We Keep Coding

Request over https using R shiny and a python server

I have a python server that runs using an ssl wrapped socket. I am trying to send an https GET and POST request from an R-shiny client to the python server, yet I get the following error:
Listening on http://127.0.0.1:6565
Warning: Error in curl::curl_fetch_memory: schannel: Failed to get certificate location for >c/cygwin64/home/user/Documents/server/cert.pem
My overarching goal is to type a text into the shiny R text input, send this text to the python server in the form of a POST request over a secure channel. The python server I will run the interpreter() function on the string I just sent and return to the R-shiny client the appropriate response.
This setup has worked when not using ssl-certificates, however, after implementing the python ssl wrapped socket, I have been getting this error.
I hope some of you might be able to illuminate me on this matter.
This is my python server
import ssl
from http.server import HTTPServer, BaseHTTPRequestHandler
from io import BytesIO
def interpreter(val):
if val == "Search":
return "Searched"
elif val == "Add":
return "Added"
else:
return "Invalid statement"
class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-type", "text/csv")
self.end_headers()
self.wfile.write(bytes(
"<html><body><h1>HELLO world!</h1></body></html>", "utf-8"))
def do_POST(self):
content_length = int(self.headers['Content-Length'])
body = self.rfile.read(content_length)
print(body.decode())
modified_body = interpreter(body.decode())
print(modified_body)
self.send_response(200)
self.end_headers()
response = BytesIO()
response.write(b'Received: ')
response.write(body)
response.write(b' End of request')
self.wfile.write(response.getvalue())
httpd = HTTPServer(('localhost', 8000), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile="key.pem",
certfile="cert.pem", server_side=True)
print("Server Running Now...")
httpd.serve_forever()
httpd.server_close()
print("Server Stopped")
And my shiny-R application is as follows
library(shiny)
library(httr)
ui <- fluidPage(
titlePanel("Request Module"),
fluidRow(
column(3,
textInput(inputId = "request", label="Enter Request Term"),
actionButton(inputId = "getRequest", label="Get"),
actionButton(inputId = "postRequest", label="Post")
)
),
fluidRow(
wellPanel(
htmlOutput(outputId = "resultOutput")
)
)
)
server <- function(input, output) {
url <- "http://127.0.0.1:8000"
s_url <- "https://127.0.0.1:8000"
httr::set_config(config(ssl_verifypeer = 0L))
certfile="c/cygwin64/home/user/Documents/server/cert.pem"
keyfile="c/cygwin64/home/user/Documents/server/key.pem"
observeEvent(input$getRequest,{
getResponse <- GET(url = s_url,
config(sslcert=certfile, sslkey=keyfile))
output$resultOutput <- renderPrint({
getResponse$content
})
})
observeEvent(input$postRequest,{
reqMessage <- input$request
postResult <- POST(url = s_url,
body = reqMessage,
content_type("text/csv"),
encoding = "UTF-8",
config(sslcert=certfile, sslkey=keyfile))
processedResponse <- content(postResult, as="text", encoding = "UTF-8")
output$resultOutput <- renderPrint({
processedResponse
})
})
}
shinyApp(ui = ui, server = server)

The Python Request module does not function when including a proxy

I have recently tried the python request module and it seems to work fine up until the point when I include a proxy in the command. I am using the Burp Suite proxy, when I run the code the program gets stuck on the line of code with the request module.
import requests
import sys
import urllib3
#input = "https://0a0100660376e8efc04b1a7600880072.web-security-academy.net/"
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
def exploit_sqli_column_number(URL):
path = "filter?category=Tech+gifts"
for i in range(1,51):
sql_payload = "'+order+by+%s--" %i
r = requests.get(url + path + sql_payload, verify = False, proxies = proxies)
res = r.text
if "Internal Server Error" in res:
return i - 1
return False
if __name__ == "__main__":
try:
url = sys.argv[1]
except IndexError:
print("[-] Usage: %s <url>" % sys.argv[0])
print("[-] Example: %s www.example.com" % sys.argv[0])
sys.exit(-1)
print("[+] Figuring out number of columns.")
num_col = exploit_sqli_column_number(URL)
if num_col:
print("[+] The number of columns is " + str(num_col)
+ ".")
else:
print("[-] The SQL Injection was not successful.")
I have tried other scripts where I just make the request without using the proxy and it works just fine, I have also checked the IP address and the Port, so there should be no issues with that.
Thank you for help in advance.

This code works for me:
import requests
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8085', 'https': 'https://127.0.0.1:8085'}
r = requests.get('https://www.google.com', verify = False, proxies = proxies)
print(r)
I'd make sure you set the correct ports in Burp Suite under Proxy -> Options, and make sure you turn off intercept. If your code is just hanging and not giving any error then the issues is you have not turned off intercept. I would try using a port other than the default 8080 for your proxy.

Disabling gunicorn certificate validation

i'm creating an application with Flask and i'm using gunicorn as my application server. I enabled the verification of the client's certificate, and i would like to know if there is a way to disable the validation of client's certificate for a specific user or if there is a way to use two address:1 that uses https and another that uses http.
gunicorn configuration
import ssl
bind = "0.0.0.0:8080"
ca_certs = "certs/ca-crt.pem"
certfile = "certs/server-crt.pem"
keyfile = "certs/server-key.pem"
cert_reqs = ssl.CERT_REQUIRED
worker_class = 'proto_worker.CustomSyncWorker'
from gunicorn.workers.sync import SyncWorker
import werkzeug.serving
import OpenSSL
class CustomSyncWorker(SyncWorker):
def handle_request(self, listener, req, client, addr):
cert = client.getpeercert()
try:
key = client.get_password()
except:
key = ''
headers = dict(req.headers)
#headers['CERT'] = dict(cert)
headers['CERT'] = str(cert)+str(key)
req.headers = list(headers.items())
super(CustomSyncWorker, self).handle_request(listener, req, client, addr)

How to send UDP requests via asyncio in python 3

I would like to send UDP messages to my InfluxDB server using asyncio. This is my synchronous code:
import socket
import requests
from logger import get_logger
log = get_logger(__name__)
class InfluxDB(object):
def __init__(self, username, password, host, port, udp=True, udp_port=4444):
log.info("InfluxDBClient()")
self.udp = udp
if self.udp:
self.udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.udp_port_tuple = (host, udp_port)
self.session = requests.session()
self.session.auth = (username, password)
self.base_url = "http://{}:{}".format(host, port)
def _query(self, payload, endpoint="/query"):
log.debug(payload)
return self.session.post(self.base_url + endpoint, params=payload)
def _write(self, db, data, endpoint="/write"):
log.debug("{} \t {}".format(db, data))
return self.session.post(self.base_url + endpoint, params={"db": db}, data=data)
def write_udp(self, data_str):
if self.udp:
return self.udp_socket.sendto(data_str.encode("utf-8"), self.udp_port_tuple)
else:
raise Exception("UDP disabled")
How do I rewrite the "write_udp" function using the async/await syntax?
-- edit 7/5/2018 --
To be more specific, I am unsure how to reference the asyncio equivalent of "socket". Presumably there is a version of an asyncio based socket, which I would reference as self.udp_socket = socket.socket_asyncio, and then I would fire off messages via await socket.socket_asyncio.sendto(....) what I need to understand is how to reference this asyncio based socket object.

How do I find out which socket client send the message?

I am working on a chat program. I have a server and client, multiple users can connect to the server. Currently, I just have the server send back whatever message the clients send to the server. I would like to add on an authentication so that I can accept/decline the connection if the authentication fails.
client:
class Network:
# initialize the socket
def __init__(self, client, host=host, port=port):
self.client = client;
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
self.port = port;
self.host = host;
self.addr = (host, port);
# conenct to the server
def connect(self):
self.socket.connect(self.addr);
# receive data from server if there is any
def read(self):
while True:
time.sleep(0.1)
try:
data = self.socket.recv(1024);
except:
break;
# instead of breaking, create "connection lost" then open the login form again
print "in client: ", data;
data_split = data.split("\r\n");
for ds in data_split:
self.client.msgbox.addMsg(ds);
# send chat message to the server
def send(self, msg):
self.socket.send(msg);
# authenticate user
# if
def authenticate(self, info):
self.socket.send(info);
server:
class Server:
# init the socket
def __init__(self, host=host, port=port):
self.host = host;
self.port = port;
self.addr = (host, port);
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
# send data to client
def send(self, soc, data):
try:
soc.send(data);
except:
return "couldn't send message";
# receive data from client
def receive(self, soc):
while True:
try:
return soc.recv(size);
except:
return disconnect;
# connect client
def connect(self):
self.socket.bind(self.addr);
self.socket.listen(5);
self.socket_s = [self.socket];
self.read_socs = [self.socket];
self.write_socs = [];
self.user_addr = {};
# validate the user
def validate(self, username, password):
if username in users:
sha = s256.new();
sha.update(password);
password = sha.hexdigest();
if password == users[username]:
print "in server: true";
return True;
else:
print "in server: false";
return False;
# server
def serve(self):
while True:
r_socs, w_socs, exceptions = select.select(self.read_socs, [], []);
for s in r_socs:
if s in self.socket_s:
print "accepting socket connect";
soc, address = s.accept();
print "in server: ", soc, address;
self.read_socs.append(soc);
self.write_socs.append(soc);
for ws in self.write_socs:
self.send(ws, "len(users) == " + str(len(self.write_socs)) + "\n");
print connection;
else:
data = self.receive(s);
print "in server: " + data;
if auth in data:
ds = data.split(" ");
res = self.validate(ds[1], ds[2]);
elif data == disconnect:
s.close();
self.read_socs.remove(s);
self.write_socs.remove(s);
for ws in self.write_socs:
print "in server: " + ws
self.send(ws, "len(users) == " + str(len(self.write_socs)) + "\n");
else:
for ws in self.write_socs:
print "in server: " + ws;
self.send(ws, data);

Your design is not actually going to work, because the data in a TCP message received doesn't necessarily correlate with a single send from the other side—it could be half a message, or 3 messages, or 5-1/2 messages. If you're just testing on localhost, with small messages, it will often seem to work in your tests, and then completely fail when you put it on the internet. That's why you need to build some kind of protocol on top of TCP that uses delimiters (like newlines), length prefixes (like netstrings), or self-delimiting objects (like JSON).
At any rate, you know the socket each message comes in on. You can map sockets to users, or just use the sockets themselves, or their fds, to make decisions. So, just as you keep track of all the known sockets to pass to select, you also keep track of all sockets known to be authenticated. If the socket a message comes in on is in that list, it's authenticated; otherwise, the message is rejected unless it's an auth message.
Let's say you've got a simple line protocol:
def __init__(self):
self.sockets = [] # add clients here, along with listener
self.authsockets = [] # add authenticated clients here
self.buffers = defaultdict(str)
def loop(self):
r, w, x = select.select([sockets], [sockets], [sockets])
for sock in r:
buffers[sock] = buffers[sock] + sock.recv(4096)
lines = buffers[sock].split('\n')
if buffers[sock][-1] != '\n':
buffers[sock], lines = lines[-1], lines[:-1]
else:
buffers[sock] = ''
for line in lines:
processCommand(sock, line)
# etc.
def processCommand(self, sock, command):
if self.isAuthCommand(command):
if self.isValidAuthCommand(command):
self.authsockets.append(sock)
return
if not sock in self.authsockets:
return # ignore commands before auth
self.doNormalThing(command)
I've stripped out all of the irrelevant stuff—handling accepts, disconnects, errors, writes, etc. But you've got a similar problem there to your reads. First, you're assuming that sockets are always writable, which is not true. You need to queue up a write buffer for each socket, and write when select tells you it's OK. Again, this may seem to work on localhost, but it will fall apart on the internet. Second, writing to a socket may not send the entire buffer, so you need to look at how many bytes got written and keep buffer[bytecount:] around until next time.