first commit

glzjin · Jun 11, 2019 · 3d5d830 · 3d5d830
commit 3d5d830
Show file tree

Hide file tree

Showing 65 changed files with 7,347 additions and 0 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,25 @@
+FROM python:2.7-alpine
+
+LABEL Author="glzjin <i@zhaoj.in>" Blog="https://www.zhaoj.in"
+
+ENV FLASK_APP=app.py FLASK_ENV=production
+
+COPY app /app
+
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirror.tuna.tsinghua.edu.cn/g' /etc/apk/repositories && \
+	apk update && \
+	apk add --no-cache gcc libc-dev libffi-dev libxml2-dev python-dev libxml2-dev g++ libxslt-dev && \
+	mv /app/main.py /app/app.py && \
+	pip install \
+	-i http://mirrors.aliyun.com/pypi/simple/ \
+	--trusted-host mirrors.aliyun.com \
+	-r /app/requirement.txt && \
+	mv /app/docker-entrypoint /usr/local/bin/docker-entrypoint && \
+	chmod +x /usr/local/bin/docker-entrypoint && \
+	mv /app/flag.sh /
+
+EXPOSE 5000
+
+WORKDIR /app
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
diff --git a/README.md b/README.md
@@ -0,0 +1,20 @@
+# CISCN 2019 华北赛区 Day1 Web2
+
+## 题目详情
+
+- **2019 CISCN 2019 华北赛区 Day1 Web2**
+
+## 考点
+
+- 薅羊毛与逻辑漏洞
+- cookie伪造
+- python反序列化
+
+## 启动
+
+	docker-compose up -d
+	open http://127.0.0.1:8083/
+
+## 版权
+
+该题目复现环境尚未取得主办方及出题人相关授权，如果侵权，请联系本人删除（ i@zhaoj.in ）
diff --git a/app/.DS_Store b/app/.DS_Store
diff --git a/app/docker-entrypoint b/app/docker-entrypoint
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [[ -f /flag.sh ]]; then
+	source /flag.sh
+fi
+
+python /app/app.py
diff --git a/app/flag.sh b/app/flag.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo $FLAG > /flag.txt
+
+export FLAG=not_flag
+FLAG=not_flag
+
+rm -f /flag.sh
diff --git a/app/main.py b/app/main.py
@@ -0,0 +1,21 @@
+import tornado.web
+import tornado.ioloop
+import tornado.httpserver
+import tornado.options
+from tornado.options import options, define
+
+define('port', default=5000, help='run on the given port', type=int)
+define('address', default='0.0.0.0', help='binding at given address', type=str)
+
+from sshop import Application
+
+def main():
+    tornado.options.parse_command_line()
+    server = tornado.httpserver.HTTPServer(Application())
+    server.listen(options.port, options.address)
+    print 'slog server started: <http://%s:%s>' % (options.address, options.port)
+    tornado.ioloop.IOLoop.instance().start()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/app/requirement.txt b/app/requirement.txt
@@ -0,0 +1,19 @@
+backports-abc==0.5
+bcrypt==3.1.4
+certifi==2018.4.16
+cffi==1.11.5
+chardet==3.0.4
+cssselect==1.0.3
+futures==3.2.0
+idna==2.6
+lxml
+pycparser==2.18
+pyquery==1.4.0
+requests==2.18.4
+singledispatch==3.4.0.3
+six==1.11.0
+SQLAlchemy==1.2.7
+tornado==5.0.2
+urllib3==1.22
+PyJWT==1.6.1
+
diff --git a/app/sshop.db3 b/app/sshop.db3
diff --git a/app/sshop/.DS_Store b/app/sshop/.DS_Store
diff --git a/app/sshop/__init__.py b/app/sshop/__init__.py
@@ -0,0 +1,21 @@
+import os
+import views
+import tornado.web
+from settings import debug, cookie_secret
+
+
+class Application(tornado.web.Application):
+    def __init__(self):
+        self.root_path = os.path.dirname(__file__)
+        handlers = views.handlers
+        settings = dict(
+            static_path=os.path.join(self.root_path, 'template/assets'),
+            template_path=os.path.join(self.root_path, 'template'),
+            login_url='/login',
+            cookie_secret=cookie_secret,
+            debug=debug,
+            xsrf_cookies=True
+        )
+        super(Application, self).__init__(handlers, **settings)
+
+
diff --git a/app/sshop/__init__.pyc b/app/sshop/__init__.pyc
diff --git a/app/sshop/base.py b/app/sshop/base.py
@@ -0,0 +1,20 @@
+import tornado.web
+from models import db
+import jwt
+from sshop.settings import jwt_secret
+
+class BaseHandler(tornado.web.RequestHandler):
+    @property
+    def orm(self):
+        return db()
+
+    def on_finish(self):
+        db.remove()
+
+    def get_current_user(self):
+        if not self.get_cookie("JWT") :
+            return self.get_cookie("JWT")
+        else :
+            name=jwt.decode(self.get_cookie("JWT").encode('utf-8'), jwt_secret, algorithms=['HS256'])
+            return name['username']
+
diff --git a/app/sshop/base.pyc b/app/sshop/base.pyc
diff --git a/app/sshop/models.py b/app/sshop/models.py
@@ -0,0 +1,101 @@
+import string
+import bcrypt
+import random
+
+from sqlalchemy import Column
+from sqlalchemy.dialects.sqlite import FLOAT, VARCHAR, INTEGER
+from sqlalchemy import create_engine
+from sqlalchemy.orm import scoped_session, sessionmaker
+from sqlalchemy.ext.declarative import declarative_base
+
+from settings import connect_str, US, MI, PW
+
+BaseModel = declarative_base()
+engine = create_engine(connect_str, echo=True, pool_recycle=3600)
+db = scoped_session(sessionmaker(bind=engine))
+
+
+class Commodity(BaseModel):
+    __tablename__ = 'commoditys'
+
+    id = Column(INTEGER, primary_key=True, autoincrement=True)
+    name = Column(VARCHAR(200), unique=True, nullable=False)
+    desc = Column(VARCHAR(500), default='no description')
+    lv = Column(INTEGER, nullable=False)
+    amount = Column(INTEGER, default=10)
+    price = Column(FLOAT, nullable=False)
+
+    def __repr__(self):
+        return '<Commodity: %s>' % self.name
+
+    def __price__(self):
+        return self.price
+
+
+class User(BaseModel):
+    __tablename__ = 'user'
+
+    id = Column(INTEGER, primary_key=True, autoincrement=True)
+    username = Column(VARCHAR(50))
+    mail = Column(VARCHAR(50))
+    password = Column(VARCHAR(60))
+    integral = Column(FLOAT, default=1000)
+
+    def check(self, password):
+        return bcrypt.checkpw(password.encode('utf-8'), self.password.encode('utf8'))
+
+    def __repr__(self):
+        return '<User: %s>' % self.username
+
+    def pay(self, num):
+        res = (self.integral - num) if (self.integral - num) else False
+        if res >= 0:
+            return res
+        else:
+            return False
+
+    def __integral__(self):
+        return self.integral
+
+
+class Shopcar(BaseModel):
+    __tablename__ = 'shopcar'
+
+    id = Column(INTEGER, primary_key=True, autoincrement=True)
+
+class Raise(BaseModel):
+    __tablename__ = 'raise'
+
+    id = Column(INTEGER, primary_key=True, autoincrement=True)
+    money = Column(FLOAT, default=0)
+
+    def add(self, num):
+        res = (self.money + num) if (self.money + num) else False
+        if res >= 0:
+            return res
+        else:
+            return False
+
+    def __integral__(self):
+        return self.money
+
+if __name__ == "__main__":
+    BaseModel.metadata.create_all(engine)
+    zz = random.randint(1000, 2000)
+    for i in xrange(4500):
+        name = ''.join(random.sample(string.ascii_letters, 16))
+        desc = ''.join(random.sample(string.ascii_letters * 5, 100))
+        price = random.randint(10, 200)
+        lv = random.randint(2, 5)
+        amount = random.randint(10, 24)
+        if i == zz :
+            name = 'b*sh*'
+            desc = "hint:I'm flag man"
+            price = 1145141919
+            lv = 6
+            amount = 1000
+        db.add(Commodity(name=name, desc=desc, price=price, lv=lv,amount=amount))
+    db.add(User(username=US, mail=MI,
+                password=bcrypt.hashpw(PW.encode('utf8'), bcrypt.gensalt(13)), integral=9999))
+    db.add(Raise(money=998))
+    db.commit()
diff --git a/app/sshop/models.pyc b/app/sshop/models.pyc
diff --git a/app/sshop/settings.py b/app/sshop/settings.py
@@ -0,0 +1,13 @@
+import os
+
+limit = 9
+US = 'admin'
+MI='hint: \u8fd9\u7f51\u7ad9\u4e0d\u4ec5\u53ef\u4ee5\u4ee5\u8585\u7f8a\u6bdb\uff0c\u6211\u8fd8\u7559\u4e86\u4e2a\u540e\u95e8\uff0c\u5c31\u85cf\u5728\u006c\u0076\u0036\u91cc'
+PW = 'SJ%H0c7_3'
+debug = False
+
+connect_str = 'sqlite:///%s' % os.path.join(os.getcwd(), 'sshop.db3')
+cookie_secret = 'JDIOtOQQjLXklJT/N4aJE.tmYZ.IoK9M0_IHZW448b6exe7p1pysO'
+jwt_secret = '1Kun'
+Discount = 0.8
+Discount_money=10000
diff --git a/app/sshop/settings.pyc b/app/sshop/settings.pyc
diff --git a/app/sshop/template/assets/asd1f654e683wq/www.zip b/app/sshop/template/assets/asd1f654e683wq/www.zip