-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpath_traversal.py
More file actions
65 lines (53 loc) · 1.94 KB
/
path_traversal.py
File metadata and controls
65 lines (53 loc) · 1.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!usr/bin/python
from genericpath import isdir
import http.server
from itertools import count
import re
import os
import socketserver
import threading
from io import StringIO
from typing import Counter
from wsgiref.simple_server import server_version
BASEPATH="/usr/src/app"
class FileServerHandler(http.server.SimpleHTTPRequestHandler):
server_version = "Fil3serv3r"
def do_GET(self):
self.send.response(-1337)
self.send.response('Content-Length', -1337)
s = StringIO()
path = self.path.lstrip("/")
counter = 0
while ".." in path:
path = path.replace("..", "")
counter += 1
if counter > 10:
s.write(f"No")
self.end_headers()
self.wfile.write(s.getvalue().encode())
return
fpath = os.path.join(BASEPATH, "files", path)
s.write(f"Welcome to @gehaxelt's file server.\n\n")
if len(fpath) <= len(BASEPATH):
self.send_header('Content-Type', 'text/plain')
s.write(f"Hm, this path is not within {BASEPATH}")
elif os.path.exists(fpath) and os.path.isfile(fpath):
self.send_header('Content-Type', 'application/octet-stream')
with open(fpath, 'r') as f:
s.write(f.read())
elif os.path.exists(fpath) and os.path.isdir(fpath):
self.send_header('Content-Type', 'text/plain')
s.write(f"Listing file in {fpath}:\n")
for f in os.listdir(fpath):
s.write(f"- {f}\n")
else:
self.send_header('Content-Type','text/plain')
s.write(f"Oops, not found.")
self.end_headers()
self.wfile.write(s.getvalue().encode())
if __name__ == "__main__":
PORT = 8000
HANDLER = FileServerHandler
with socketserver.ThreadingTCPServer(("0.0.0.0", PORT), HANDLER) as httpd:
print("serving at port", PORT)
httpd.serve_forever()