• Search by Module
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• password_pwncheck-master
  • pwned_password_server
    • pwnpass.py
    • python27.old
      • script.js
      • image.svg
      • styles.css
      • form.html
      • pwn_web.service
      • pwned-password-server.py
    • password-pwncheck.py
    • requirements.txt
    • static
      • script.js
      • image.svg
      • styles.css
      • form.html
  • kerberos
    • src
      • config.h
      • config.c
      • harness.c
      • krb_password_pwncheck.c
    • build-debug.sh
    • build-release.sh
    • build.sh
  • LICENSE
  • common
    • curl.c
    • constants.h
    • curl.h
  • pam
    • src
      • pam_password_pwncheck.c
    • build.sh
  • README.md
  • activedirectory
    • pwned-password-ad-cpl.reg
    • ad_password_pwncheck
      • ad_password_pwncheck.cpp
      • ad_password_pwncheck.vcxproj
      • ad_password_pwncheck.vcxproj.filters
      • resbuilder.bat
      • pwncheck_winevent_resources.rc
      • ad_password_pwncheck.sln
      • pwncheck_winevent_resources.man
      • targetver.h
      • pwncheck_winevent_resources.res
      • stdafx.cpp
      • dllmain.cpp
      • ad_password_pwncheck.h
      • ReadMe.txt
      • wevtinstall.bat
      • pwncheck_winevent_resources.h
      • stdafx.h
    • ad_password_pwncheck_harness
      • targetver.h
      • ad_password_pwncheck_harness.cpp
      • stdafx.cpp
      • ad_password_pwncheck_harness.vcxproj
      • ad_password_pwncheck_harness.vcxproj.filters
      • x64
        • Release
          • ad_password_pwncheck_harness.obj
          • ad_passw.273B22AF.tlog
            • link.read.1.tlog
            • CL.read.1.tlog
            • link.write.1.tlog
            • ad_password_pwncheck_harness.lastbuildstate
            • CL.command.1.tlog
            • link.command.1.tlog
            • CL.write.1.tlog
          • ad_password_pwncheck_harness.log
          • stdafx.obj
      • Debug
        • ad_password_pwncheck_harness.obj
        • ad_passw.273B22AF.tlog
          • link.read.1.tlog
          • CL.read.1.tlog
          • link.write.1.tlog
          • ad_password_pwncheck_harness.lastbuildstate
          • CL.command.1.tlog
          • link.command.1.tlog
          • CL.write.1.tlog
        • ad_password_pwncheck_harness.log
        • stdafx.obj
      • ReadMe.txt
      • stdafx.h

#!/usr/bin/python3

from werkzeug.serving import WSGIRequestHandler
from flask import Flask,request,send_from_directory,redirect,abort
from flask.logging import default_handler
from datetime import datetime
from platform import system
import logging
import time
import ssl
import os
import pwnpass
import threading
import re

app = Flask(__name__)
cfg = None 
pwn = None
logStore = threading.local()
logLock = threading.RLock()

def logmsg(request,type,message,args):
    is_dst = time.daylight and time.localtime().tm_isdst > 0
    tz =  - (time.altzone if is_dst else time.timezone) / 36
    if tz>=0:
        tz="+%04d"%tz
    else:
        tz="%05d"%tz
    datestr = '%d/%b/%Y %H:%M:%S'
    user = getattr(logStore,'user','')
    isValid = getattr(logStore,'isValid','')
    code = getattr(logStore,'code','')
    args = getLogDateTime(args)
    log = '%s %s,%s,%s,%s,%s,%s' % (datetime.now().strftime(datestr),tz,request.address_string(),user,isValid,code, message % args)
    with logLock:
        with open(cfg.logpath,'a') as fw:
            fw.write(log+os.linesep)
    return log

def getLogDateTime(args):
    if not cfg.debug:
        try:
            if len(args) == 3:
                args = (re.sub(r'p=.* HTTP',r'p=<redacted> HTTP',args[0]),args[1],args[2])
            elif len(args) == 2:
                args = (re.sub(r'p=.* HTTP',r'p=<redacted> HTTP',args[0]),args[1])
        except TypeError as e:
            print("arg0: %s"%type(args[0]))
            print("arg1: %s"%type(args[1]))
            if len(args) == 3:
                print("arg2: %s"%type(args[2]))
            print(args)
            raise e
#       args = (re.sub(r'p=.* HTTP',r'p=<redacted> HTTP',args[0]),args[1],args[2])
    return args

#"/" "GET" -> form.html
@app.route('/', methods = ['GET'])
def v1form():
    return open('%s/form.html'%(cfg.staticdir)).read()

@app.route('/checkpwd', methods = ['GET','POST'])
def v1CheckPassword():
    username = ''
    password = ''
    if request.method == 'GET':
        username = request.args.get('u','')
        password = request.args.get('p','')
        reserve = True
    elif request.method == 'POST':
        username = request.form.get('u','')
        password = request.form.get('p','')
        reserve = False
    (isGood,code,reason) = pwn.verifyPasswordGood(username,
                                              password,
                                              reserve=reserve,
                                              always_true=cfg.yesman)
    logStore.code = code
    logStore.isValid = isGood
    logStore.user = username

    message = u','.join(map(str,[isGood,code,reason]))
    return message

@app.route("/test", methods = [ "GET" ] )
def v1Test():
    return ""

@app.route("/styles.css")
@app.route("/script.js")
@app.route("/image.svg")
def StaticRequests():
    reqfile = request.path[1:]
    sp = os.path.join(app.root_path,cfg.staticdir) 
    mimetype=None
    if reqfile == 'image.svg':
        mimetype = 'image/svg+xml'
    return send_from_directory(sp,reqfile,mimetype=mimetype)

@app.route("/favicon.ico")
def NoSuchFile():
    abort(404)

#ELSE 301 to 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
@app.route('/<path:path>')
def catch_all(path):
    return redirect('https://www.youtube.com/watch?v=dQw4w9WgXcQ' ,code=301)

###########################################################
##################### MAIN ################################
###########################################################
if __name__ == "__main__":
    werkzeug_logger = logging.getLogger('werkzeug')
    WSGIRequestHandler.log = lambda self, type, message, *args: getattr(werkzeug_logger, type)(logmsg(self,type,message,args))

    args = pwnpass.pwnargparse()
    args.add_argument('-c','--sslcert',help='SSL Public Certificate for the HTTPS Web Server')
    args.add_argument('-k','--sslkey',help='SSL Private Key for the HTTPS Web Server')
    args.add_argument('--sslkeypass',help='Passphrase to decrypt the SSL Private Key', default=None)
    if system() == 'Windows':
        args.add_argument('-l','--logpath',help='Path to the logfile',default=None)
    else:
        args.add_argument('-l','--logpath',help='Path to the logfile',default='/var/log/pwnedpass-access.log')
    args.add_argument('-p','--port',help='TCP Port to for web server to listen on', default=443, type=int)
    args.add_argument('-i','--interface',help='TCP Bind interface for web server to listen on', default='0.0.0.0')
    args.add_argument('-s','--staticdir',help='Path to the static files supporting the web UI', default='static')

    cfg = args.parse_args()
    pwn = pwnpass.PwnPass(cfg)
    pwn.debug = cfg.debug

    ssl_context = 'adhoc'
    if cfg.sslcert and cfg.sslkey:
        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
        ssl_context.load_cert_chain(certfile=cfg.sslcert, keyfile=cfg.sslkey, password=cfg.sslkeypass)

    app.run(host=cfg.interface, port=cfg.port, ssl_context=ssl_context,debug=cfg.debug)