Added required password for update system

Giulio 2020-09-13 23:59:49 +02:00
parent 76728e78e4
commit c01cd28458
3 changed files with 29 additions and 17 deletions


@ -1,4 +1,5 @@
Defaults env_reset
Defaults env_keep = "clearpassword"
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log"
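Review bot: The `Defaults env_keep = "clearpassword"` line uses `=`, which replaces sudo's built-in keep list instead of extending it, and as a global `Defaults` it applies to every command run through sudo rather than only to the updater. Appending and scoping it to the script would be narrower: `Defaults!/update.sh env_keep += "clearpassword"`. Carrying the secret in an environment variable also leaves it in the process environment for as long as the script runs; having the script read it from stdin would avoid both the sudoers exception and that exposure.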


@ -1,29 +1,39 @@
#!/bin/sh
/bin/echo "Usage: clearpassword=<password> sudo -E update.sh"
password=`/bin/cat /etc/txtpwd`
auth=`/bin/echo -n $clearpassword | /bin/sha512sum | /bin/cut -d' ' -f 1`
if [ "$auth" != "$password" ]; then
/bin/echo "Wrong password"
exit 1
fi
pubkey="/pub.pem"
file="/tmp/update.tgz.cc"
echo "### ccOS Update Script ###"
echo "[+] Starting"
sleep 1
echo "[+] Extracting Signature"
/bin/echo "### ccOS Update Script ###"
/bin/echo "[+] Starting"
/usr/bin/sleep 1
/bin/echo "[+] Extracting Signature"
skip=$(expr $(stat -c '%s' $file) - 256)
if [[ -L $file ]]
then
exit 0
fi
dd if=/tmp/update.tgz.cc of=sig bs=1 count=256 skip=$skip > /dev/null 2>&1
truncate -s $skip update.tgz.cc
check=`openssl dgst -sha256 -verify $pubkey -signature /tmp/sig /tmp/update.tgz.cc`
/usr/bin/dd if=/tmp/update.tgz.cc of=sig bs=1 count=256 skip=$skip > /dev/null 2>&1
/usr/bin/truncate -s $skip update.tgz.cc
check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig /tmp/update.tgz.cc`
if [ "$check" == "Verified OK" ]
then
echo "[+] Signature is valid!"
echo "[+] Upgrading..."
tar -xvzf /tmp/update.tgz.cc -C /
rm /tmp/update.tgz.cc /tmp/sig
echo "[+] Done"
/bin/echo "[+] Signature is valid!"
/bin/echo "[+] Upgrading..."
/usr/bin/tar -xvzf /tmp/update.tgz.cc -C /
/bin/rm /tmp/update.tgz.cc /tmp/sig
/bin/echo "[+] Done"
exit 0
else
echo "[-] Signature error, exiting..."
rm /tmp/update.tgz.cc /tmp/sig
/bin/echo "[-] Signature error, exiting..."
/bin/rm /tmp/update.tgz.cc /tmp/sig
exit 1
fi
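Review bot: The new `auth=` line hashes an unquoted `$clearpassword` passed to `echo -n`, so a password containing runs of whitespace, glob characters or a leading `-e`/`-n` is hashed as something other than what was typed; `auth=$(printf '%s' "$clearpassword" | /bin/sha512sum | /bin/cut -d' ' -f 1)` hashes the exact bytes. The rewritten `dd` and `truncate` lines still write to the relative `of=sig` and `update.tgz.cc` while verification reads `/tmp/sig` and `/tmp/update.tgz.cc`, so the signature check only lines up when the working directory happens to be /tmp; use `of=/tmp/sig` and `"$file"` throughout. Under `#!/bin/sh`, `[[ -L $file ]]` and `==` are bashisms, and where sh is not bash the symlink guard fails as a command error and is silently skipped; `[ -L "$file" ]` and `=` are portable, and the guard should run before `stat` reads the file.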


@ -4,9 +4,9 @@ require_once("includes/config.php");
require_once("includes/header.php");
require_once("includes/nav.php");
if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000) {
if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) {
move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc');
exec("/usr/bin/sudo /update.sh", $result);
exec("clearpassword='.escapeshellarg($_POST['password']).' /usr/bin/sudo /update.sh", $result);
}
?>
@ -14,7 +14,8 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['
<h2>System Update</h2>
<form id="update" enctype="multipart/form-data" method="post" action="">
<fieldset>
<input type="file" name="update">
<input type="file" name="update" required>
<input type="password" name="password" placeholder="Update password" required>
<input type="submit" class="btn btn-b btn-sm smooth" value="Upload">
<p>
<ul>
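Review bot: In the new `exec()` call, `escapeshellarg` is never invoked because `'.escapeshellarg(` and `).'` sit inside the double-quoted string as literal text, and `$_POST['password']` with a quoted key inside double quotes is a PHP parse error. Either way the submitted password is not escaped before it reaches the shell. Close the string around the call instead: `exec("clearpassword=" . escapeshellarg($_POST['password']) . " /usr/bin/sudo /update.sh", $result);`. The surrounding condition also compares against the bare constant `POST` and checks `$_FILES['upfile']` and `$_FILES['file']` while the form field is named `update`, so the size limit and `move_uploaded_file` do not appear to act on the uploaded file; these should all use `'POST'` and `$_FILES['update']`.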