aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 14:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Bugfixes and architectural changes

Browse Source 
Moved some folders around, starting to remove subdomain handling,
blueprints, custom css, removed digital ocean interface, fixed some bugs
This commit is contained in:
CodeKevin
2015-09-13 23:55:15 -04:00
parent 5f6e610f2d
commit 7d766372df
53 changed files with 1191 additions and 1151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
CTFd/__init__.py
View File

@@ -3,22 +3,14 @@ from flask.ext.sqlalchemy import SQLAlchemy
from flask.ext.mail import Mail, Message
from logging.handlers import RotatingFileHandler
from flask.ext.session import Session
import logging
import os
import sqlalchemy
def create_app(subdomain="", username="", password=""):
app = Flask("CTFd", static_folder="../static", template_folder="../templates")
with app.app_context():
app.config.from_object('CTFd.config')
if subdomain:
app.config.update(
SQLALCHEMY_DATABASE_URI = 'mysql://'+username+':'+password+'@localhost:3306/' + subdomain + '_ctfd',
HOST = subdomain + app.config["HOST"],
SESSION_FILE_DIR = app.config['SESSION_FILE_DIR'] + "/" + subdomain,
DEBUG = True
)
def create_app(config='CTFd.config'):
app = Flask("CTFd")
with app.app_context():
app.config.from_object(config)
from CTFd.models import db, Teams, Solves, Challenges, WrongKeys, Keys, Tags, Files, Tracking
@@ -26,52 +18,27 @@ def create_app(subdomain="", username="", password=""):
db.create_all()
app.db = db
# app.setup = True
global mail
mail = Mail(app)
Session(app)
from CTFd.views import init_views
init_views(app)
from CTFd.errors import init_errors
init_errors(app)
from CTFd.challenges import init_challenges
init_challenges(app)
from CTFd.scoreboard import init_scoreboard
init_scoreboard(app)
from CTFd.auth import init_auth
init_auth(app)
from CTFd.admin import init_admin
init_admin(app)
from CTFd.utils import init_utils
from CTFd.views import views
from CTFd.challenges import challenges
from CTFd.scoreboard import scoreboard
from CTFd.auth import auth
from CTFd.admin import admin
from CTFd.utils import init_utils, init_errors, init_logs
init_utils(app)
init_errors(app)
init_logs(app)
app.register_blueprint(views)
app.register_blueprint(challenges)
app.register_blueprint(scoreboard)
app.register_blueprint(auth)
app.register_blueprint(admin)
return app
# logger_keys = logging.getLogger('keys')
# logger_logins = logging.getLogger('logins')
# logger_regs = logging.getLogger('regs')
# logger_keys.setLevel(logging.INFO)
# logger_logins.setLevel(logging.INFO)
# logger_regs.setLevel(logging.INFO)
# try:
# parent = os.path.dirname(__file__)
# except:
# parent = os.path.dirname(os.path.realpath(sys.argv[0]))
# key_log = RotatingFileHandler(os.path.join(parent, 'logs', 'keys.log'), maxBytes=10000)
# login_log = RotatingFileHandler(os.path.join(parent, 'logs', 'logins.log'), maxBytes=10000)
# register_log = RotatingFileHandler(os.path.join(parent, 'logs', 'registers.log'), maxBytes=10000)
# logger_keys.addHandler(key_log)
# logger_logins.addHandler(login_log)
# logger_regs.addHandler(register_log)
# logger_keys.propagate = 0
# logger_logins.propagate = 0
# logger_regs.propagate = 0

245
CTFd/admin.py
View File

@@ -1,5 +1,5 @@
from flask import render_template, request, redirect, abort, jsonify, url_for, session
from CTFd.utils import sha512, is_safe_url, authed, admins_only, is_admin, unix_time, unix_time_millis, get_config, set_config, get_digitalocean, sendmail, rmdir
from flask import render_template, request, redirect, abort, jsonify, url_for, session, Blueprint
from CTFd.utils import sha512, is_safe_url, authed, admins_only, is_admin, unix_time, unix_time_millis, get_config, set_config, sendmail, rmdir
from CTFd.models import db, Teams, Solves, Challenges, WrongKeys, Keys, Tags, Files, Tracking, Pages, Config
from itsdangerous import TimedSerializer, BadTimeSignature
from werkzeug.utils import secure_filename
@@ -14,15 +14,17 @@ import re
import os
import json
def init_admin(app):
@app.route('/admin', methods=['GET', 'POST'])
def admin():
admin = Blueprint('admin', __name__)
@admin.route('/admin', methods=['GET', 'POST'])
def admin_view():
if request.method == 'POST':
username = request.form.get('name')
password = request.form.get('password')
admin = Teams.query.filter_by(name=request.form['name'], admin=True).first()
if admin and bcrypt_sha256.verify(request.form['password'], admin.password):
admin_user= Teams.query.filter_by(name=request.form['name'], admin=True).first()
if admin_user and bcrypt_sha256.verify(request.form['password'], admin.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
@@ -39,14 +41,16 @@ def init_admin(app):
return render_template('admin/login.html')
@app.route('/admin/graphs')
@admins_only
def admin_graphs():
@admin.route('/admin/graphs')
@admins_only
def admin_graphs():
return render_template('admin/graphs.html')
@app.route('/admin/config', methods=['GET', 'POST'])
@admins_only
def admin_config():
@admin.route('/admin/config', methods=['GET', 'POST'])
@admins_only
def admin_config():
if request.method == "POST":
try:
start = int(request.form['start'])
@@ -73,7 +77,6 @@ def init_admin(app):
ctf_name = set_config("ctf_name", request.form.get('ctf_name', None))
mg_api_key = set_config("mg_api_key", request.form.get('mg_api_key', None))
do_api_key = set_config("do_api_key", request.form.get('do_api_key', None))
max_tries = set_config("max_tries", request.form.get('max_tries', None))
@@ -91,15 +94,11 @@ def init_admin(app):
ctf_name = get_config('ctf_name')
if not ctf_name:
set_config('do_api_key', None)
set_config('ctf_name', None)
mg_api_key = get_config('do_api_key')
mg_api_key = get_config('mg_api_key')
if not mg_api_key:
set_config('do_api_key', None)
do_api_key = get_config('do_api_key')
if not do_api_key:
set_config('do_api_key', None)
set_config('mg_api_key', None)
max_tries = get_config('max_tries')
if not max_tries:
@@ -137,14 +136,27 @@ def init_admin(app):
return render_template('admin/config.html', ctf_name=ctf_name, start=start, end=end,
max_tries=max_tries,
view_challenges_unregistered=view_challenges_unregistered,
prevent_registration=prevent_registration, do_api_key=do_api_key, mg_api_key=mg_api_key,
prevent_registration=prevent_registration, mg_api_key=mg_api_key,
prevent_name_change=prevent_name_change,
view_after_ctf=view_after_ctf)
@app.route('/admin/pages', defaults={'route': None}, methods=['GET', 'POST'])
@app.route('/admin/pages/<route>', methods=['GET', 'POST'])
@admins_only
def admin_pages(route):
@admin.route('/admin/css', methods=['GET', 'POST'])
@admins_only
def admin_css():
if request.method == 'POST':
css = request.form['css']
css = set_config('css', css)
print css
return "1"
return "0"
@admin.route('/admin/pages', defaults={'route': None}, methods=['GET', 'POST'])
@admin.route('/admin/pages/<route>', methods=['GET', 'POST'])
@admins_only
def admin_pages(route):
if request.method == 'GET' and request.args.get('mode') == 'create':
return render_template('admin/editor.html')
if route and request.method == 'GET':
page = Pages.query.filter_by(route=route).first()
return render_template('admin/editor.html', page=page)
@@ -167,38 +179,22 @@ def init_admin(app):
db.session.add(page)
db.session.commit()
return redirect('/admin/pages')
if not route and request.method == 'POST':
return render_template('admin/editor.html')
pages = Pages.query.all()
return render_template('admin/pages.html', routes=pages)
return render_template('admin/pages.html', routes=pages, css=get_config('css'))
@app.route('/admin/page/<pageroute>/delete', methods=['POST'])
@admins_only
def delete_page(pageroute):
@admin.route('/admin/page/<pageroute>/delete', methods=['POST'])
@admins_only
def delete_page(pageroute):
page = Pages.query.filter_by(route=pageroute).first()
db.session.delete(page)
db.session.commit()
return '1'
@app.route('/admin/hosts', methods=['GET'])
@admins_only
def admin_hosts():
m = get_digitalocean()
errors = []
if not m:
errors.append("Your Digital Ocean API key is not set")
return render_template('admin/hosts.html', errors=errors)
hosts = m.get_all_droplets()
slugs = m.get_all_sizes()
images = m.get_all_images()
regions = m.get_all_regions()
return render_template('admin/hosts.html', hosts=hosts, slugs=slugs, images=images, regions=regions)
@app.route('/admin/chals', methods=['POST', 'GET'])
@admins_only
def admin_chals():
@admin.route('/admin/chals', methods=['POST', 'GET'])
@admins_only
def admin_chals():
if request.method == 'POST':
chals = Challenges.query.add_columns('id', 'name', 'value', 'description', 'category').order_by(Challenges.value).all()
@@ -211,9 +207,10 @@ def init_admin(app):
else:
return render_template('admin/chals.html')
@app.route('/admin/keys/<chalid>', methods=['POST', 'GET'])
@admins_only
def admin_keys(chalid):
@admin.route('/admin/keys/<chalid>', methods=['POST', 'GET'])
@admins_only
def admin_keys(chalid):
if request.method == 'GET':
keys = Keys.query.filter_by(chal=chalid).all()
json = {'keys':[]}
@@ -235,9 +232,10 @@ def init_admin(app):
db.session.close()
return '1'
@app.route('/admin/tags/<chalid>', methods=['GET', 'POST'])
@admins_only
def admin_tags(chalid):
@admin.route('/admin/tags/<chalid>', methods=['GET', 'POST'])
@admins_only
def admin_tags(chalid):
if request.method == 'GET':
tags = Tags.query.filter_by(chal=chalid).all()
json = {'tags':[]}
@@ -254,9 +252,10 @@ def init_admin(app):
db.session.close()
return '1'
@app.route('/admin/tags/<tagid>/delete', methods=['POST'])
@admins_only
def admin_delete_tags(tagid):
@admin.route('/admin/tags/<tagid>/delete', methods=['POST'])
@admins_only
def admin_delete_tags(tagid):
if request.method == 'POST':
tag = Tags.query.filter_by(id=tagid).first_or_404()
db.session.delete(tag)
@@ -265,9 +264,9 @@ def init_admin(app):
return "1"
@app.route('/admin/files/<chalid>', methods=['GET', 'POST'])
@admins_only
def admin_files(chalid):
@admin.route('/admin/files/<chalid>', methods=['GET', 'POST'])
@admins_only
def admin_files(chalid):
if request.method == 'GET':
files = Files.query.filter_by(chal=chalid).all()
json = {'files':[]}
@@ -310,15 +309,17 @@ def init_admin(app):
db.session.close()
return redirect('/admin/chals')
@app.route('/admin/teams')
@admins_only
def admin_teams():
@admin.route('/admin/teams')
@admins_only
def admin_teams():
teams = Teams.query.all()
return render_template('admin/teams.html', teams=teams)
@app.route('/admin/team/<teamid>', methods=['GET', 'POST'])
@admins_only
def admin_team(teamid):
@admin.route('/admin/team/<teamid>', methods=['GET', 'POST'])
@admins_only
def admin_team(teamid):
user = Teams.query.filter_by(id=teamid).first()
solves = Solves.query.filter_by(teamid=teamid).all()
addrs = Tracking.query.filter_by(team=teamid).group_by(Tracking.ip).all()
@@ -328,8 +329,8 @@ def init_admin(app):
if request.method == 'GET':
return render_template('admin/team.html', solves=solves, team=user, addrs=addrs, score=score, place=place)
elif request.method == 'POST':
admin = request.form.get('admin', "false")
admin = 1 if admin == "true" else 0
admin_user = request.form.get('admin', "false")
admin_user = 1 if admin_user == "true" else 0
if admin:
user.admin = 1
db.session.commit()
@@ -367,9 +368,10 @@ def init_admin(app):
db.session.close()
return jsonify({'data':['success']})
@app.route('/admin/team/<teamid>/mail', methods=['POST'])
@admins_only
def email_user(teamid):
@admin.route('/admin/team/<teamid>/mail', methods=['POST'])
@admins_only
def email_user(teamid):
message = request.form.get('msg', None)
team = Teams.query.filter(Teams.id == teamid).first()
if message and team:
@@ -377,34 +379,37 @@ def init_admin(app):
return "1"
return "0"
@app.route('/admin/team/<teamid>/ban', methods=['POST'])
@admins_only
def ban(teamid):
@admin.route('/admin/team/<teamid>/ban', methods=['POST'])
@admins_only
def ban(teamid):
user = Teams.query.filter_by(id=teamid).first()
user.banned = 1
db.session.commit()
return redirect('/admin/scoreboard')
@app.route('/admin/team/<teamid>/unban', methods=['POST'])
@admins_only
def unban(teamid):
@admin.route('/admin/team/<teamid>/unban', methods=['POST'])
@admins_only
def unban(teamid):
user = Teams.query.filter_by(id=teamid).first()
user.banned = None
db.session.commit()
return redirect('/admin/scoreboard')
@app.route('/admin/team/<teamid>/delete', methods=['POST'])
@admins_only
def delete_team(teamid):
@admin.route('/admin/team/<teamid>/delete', methods=['POST'])
@admins_only
def delete_team(teamid):
user = Teams.query.filter_by(id=teamid).first()
db.session.delete(user)
db.session.commit()
return '1'
@app.route('/admin/graphs/<graph_type>')
@admins_only
def admin_graph(graph_type):
@admin.route('/admin/graphs/<graph_type>')
@admins_only
def admin_graph(graph_type):
if graph_type == 'categories':
categories = db.session.query(Challenges.category, db.func.count(Challenges.category)).group_by(Challenges.category).all()
json = {'categories':[]}
@@ -418,18 +423,20 @@ def init_admin(app):
json[chal.chal.name] = count
return jsonify(json)
@app.route('/admin/scoreboard')
@admins_only
def admin_scoreboard():
@admin.route('/admin/scoreboard')
@admins_only
def admin_scoreboard():
score = db.func.sum(Challenges.value).label('score')
quickest = db.func.max(Solves.date).label('quickest')
teams = db.session.query(Solves.teamid, Teams.name, Teams.banned, score).join(Teams).join(Challenges).group_by(Solves.teamid).order_by(score.desc(), quickest)
db.session.close()
return render_template('admin/scoreboard.html', teams=teams)
@app.route('/admin/scores')
@admins_only
def admin_scores():
@admin.route('/admin/scores')
@admins_only
def admin_scores():
score = db.func.sum(Challenges.value).label('score')
quickest = db.func.max(Solves.date).label('quickest')
teams = db.session.query(Solves.teamid, Teams.name, score).join(Teams).join(Challenges).filter(Teams.banned == None).group_by(Solves.teamid).order_by(score.desc(), quickest)
@@ -439,9 +446,10 @@ def init_admin(app):
json['teams'].append({'place':i+1, 'id':x.teamid, 'name':x.name,'score':int(x.score)})
return jsonify(json)
@app.route('/admin/solves/<teamid>', methods=['GET'])
@admins_only
def admin_solves(teamid="all"):
@admin.route('/admin/solves/<teamid>', methods=['GET'])
@admins_only
def admin_solves(teamid="all"):
if teamid == "all":
solves = Solves.query.all()
else:
@@ -453,17 +461,18 @@ def init_admin(app):
return jsonify(json)
@app.route('/admin/solves/<teamid>/<chalid>/delete', methods=['POST'])
@admins_only
def delete_solve(teamid, chalid):
@admin.route('/admin/solves/<teamid>/<chalid>/delete', methods=['POST'])
@admins_only
def delete_solve(teamid, chalid):
solve = Solves.query.filter_by(teamid=teamid, chalid=chalid).first()
db.session.delete(solve)
db.session.commit()
return '1'
@app.route('/admin/statistics', methods=['GET'])
@admins_only
def admin_stats():
@admin.route('/admin/statistics', methods=['GET'])
@admins_only
def admin_stats():
db.session.commit()
teams_registered = db.session.query(db.func.count(Teams.id)).first()[0]
@@ -483,9 +492,10 @@ def init_admin(app):
least_solved=least_solved_chal
)
@app.route('/admin/wrong_keys/<page>', methods=['GET'])
@admins_only
def admin_wrong_key(page='1'):
@admin.route('/admin/wrong_keys/<page>', methods=['GET'])
@admins_only
def admin_wrong_key(page='1'):
page = abs(int(page))
results_per_page = 50
page_start = results_per_page * ( page - 1 )
@@ -500,9 +510,10 @@ def init_admin(app):
return render_template('admin/wrong_keys.html', wrong_keys=wrong_keys, pages=pages)
@app.route('/admin/correct_keys/<page>', methods=['GET'])
@admins_only
def admin_correct_key(page='1'):
@admin.route('/admin/correct_keys/<page>', methods=['GET'])
@admins_only
def admin_correct_key(page='1'):
page = abs(int(page))
results_per_page = 50
page_start = results_per_page * (page - 1)
@@ -517,9 +528,10 @@ def init_admin(app):
return render_template('admin/correct_keys.html', solves=solves, pages=pages)
@app.route('/admin/fails/<teamid>', methods=['GET'])
@admins_only
def admin_fails(teamid='all'):
@admin.route('/admin/fails/<teamid>', methods=['GET'])
@admins_only
def admin_fails(teamid='all'):
if teamid == "all":
fails = WrongKeys.query.count()
solves = Solves.query.count()
@@ -534,9 +546,8 @@ def init_admin(app):
return jsonify(json)
@app.route('/admin/chal/new', methods=['POST'])
def admin_create_chal():
@admin.route('/admin/chal/new', methods=['POST'])
def admin_create_chal():
files = request.files.getlist('files[]')
# Create challenge
@@ -568,8 +579,9 @@ def init_admin(app):
db.session.close()
return redirect('/admin/chals')
@app.route('/admin/chal/delete', methods=['POST'])
def admin_delete_chal():
@admin.route('/admin/chal/delete', methods=['POST'])
def admin_delete_chal():
challenge = Challenges.query.filter_by(id=request.form['id']).first()
if challenge:
WrongKeys.query.filter_by(chal=challenge.id).delete()
@@ -586,8 +598,9 @@ def init_admin(app):
db.session.close()
return '1'
@app.route('/admin/chal/update', methods=['POST'])
def admin_update_chal():
@admin.route('/admin/chal/update', methods=['POST'])
def admin_update_chal():
challenge = Challenges.query.filter_by(id=request.form['id']).first()
challenge.name = request.form['name']
challenge.description = request.form['desc']

32
CTFd/auth.py
View File

@@ -1,4 +1,4 @@
from flask import render_template, request, redirect, abort, jsonify, url_for, session
from flask import render_template, request, redirect, abort, jsonify, url_for, session, Blueprint
from CTFd.utils import sha512, is_safe_url, authed, mailserver, sendmail, can_register
from CTFd.models import db, Teams
@@ -11,16 +11,12 @@ import time
import re
import os
def init_auth(app):
@app.context_processor
def inject_user():
if authed():
return dict(session)
return dict()
auth = Blueprint('auth', __name__)
@app.route('/reset_password', methods=['POST', 'GET'])
@app.route('/reset_password/<data>', methods=['POST', 'GET'])
def reset_password(data=None):
@auth.route('/reset_password', methods=['POST', 'GET'])
@auth.route('/reset_password/<data>', methods=['POST', 'GET'])
def reset_password(data=None):
if data is not None and request.method == "GET":
return render_template('reset_password.html', mode='set')
if data is not None and request.method == "POST":
@@ -47,15 +43,16 @@ Did you initiate a password reset?
{0}/reset_password/{1}
""".format(app.config['HOST'], token.encode('base64'))
""".format(app.config['HOST'], token.encode('base64'))
sendmail(email, text)
return render_template('reset_password.html', errors=['Check your email'])
return render_template('reset_password.html')
@app.route('/register', methods=['POST', 'GET'])
def register():
@auth.route('/register', methods=['POST', 'GET'])
def register():
if not can_register():
return redirect('/login')
if request.method == 'POST':
@@ -102,8 +99,9 @@ Did you initiate a password reset?
else:
return render_template('register.html')
@app.route('/login', methods=['POST', 'GET'])
def login():
@auth.route('/login', methods=['POST', 'GET'])
def login():
if request.method == 'POST':
errors = []
name = request.form['name']
@@ -134,8 +132,8 @@ Did you initiate a password reset?
return render_template('login.html')
@app.route('/logout')
def logout():
@auth.route('/logout')
def logout():
if authed():
session.clear()
return redirect('/')

47
CTFd/challenges.py
View File

@@ -1,4 +1,4 @@
from flask import current_app as app, render_template, request, redirect, abort, jsonify, json as json_mod, url_for, session
from flask import current_app as app, render_template, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint
from CTFd.utils import ctftime, view_after_ctf, authed, unix_time, get_kpm, can_view_challenges, is_admin, get_config
from CTFd.models import db, Challenges, Files, Solves, WrongKeys, Keys
@@ -7,9 +7,11 @@ import time
import re
import logging
def init_challenges(app):
@app.route('/challenges', methods=['GET'])
def challenges():
challenges = Blueprint('challenges', __name__)
@challenges.route('/challenges', methods=['GET'])
def challenges_view():
if not is_admin():
if not ctftime():
if view_after_ctf():
@@ -21,8 +23,9 @@ def init_challenges(app):
else:
return redirect(url_for('login', next="challenges"))
@app.route('/chals', methods=['GET'])
def chals():
@challenges.route('/chals', methods=['GET'])
def chals():
if not is_admin():
if not ctftime():
if view_after_ctf():
@@ -43,8 +46,9 @@ def init_challenges(app):
db.session.close()
return redirect('/login')
@app.route('/chals/solves')
def chals_per_solves():
@challenges.route('/chals/solves')
def chals_per_solves():
if can_view_challenges():
solves = Solves.query.add_columns(db.func.count(Solves.chalid)).group_by(Solves.chalid).all()
json = {}
@@ -53,9 +57,10 @@ def init_challenges(app):
return jsonify(json)
return redirect(url_for('login', next="/chals/solves"))
@app.route('/solves')
@app.route('/solves/<teamid>')
def solves(teamid=None):
@challenges.route('/solves')
@challenges.route('/solves/<teamid>')
def solves(teamid=None):
if teamid is None:
if authed():
solves = Solves.query.filter_by(teamid=session['id']).all()
@@ -69,8 +74,9 @@ def init_challenges(app):
json['solves'].append({ 'chal':x.chal.name, 'chalid':x.chalid,'team':x.teamid, 'value': x.chal.value, 'category':x.chal.category, 'time':unix_time(x.date)})
return jsonify(json)
@app.route('/maxattempts')
def attempts():
@challenges.route('/maxattempts')
def attempts():
chals = Challenges.query.add_columns('id').all()
json = {'maxattempts':[]}
for chal, chalid in chals:
@@ -79,24 +85,27 @@ def init_challenges(app):
json['maxattempts'].append({'chalid':chalid})
return jsonify(json)
@app.route('/fails/<teamid>', methods=['GET'])
def fails(teamid):
@challenges.route('/fails/<teamid>', methods=['GET'])
def fails(teamid):
fails = WrongKeys.query.filter_by(team=teamid).count()
solves = Solves.query.filter_by(teamid=teamid).count()
db.session.close()
json = {'fails':str(fails), 'solves': str(solves)}
return jsonify(json)
@app.route('/chal/<chalid>/solves', methods=['GET'])
def who_solved(chalid):
@challenges.route('/chal/<chalid>/solves', methods=['GET'])
def who_solved(chalid):
solves = Solves.query.filter_by(chalid=chalid)
json = {'teams':[]}
for solve in solves:
json['teams'].append({'id':solve.team.id, 'name':solve.team.name, 'date':solve.date})
return jsonify(json)
@app.route('/chal/<chalid>', methods=['POST'])
def chal(chalid):
@challenges.route('/chal/<chalid>', methods=['POST'])
def chal(chalid):
if not ctftime():
return redirect('/challenges')
if authed():

18
CTFd/errors.py
View File

@@ -1,18 +0,0 @@
from flask import current_app as app, render_template
def init_errors(app):
@app.errorhandler(404)
def page_not_found(error):
return render_template('errors/404.html'), 404
@app.errorhandler(403)
def forbidden(error):
return render_template('errors/403.html'), 403
@app.errorhandler(500)
def general_error(error):
return render_template('errors/500.html'), 500
@app.errorhandler(502)
def gateway_error(error):
return render_template('errors/502.html'), 502

3
CTFd/models.py
View File

@@ -1,4 +1,3 @@
#from CTFd import db
from flask.ext.sqlalchemy import SQLAlchemy
from socket import inet_aton, inet_ntoa
@@ -79,7 +78,6 @@ class Keys(db.Model):
key_type = db.Column(db.Integer)
flag = db.Column(db.Text)
def __init__(self, chal, flag, key_type):
self.chal = chal
self.flag = flag
@@ -181,6 +179,7 @@ class Tracking(db.Model):
def __repr__(self):
return '<ip %r>' % self.team
class Config(db.Model):
id = db.Column(db.Integer, primary_key=True)
key = db.Column(db.Text)

20
CTFd/scoreboard.py
View File

@@ -1,18 +1,21 @@
from flask import current_app as app, session, render_template, jsonify
from flask import current_app as app, session, render_template, jsonify, Blueprint
from CTFd.utils import unix_time
from CTFd.models import db, Teams, Solves, Challenges
def init_scoreboard(app):
@app.route('/scoreboard')
def scoreboard():
scoreboard = Blueprint('scoreboard', __name__)
@scoreboard.route('/scoreboard')
def scoreboard_view():
score = db.func.sum(Challenges.value).label('score')
quickest = db.func.max(Solves.date).label('quickest')
teams = db.session.query(Solves.teamid, Teams.name, score).join(Teams).join(Challenges).filter(Teams.banned == None).group_by(Solves.teamid).order_by(score.desc(), quickest)
db.session.close()
return render_template('scoreboard.html', teams=teams)
@app.route('/scores')
def scores():
@scoreboard.route('/scores')
def scores():
score = db.func.sum(Challenges.value).label('score')
quickest = db.func.max(Solves.date).label('quickest')
teams = db.session.query(Solves.teamid, Teams.name, score).join(Teams).join(Challenges).filter(Teams.banned == None).group_by(Solves.teamid).order_by(score.desc(), quickest)
@@ -22,8 +25,9 @@ def init_scoreboard(app):
json['teams'].append({'place':i+1, 'id':x.teamid, 'name':x.name,'score':int(x.score)})
return jsonify(json)
@app.route('/top/<count>')
def topteams(count):
@scoreboard.route('/top/<count>')
def topteams(count):
try:
count = int(count)
except:

0
static/admin/css/style.css → CTFd/static/admin/css/style.css
View File

0
static/admin/js/chalboard.js → CTFd/static/admin/js/chalboard.js
View File

0
static/admin/js/team.js → CTFd/static/admin/js/team.js
View File

0
static/css/style.css → CTFd/static/css/style.css
View File

0
static/img/ctfd.ai → CTFd/static/img/ctfd.ai
View File

0
static/img/ctfd.svg → CTFd/static/img/ctfd.svg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.0 KiB

After

Width:  |  Height:  |  Size: 2.0 KiB

0
static/img/favicon.ico → CTFd/static/img/favicon.ico
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.1 KiB

After

Width:  |  Height:  |  Size: 1.1 KiB

0
static/img/logo.png → CTFd/static/img/logo.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

0
static/img/logo_old.png → CTFd/static/img/logo_old.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

0
static/js/chalboard.js → CTFd/static/js/chalboard.js
View File

0
static/js/scoreboard.js → CTFd/static/js/scoreboard.js
View File

0
static/js/team.js → CTFd/static/js/team.js
View File

0
static/uploads/index.html → CTFd/static/uploads/index.html
View File

25
templates/admin/base.html → CTFd/templates/admin/base.html
View File

@@ -9,7 +9,7 @@
<link rel="icon" href="/static/img/favicon.ico" type="image/x-icon">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/normalize.min.css" />
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/foundation/5.4.7/css/foundation.min.css" />
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" />
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="/static/admin/css/style.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
</head>
@@ -32,22 +32,13 @@
<!-- Left Nav Section -->
<ul class="left">
<li><a href="/admin/graphs">Graphs</a>
</li>
<li><a href="/admin/pages">Pages</a>
</li>
<li><a href="/admin/hosts">Hosts</a>
</li>
<li><a href="/admin/teams">Teams</a>
</li>
<li><a href="/admin/scoreboard">Scoreboard</a>
</li>
<li><a href="/admin/chals">Challenges</a>
</li>
<li><a href="/admin/statistics">Statistics</a>
</li>
<li><a href="/admin/config">Config</a>
</li>
<li><a href="/admin/graphs">Graphs</a></li>
<li><a href="/admin/pages">Pages</a></li>
<li><a href="/admin/teams">Teams</a></li>
<li><a href="/admin/scoreboard">Scoreboard</a></li>
<li><a href="/admin/chals">Challenges</a></li>
<li><a href="/admin/statistics">Statistics</a></li>
<li><a href="/admin/config">Config</a></li>
</ul>
</section>
</nav>

0
templates/admin/chals.html → CTFd/templates/admin/chals.html
View File

5
templates/admin/config.html → CTFd/templates/admin/config.html
View File

@@ -22,11 +22,6 @@
<input id='mg_api_key' name='mg_api_key' type='text' placeholder="Mailgun API Key" {% if mg_api_key is defined and mg_api_key != None %}value="{{ mg_api_key }}"{% endif %}>
</div>
<div class="row">
<label for="start">Digital Ocean API Key:</label>
<input id='do_api_key' name='do_api_key' type='text' placeholder="Digital Ocean API Key" {% if do_api_key is defined and do_api_key != None %}value="{{ do_api_key }}"{% endif %}>
</div>
<div class="row">
<label for="start">Start Date:</label>
<input id='start' name='start' type='text' placeholder="Start Date (UTC timestamp)" {% if start is defined and start != None %}value="{{ start }}"{% endif %}>

0
templates/admin/correct_keys.html → CTFd/templates/admin/correct_keys.html
View File

0
templates/admin/editor.html → CTFd/templates/admin/editor.html
View File

0
templates/admin/graphs.html → CTFd/templates/admin/graphs.html
View File

0
templates/admin/hosts.html → CTFd/templates/admin/hosts.html
View File

0
templates/admin/login.html → CTFd/templates/admin/login.html
View File

29
templates/admin/pages.html → CTFd/templates/admin/pages.html
View File

@@ -16,6 +16,14 @@
</form>
<a class="close-reveal-modal">&#215;</a>
</div>
<div class="small-6 columns">
<h3>CSS editor <a onclick="save_css()"><i class="fa fa-floppy-o"></i></a></h3>
<div style="height: 500px;" id="admin-css-editor" name="css">{{ css }}</div>
</div>
<div class="small-6 columns">
<h3>HTML Pages <a href="/admin/pages?mode=create"><i class="fa fa-plus"></i></a></h3>
<table id="pages">
<thead>
<tr>
@@ -32,14 +40,14 @@
{% endfor %}
</tbody>
</table>
<form method="POST">
<input name='nonce' type='hidden' value="{{ nonce }}">
<button class="radius" type='submit'>New Page</button>
</form>
</div>
</div>
{% endblock %}
{% block scripts %}
<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/theme-github.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-css.js"></script>
<script>
$('#delete-route').click(function(e){
e.preventDefault();
@@ -60,10 +68,23 @@ function load_confirm_modal(route){
$('#confirm').foundation('reveal', 'open');
}
function save_css(){
var css = editor.getValue();
var nonce = $('#nonce').val();
$.post('/admin/css', {'css':css, 'nonce':nonce}, function(){
console.log('saved');
});
}
$('.fa-times').click(function(){
var elem = $(this).parent().parent();
var name = elem.find('.route-name').text().trim();
load_confirm_modal(name)
});
var editor = ace.edit("admin-css-editor");
editor.setTheme("ace/theme/github");
editor.getSession().setMode("ace/mode/css");
</script>
{% endblock %}

0
templates/admin/scoreboard.html → CTFd/templates/admin/scoreboard.html
View File

0
templates/admin/static/css/style.css → CTFd/templates/admin/static/css/style.css
View File

0
templates/admin/statistics.html → CTFd/templates/admin/statistics.html
View File

0
templates/admin/team.html → CTFd/templates/admin/team.html
View File

0
templates/admin/teams.html → CTFd/templates/admin/teams.html
View File

0
templates/admin/wrong_keys.html → CTFd/templates/admin/wrong_keys.html
View File

25
templates/base.html → CTFd/templates/base.html
View File

@@ -11,6 +11,7 @@
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" />
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/8.3/styles/railscasts.min.css">
<link rel="stylesheet" type="text/css" href="/static/css/style.css">
<link rel="stylesheet" type="text/css" href="/static/user.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.5.1/moment.min.js"></script>
</head>
<body>
@@ -40,29 +41,9 @@
{%else %}
<li class="has-form">
{% if can_register() %}
<li class="has-dropdown">
<a href="/register">Register</a>
<ul class="dropdown">
<form method="POST" action="/register">
<li><input type='text' name='name' placeholder='Name'></li>
<li><input type='text' name='email' placeholder='Email'></li>
<li><input type='password' name='password' placeholder='Password'></li>
<li><button type='submit'>Register</button></li>
</form>
</ul>
</li>
<li><a href="/register">Register</a></li>
{% endif %}
<li class="has-dropdown">
<a href="/login">Login</a>
<ul class="dropdown">
<form method="POST" action="/login">
<li><input type='text' name='name' placeholder='Name'></li>
<li><input type='password' name='password' placeholder='Password'></li>
<li><button type='submit'>Login</button></li>
<li><a href="/reset_password" class="text-center">Forgot?</a></li>
</form>
</ul>
</li>
<li><a href="/login">Login</a></li>
{% endif %}
</li>
</ul>

0
templates/chals.html → CTFd/templates/chals.html
View File

0
templates/ctf.html → CTFd/templates/ctf.html
View File

0
templates/errors/403.html → CTFd/templates/errors/403.html
View File

0
templates/errors/404.html → CTFd/templates/errors/404.html
View File

0
templates/errors/500.html → CTFd/templates/errors/500.html
View File

0
templates/errors/502.html → CTFd/templates/errors/502.html
View File

1
templates/login.html → CTFd/templates/login.html
View File

@@ -19,6 +19,7 @@
<input class="radius" type='text' name='name' placeholder='Name'><br/>
<input class="radius" type='password' name='password' placeholder='Password'><br/>
<p><a href="/reset_password">Forgot your password?</a></p>
<input type="hidden" name="nonce" value="{{nonce}}">
<button class="radius" type='submit'>Login</button>
</form>
</div>

0
templates/profile.html → CTFd/templates/profile.html
View File

0
templates/register.html → CTFd/templates/register.html
View File

0
templates/reset_password.html → CTFd/templates/reset_password.html
View File

0
templates/scoreboard.html → CTFd/templates/scoreboard.html
View File

1
templates/setup.html → CTFd/templates/setup.html
View File

@@ -37,6 +37,7 @@
<h4 class="text-center"><a href="/admin">Click here</a> to login and setup your CTF</h4>
</div>
</textarea><br>
<input type="hidden" name="nonce" value="{{nonce}}"> {# This nonce is implemented specially in the route itself #}
<button class="radius" type='submit'>Login</button>
</form>
</div>

0
templates/team.html → CTFd/templates/team.html
View File

0
templates/teams.html → CTFd/templates/teams.html
View File

84
CTFd/utils.py
View File

@@ -3,7 +3,7 @@ from CTFd import mail
from urlparse import urlparse, urljoin
from functools import wraps
from flask import current_app as app, g, request, redirect, url_for, session
from flask import current_app as app, g, request, redirect, url_for, session, render_template
from flask.ext.mail import Message
from socket import inet_aton, inet_ntoa
from struct import unpack, pack
@@ -11,11 +11,71 @@ from struct import unpack, pack
import time
import datetime
import hashlib
import digitalocean
import shutil
import requests
import logging
import os
import sys
def init_logs(app):
logger_keys = logging.getLogger('keys')
logger_logins = logging.getLogger('logins')
logger_regs = logging.getLogger('regs')
logger_keys.setLevel(logging.INFO)
logger_logins.setLevel(logging.INFO)
logger_regs.setLevel(logging.INFO)
try:
parent = os.path.dirname(__file__)
except:
parent = os.path.dirname(os.path.realpath(sys.argv[0]))
log_dir = os.path.join(parent, 'logs')
if not os.path.exists(log_dir):
os.makedirs(log_dir)
logs = [
os.path.join(parent, 'logs', 'keys.log'),
os.path.join(parent, 'logs', 'logins.log'),
os.path.join(parent, 'logs', 'registers.log')
]
for log in logs:
if not os.path.exists(log):
open(log, 'a').close()
key_log = logging.handlers.RotatingFileHandler(os.path.join(parent, 'logs', 'keys.log'), maxBytes=10000)
login_log = logging.handlers.RotatingFileHandler(os.path.join(parent, 'logs', 'logins.log'), maxBytes=10000)
register_log = logging.handlers.RotatingFileHandler(os.path.join(parent, 'logs', 'registers.log'), maxBytes=10000)
logger_keys.addHandler(key_log)
logger_logins.addHandler(login_log)
logger_regs.addHandler(register_log)
logger_keys.propagate = 0
logger_logins.propagate = 0
logger_regs.propagate = 0
def init_errors(app):
@app.errorhandler(404)
def page_not_found(error):
return render_template('errors/404.html'), 404
@app.errorhandler(403)
def forbidden(error):
return render_template('errors/403.html'), 403
@app.errorhandler(500)
def general_error(error):
return render_template('errors/500.html'), 500
@app.errorhandler(502)
def gateway_error(error):
return render_template('errors/502.html'), 502
def init_utils(app):
app.jinja_env.filters['unix_time'] = unix_time
app.jinja_env.filters['unix_time_millis'] = unix_time_millis
@@ -25,6 +85,19 @@ def init_utils(app):
app.jinja_env.globals.update(mailserver=mailserver)
app.jinja_env.globals.update(ctf_name=ctf_name)
@app.context_processor
def inject_user():
if authed():
return dict(session)
return dict()
@app.before_request
def needs_setup():
if request.path == '/setup' or request.path.startswith('/static'):
return
if not is_setup():
return redirect('/setup')
def ctf_name():
name = get_config('ctf_name')
@@ -205,10 +278,3 @@ def validate_url(url):
def sha512(string):
return hashlib.sha512(string).hexdigest()
def get_digitalocean():
token = get_config('do_api_key')
if token:
return digitalocean.Manager(token=token)
else:
return False

67
CTFd/views.py
View File

@@ -1,5 +1,5 @@
from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session
from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config
from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint, Response
from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config, sha512
from CTFd.models import db, Teams, Solves, Challenges, WrongKeys, Keys, Tags, Files, Tracking, Pages, Config
from jinja2.exceptions import TemplateNotFound
@@ -13,9 +13,11 @@ import sys
import json
import os
def init_views(app):
@app.before_request
def tracker():
views = Blueprint('views', __name__)
@views.before_request
def tracker():
if authed():
if not Tracking.query.filter_by(ip=ip2long(request.remote_addr)).first():
visit = Tracking(request.remote_addr, session['id'])
@@ -23,26 +25,24 @@ def init_views(app):
db.session.commit()
db.session.close()
@app.before_request
def csrf():
if authed() and request.method == "POST":
@views.before_request
def csrf():
if request.method == "POST":
if session['nonce'] != request.form.get('nonce'):
abort(403)
@app.before_request
def redirect_setup():
@views.before_request
def redirect_setup():
if request.path == "/static/css/style.css":
return
if not is_setup() and request.path != "/setup":
return redirect('/setup')
@app.before_first_request
def needs_setup():
if not is_setup():
return redirect('/setup')
@app.route('/setup', methods=['GET', 'POST'])
def setup():
@views.route('/setup', methods=['GET', 'POST'])
def setup():
# with app.app_context():
# admin = Teams.query.filter_by(admin=True).first()
@@ -51,6 +51,9 @@ def init_views(app):
ctf_name = request.form['ctf_name']
ctf_name = Config('ctf_name', ctf_name)
## CSS
css = Config('start', '')
## Admin user
name = request.form['name']
email = request.form['email']
@@ -86,17 +89,25 @@ def init_views(app):
db.session.add(end)
db.session.add(view_challenges_unregistered)
db.session.add(prevent_registration)
db.session.add(css)
db.session.add(setup)
db.session.commit()
app.setup = False
return redirect('/')
return render_template('setup.html')
return render_template('setup.html', nonce=session.get('nonce'))
return redirect('/')
# Static HTML files
@app.route("/", defaults={'template': 'index'})
@app.route("/<template>")
def static_html(template):
# Custom CSS handler
@views.route('/static/user.css')
def custom_css():
return Response(get_config("css"), mimetype='text/css')
# Static HTML files
@views.route("/", defaults={'template': 'index'})
@views.route("/<template>")
def static_html(template):
try:
return render_template('%s.html' % template)
except TemplateNotFound:
@@ -106,13 +117,15 @@ def init_views(app):
else:
abort(404)
@app.route('/teams')
def teams():
@views.route('/teams')
def teams():
teams = Teams.query.all()
return render_template('teams.html', teams=teams)
@app.route('/team/<teamid>', methods=['GET', 'POST'])
def team(teamid):
@views.route('/team/<teamid>', methods=['GET', 'POST'])
def team(teamid):
user = Teams.query.filter_by(id=teamid).first()
solves = Solves.query.filter_by(teamid=teamid).all()
score = user.score()
@@ -128,8 +141,8 @@ def init_views(app):
return jsonify(json)
@app.route('/profile', methods=['POST', 'GET'])
def profile():
@views.route('/profile', methods=['POST', 'GET'])
def profile():
if authed():
if request.method == "POST":
errors = []

1
requirements.txt
View File

@@ -8,5 +8,4 @@ passlib==1.6.2
bcrypt
six==1.8.0
itsdangerous==0.24
python-digitalocean==1.4.2
requests==2.3.0