--[[
Entrypoint for the o2switch cgi : /o2s-cgi/api.cgi
a=get-chl : Returns the JS Challenge to be executed by the browser
a=verify-response / a=verify-captcha-response : Verifies the response to the JS Challenge or to the Captcha challenge
--]]
local jsChl = require "lib/o2switch_js_challenge_v2"
local captchaChl = require "lib/o2switch_captcha"
local o2debug = require "lib/o2switch_debug"
local o2utils = require "lib/o2switch_utils"
local o2counter = require "lib/o2switch_counter"
local o2config = require "lib/o2switch_config"
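local ngx = ngx
-- Per-request context, read once from the nginx variables.
local domain = o2utils.extractDomain(o2utils.extractDomainWww(ngx.var.host))
local clientIp = ngx.var.remote_addr
local binaryClientIp = ngx.var.binary_remote_addr
local ua = ngx.var.http_user_agent or '-' -- '-' when the client sent no User-Agent
local uniqueId = ngx.var.request_id
local httpMethod = ngx.var.request_method
local type = type
local tostring = tostring
local arg_a = ngx.var.arg_a -- nil when no ?a= action is given
-- Challenge responses are per-client and must never be cached or shared.
ngx.header.cache_control = "private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
ngx.header.expires = "Thu, 01 Jan 1970 00:00:01 GMT"
-- Fix: the previous `ngx.header_referer_policy = ...` only created a field on the
-- ngx table and never emitted a header. Set the real Referrer-Policy response header.
ngx.header["Referrer-Policy"] = "same-origin"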
--[[
Generate and send the JS Challenge
The challenge.html page first calls this endpoint to retrieve a JS payload (the challenge) to execute
--]]
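if arg_a == 'get-chl' then
  -- Every failure on this endpoint is reported as a JSON body with HTTP 200; the
  -- optional `code` field tells internal errors apart. An explicit `return` follows
  -- each response so the handler cannot fall through and emit a second body if the
  -- send helper ever returns instead of ending the request.
  local function sendFailure(reason, code)
    local body = { success = false, reason = reason }
    if code ~= nil then
      body.code = code
    end
    o2utils.sendJsonResponse(body, 200)
  end

  if httpMethod ~= 'POST' then
    o2debug.debugErr('Wrong HTTP method on this endpoint')
    sendFailure('Wrong HTTP method')
    return
  end

  -- NOTE(review): get_post_args() requires the body to have been read
  -- (ngx.req.read_body() or lua_need_request_body) — confirm in the nginx config.
  local data = ngx.req.get_post_args()
  -- A repeated form field arrives as a table, so the string checks also reject duplicates.
  if type(data) ~= 'table' or type(data['chl-hash']) ~= 'string' or type(data['chl-type']) ~= 'string' then
    sendFailure('Invalid form, data missing')
    return
  end

  -- The form must carry the hash bound to this client IP / User-Agent.
  local expectedHash = jsChl.getAntiTamperingHash(clientIp, ua)
  if expectedHash ~= data['chl-hash'] then
    sendFailure('Invalid hash')
    return
  end

  -- Build the challenge: a secret value, the hashing chain the browser must apply,
  -- and the digest the browser has to reproduce. Only the digest goes to the client.
  local numberToGuess = jsChl.getRandomNumber()
  if type(numberToGuess) ~= 'string' then
    o2debug.debugErr('Failed to generate a random number')
    sendFailure('Internal err', '001')
    return
  end

  local hashingMethodsCollection = jsChl.getHashingMethod()
  if type(hashingMethodsCollection) ~= 'table' then
    o2debug.debugErr('Failed to generate the hashing collection')
    sendFailure('Internal err', '002')
    return
  end

  local hashToFound = jsChl.getHash(numberToGuess, hashingMethodsCollection)
  if type(hashToFound) ~= 'string' then
    o2debug.debugErr('Failed to generate the hash to found')
    sendFailure('Internal err', '003')
    return
  end

  local challengeId = jsChl.generateChallengeId(uniqueId)
  if type(challengeId) ~= 'string' then
    o2debug.debugErr('Failed to generate the challenge ID')
    sendFailure('Internal err', '004')
    return
  end

  local jsPayload = jsChl.getChallengeJsPayload(hashToFound, hashingMethodsCollection, challengeId)
  if type(jsPayload) ~= 'string' then
    o2debug.debugErr('Failed to generate the JS Payload')
    sendFailure('Internal err', '005')
    return
  end

  -- The secret is kept server-side, keyed by challenge id, for the verify step.
  local ok, err = jsChl.persist(domain, clientIp, numberToGuess, challengeId)
  if not ok or err ~= nil then
    o2debug.debugErr('Persisting error')
    sendFailure('Internal err', '006')
    return
  end

  o2utils.sendJsonResponse({
    success = true,
    payload = jsPayload,
  }, 200)
  return
end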
--[[
Here we check the browser's response to the JS Challenge.
If the response is correct, a 301 redirect to the requested page is returned, with a bypass cookie to be set.
--]]
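if arg_a == 'verify-response' then
  -- Each response is followed by an explicit `return`: the checks below assume the
  -- send helpers end the request, and without the return a failed check would
  -- continue into the success path if a helper ever came back.
  if httpMethod ~= 'POST' then
    o2debug.debugErr('Wrong HTTP method on this endpoint')
    o2utils.sendJsonResponse({
      success = false,
      reason = 'Wrong HTTP method',
    }, 200)
    return
  end

  local data = ngx.req.get_post_args()
  -- Repeated fields arrive as tables, so the string checks also reject duplicates.
  local formIsValid = type(data) == 'table'
    and type(data['chl-hash']) == 'string'
    and type(data['chl-type']) == 'string'
    and type(data['js-chl-id']) == 'string'
    and type(data['chl-current-url']) == 'string'
    and type(data['js-chl-response']) == 'string'
  if not formIsValid then
    -- No trusted URL to go back to: redirect to the default target.
    o2utils.sendRedirectResponse()
    return
  end

  -- NOTE(review): chl-current-url is client-supplied; confirm that sendRedirectResponse
  -- and sendSuccessRedirectResponse restrict it to this host, otherwise this is an
  -- open redirect.
  local returnUrl = data['chl-current-url']

  -- Every failed verification ends the same way: back to the challenge for that URL.
  local function rejectAndRedirect()
    o2utils.sendRedirectResponse(returnUrl)
  end

  -- The hash binds the form to the client IP / User-Agent it was issued for.
  local antiTamperingHash = jsChl.getAntiTamperingHash(clientIp, ua, 'js')
  if type(antiTamperingHash) ~= 'string' or antiTamperingHash ~= data['chl-hash'] then
    rejectAndRedirect()
    return
  end

  local challengeData, err = jsChl.retrieve(domain, data['js-chl-id'])
  if type(challengeData) ~= 'table' or err ~= nil then
    rejectAndRedirect()
    return
  end

  -- The challenge was issued to one IP address ('i'); an answer from another address is rejected.
  if challengeData['i'] ~= clientIp then
    rejectAndRedirect()
    return
  end

  -- The browser must have recovered the stored value ('n').
  if data['js-chl-response'] ~= tostring(challengeData['n']) then
    rejectAndRedirect()
    return
  end

  -- NOTE(review): nothing here invalidates the stored challenge after success; confirm
  -- that jsChl.retrieve is single-use (or the id expires) so a correct answer cannot be replayed.
  local bypassCookieVal = jsChl.getBypassCookieValue(clientIp, ua, domain)
  if type(bypassCookieVal) ~= 'string' then
    rejectAndRedirect()
    return
  end

  -- Presumably lowers the per-IP counter that triggered the challenge — confirm against o2counter.
  o2counter.decrement('i', binaryClientIp, o2config.reqCredit, true)
  jsChl.sendSuccessRedirectResponse(returnUrl, domain, 'o2s-chl', bypassCookieVal)
  return
end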
-- Verifying the captcha response
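if arg_a == 'verify-captcha-response' then
  -- Each response is followed by an explicit `return` so a failed check can never
  -- continue into the success path if a send helper returns instead of ending the request.
  if httpMethod ~= 'POST' then
    o2debug.debugErr('Wrong HTTP method on this endpoint')
    o2utils.sendJsonResponse({
      success = false,
      reason = 'Wrong HTTP method',
    }, 200)
    return
  end

  local data = ngx.req.get_post_args()
  -- Repeated fields arrive as tables, so the string checks also reject duplicates.
  local formIsValid = type(data) == 'table'
    and type(data['chl-hash']) == 'string'
    and type(data['chl-type']) == 'string'
    and type(data['chl-current-url']) == 'string'
    and type(data['js-chl-response']) == 'string'
  if not formIsValid then
    -- No trusted URL to go back to: redirect to the default target.
    o2utils.sendRedirectResponse()
    return
  end

  -- NOTE(review): chl-current-url is client-supplied; confirm the redirect helpers
  -- restrict it to this host, otherwise this is an open redirect.
  local returnUrl = data['chl-current-url']

  -- The hash binds the form to the client IP / User-Agent it was issued for.
  local antiTamperingHash = captchaChl.getAntiTamperingHash(clientIp, ua)
  if type(antiTamperingHash) ~= 'string' or antiTamperingHash ~= data['chl-hash'] then
    o2utils.sendRedirectResponse(returnUrl)
    return
  end

  local captchaPassed = captchaChl.validate(data['js-chl-response'], clientIp)
  if not captchaPassed then
    o2utils.sendRedirectResponse(returnUrl)
    return
  end

  -- Presumably lowers the per-IP counter that triggered the challenge, weighted by
  -- captchaMultiplier — confirm against o2counter.
  o2counter.decrement('i', binaryClientIp, o2config.reqCredit * o2config.captchaMultiplier, true)

  -- Same guard as the JS-challenge endpoint: never issue a redirect with a non-string cookie value.
  local bypassCookieVal = captchaChl.getBypassCookieValue(clientIp, ua, domain)
  if type(bypassCookieVal) ~= 'string' then
    o2debug.debugErr('Failed to create the captcha bypass cookie value')
    o2utils.sendRedirectResponse(returnUrl)
    return
  end

  captchaChl.sendSuccessRedirectResponse(returnUrl, domain, 'o2s-chl', bypassCookieVal)
  return
end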
-- Reached when the `a` action matches none of the handled endpoints.
local unknownEndpoint = {
  success = false,
  reason = 'Invalid endpoint',
  code = '001',
}
o2utils.sendJsonResponse(unknownEndpoint, 200)