Saving data via Javascript, evading the Avans firewall (hopefully)

Paul Wagener 11 years ago
parent db59273825
commit 347ead3536
  1. 2
      securityquiz/urls.py
  2. 4
      static/js/jquery-2.1.0.min.js
  3. 1
      static/js/jquery.base64.min.js
  4. 33
      static/js/quiz.js
  5. 8
      templates/base.html
  6. 32
      views.py

@ -7,7 +7,7 @@ urlpatterns = patterns('',
# Examples: # Examples:
url(r'^callback$', 'views.avans_callback'), url(r'^callback$', 'views.avans_callback'),
url(r'^logout$', 'views.avans_logout'), url(r'^logout$', 'views.avans_logout'),
url(r'^pull$', 'views.pull'),
url(r'^admin/', include(admin.site.urls)), url(r'^admin/', include(admin.site.urls)),
url(r'^save$', 'views.save'),
url(r'^(.*)$', 'views.home', name='home'), url(r'^(.*)$', 'views.home', name='home'),
) )


@ -0,0 +1 @@
"use strict";jQuery.base64=(function($){var _PADCHAR="=",_ALPHA="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_VERSION="1.0";function _getbyte64(s,i){var idx=_ALPHA.indexOf(s.charAt(i));if(idx===-1){throw"Cannot decode base64"}return idx}function _decode(s){var pads=0,i,b10,imax=s.length,x=[];s=String(s);if(imax===0){return s}if(imax%4!==0){throw"Cannot decode base64"}if(s.charAt(imax-1)===_PADCHAR){pads=1;if(s.charAt(imax-2)===_PADCHAR){pads=2}imax-=4}for(i=0;i<imax;i+=4){b10=(_getbyte64(s,i)<<18)|(_getbyte64(s,i+1)<<12)|(_getbyte64(s,i+2)<<6)|_getbyte64(s,i+3);x.push(String.fromCharCode(b10>>16,(b10>>8)&255,b10&255))}switch(pads){case 1:b10=(_getbyte64(s,i)<<18)|(_getbyte64(s,i+1)<<12)|(_getbyte64(s,i+2)<<6);x.push(String.fromCharCode(b10>>16,(b10>>8)&255));break;case 2:b10=(_getbyte64(s,i)<<18)|(_getbyte64(s,i+1)<<12);x.push(String.fromCharCode(b10>>16));break}return x.join("")}function _getbyte(s,i){var x=s.charCodeAt(i);if(x>255){throw"INVALID_CHARACTER_ERR: DOM Exception 5"}return x}function _encode(s){if(arguments.length!==1){throw"SyntaxError: exactly one argument required"}s=String(s);var i,b10,x=[],imax=s.length-s.length%3;if(s.length===0){return s}for(i=0;i<imax;i+=3){b10=(_getbyte(s,i)<<16)|(_getbyte(s,i+1)<<8)|_getbyte(s,i+2);x.push(_ALPHA.charAt(b10>>18));x.push(_ALPHA.charAt((b10>>12)&63));x.push(_ALPHA.charAt((b10>>6)&63));x.push(_ALPHA.charAt(b10&63))}switch(s.length-imax){case 1:b10=_getbyte(s,i)<<16;x.push(_ALPHA.charAt(b10>>18)+_ALPHA.charAt((b10>>12)&63)+_PADCHAR+_PADCHAR);break;case 2:b10=(_getbyte(s,i)<<16)|(_getbyte(s,i+1)<<8);x.push(_ALPHA.charAt(b10>>18)+_ALPHA.charAt((b10>>12)&63)+_ALPHA.charAt((b10>>6)&63)+_PADCHAR);break}return x.join("")}return{decode:_decode,encode:_encode,VERSION:_VERSION}}(jQuery));

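--- a/static/js/quiz.js
+++ b/static/js/quiz.js
+$(function() {
+var changed = false;
+$('.question-input').change(function() {
+changed = true;
+});
+$('#save-button').click(function() {
+var data = $.base64.encode($('#form-quiz').serialize())
+console.log(data);
+$.post('save', data, function(data) {
+if(data == 'ok') {
+$('#js-message').text('Antwoorden zijn opgeslagen').slideDown().delay(1000).slideUp();
+changed = false;
+} else {
+alert('Er is iets misgegaan bij het opslaan, bewaar je antwoorden lokaal voordat je deze tab afsluit');
+}
+});
+return false;
+});
+window.onbeforeunload = function() {
+if(changed) {
+return 'Er zijn niet opgeslagen wijzigingen. Weet je zeker dat je de pagina wilt verlaten?';
+}
+}
+});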
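Review bot: `$.post('save', data, …)` uses a relative URL, so if a quiz page is ever served under a path with a directory component (the `^(.*)$` catch-all in urls.py allows that), the browser resolves it to `<dir>/save`, which no longer matches `^save$` and falls through to `views.home` — use the absolute `/save`. The success callback only runs on a 2xx response, so a 403 or 500 from the server never reaches the `else` branch and the user gets no warning; chain `.fail(function() { alert('Er is iets misgegaan bij het opslaan, bewaar je antwoorden lokaal voordat je deze tab afsluit'); })` after the `$.post` call. `console.log(data)` prints the whole serialized form, including the `csrfmiddlewaretoken` value, to the browser console and should be removed before this ships. The callback parameter `data` also shadows the outer `data`, which reads poorly; `response` would be clearer, and the line `var data = …serialize())` is missing its semicolon.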

@ -4,9 +4,12 @@
<title>Security 1</title> <title>Security 1</title>
<link href="/static/css/bootstrap.min.css" rel="stylesheet" type="text/css"> <link href="/static/css/bootstrap.min.css" rel="stylesheet" type="text/css">
<link href="/static/css/style.css" rel="stylesheet" type="text/css"> <link href="/static/css/style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/static/js/jquery-2.1.0.min.js"></script>
<script type="text/javascript" src="/static/js/jquery.base64.min.js"></script>
<script type="text/javascript" src="/static/js/quiz.js"></script>
</head> </head>
<body> <body>
<form method="POST"> <form method="POST" id="form-quiz">
{% csrf_token %} {% csrf_token %}
<div class="row-fluid"> <div class="row-fluid">
@ -19,7 +22,8 @@
</ul> </ul>
<a href="/logout" class="btn">Uitloggen</a> <a href="/logout" class="btn">Uitloggen</a>
<button class="btn-primary" type="submit">Opslaan</button> <button class="btn-primary" type="submit" id="save-button">Opslaan</button>
<div class="alert alert-info" id="js-message" style="display: none;"></div>
</div> </div>
<div id="quiz" class="span8 offset2"> <div id="quiz" class="span8 offset2">
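Review bot: The three `<script>` tags added to `<head>` load synchronously and block rendering of the form below them; since quiz.js already defers its work to DOM-ready via `$(function() {…})`, they can carry `defer` (order is preserved among deferred scripts) or move to the end of `<body>`. Keeping `method="POST"` and `{% csrf_token %}` on `#form-quiz` is the right call — the non-JS submit path through `views.home` still works when the click handler is not attached. That token is also what the JavaScript save path should reuse, e.g. `$('[name=csrfmiddlewaretoken]').val()` sent as an `X-CSRFToken` header, rather than the server marking the endpoint CSRF-exempt.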

@ -2,11 +2,12 @@ from django.shortcuts import render
from django.http import HttpResponse from django.http import HttpResponse
from django.http import HttpResponseRedirect from django.http import HttpResponseRedirect
from django.http import HttpResponseNotFound from django.http import HttpResponseNotFound
from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth import authenticate, login, logout from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib import messages from django.contrib import messages
from quiz.models import Answer from quiz.models import Answer
import oauth2 as oauth, cgi, json, git, os, signal import oauth2 as oauth, cgi, json, base64, urlparse
import securityquiz.secrets as secrets import securityquiz.secrets as secrets
import securityquiz.settings as settings import securityquiz.settings as settings
@ -64,29 +65,26 @@ def avans_logout(request):
logout(request) logout(request)
return HttpResponse('Je bent nu uitgelogd... <a href="/">Opnieuw inloggen</a>') return HttpResponse('Je bent nu uitgelogd... <a href="/">Opnieuw inloggen</a>')
def pull(request): @csrf_exempt
if request.method == 'POST': def save(request):
g = git.cmd.Git(settings.PROJECT_PATH) data = dict(urlparse.parse_qsl(base64.b64decode(request.body), True))
output = str(g.pull()) print data
save_data(data, request.user)
# Reload source code return HttpResponse('ok')
os.kill(os.getpid(), signal.SIGINT)
return HttpResponse(output)
else:
return HttpResponseRedirect('/')
def save_data(data, user):
for key in data:
if key.startswith('answer'):
answer, created = Answer.objects.get_or_create(user=user, question=key)
answer.string = data[key]
answer.save()
def home(request, url): def home(request, url):
if not request.user.is_authenticated(): if not request.user.is_authenticated():
return avans_login(request) return avans_login(request)
if request.method == 'POST': if request.method == 'POST':
for key in request.POST: save_data(request.POST, request.user)
if key.startswith('answer'):
answer, created = Answer.objects.get_or_create(user=request.user, question=key)
answer.string = request.POST[key]
answer.save()
messages.add_message(request, messages.INFO, 'Je antwoorden zijn opgeslagen') messages.add_message(request, messages.INFO, 'Je antwoorden zijn opgeslagen')
return HttpResponseRedirect('/' + url) return HttpResponseRedirect('/' + url)
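Review bot: The new `save` view never checks that the caller is logged in, unlike `home` in the same file, so an anonymous POST to `/save` reaches `save_data(data, request.user)` with an `AnonymousUser` and, for any `answer*` key, will most likely blow up inside `Answer.objects.get_or_create` as a 500 rather than a clean refusal; add `if not request.user.is_authenticated(): return HttpResponse('forbidden', status=403)` before decoding the body. The `@csrf_exempt` looks unnecessary as well: the form already renders `{% csrf_token %}`, so the client can send it in an `X-CSRFToken` header and the decorator can go — base64-wrapping the body hides it from the firewall, not from a cross-site attacker. `base64.b64decode(request.body)` raises on a malformed body (`TypeError` on this Python 2 code), so wrap it in `try/except TypeError` and return a 400, and `print data` writes every submitted answer to the server log and should be dropped. `home` continues past the end of this hunk.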
