------------------- /0cms_server/templates/admin/login.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | Login 6 | 7 | 8 | 9 | 10 | 11 | 16 | 17 | -------------------------------------------------------------------------------- /0cms_server/templates/default/show.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header(tplData) 3 | 4 |

5 |

6 | 7 |

$:tplData['atl']['name']

13 | 14 | $:tplData['render'].comments(tplData) 15 |

16 | $:tplData['render'].footer(tplData) -------------------------------------------------------------------------------- /0cms_server/templates/admin/uploadFile.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | 6 | upload 7 | 8 | 9 | 13 | 14 | -------------------------------------------------------------------------------- /0cms_server/templates/default/error.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header(tplData) 3 |

4 | $:tplData['jump']['msg'] (jump after $:tplData['jump']['timeout'] seconds）

5 | 6 | 19 | $:tplData['render'].footer(tplData) -------------------------------------------------------------------------------- /0cms_server/templates/default/success.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header(tplData) 3 |

4 | $:tplData['jump']['msg'] (jump after $:tplData['jump']['timeout']seconds）

5 | 6 | 19 | $:tplData['render'].footer(tplData) -------------------------------------------------------------------------------- /0cms_server/templates/admin/rss.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | $:tplData['webTitle'] 6 | $:tplData['webUrl'] 7 | $:tplData['webDescription'] 8 | $for i in tplData['cmsList']: 9 | 10 | $:i['name'] 11 | 12 | 13 | 14 | $:i['createTime'] 15 | $makeUrl('index','show',{'id':i['id']}) 16 | 17 | 18 | -------------------------------------------------------------------------------- /0cms_server/static/default/comment-reply.min.js: -------------------------------------------------------------------------------- 1 | addComment={moveForm:function(d,f,i,c){var m=this,a,h=m.I(d),b=m.I(i),l=m.I("cancel-comment-reply-link"),j=m.I("comment_parent"),k=m.I("comment_post_ID");if(!h||!b||!l||!j){return}m.respondId=i;c=c||false;if(!m.I("wp-temp-form-div")){a=document.createElement("div");a.id="wp-temp-form-div";a.style.display="none";b.parentNode.insertBefore(a,b)}h.parentNode.insertBefore(b,h.nextSibling);if(k&&c){k.value=c}j.value=f;l.style.display="";l.onclick=function(){var n=addComment,e=n.I("wp-temp-form-div"),o=n.I(n.respondId);if(!e||!o){return}n.I("comment_parent").value="0";e.parentNode.insertBefore(o,e);e.parentNode.removeChild(e);this.style.display="none";this.onclick=null;return false};try{m.I("comment").focus()}catch(g){}return false},I:function(a){return document.getElementById(a)}}; 2 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/header.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Manage 6 | 7 | 8 | 9 |

10 |

17 |

-------------------------------------------------------------------------------- /0cms_server/model/base.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | #coding=utf-8 4 | from model.db.database import * 5 | class base: 6 | def getTable(self): 7 | return self.__class__.__name__ 8 | 9 | def getDb(self): 10 | return database() 11 | 12 | def insert(self,data): 13 | return self.getDb().insert(self.getTable(),data) 14 | 15 | def delete(self,condition): 16 | return self.getDb().delete(self.getTable(), condition) 17 | 18 | def getList(self,colums,condition,orders='',limits=''): 19 | return self.getDb().getList(self.getTable(),colums,condition,orders,limits) 20 | 21 | def getOne(self,colums,condition,orders='',limits=''): 22 | return self.getDb().getOne(self.getTable(),colums,condition,orders,limits) 23 | 24 | def update(self, data,condition): 25 | return self.getDb().update(self.getTable(),data,condition) 26 | -------------------------------------------------------------------------------- /0cms_server/templates/default/index.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header(tplData) 3 |

4 |

5 | $for i in tplData['cmsList']: 6 |

7 |

$:i['name']

view all »

11 |

12 |

13 | 16 |

17 | 18 | $:tplData['render'].footer(tplData) -------------------------------------------------------------------------------- /0cms_checker/private.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIICYAIBAAKBgQCA7314DB8YMkQ2/tX/Dypa7utxVRPytMFGZ676W1HfJpxoiVh5 3 | IYDtqozAwNHct9Jr7qfSTLPPctE8pcfRDlRhfdk3LNdtIezh9AvziXv67uJVGDMv 4 | /I7rG5/z+WVEnv9/+DVBWPtGf7mGpjQwOLvAatHSCi0ZTstP/vXe/XSA9QIDAQAB 5 | AoGAesgVWmFopvkPPrPUg0wk0G1ephEXqvN4bhxEY8Lcpz00itPn/YnrJehYmyHD 6 | d4VRi1i8VaaXQICdQjy4Df87e5Z3UTj/Y9Tir51Hue5w7f7dK16Y6H570ZPzwszU 7 | ZW94GOJ94vHagb+qwv+rDxbFuM3nP9HMTdQMg1V6ZU3ZuCECRQCRjmdN0Ix7L2pN 8 | vH1K/IBwAkNIa1boLnnTdKo9JnC7mJr0NAZacPGo9+47oJkPs8Wjy8KKCtvPVQ7D 9 | cV4WYC/vhQl4XQI9AOLElexWO9/N6aYcjgZFNgDSUDIGrAt+OVty8/K98WUzbj20 10 | rzBm9KvYZiT8fUYBGGClNC+i8Ub682dBeQJEaOmQUgkASIXLhE5YrKTE2nb3Egq0 11 | MFPXYW9UiRDc7oo3Hc8lyShhNp3Fa9r8l9HGoaHrDV54Qr+XDY339/7KbkSgp80C 12 | PQCuBz4jZL6IcCcqoulf6IecM8r1yWcJXvI3u0158ckq6EBnPJ3h4HFO3EDvi5G8 13 | QqTprn8RO9Q8q+RWTskCRBIEohqPwrP/O1pH109MYdQQRCHQvIhPLc8GWl/rXZrY 14 | EGWhwU9HNhfKdZmLSWUdaV5+EaZAE7Wmj1d1vCQqATG3y0wB 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 0CTF2015Final_0cms 2 | 3 | This program is used for 0CTF 2015 Final named 0cms. 4 | Use this only for code auditing practice and avoid being accessed by other people. 5 | 6 | ## installation 7 | 8 | ``` 9 | sudo pip install rsa 10 | sudo pip install web.py 11 | ``` 12 | 13 | ## ussage 14 | 15 | If you are using ubuntu, just run: 16 | 17 | `sh restart.sh` 18 | 19 | For mac or other platform, you need to modify `settings.py` and set `WEB_URL` based on your own ip address instead of using `get_local_ip()` function. 20 | 21 | For cheker, you need to modify `0cms_full_check.py` and set variable `flag` base your own flag.(I just use an api to get real flag.) 22 | 23 | ## acknowledgement 24 | 25 | 0cms is based on `webpyCMS0.1` 26 | https://github.com/taogogo/webpyCMS 27 | 28 | Thanks taogogo for developing such good blog management system! 29 | 30 | ## contact 31 | 32 | http://5alt.me 33 | 34 | md5_salt [AT] qq.com 35 | 36 | Hope you enjoy this! :) 37 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/commentList.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header() 3 |

Manage Comments

4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | $for i in tplData['commentList']: 15 | 16 | 17 | 18 | 19 | 20 | 21 |

ID	Name	Content	IP	Email	Post	Manage
$:i['id']	$:i['name']	$:i['content']	$:i['ip']	$:i['email']	$:i['atl']['name']	delete

22 | 25 | $:tplData['render'].footer() -------------------------------------------------------------------------------- /0cms_server/settings.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | import os 4 | 5 | def get_local_ip(ifname): 6 | import socket, fcntl, struct 7 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 8 | inet = fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15])) 9 | ret = socket.inet_ntoa(inet[20:24]) 10 | return ret 11 | 12 | WEB_URL='http://'+get_local_ip('eth0')+':8080/' 13 | WEB_TITLE='0CMS' 14 | WEB_DESCRIPTION='0CMS Written By md5_salt' 15 | TEMPLATE_THEME='default' 16 | PER_PAGE_COUNT = 10 17 | 18 | ADMIN_USERNAME = 'admin' 19 | ADMIN_PASSWORD='salt' 20 | 21 | DEFAULT_PATH='/index/index' 22 | DEBUG_SWITCH=True 23 | STATUS_LIST = {1:'publish',0:'private'} 24 | 25 | ROOT_PATH=os.getcwd()+'/' 26 | DATA_DIR_PATH=ROOT_PATH+'data/' 27 | TMP_DIR_PATH=ROOT_PATH+'data/cache/' 28 | 29 | UPLOAD_DIR='uploads/' 30 | TPL_DIR = 'templates' 31 | ADMIN_TPL_DIR='admin' 32 | 33 | #cannot change 34 | DB_TYPE='sqlite' 35 | DB_STRING=DATA_DIR_PATH+'0ctf.db' 36 | 37 | PUB_KEY=DATA_DIR_PATH+'public.pem' 38 | -------------------------------------------------------------------------------- /0cms_server/action/upload.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | #coding=utf-8 4 | import web,time 5 | from action.base import base as baseAction 6 | import model 7 | class upload(baseAction): 8 | def __init__(self): 9 | baseAction.__init__(self) 10 | if self.isLogin() != True: 11 | raise web.seeother('/') 12 | settings = self.getSettings() 13 | self.assignTplDir(settings.ADMIN_TPL_DIR) 14 | def index(self): 15 | return self.display('uploadFile') 16 | def upload(self): 17 | inputParams = web.input(uploadFile={}) 18 | settings = self.getSettings() 19 | filedir = settings.ROOT_PATH+settings.UPLOAD_DIR 20 | if 'uploadFile' in inputParams: 21 | fout = open(filedir +'/'+ inputParams.uploadFile.filename,'w') 22 | fout.write(inputParams.uploadFile.file.read()) 23 | fout.close() 24 | self.assign('text',settings.WEB_URL+settings.UPLOAD_DIR+inputParams.uploadFile.filename) 25 | return self.display('copyText') -------------------------------------------------------------------------------- /0cms_server/templates/admin/cmsList.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header() 3 |

Manage Posts Add

4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | $for i in tplData['cmsList']: 13 | 14 | 15 | 21 | 22 |

ID	Title	Status	Order	Manage
$:i['id']	$:i['name']	$:tplData['statusList'][i['status']]	$:i['orders']	16 \| View 17 \| \| 18 \| Edit 19 \| \| Delete 20 \|

23 |

26 | $:tplData['render'].footer() -------------------------------------------------------------------------------- /0cms_server/templates/admin/error.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | $:tplData['jump']['msg'] 6 | 7 | 8 | 9 | 10 |

11 | $:tplData['jump']['msg'] (delete after $:tplData['jump']['timeout'] seconds）

12 | 13 | 26 | 27 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/copyText.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | 6 | copy 7 | 8 | 9 | file url:

click to copy→ 10 |

←click to copy 16 | 17 | 18 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/success.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | $:tplData['jump']['msg'] 6 | 7 | 8 | 9 | 10 |

11 | $:tplData['jump']['msg'] (jump after $:tplData['jump']['timeout'] seconds）

12 | 13 | 26 | 27 | -------------------------------------------------------------------------------- /0cms_server/static/admin/editor/style.css: -------------------------------------------------------------------------------- 1 | .te {border:1px solid #bbb; padding:0 1px 1px; font:12px Verdana,Arial; margin:1px} 2 | .te iframe {border:none} 3 | .teheader {height:31px; border-bottom:1px solid #bbb; background:url(/static/admin/editor/header-bg.gif) repeat-x; padding-top:1px} 4 | .teheader select {float:left; margin-top:5px} 5 | .tefont {margin-left:12px} 6 | .tesize {margin:0 3px} 7 | .testyle {margin-right:12px} 8 | .tedivider {float:left; width:1px; height:30px; background:#ccc} 9 | .tecontrol {float:left; width:34px; height:30px; cursor:pointer; background-image:url(/static/admin/editor/icons.png)} 10 | .tecontrol:hover {background-color:#fff; background-position:30px 0} 11 | .tefooter {height:32px; border-top:1px solid #bbb; background:#f5f5f5} 12 | .toggle {float:left; background:url(/static/admin/editor/icons.png) -34px 2px no-repeat; padding:9px 13px 0 31px; height:23px; border-right:1px solid #ccc; cursor:pointer; color:#666} 13 | .toggle:hover {background-color:#fff} 14 | .resize {float:right; height:32px; width:32px; background:url(/static/admin/editor/resize.gif) 15px 15px no-repeat; cursor:s-resize} 15 | #editor {cursor:text; margin:10px} 16 | -------------------------------------------------------------------------------- /0cms_server/action/flag.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import rsa 4 | import web 5 | from action.base import base as baseAction 6 | import model 7 | class flag(baseAction): 8 | def __init__(self): 9 | baseAction.__init__(self) 10 | settings = self.getSettings() 11 | self.assignTplDir(settings.TEMPLATE_THEME) 12 | 13 | def index(self): 14 | if self.isLogin(): 15 | flagObj = model.flag() 16 | realFlag = flagObj.getOne('*',{}) 17 | return realFlag['flag'] 18 | else: 19 | settings = self.getSettings() 20 | web.seeother(settings.WEB_URL) 21 | 22 | def check(self): 23 | #for checker 24 | inputParams = self.getInput() 25 | if not inputParams.has_key('flag') : 26 | settings = self.getSettings() 27 | web.seeother(settings.WEB_URL) 28 | flag = inputParams['flag'] 29 | flagObj = model.flag() 30 | realFlag = flagObj.getOne('*',{})['flag'] 31 | if realFlag == flag: 32 | return '1' 33 | else: 34 | return '0' 35 | 36 | def crypto(self): 37 | #for checker 38 | settings = self.getSettings() 39 | with open(settings.PUB_KEY) as publickfile: 40 | p = publickfile.read() 41 | pubkey = rsa.PublicKey.load_pkcs1(p) 42 | message = settings.ADMIN_USERNAME+'|'+settings.ADMIN_PASSWORD 43 | return rsa.encrypt(message, pubkey).encode('base64') 44 | -------------------------------------------------------------------------------- /0cms_server/model/db/database.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | import sqlite3 as db 4 | import os 5 | import settings 6 | class database : 7 | dbObj = None 8 | def __init__(self): 9 | modelName=settings.DB_TYPE 10 | if os.path.exists(settings.ROOT_PATH+'model/db/'+modelName+'.py') == False: 11 | raise Exception,'db class file not exists' 12 | dbList = __import__('model.db.'+modelName,{},{},modelName) 13 | if hasattr(dbList, modelName): 14 | modelObj = getattr(dbList, modelName)() 15 | else: 16 | raise Exception,'db class not exists' 17 | self.dbObj=modelObj 18 | 19 | def fetchAll(self,sql): 20 | return self.dbObj.fetchAll(sql) 21 | 22 | def fetchOne(self,sql): 23 | return self.dbObj.fetchOne(sql) 24 | 25 | def insert(self,tableName, data): 26 | return self.dbObj.insert(tableName,data) 27 | 28 | def delete(self, tableName, condition): 29 | return self.dbObj.delete(tableName,condition) 30 | 31 | def update(self, tableName, data,condition): 32 | return self.dbObj.update(tableName,data,condition) 33 | 34 | def execute(self,sql): 35 | return self.dbObj.execute(sql) 36 | 37 | def getList(self,tableName,colums,condition,orders='',limits=''): 38 | return self.dbObj.getList(tableName,colums,condition,orders,limits) 39 | 40 | def getOne(self,tableName,colums,condition,orders='',limits=''): 41 | return self.dbObj.getOne(tableName,colums,condition,orders,limits) 42 | -------------------------------------------------------------------------------- /0cms_server/action/admin.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import web,time 4 | from action.base import base as baseAction 5 | 6 | class admin(baseAction): 7 | def __init__(self): 8 | baseAction.__init__(self) 9 | settings = self.getSettings() 10 | self.assignTplDir(settings.ADMIN_TPL_DIR) 11 | def check(self): 12 | from web import form 13 | validList=( 14 | form.Textbox("username",form.regexp(r".{3,20}$", 'username length 3-20')), 15 | form.Password("password", form.regexp(r".{3,20}$", 'password 3-20')), 16 | ) 17 | if not self.validates(validList): 18 | return self.error(self.errorMessage) 19 | inputData = self.getInput() 20 | settings = self.getSettings() 21 | if settings.ADMIN_USERNAME == inputData['username'] and settings.ADMIN_PASSWORD == inputData['password']: 22 | userData={'username':inputData['username']} 23 | self.setLogin(userData) 24 | return self.success('success',self.makeUrl('cms','list')) 25 | else: 26 | return self.error('username or password error',self.makeUrl('admin','')) 27 | 28 | def index(self): 29 | serverInfo = { 30 | 'clientIp': web.ctx.ip, 31 | 'date': str(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())), 32 | 'ua': web.ctx.environ['HTTP_USER_AGENT'], 33 | 'serverIp': web.ctx.environ['REMOTE_ADDR'] 34 | } 35 | self.assign('info',serverInfo) 36 | if self.isLogin(): 37 | return self.display('index') 38 | else: 39 | return self.display('login') 40 | 41 | def logout(self): 42 | self.setLogin() 43 | return self.success('successfully logout',self.makeUrl('index')) -------------------------------------------------------------------------------- /0cms_server/action/comment.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | 4 | import web 5 | from action.base import base as baseAction 6 | import model 7 | class comment(baseAction): 8 | def __init__(self): 9 | baseAction.__init__(self) 10 | if self.isLogin() != True: 11 | raise web.seeother('/') 12 | settings = self.getSettings() 13 | self.assignTplDir(settings.ADMIN_TPL_DIR) 14 | def list(self): 15 | inputParams = self.getInput() 16 | page = int(inputParams['page']) if inputParams.has_key('page') else 1 17 | settings = self.getSettings() 18 | count = settings.PER_PAGE_COUNT 19 | offset= (page-1)*count if page > 0 else 0 20 | commentObj = model.comment() 21 | condition = {} 22 | listData = commentObj.getOne('COUNT(*) AS `total`',condition) 23 | totalCount = listData['total'] 24 | commentList = commentObj.getList('*',condition,'id desc',str(offset)+','+str(count)) 25 | cmsObj = model.cms() 26 | for k,v in enumerate(commentList): 27 | atl=cmsObj.getOne('name,id',{'id':v['cmsId']}) 28 | commentList[k]['atl'] =atl 29 | 30 | self.assign('commentList',commentList) 31 | pageString = self.getPageStr(self.makeUrl('comment','list'),page,count,totalCount) 32 | self.assign('pageString',pageString) 33 | return self.display('commentList') 34 | def delete(self): 35 | inputParams = self.getInput() 36 | if not inputParams.has_key('id'): 37 | settings = self.getSettings() 38 | web.seeother(settings.WEB_URL) 39 | id=inputParams['id'] 40 | condition={'id':str(id)} 41 | result=model.comment().delete(condition) 42 | if result: 43 | return self.success('delete success',self.makeUrl('comment','list')) 44 | else: 45 | return self.error('delete failed') -------------------------------------------------------------------------------- /0cms_server/action/install.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | #coding=utf-8 4 | import web 5 | from model.db.database import * 6 | from action.base import base as baseAction 7 | class install(baseAction): 8 | def __init__(self): 9 | baseAction.__init__(self) 10 | settings = self.getSettings() 11 | self.assignTplDir(settings.ADMIN_TPL_DIR) 12 | def index(self): 13 | return '''click to install''' 14 | def do(self): 15 | dbFilePath = settings.DB_STRING 16 | if os.path.exists(dbFilePath): 17 | return web.seeother('/') 18 | else: 19 | self.conn = db.connect(dbFilePath) 20 | self.cursor = self.conn.cursor() 21 | sqlList = [""" 22 | CREATE TABLE 'comment' ( 23 | 'id' INTEGER PRIMARY KEY, 24 | 'cmsId' INT, 'name' VARCHAR(32), 25 | 'email' VARCHAR(64), 26 | 'content' TEXT, 'ip' VARCHAR(16) , 27 | 'createTime' TIMESTAMP , 28 | 'status' INT 29 | ); 30 | 31 | """, 32 | """ 33 | CREATE TABLE 'cms' ( 34 | 'id' INTEGER PRIMARY KEY, 35 | 'name' VARCHAR(120), 36 | 'content' TEXT, 37 | 'commentCount' INT, 38 | 'orders' INT, 39 | 'views' INT, 40 | 'createTime' TIMESTAMP, 41 | 'status' INT 42 | ); 43 | 44 | """, 45 | """ 46 | CREATE TABLE 'flag' ( 47 | 'flag' TEXT PRIMARY KEY 48 | ); 49 | """, 50 | """ 51 | INSERT INTO flag(flag) VALUES('0ctf{md5_salt}') 52 | """ 53 | ] 54 | for sql in sqlList: 55 | status = self.cursor.execute(sql) 56 | self.conn.commit() 57 | if status: 58 | return self.success('success',self.makeUrl('index')) 59 | else: 60 | return self.success('failed') -------------------------------------------------------------------------------- /0cms_server/templates/default/comments.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 |

3 |

$:tplData['atl']['commentCount'] comments

4 |

7 |
8 | 9 | 10 | 11 | 12 | 13 | $:i['name'] 14 | @ $:i['createTime'] 15 |
$:i['content']
16 |
17 | replay 18 |
19 |
20 |

23 |

24 |

comment

25 | 38 |

39 |

-------------------------------------------------------------------------------- /0cms_server/app.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | import web, settings 4 | 5 | urls = ( 6 | '/uploads/(.*)', 'download', 7 | '([a-z0-9\/]*)', 'dispatcher' 8 | ) 9 | 10 | class dispatcher: 11 | def __init__(self): 12 | pass 13 | def GET(self, path): 14 | return self.__request(path) 15 | 16 | def POST(self, path): 17 | return self.__request(path) 18 | 19 | def __request(self, path=''): 20 | try: 21 | libName = 'action' 22 | controllerName = 'index' 23 | if path.count('/') < 2: 24 | path = settings.DEFAULT_PATH 25 | if path.count('/') == 2: 26 | modelName, controllerName = path.strip()[1:].split('/', 1) 27 | else: 28 | libName, modelName, controllerName = path.strip()[1:].split('/', 2) 29 | if not modelName: 30 | return 'controller missing' 31 | moduleList = __import__(libName + '.' + modelName, {}, {}, [modelName]) 32 | modelObj = getattr(moduleList, modelName)() 33 | if hasattr(modelObj, controllerName): 34 | result = getattr(modelObj, controllerName)() 35 | else: 36 | result = 'no such controller' 37 | return result 38 | except Exception ,e: 39 | from action.base import base as baseAction 40 | baseObj=baseAction() 41 | if e.message == 'db not exists' : 42 | return baseObj.error('To be installed',baseObj.makeUrl('install')) 43 | return baseObj.error(e.message,baseObj.makeUrl('index')) 44 | #raise Exception,e.message 45 | 46 | class download: 47 | def GET(self, filepath): 48 | try: 49 | with open("./uploads/%s" % filepath, "rb") as f: 50 | content = f.read() 51 | return content 52 | except: 53 | return web.notfound("Sorry, the file you were looking for was not found.") 54 | 55 | 56 | if __name__ == "__main__": 57 | app = web.application(urls, globals()) 58 | app.run() -------------------------------------------------------------------------------- /0cms_server/templates/default/header.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | 3 | 4 | 5 | 6 | 7 | $:tplData['webTitle'] 8 | 9 | 10 | 11 | 12 | 15 | 16 | 17 | 18 | 19 | 25 |

26 | 35 | 45 | -------------------------------------------------------------------------------- /0cms_server/static/default/html5.js: -------------------------------------------------------------------------------- 1 | /*! HTML5 Shiv vpre3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed 2 | Uncompressed source: https://github.com/aFarkas/html5shiv */ 3 | (function(a,b){function h(a,b){var c=a.createElement("p"),d=a.getElementsByTagName("head")[0]||a.documentElement;return c.innerHTML="x",d.insertBefore(c.lastChild,d.firstChild)}function i(){var a=l.elements;return typeof a=="string"?a.split(" "):a}function j(a){var b={},c=a.createElement,f=a.createDocumentFragment,g=f();a.createElement=function(a){if(!l.shivMethods)return c(a);var f;return b[a]?f=b[a].cloneNode():e.test(a)?f=(b[a]=c(a)).cloneNode():f=c(a),f.canHaveChildren&&!d.test(a)?g.appendChild(f):f},a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+i().join().replace(/\w+/g,function(a){return c(a),g.createElement(a),'c("'+a+'")'})+");return n}")(l,g)}function k(a){var b;return a.documentShived?a:(l.shivCSS&&!f&&(b=!!h(a,"article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio{display:none}canvas,video{display:inline-block;*display:inline;*zoom:1}[hidden]{display:none}audio[controls]{display:inline-block;*display:inline;*zoom:1}mark{background:#FF0;color:#000}")),g||(b=!j(a)),b&&(a.documentShived=b),a)}var c=a.html5||{},d=/^<|^(?:button|form|map|select|textarea|object|iframe|option|optgroup)$/i,e=/^<|^(?:a|b|button|code|div|fieldset|form|h1|h2|h3|h4|h5|h6|i|iframe|img|input|label|li|link|ol|option|p|param|q|script|select|span|strong|style|table|tbody|td|textarea|tfoot|th|thead|tr|ul)$/i,f,g;(function(){var c=b.createElement("a");c.innerHTML="",f="hidden"in c,f&&typeof injectElementWithStyles=="function"&&injectElementWithStyles("#modernizr{}",function(b){b.hidden=!0,f=(a.getComputedStyle?getComputedStyle(b,null):b.currentStyle).display=="none"}),g=c.childNodes.length==1||function(){try{b.createElement("a")}catch(a){return!0}var c=b.createDocumentFragment();return typeof c.cloneNode=="undefined"||typeof c.createDocumentFragment=="undefined"||typeof c.createElement=="undefined"}()})();var l={elements:c.elements||"abbr article aside audio bdi canvas data datalist details figcaption figure footer header hgroup mark meter nav output progress section summary time video",shivCSS:c.shivCSS!==!1,shivMethods:c.shivMethods!==!1,type:"default",shivDocument:k};a.html5=l,k(b)})(this,document) -------------------------------------------------------------------------------- /0cms_server/static/default/bin.js: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /0cms_server/templates/admin/cmsAdd.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header() 3 |

4 | 5 | 6 | 7 | 8 | 9 | 10 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 53 | 54 | 55 | 56 | 57 | $:tplData['render'].footer() -------------------------------------------------------------------------------- /0cms_server/action/cms.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import web,time 4 | from action.base import base as baseAction 5 | import model 6 | class cms(baseAction): 7 | def __init__(self): 8 | baseAction.__init__(self) 9 | settings = self.getSettings() 10 | self.assignTplDir(settings.ADMIN_TPL_DIR) 11 | def save(self): 12 | userInput= self.getInput() 13 | date = time.strftime("%Y-%m-%d %H:%M:%S",time.localtime()) 14 | data={ 15 | 'content':userInput['content'], 16 | 'name':userInput['name'], 17 | 'createTime':date, 18 | 'status':userInput['status'], 19 | 'orders':userInput['orders'], 20 | 'views':0, 21 | 'commentCount':0 22 | } 23 | status = model.cms().insert(data) 24 | if status: 25 | return self.success('save success, post id '+str(status)+'~', self.makeUrl('cms','list')) 26 | else: 27 | return self.error('save failed') 28 | def modify(self): 29 | userInput= self.getInput() 30 | data={ 31 | 'content':userInput['content'], 32 | 'name':userInput['name'], 33 | 'status':userInput['status'], 34 | 'orders':userInput['orders'], 35 | } 36 | condition = {'id':userInput['id']} 37 | status = model.cms().update(data,condition) 38 | if status: 39 | return self.success('modify success',self.makeUrl('cms','list')) 40 | else: 41 | return self.error('modify failed') 42 | def list(self): 43 | inputParams = self.getInput() 44 | page = int(inputParams['page']) if inputParams.has_key('page') else 1 45 | settings = self.getSettings() 46 | count = settings.PER_PAGE_COUNT 47 | offset= (page-1)*count if page > 0 else 0 48 | cmsObj = model.cms() 49 | condition = {} 50 | listData = cmsObj.getOne('COUNT(*) AS `total`',condition) 51 | totalCount = listData['total'] 52 | cmsList = cmsObj.getList('*',condition,'id desc',str(offset)+','+str(count)) 53 | self.assign('cmsList',cmsList) 54 | pageString = self.getPageStr(self.makeUrl('cms','list'),page,count,totalCount) 55 | self.assign('pageString',pageString) 56 | return self.display('cmsList') 57 | 58 | def add(self): 59 | return self.display('cmsAdd') 60 | def edit(self): 61 | inputParams = self.getInput() 62 | if not inputParams.has_key('id') : 63 | return self.error('not exist') 64 | id=inputParams['id'] 65 | condition={'id':str(id)} 66 | atl=model.cms().getOne('*',condition) 67 | self.assign('atl',atl) 68 | return self.display('cmsEdit') 69 | 70 | def delete(self): 71 | inputParams = self.getInput() 72 | if not inputParams.has_key('id') : 73 | return self.error('not exist') 74 | id=inputParams['id'] 75 | condition={'id':str(id)} 76 | result=model.cms().delete(condition) 77 | if result: 78 | return self.success('delete success',self.makeUrl('cms','list')) 79 | else: 80 | return self.error('delete failed') -------------------------------------------------------------------------------- /0cms_server/static/admin/common.css: -------------------------------------------------------------------------------- 1 | *{margin:0; padding:0;} 2 | small,cite{ text-decoration:none;} 3 | body{font:13px/160% "",Arial,sans-serif; font-size:14px; } 4 | h1 {font-size:140%;} 5 | h2{ font-size:130%; margin-bottom:10px;} 6 | h3 {font-size:120%; border-bottom:1px solid #D2D2D2; padding:5px 0;} 7 | ul,li{ list-style-type:none;} 8 | img { border:none; vertical-align:top;} 9 | strong{font-weight:normal;} 10 | a{ margin:0; padding:0; color:#283347;text-decoration:none;} 11 | a:hover{ color:#BD0800; text-decoration:underline; } 12 | #logo{ background:url(images/logo.gif); } 13 | /*common*/ 14 | blockquote{ margin:15px auto 15px 20px; padding-left:15px; background:#f6f6f6; border-left:1px solid #91b24f} 15 | code, .code { font: 100% "Courier New", Courier, monospace; color: #000000; background: #FAFDE1;margin: 5px 10px;padding: 10px;display:block;border: 1px dashed #818141;} 16 | .alert{ color:#FF0000;} 17 | .clear{ clear:both;} 18 | .corner{ -moz-border-radius: 4px;-khtml-border-radius: 4px;-webkit-border-radius: 4px;border-radius: 4px;} 19 | .floatLeft{ float:left;} 20 | .floatRight{ float:right;} 21 | .disNone{ display:none;} 22 | #bodyDiv{ width:810px;margin:1px auto;border: 1px gray solid;padding: 1px 2px;} 23 | a{text-decoration: none;border-bottom:1px dotted gray;} 24 | #nav{margin:2px auto;} 25 | #nav a{float: left;display: inline; padding:10px 20px;margin: 0px 1px;} 26 | #nav a:hover{color: #fff;background:#000;} 27 | .addtable a,.list a{ border-bottom:1px dotted #999999;} 28 | .addtable a:hover,.list a:hover{ border-bottom:none;} 29 | .addtable{ border:#999999 1px solid;} 30 | .addtable th,.list th{word-break: keep-all;white-space:nowrap;} 31 | .addtable td,.list td{border-bottom:#999999 1px solid; padding:2px 4px;word-break: keep-all;white-space:nowrap;} 32 | .list td{border-left:#999999 1px solid; padding:2px 4px;} 33 | .list{ clear:both;border-right:#999999 1px solid;border-top:#999999 1px solid;float:left; margin:1px 0px;} 34 | .list th{border-left:#999999 1px solid;border-bottom:#999999 1px solid; height:23px; background:url(mainnavbg.gif) 0px -84px;} 35 | .addtable input{ width:400px; border:#333333 1px solid; height:22px; line-height:22px; font-size:14px;} 36 | .addtable .sinput{ width:100px; border:#333333 1px solid; height:22px; line-height:22px; font-size:14px;} 37 | .addtable textarea{ width:400px; border:#333333 1px solid; height:100px; font-size:14px;} 38 | .normaltable{ border:#999999 1px solid;} 39 | .normaltable td,.list td{border-bottom:#999999 1px solid; padding:2px 4px;} 40 | .normaltable input{ width:60%; border:#333333 1px solid; height:22px; line-height:22px; font-size:14px;} 41 | .normaltable .sex input{width:auto;} 42 | .normaltable textarea{width:60%; border:#333333 1px solid; height:100px; font-size:14px;} 43 | .uploadbtn{ padding:2px 8px; margin:4px 12px; font-size:16px; background:#666666; color:#FFFFFF;border:#999999 1px solid;} 44 | .uploadbtn:hover{ color:#FFFFFF; background:#999999; border:#666666 1px solid; text-decoration:none;} 45 | #submits{ width:100px; height:26px; cursor:pointer; font-weight:bold;border-radius:2px;} 46 | #submits{ width:100px; height:26px;cursor:pointer; font-weight:bold;border-radius:2px;} 47 | #submits:hover{ border:#66C5FF 1px solid; color:#0055CC;} 48 | #allowcmt{ width:50px; border:none;} -------------------------------------------------------------------------------- /0cms_server/templates/admin/cmsEdit.htm: -------------------------------------------------------------------------------- 1 | $def with (tplData) 2 | $:tplData['render'].header() 3 | 4 |

Title:
11 \| 12 \| 13 \| 14 \| 36 \|
Order:
Status:	45 \| 52 \|

5 | 6 | 7 | 8 | 9 | 10 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 53 | 54 | 57 | 58 | 59 | $:tplData['render'].footer() -------------------------------------------------------------------------------- /0cms_server/action/index.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | 4 | import web,time 5 | from action.base import base as baseAction 6 | import model 7 | class index(baseAction): 8 | def __init__(self): 9 | baseAction.__init__(self) 10 | settings = self.getSettings() 11 | self.assignTplDir(settings.TEMPLATE_THEME) 12 | def index(self): 13 | settings = self.getSettings() 14 | count = settings.PER_PAGE_COUNT 15 | inputParams = self.getInput() 16 | page = int(inputParams['page']) if inputParams.has_key('page') else 1 17 | offset= (page-1)*count if page > 0 else 0 18 | cmsObj = model.cms() 19 | condition = {'status':1} 20 | listData = cmsObj.getOne('COUNT(*) AS `total`',condition) 21 | totalCount = listData['total'] 22 | cmsList = cmsObj.getList('*',condition,'orders desc,createTime desc',str(offset)+','+str(count)) 23 | self.assign('cmsList',cmsList) 24 | pageString = self.getPageStr(self.makeUrl('index','index'),page,count,totalCount) 25 | self.assign('pageString',pageString) 26 | commentObj=model.comment() 27 | commentList = commentObj.getList('*',{'status':1},'id desc',str(offset)+','+str(count)) 28 | self.assign('commentList',commentList) 29 | return self.display('index') 30 | 31 | 32 | def show(self): 33 | inputParams = self.getInput() 34 | if not inputParams.has_key('id') : 35 | settings = self.getSettings() 36 | web.seeother(settings.WEB_URL) 37 | id = inputParams['id'] 38 | cmsObj = model.cms() 39 | condition = {'status':1,'id':str(id)} 40 | atl = cmsObj.getOne('*',condition) 41 | if atl == None: 42 | raise web.notfound('not found') 43 | atl['views']+=1 44 | updateData = {'views':(atl['views'])} 45 | #view count incr 46 | cmsObj.update(updateData,condition) 47 | commentList=model.comment().getList('*',{'status':1,'cmsId':int(id)}) 48 | self.assign('atl',atl) 49 | self.assign('commentList',commentList) 50 | return self.display('show') 51 | def comment(self): 52 | userInput= self.getInput() 53 | cmsObj = model.cms() 54 | cmsId = userInput['cmsId'] 55 | condition = {'status':1,'id':cmsId} 56 | atl = cmsObj.getOne('*',condition) 57 | if atl == None: 58 | return self.error('not exist') 59 | from web import form 60 | validList=( 61 | form.Textbox("name",form.regexp(r".{3,100}$", 'name length 3-100')), 62 | form.Textbox("content",form.regexp(r".{1,200}$", 'comment length 1-200')), 63 | form.Textbox("email", form.regexp(r".*@.*", 'error email format')), 64 | form.Textbox("email",form.regexp(r".{5,100}$", 'email length 5-100')), 65 | ) 66 | if not self.validates(validList): 67 | return self.error(self.errorMessage) 68 | date = time.strftime("%Y-%m-%d %H:%M:%S",time.localtime()) 69 | ip=web.ctx.ip 70 | data={ 71 | 'cmsId':cmsId, 72 | 'content':userInput['content'], 73 | 'name':userInput['name'], 74 | 'email':userInput['email'], 75 | 'createTime':date, 76 | 'ip':ip, 77 | 'status':1 78 | } 79 | commentid = model.comment().insert(data) 80 | data = {'commentCount':atl['commentCount']+1} 81 | model.cms().update(data,condition) 82 | return self.success('comment success, comment id '+str(commentid)+'~',self.referer) 83 | -------------------------------------------------------------------------------- /0cms_server/model/db/sqlite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | import sqlite3 as db 4 | import os 5 | import settings 6 | 7 | class sqlite: 8 | def __init__(self): 9 | dbFilePath = settings.DB_STRING 10 | if os.path.exists(dbFilePath): 11 | self.conn = db.connect(dbFilePath) 12 | self.cursor = self.conn.cursor() 13 | else: 14 | raise Exception,'db not exists' 15 | 16 | def fetchAll(self, sql,data=[]): 17 | result = None 18 | if self.cursor.execute(sql,data): 19 | result = self.cursor.fetchall() 20 | if len(result) > 0: 21 | return [dict(zip([j[0] for j in self.cursor.description], i)) for i in result] 22 | return result 23 | 24 | def fetchOne(self, sql,data=[]): 25 | result = None 26 | if self.cursor.execute(sql,data): 27 | result = self.cursor.fetchone() 28 | if result != None: 29 | return dict(zip([j[0] for j in self.cursor.description], result)) 30 | return result 31 | def getList(self,tableName,colums,condition,orders='',limits=''): 32 | sql = "SELECT "+colums+" FROM " + tableName + " WHERE 1=1" 33 | if type(condition) == dict: 34 | for i in condition.keys(): 35 | sql = sql + " AND "+i+"=?" 36 | else: 37 | sql = sql + condition 38 | if orders !='': 39 | sql = sql+' order by '+orders 40 | if limits != '': 41 | sql = sql+' limit '+limits 42 | result = self.fetchAll(sql,condition.values()) 43 | result = [] if result == None else result 44 | return result 45 | def getOne(self,tableName,colums,condition,orders='',limits=''): 46 | sql = "SELECT "+colums+" FROM " + tableName + " WHERE 1=1" 47 | if type(condition) == dict: 48 | for i in condition.keys(): 49 | sql = sql + " AND "+i+"=?" 50 | else: 51 | sql = sql + condition 52 | if orders !='': 53 | sql = sql+' order by '+orders 54 | if limits != '': 55 | sql = sql+' limit '+limits 56 | return self.fetchOne(sql,condition.values()) 57 | def insert(self, tableName, data): 58 | sql = "INSERT INTO " + tableName + " ("+','.join(data.keys())+") VALUES ("+("?,"*len(data))[:-1]+")" 59 | status = self.cursor.execute(sql, data.values()) 60 | self.conn.commit() 61 | return self.cursor.lastrowid 62 | def delete(self, tableName, condition): 63 | sql = "DELETE FROM " + tableName + " WHERE 1=1" 64 | if type(condition) == dict: 65 | for i in condition.keys(): 66 | sql = sql + " AND "+i+"=?" 67 | else: 68 | sql = sql + condition 69 | status = self.cursor.execute(sql, condition.values()) 70 | self.conn.commit() 71 | return status 72 | def update(self, tableName, data,condition): 73 | sql = "UPDATE " + tableName + " SET " 74 | #update data 75 | if type(data) == dict: 76 | for i in data.keys(): 77 | sql = sql + " "+i+"=?," 78 | else: 79 | sql = sql + data 80 | #condition 81 | sql = sql[:-1] + " WHERE 1=1 " 82 | if type(condition) == dict: 83 | for i in condition.keys(): 84 | sql = sql + " AND "+i+"=?" 85 | else: 86 | sql = sql + condition 87 | status = self.cursor.execute(sql, data.values()+condition.values()) 88 | self.conn.commit() 89 | return status 90 | def execute(self,sql,data=[]): 91 | status = self.cursor.execute(sql,data=[]) 92 | self.conn.commit() 93 | return status -------------------------------------------------------------------------------- /0cms_server/action/base.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | #!/usr/bin/env python 3 | import web, time,math 4 | import settings 5 | class base: 6 | tplData = {} 7 | globalsTplFuncs = {} 8 | tplDir = '' 9 | referer = '' 10 | settings = {} 11 | errorMessage = '' 12 | cookie = {} 13 | def __init__(self): 14 | self.settings = settings 15 | self.tplData = { 16 | 'webTitle' : self.settings.WEB_TITLE, 17 | 'webUrl' : self.settings.WEB_URL, 18 | 'webDescription' : self.settings.WEB_DESCRIPTION, 19 | 'statusList':self.settings.STATUS_LIST 20 | } 21 | self.globalsTplFuncs = {} 22 | self.tplDir = '' 23 | self.initCommonTplFunc() 24 | self.referer= web.ctx.env.get('HTTP_REFERER', self.settings.WEB_URL) 25 | self.loadCookie() 26 | 27 | def initCommonTplFunc(self): 28 | subStr=lambda strings,offset,length : self.subText(strings,offset,length) 29 | makeUrl= lambda action,method='index',params={} : self.makeUrl(action,method,params) 30 | self.assignTplFunc({'subStr':subStr,'makeUrl':makeUrl}) 31 | 32 | def subText(self,strings,offset,length): 33 | return self.strip_tags(strings)[offset:length] 34 | 35 | def strip_tags(self,html): 36 | from HTMLParser import HTMLParser 37 | html=html.strip() 38 | html=html.strip("\n") 39 | result=[] 40 | parse=HTMLParser() 41 | parse.handle_data=result.append 42 | parse.feed(html) 43 | parse.close() 44 | return "".join(result) 45 | 46 | def assign(self,key,value=''): 47 | if type(key) == dict: 48 | self.tplData = dict(self.tplData,**key) 49 | else: 50 | self.tplData[key] = value 51 | 52 | def display(self,tplName): 53 | if self.tplDir == '': 54 | self.assignTplDir(settings.TEMPLATE_THEME) 55 | self.tplData['render'] = web.template.render(self.tplDir,globals=self.globalsTplFuncs) 56 | return getattr(self.tplData['render'], tplName)(self.tplData) 57 | 58 | def assignTplDir(self,tplDir): 59 | self.tplDir = settings.TPL_DIR+'/'+tplDir+'/' 60 | 61 | def assignTplFunc(self,funcs): 62 | self.globalsTplFuncs = dict(self.globalsTplFuncs,**funcs) 63 | 64 | def success(self,msg,url,timeout=5): 65 | tplData = {'msg': msg, 'url': url,'timeout':timeout} 66 | self.assign('jump',tplData) 67 | return self.display('success') 68 | 69 | def error(self,msg,url=None,timeout=5): 70 | if url ==None: 71 | url= web.ctx.env.get('HTTP_REFERER', self.settings.WEB_URL) 72 | tplData={'msg':msg,'url':url,'timeout':timeout} 73 | self.assign('jump',tplData) 74 | return self.display('error') 75 | 76 | def makeUrl(self,action,method='index',params={}): 77 | import urllib 78 | paramsStr = '?'+urllib.urlencode(params) if len(params)>0 else '' 79 | return self.settings.WEB_URL+action+'/'+method+paramsStr 80 | 81 | def loadCookie(self): 82 | if web.cookies().get('auth'): 83 | self.cookie = web.session.Store().decode(web.cookies().get('auth')) 84 | 85 | def setCookie(self): 86 | web.setcookie('auth', web.session.Store().encode(self.cookie), expires=86400, domain=None, secure=False) 87 | 88 | def isLogin(self): 89 | return 'login' in self.cookie and self.cookie['login'] == True 90 | 91 | def setLogin(self,userData=None): 92 | if userData == None: 93 | self.cookie['login'] = False 94 | else: 95 | self.cookie['login'] = True 96 | self.cookie['username'] = userData['username'] 97 | self.setCookie() 98 | 99 | def getInput(self): 100 | return web.input() 101 | 102 | def getPageStr(self,url,currentPage,perPageCount,totalCount=10000): 103 | totalPage = int(math.ceil(totalCount/perPageCount)) 104 | if '?' in url: 105 | url=url+'&page=' 106 | else: 107 | url=url+'?page=' 108 | pageString= '' 109 | 110 | if currentPage > 1: 111 | pageString += ''' 112 | « previous page 113 | ''' 114 | if totalPage>currentPage: 115 | pageString = pageString+''' 116 | next page » 117 | ''' 118 | return pageString 119 | 120 | def getSettings(self): 121 | return self.settings 122 | 123 | def validates(self,validList): 124 | userInput=self.getInput() 125 | for i in validList: 126 | if not i.validate(userInput[i.name]): 127 | self.errorMessage=i.note 128 | return False 129 | return True 130 | -------------------------------------------------------------------------------- /0cms_checker/0cms_normal_check.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import random 4 | import re 5 | import string 6 | import rsa 7 | 8 | service = '0cms' 9 | timeout = 10 # define timeout here 10 | author = 'md5_salt' # author 11 | 12 | def genRandomUserAgent(): 13 | user_agent_list = [\ 14 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1",\ 15 | "Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",\ 16 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6",\ 17 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6",\ 18 | "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1",\ 19 | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",\ 20 | "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5",\ 21 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 22 | "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 23 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 24 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",\ 25 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",\ 26 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 27 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 28 | "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 29 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.0 Safari/536.3",\ 30 | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24",\ 31 | "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24" 32 | ] 33 | return random.choice(user_agent_list) 34 | 35 | def genRandomWord(): 36 | word_list = ["join the student union select the department where you like to stay in", 37 | "this script will alert 1 onload", 38 | "haha you are (rm -rf /)ed", 39 | "important notice, system eval user data is not allowed"] 40 | return random.choice(word_list) 41 | def genRandomLetters(length): 42 | return ''.join([random.choice(string.letters) for i in xrange(length)]) 43 | 44 | def exploit(host, port): 45 | url = 'http://'+host+':8080' 46 | headers = {'User-Agent':genRandomUserAgent()} 47 | 48 | r = requests.get(url, headers=headers).text 49 | 50 | if not 'md5_salt' in r: 51 | return 'access index error' 52 | 53 | pattern = '

.)\">' 54 | search = re.compile(pattern).search(r) 55 | 56 | if not search: 57 | with open('private.pem') as privatefile: 58 | p = privatefile.read() 59 | privkey = rsa.PrivateKey.load_pkcs1(p) 60 | #add a post 61 | crypto = requests.get('http://'+host+':8080/flag/crypto', headers=headers).text 62 | data = rsa.decrypt(crypto.decode('base64'), privkey) 63 | 64 | if len(data.split('|')) != 2: 65 | return 'get admin/pass error' 66 | (username, password) = tuple(data.split('|',2)) 67 | 68 | #check login 69 | s = requests.Session() 70 | payload={'username':username, 'password':password} 71 | url = 'http://'+host+':8080/admin/check' 72 | if not 'success' in s.post(url, payload, headers=headers).text: 73 | return 'login check error' 74 | 75 | #check add post 76 | post_name = genRandomLetters(10) 77 | post_content = genRandomWord()+', only for test' 78 | orders = 0 79 | status = 1 80 | payload = {'name':post_name, 'content':post_content, 'orders':orders, 'status':status} 81 | url = 'http://'+host+':8080/cms/save' 82 | r = s.post(url, payload, headers=headers).text 83 | pattern = "post id (?P[0-9]+)~" 84 | search = re.compile(pattern).search(r) 85 | if not search: 86 | return 'get post id error' 87 | 88 | postid = search.group('id') 89 | if not 'success' in r: 90 | return 'post success error' 91 | else: 92 | postid = search.group('id') 93 | 94 | #check comment 95 | #name=sa&email=as%40dsc.com&content=asdsad&cmsId=6 96 | comment_name = genRandomLetters(10) 97 | comment_content = genRandomWord() 98 | email = genRandomLetters(5)+'@'+genRandomLetters(3)+'.com' 99 | payload = {'cmsId':postid,'name':comment_name, 'content':comment_content, 'email':email} 100 | url = 'http://'+host+':8080/index/comment' 101 | r = requests.post(url, payload, headers=headers).text 102 | pattern = "comment id (?P[0-9]+)~" 103 | search = re.compile(pattern).search(r) 104 | if not search: 105 | return 'get comment id error' 106 | commentid = search.group('id') 107 | if not 'success' in r: 108 | return 'comment error' 109 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 110 | if not comment_name in r: 111 | return 'check comment error' 112 | 113 | return 'OK' 114 | 115 | if name == 'main': 116 | print exploit('127.0.0.1', 8080) 117 | -------------------------------------------------------------------------------- /0cms_server/static/default/style.css: -------------------------------------------------------------------------------- 1 | body,h1,h2,h3,p,blockquote,dl,dt,dd,ul,ol,li,button,input,textarea {margin: 0; padding: 0;} 2 | header,footer,article,section,nav,menu,hgroup {display:block;} 3 | body {font-family:"Hiragino Sans GB","Microsoft Yahei",Tahoma, Helvetica, Arial, "SimSun", sans-serif; line-height:1.6; background:#1a1a1a url(bg.png) repeat;} 4 | h1,h2,h3 {font-weight:400;} 5 | h1,h2 {font-size:24px;} 6 | h3 {font-size:14px;} 7 | img {border:none;} 8 | a img:hover {background:none; border:none;} 9 | a {color:#07b; text-decoration:none;} 10 | a:hover {text-decoration:underline;} 11 | ol,ul {list-style:none;} 12 | p {margin-bottom:20px;} 13 | input,textarea,button {outline:none;} 14 | input[type^="text"],input[type^="password"],textarea {box-shadow:inset 2px 3px 5px #eee; border:1px solid #bbb; background:#fafafa;} 15 | input:focus,textarea:focus {background:#fff; border-color:#999;} 16 | input {vertical-align:middle;} 17 | input[type^="radio"] {border:none; background:none; width:auto;} 18 | ::selection {color:#fff; background:#444; text-shadow:none;} 19 | code {background:rgb(255,255,255); border-left:3px dashed rgb(230,230,230); padding:10px 10px 10px 13px; font:12px/1.5 "Hiragino Sans GB",Tahoma,Helvetica,Arial; display:block;} 20 | #wrap,#footer_box {background:#fcfbf7 url(mainbg.jpg) repeat; border-radius:8px; box-shadow:0 0 10px rgba(0,0,0,1),0 4px 0 rgba(255,255,255,.8),0 5px 0 rgba(100,100,100,.4),0 8px 0 rgba(255,255,255,0.4),inset 0 0 1px rgba(255,255,255,1); width:800px; margin:30px auto; padding:40px 50px;} 21 | #content {overflow:hidden; color:#555; text-shadow:1px 1px #fff; margin-top:30px; clear:both;} 22 | #header {text-align:center; color:rgb(162, 166, 170);} 23 | #logo {margin:20px auto 10px;} 24 | #logo a {color:#ddd;} 25 | #header h2 {font-size:14px;} 26 | #toolbar {height:24px; font-size:12px;} 27 | #searchform {background:#fafafa; border:1px solid #ccc; border-radius:15px; box-shadow:inset 1px 1px 5px rgba(100,100,100,.3); padding:3px 5px; height:16px; float:right;} 28 | #searchform label {display:none;} 29 | #searchform input {border:none; background:none; box-shadow:none; width:150px; height:16px; line-height:16px; vertical-align:top;} 30 | #searchform button {background:url(search.png) no-repeat; width:16px; height:16px; text-indent:-999px; vertical-align:top; border:none; cursor:pointer; margin-left:-5px; font-size:0;} 31 | #searchform button:hover {background:url(search_hover.png) no-repeat;} 32 | #rss {float:right; margin-left:8px; margin-top:4px;} 33 | #rss a {background:url(rss.png) no-repeat; width:16px; height:16px; overflow:hidden;display:block; text-indent:-999px;} 34 | #menu {float:left; font-size:14px; line-height:30px; height:22px; overflow:hidden;} 35 | #menu li {float:left; margin-right:10px;} 36 | #menu a {display:block; text-decoration:none; color:#999;} 37 | #menu a:hover {color:#5f767f;} 38 | #menu .current-menu-item a,#menu .current-menu-parent a {color:#444; font-size:20px; line-height:22px;} 39 | #menu li ul {display:none;} 40 | #post_list section {border-bottom:1px dashed #bbb; margin-bottom:20px;} 41 | .meta {font-size:12px; margin-bottom:20px; color:#999; display:block;} 42 | #post_content {padding-top:10px;} 43 | .post,.page {font-size:16px;letter-spacing:1px;} 44 | .page h1 {margin-bottom:20px;} 45 | .post {margin-bottom:20px; border-bottom:1px dashed #bbb;} 46 | .post h2 {font-size:18px; margin-bottom:15px;} 47 | .post ul,.post ol {list-style-position:inside; margin-left:20px; margin-bottom:15px;} 48 | .post ul {list-style-type:disc;} 49 | .post ol {list-style-type:decimal;} 50 | .post li {font-size:14px; margin-bottom:5px;} 51 | .post img {max-width:100%;} 52 | .post input {height:22px; line-height:22px;} 53 | .post del {color:#999;} 54 | blockquote {border:1px dashed #ccc; border-radius:5px; background:#fafafa; padding:10px; margin:10px 0; font-size:14px;} 55 | blockquote p {margin-bottom:10px;} 56 | blockquote p:last-child {margin-bottom:0;} 57 | .wp-caption {border-radius:3px; border:1px solid #ccc; background:#f9f9f9; box-shadow:1px 1px 2px #d3d3d3; margin-bottom:10px; text-align:center; padding:4px 0;} 58 | .post .wp-caption img {max-width:630px;} 59 | .wp-caption-text,.gallery-caption {text-align:center; font-size:12px; margin-bottom:0;} 60 | .navigation {height:20px; line-height:20px; font-size:12px;} 61 | .navigation a {color:#666;} 62 | #nopage {text-align:center; padding:180px 0 100px; background:url(404.png) no-repeat center 70px;} 63 | #comments {margin-top:30px; font-size:14px;} 64 | #comments h3 {border-bottom:1px solid #ddd; padding-bottom:5px;} 65 | #comments .navigation {margin-top:10px;} 66 | .comment-form-comment label {display:none;} 67 | .comment_list {border-top:1px solid #fff; margin-bottom:20px;} 68 | .comment-author {float:left; line-height:24px; height:24px; font-size:12px; margin-bottom:10px;} 69 | .comment-meta {float:right; font-size:12px;} 70 | .comment-meta a {color:#999;} 71 | .says {display:none;} 72 | #respond {margin-top:10px;} 73 | #respond textarea {width:97%; padding:1%;} 74 | .comment_list li #respond {margin-left:30px;} 75 | #commentform {border-top:1px solid #f9f9f9; padding-top:10px;} 76 | #commentform input {width:230px; padding:5px; display:block;} 77 | #comments input,#comments textarea,#comments button {border-radius:3px;} 78 | #submit {padding:5px 10px; cursor:pointer; font-size:14px; border:1px solid #333; box-shadow:1px 1px 3px #d3d3d3; background:#444; background:-moz-linear-gradient(top, #444, #333); background: -webkit-gradient(linear, 0 0, 0 100%, from(#444), to(#333)); color:#fff; text-shadow:1px 1px #111;} 79 | #submit:hover {color:#555; text-shadow:1px 1px #fff; border:1px solid #ccc; background:#f1f1f1; background:-moz-linear-gradient(top, #fff, #f1f1f1); background: -webkit-gradient(linear, 0 0, 0 100%, from(#f3f3f3), to(#eee));} 80 | .reply {padding-bottom:10px; font-size:12px;} 81 | .comment_list li {border-bottom:1px dashed #ccc; padding:10px 5px 0;} 82 | .comment_list li li {border-bottom:none; border-top:1px dashed #ccc; padding-top:10px;} 83 | .comment_list li p {clear:both; margin-bottom:5px;} 84 | .children li {padding-left:20px;} 85 | .bypostauthor {background:#fff6ed;} 86 | .thread-odd {background:#eee;} 87 | .comment-form-author,.comment-form-email,.comment-form-url {float:left; width:265px;} 88 | .comment-notes {font-size:12px;} 89 | .form-allowed-tags {display:none;} 90 | #footer_box {font-size:12px;} 91 | #linkcat a {margin-right:10px; color:#666;} 92 | #sponsor {margin-bottom:10px; padding-bottom:10px; border-bottom:1px dashed #ccc;} 93 | #footer {margin-bottom:30px; text-align:center; font-size:12px; color:#5d6673; text-shadow:-1px -1px #000;} 94 | #footer a {color:#5d6673;} 95 | .aligncenter {display:block; margin-left:auto; margin-right:auto;} 96 | .alignleft {float:left;} 97 | .alignright {float:right;} 98 | .post .alignleft,.post .alignleft {margin-right:10px; display:inline;} 99 | .adbanner {text-align:center;} 100 | #antiarea{display:block;} 101 | #antirbt{width:60px !important;display:inline !important;text-align:center;} 102 | #digit{ text-align:center; height:55; line-height:55px;} 103 | #digit span{ font-size:30px; font-weight:bold; padding:0px 5px;} 104 | #digit a{ padding:10px 10px;background:#FFFFCC; border:solid 2px #CCCCCC;border-radius: 5px;} 105 | #digit a:hover{background:#FFFFEC; text-decoration:none;} 106 | .alertBox{width: 600px; word-wrap: break-word; margin: 20px auto; border: #FD8A08 4px solid; text-align: center; padding: 20px 4px;background:#F3F1EB;border-radius: 0.5em;} -------------------------------------------------------------------------------- /0cms_checker/0cms_full_check.py: -------------------------------------------------------------------------------- 1 | # -- coding: utf-8 -- 2 | import requests 3 | import rsa 4 | import random 5 | import string 6 | import re 7 | import os 8 | import secretagent#you need change this 9 | import time 10 | import sys 11 | reload(sys) 12 | sys.setdefaultencoding('utf-8') 13 | 14 | 15 | service = '0cms' 16 | timeout = 10 # define timeout here 17 | author = 'md5_salt' # author 18 | 19 | 20 | def genRandomChars(length): 21 | return ''.join([random.choice(string.punctuation+string.letters) for i in xrange(length)]) 22 | def genRandomLetters(length): 23 | return ''.join([random.choice(string.letters) for i in xrange(length)]) 24 | def genRandomUserAgent(): 25 | user_agent_list = [\ 26 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1",\ 27 | "Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",\ 28 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6",\ 29 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6",\ 30 | "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1",\ 31 | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",\ 32 | "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5",\ 33 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 34 | "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 35 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",\ 36 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",\ 37 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",\ 38 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 39 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 40 | "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",\ 41 | "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.0 Safari/536.3",\ 42 | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24",\ 43 | "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24" 44 | ] 45 | return random.choice(user_agent_list) 46 | def getTeamID(host): 47 | return int(host[8:10]) 48 | 49 | 50 | def exploit(host, port): 51 | """ 52 | if the service is OK then return 'OK', other message means DOWN. 53 | """ 54 | ############ 55 | # init part 56 | ############ 57 | #not check for first 2 min 58 | if (int(time.time()) % 600) < 120: 59 | return 'OK' 60 | 61 | global service 62 | 63 | flag = secretagent.flag(service, getTeamID(host))#you need change this 64 | 65 | with open('private.pem') as privatefile: 66 | p = privatefile.read() 67 | privkey = rsa.PrivateKey.load_pkcs1(p) 68 | 69 | headers = {'User-Agent':genRandomUserAgent()} 70 | ################ 71 | # begin check 72 | ################ 73 | #get admin 74 | crypto = requests.get('http://'+host+':8080/flag/crypto', headers=headers).text 75 | data = rsa.decrypt(crypto.decode('base64'), privkey) 76 | 77 | if len(data.split('|')) != 2: 78 | return 'get admin/pass error' 79 | (username, password) = tuple(data.split('|',2)) 80 | 81 | #check flag 82 | #flag = 'md5_salt' 83 | result = requests.get('http://'+host+':8080/flag/check?flag='+flag, headers=headers).text 84 | if result != '1': 85 | return 'check flag error' 86 | 87 | #check login 88 | s = requests.Session() 89 | payload={'username':username, 'password':password} 90 | url = 'http://'+host+':8080/admin/check' 91 | if not 'success' in s.post(url, payload, headers=headers).text: 92 | return 'login check error' 93 | 94 | if flag != s.get('http://'+host+':8080/flag/index', headers=headers).text: 95 | return 'get flag using admin error' 96 | 97 | #check upload 98 | ext = ['py', 'sh', 'php', 'txt'] 99 | filename = genRandomLetters(10)+'.'+random.choice(ext) 100 | filecontent = genRandomChars(100) 101 | f = open(filename, 'wb') 102 | f.write(filecontent) 103 | f.close() 104 | files = {'uploadFile': open(filename, 'rb')} 105 | url = 'http://'+host+':8080/upload/upload' 106 | r = s.post(url, files=files, headers=headers).text 107 | if not 'uploads' in r: 108 | return 'upload file error' 109 | os.remove(filename) 110 | 111 | #get file url 112 | pattern = 'onclick=\"this.select;\" value=\"(?P.)\" />
' 113 | search = re.compile(pattern).search(r) 114 | if not search: 115 | return 'get file url error' 116 | 117 | file_url = search.group('url') 118 | #no admin privilege 119 | #url = 'http://'+host+':8080/uploads/'+filename 120 | url = file_url 121 | r = requests.get(url, headers=headers).text 122 | if r != filecontent: 123 | return 'access uploaded file error' 124 | 125 | #check add post 126 | post_name = genRandomLetters(10) 127 | post_content = genRandomChars(100) 128 | orders = 0 129 | status = 1 130 | payload = {'name':post_name, 'content':post_content, 'orders':orders, 'status':status} 131 | url = 'http://'+host+':8080/cms/save' 132 | r = s.post(url, payload, headers=headers).text 133 | pattern = "post id (?P[0-9]+)~" 134 | search = re.compile(pattern).search(r) 135 | if not search: 136 | return 'get post id error' 137 | 138 | postid = search.group('id') 139 | if not 'success' in r: 140 | return 'post success error' 141 | 142 | #check post 143 | r = requests.get('http://'+host+':8080', headers=headers).text 144 | if not post_name in r: 145 | return 'find post name in index error' 146 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 147 | if not post_name in r: 148 | return 'get post using id error' 149 | 150 | #check modify 151 | post_name = genRandomLetters(10) 152 | post_content = genRandomChars(100) 153 | orders = 0 154 | status = 1 155 | payload = {'id':postid,'name':post_name, 'content':post_content, 'orders':orders, 'status':status} 156 | url = 'http://'+host+':8080/cms/modify' 157 | r = s.post(url, payload, headers=headers).text 158 | if not 'success' in r: 159 | return 'modify error' 160 | #check modify 161 | r = requests.get('http://'+host+':8080', headers=headers).text 162 | if not post_name in r: 163 | return 'check modify error' 164 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 165 | if not post_name in r: 166 | return 'check modify by id error' 167 | #check comment 168 | #name=sa&email=as%40dsc.com&content=asdsad&cmsId=6 169 | comment_name = genRandomLetters(10) 170 | comment_content = genRandomChars(100) 171 | email = genRandomLetters(5)+'@'+genRandomLetters(3)+'.com' 172 | payload = {'cmsId':postid,'name':comment_name, 'content':comment_content, 'email':email} 173 | url = 'http://'+host+':8080/index/comment' 174 | r = requests.post(url, payload, headers=headers).text 175 | pattern = "comment id (?P[0-9]+)~" 176 | search = re.compile(pattern).search(r) 177 | if not search: 178 | return 'get comment id error' 179 | commentid = search.group('id') 180 | if not 'success' in r: 181 | return 'comment error' 182 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 183 | if not comment_name in r: 184 | return 'check comment error' 185 | #delete comment 186 | r = s.get('http://'+host+':8080/comment/delete?id='+commentid, headers=headers).text 187 | if not 'success' in r: 188 | return 'delete comment error' 189 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 190 | if comment_name in r: 191 | return 'check comment error' 192 | #delete post 193 | r = s.get('http://'+host+':8080/cms/delete?id='+postid, headers=headers).text 194 | if not 'success' in r: 195 | return 'delete post error' 196 | r = requests.get('http://'+host+':8080/index/show?id='+postid, headers=headers).text 197 | if post_name in r: 198 | return 'check delete post error' 199 | 200 | return 'OK' 201 | 202 | if name == 'main': 203 | print exploit('127.0.0.1', 8080) 204 | -------------------------------------------------------------------------------- /0cms_server/static/admin/editor/tinyeditor.js: -------------------------------------------------------------------------------- 1 | TINY={}; 2 | 3 | function T$(i){return document.getElementById(i)} 4 | function T$$$(){return document.all?1:0} 5 | var uploadexc=""; 6 | var colorswitch=""; 7 | var editorobj; 8 | var bodyevent; 9 | TINY.editor=function(){ 10 | var c=[], offset=-30; 11 | c['cut']=[1,'剪切','a','cut',1]; 12 | c['copy']=[2,'复制','a','copy',1]; 13 | c['paste']=[3,'粘贴','a','paste',1]; 14 | c['bold']=[4,'粗体','a','bold']; 15 | c['italic']=[5,'斜体','a','italic']; 16 | c['underline']=[6,'下划线','a','underline']; 17 | c['strikethrough']=[7,'删除线','a','strikethrough']; 18 | c['subscript']=[8,'下标','a','subscript']; 19 | c['superscript']=[9,'上标','a','superscript']; 20 | c['orderedlist']=[10,'数字列表','a','insertorderedlist']; 21 | c['unorderedlist']=[11,'符号列表','a','insertunorderedlist']; 22 | c['outdent']=[12,'减少缩进','a','outdent']; 23 | c['indent']=[13,'增加缩进','a','indent']; 24 | c['leftalign']=[14,'左对齐','a','justifyleft']; 25 | c['centeralign']=[15,'居中','a','justifycenter']; 26 | c['rightalign']=[16,'右对齐','a','justifyright']; 27 | c['blockjustify']=[17,'两端对齐','a','justifyfull']; 28 | c['undo']=[18,'撤销','a','undo']; 29 | c['redo']=[19,'重做','a','redo']; 30 | c['image']=[20,'插入图片','i','insertimage','输入图片地址:','http://']; 31 | 32 | c['hr']=[21,'插入分隔线','a','inserthorizontalrule']; 33 | c['link']=[22,'插入超链接','i','createlink','输入地址:','http://']; 34 | c['unlink']=[23,'移除链接','a','unlink']; 35 | c['unformat']=[24,'移除格式','a','removeformat']; 36 | c['print']=[25,'打印','a','print']; 37 | c['swf']=[26,'插入Flash','i','insertswf','输入Flash地址:','http://']; 38 | c['media']=[27,'插入视频','i','insertmedia','输入视频地址L:','http://']; 39 | c['upload']=[28,'上传文件','a','uploadfile']; 40 | c['forecolor']=[29,'文字颜色','a','forecolor']; 41 | c['backcolor']=[30,'文字背景','a','backcolor']; 42 | function edit(n,obj){ 43 | this.n=n; window[n]=this; this.t=T$(obj.id); this.obj=obj; this.xhtml=obj.xhtml; 44 | var p=document.createElement('div'), w=document.createElement('div'), h=document.createElement('div'), 45 | l=obj.controls.length, i=0; 46 | this.i=document.createElement('iframe'); this.i.frameBorder=0; 47 | //添加iframe的id 48 | this.i.id=obj.iframeid||'editoriframe'; 49 | subbtn=obj.subbutton||'subit'; 50 | //添加结束 51 | this.i.width=obj.width||'500'; this.i.height=obj.height||'250'; this.ie=T$$$(); 52 | h.className=obj.rowclass||'teheader'; p.className=obj.cssclass||'te'; p.style.width=this.i.width+'px'; p.appendChild(h); 53 | for(i;i'],['Header 1','
'],['Header 2','
'],['Header 3','
'],['Header 4','
'],['Header 5','
'],['Header 6','
']], 79 | sl=styles.length, x=0; 80 | sel.className='testyle'; sel.onchange=new Function(this.n+'.ddaction(this,"formatblock")'); 81 | for(x;x'} 121 | if(obj.css){m+=''} 122 | m+=''+(obj.content||this.t.value); 123 | m+=''; 124 | this.e.write(m); 125 | this.e.close(); this.e.designMode='on'; this.d=1; 126 | if(this.xhtml){ 127 | try{this.e.execCommand("styleWithCSS",0,0)} 128 | catch(e){try{this.e.execCommand("useCSS",0,1)}catch(e){}} 129 | } 130 | }; 131 | edit.prototype.print=function(){ 132 | this.i.contentWindow.print() 133 | }, 134 | edit.prototype.hover=function(div,pos,dir){ 135 | div.style.backgroundPosition=(dir?'34px ':'0px ')+(pos)+'px' 136 | }, 137 | edit.prototype.ddaction=function(dd,a){ 138 | var i=dd.selectedIndex, v=dd.options[i].value; 139 | //选择完毕，恢复 140 | dd.options[0].selected = true; 141 | this.action(a,v); 142 | }, 143 | edit.prototype.action=function(cmd,val,ie){ 144 | if(ie&&!this.ie){ 145 | alert('您的浏览器不支持此项操作') 146 | }else{ 147 | switch(cmd){ 148 | case 'uploadfile': 149 | if(!window.open(uploadexc,'newwindow', 'height=200, width=350,toolbar=no, menubar=no, scrollbars=no,resizable=no,status=no,left=400,top=200')){ 150 | alert('请禁用浏览器弹出窗口拦截或者同时按住键盘Ctrl和Alt按键，再点击上传按钮');}; 151 | break; 152 | case 'forecolor': 153 | //alert(window.event); 154 | coloropen(this.e,cmd); 155 | break; 156 | case 'backcolor': 157 | coloropen(this.e,cmd); 158 | break; 159 | default: 160 | this.e.execCommand(cmd,0,val||null); 161 | break; 162 | } 163 | 164 | } 165 | }, 166 | edit.prototype.insert=function(pro,msg,cmd){ 167 | var val=prompt(pro,msg); 168 | if(val!=null&&val!=''){ 169 | switch(cmd) 170 | { 171 | case 'insertswf': 172 | var swfdata=''; 173 | if(!-[1,]){ 174 | ooo= this.e.selection.createRange(); 175 | ooo.pasteHTML(swfdata); 176 | }else{ 177 | this.e.execCommand("insertHTML",false,swfdata); 178 | } 179 | break 180 | case'insertmedia': 181 | var swfdata=''; 182 | if(!-[1,]){ 183 | ooo= this.e.selection.createRange(); 184 | ooo.pasteHTML(swfdata); 185 | }else{ 186 | this.e.execCommand("insertHTML",false,swfdata); 187 | } 188 | break; 189 | default: 190 | this.e.execCommand(cmd,0,val) 191 | } 192 | } 193 | }, 194 | edit.prototype.setfont=function(){ 195 | execCommand('formatblock',0,hType) 196 | }, 197 | edit.prototype.resize=function(e){ 198 | if(this.mv){this.freeze()} 199 | this.i.bcs=TINY.cursor.top(e); 200 | this.mv=new Function('event',this.n+'.move(event)'); 201 | this.sr=new Function(this.n+'.freeze()'); 202 | if(this.ie){ 203 | document.attachEvent('onmousemove',this.mv); document.attachEvent('onmouseup',this.sr) 204 | }else{ 205 | document.addEventListener('mousemove',this.mv,1); document.addEventListener('mouseup',this.sr,1) 206 | } 207 | }, 208 | edit.prototype.move=function(e){ 209 | var pos=TINY.cursor.top(e); 210 | this.i.height=parseInt(this.i.height)+pos-this.i.bcs; 211 | this.i.bcs=pos 212 | }, 213 | edit.prototype.freeze=function(){ 214 | if(this.ie){ 215 | document.detachEvent('onmousemove',this.mv); document.detachEvent('onmouseup',this.sr) 216 | }else{ 217 | document.removeEventListener('mousemove',this.mv,1); document.removeEventListener('mouseup',this.sr,1) 218 | } 219 | }, 220 | edit.prototype.toggle=function(post,div){ 221 | if(!this.d){ 222 | var v=this.t.value; 223 | if(div){div.innerHTML=this.obj.toggletext||'代码'} 224 | if(this.xhtml&&!this.ie){ 225 | v=v.replace(/(.)<\/strong>/gi,'$1'); 226 | v=v.replace(/(.)<\/em>/gi,'$1') 227 | } 228 | this.e.body.innerHTML=v; 229 | this.t.style.display='none'; this.i.style.display='block'; this.d=1 230 | }else{ 231 | var v=this.e.body.innerHTML; 232 | if(this.xhtml){ 233 | v=v.replace(/(.)<\/span>/gi,'$1'); 234 | v=v.replace(/ class="apple-style-span"/gi,''); 235 | v=v.replace(//gi,''); 236 | v=v.replace(/
/gi,'
'); 237 | v=v.replace(/
$/gi,''); 238 | v=v.replace(/^
/gi,''); 239 | v=v.replace(/(]+[^\/])>/gi,'$1 />'); 240 | v=v.replace(/]>(.?)<\/b[^>]>/gi,'$1'); 241 | v=v.replace(/]>(.?)<\/i[^>]>/gi,'$1'); 242 | v=v.replace(/]>(.?)<\/u[^>]>/gi,'$1'); 243 | v=v.replace(/<(b|strong|em|i|u) style="font-weight: normal;?">(.)<\/(b|strong|em|i|u)>/gi,'$2'); 244 | v=v.replace(/<(b|strong|em|i|u) style="(.)">(.)<\/(b|strong|em|i|u)>/gi,'<$4>$3'); 245 | v=v.replace(/(.)<\/span>/gi,'$1'); 246 | v=v.replace(/(.)<\/span>/gi,'$1'); 247 | v=v.replace(/(.)<\/span>/gi,'$1'); 248 | v=v.replace(/(.)<\/span>|]>(.?)<\/b[^>]>/gi,'$1') 249 | } 250 | if(div){div.innerHTML=this.obj.toggletext||'设计'} 251 | this.t.value=v; 252 | if(!post){ 253 | this.t.style.height=this.i.height+'px'; 254 | this.i.style.display='none'; this.t.style.display='block'; this.d=0 255 | } 256 | } 257 | }, 258 | edit.prototype.post=function(){ 259 | if(this.d){this.toggle(1)} 260 | }; 261 | return{edit:edit} 262 | }(); 263 | //颜色选择器开始 264 | document.write('
'); 265 | var ColorHex=new Array('00','33','66','99','CC','FF'); 266 | var SpColorHex=new Array('FF0000','00FF00','0000FF','FFFF00','00FFFF','FF00FF'); 267 | var current=null; 268 | function initcolor(evt) 269 | { 270 | var colorTable=''; 271 | for (i=0;i<2;i++) 272 | { 273 | for (j=0;j<6;j++) 274 | { 275 | colorTable=colorTable+'

'; 276 | if (i==0){ 277 | colorTable=colorTable+'

Title:

11 | 12 | 13 | 14 | 36 |

Order:

Status:

45 | 52 |

55 | 56 |

';} 278 | else{ 279 | colorTable=colorTable+'

';} 280 | for (k=0;k<3;k++){ 281 | for (l=0;l<6;l++){ 282 | colorTable=colorTable+'

'; 283 | } 284 | } 285 | } 286 | } 287 | colorTable='

点击此处关闭[X]

'+colorTable+'

'; 288 | T$("colorpane").innerHTML=colorTable; 289 | } 290 | function changecolor(obj){ 291 | if(colorswitch=='backcolor'&&navigator.userAgent.indexOf("Firefox")!=-1){ 292 | editorobj.execCommand('hilitecolor',0,obj); 293 | return false; 294 | } 295 | T$('colorshow').innerHTML='点击关闭[X]'; 296 | editorobj.execCommand(colorswitch,0,obj); 297 | } 298 | function colorclose(){ 299 | T$("colorpane").style.display = "none"; 300 | } 301 | function coloropen(obj,swit){ 302 | editorobj=obj; 303 | colorswitch=swit; 304 | T$("colorpane").style.left=bodyevent.clientX+"px"; 305 | T$("colorpane").style.top=bodyevent.clientY+"px"; 306 | T$("colorpane").style.display = "block"; 307 | } 308 | //颜色选择器结束 309 | TINY.cursor=function(){ 310 | //js加载后先执行这个 311 | initcolor(); 312 | window.document.onmousemove=function colorpanemove(evt){ 313 | bodyevent=evt || window.event; 314 | } 315 | return{ 316 | top:function(e){ 317 | return T$$$()?window.event.clientY+document.documentElement.scrollTop+document.body.scrollTop:e.clientY+window.scrollY 318 | } 319 | 320 | } 321 | }(); 322 | 323 | //document.getElementById("MyIFrame").contentDocument.getElementById("s").style.color="blue"; --------------------------------------------------------------------------------