from flask import Flask, request, render_template_string, make_response
from flask_basicauth import BasicAuth
import subprocess
import os
import sqlite3
import json
import pprint

app = Flask(__name__)
app.config['BASIC_AUTH_USERNAME'] = os.environ.get('AUTH_USERNAME')
app.config['BASIC_AUTH_PASSWORD'] = os.environ.get('AUTH_PASSWORD')
basic_auth = BasicAuth(app)

@app.route('/', methods=['GET'])
def index():
    response = make_response('Nothing to see here')
    response.headers['Content-Type'] = 'text/plain'
    return response

@app.route('/crash', methods=['GET'])
def crash():
    output = "SOMETHING WENT WRONG\n\n"
    for i, l in os.environ.items():
        output += i + ':' + l + "\n"
    output += "ENV=" + str(os.environ) + "\n\n"
    output += str(request.headers) + "\n\n"
    output += str(request.endpoint) + "\n\n"
    output += str(request.method) + "\n\n"
    output += str(request.remote_addr) + "\n\n"

    response = make_response(output)
    response.headers['Content-Type'] = 'text/plain'
    return response
    

@app.route('/admin', methods=['GET', 'POST'])
@basic_auth.required
def admin():
    output = ''
    # SQL Injection?
    db = sqlite3.connect("tutorial.db")
    cursor = db.cursor()
    username = ''
    password = ''
    try:
        #the % is what makes it bad, instead of passing them in as parameters
        #Example Exploit: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))
    except:
        pass
    if request.method == 'POST':
        if 'command' in request.form:
            cmd = request.form['command']
            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            stdout, stderr = process.communicate()
            if process.returncode == 0:
                output = stdout.decode('utf-8')
            else:
                output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}"
        elif 'file' in request.files:
            uploaded_file = request.files['file']
            uploaded_file.save(os.path.join('/uploads', uploaded_file.filename))
            output = f"File {uploaded_file.filename} uploaded successfully!"
        elif 'sql' in request.form:
            sql = request.form['sql']
            res = cursor.execute(sql)
            output = json.dumps(res.fetchall())


    return render_template_string("""
        <h1>Admin panel.  If your name is not Frank, you should not be here.</h1>
        <form action="/admin" method="post">
            Run a command: <input type="text" name="command">
            <input type="submit" value="Run">
        </form>
        <br>
        <form action="/admin" method="post" enctype="multipart/form-data">
            Upload a file: <input type="file" name="file">
            <input type="submit" value="Upload">
        </form>
        <br>
        <form action="/admin" method="post">
            Inject some SQL <input type="text" name="sql">
            <input type="submit" value="Run">
        </form>
        <pre>{{output}}</pre>
    """, output=output)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080, debug=True)