refactor level2

web-security/level-2/DESCRIPTION.md

@@ -0,0 +1,3 @@
+Calling shell commands to carry out work, or "shelling out" as it is often termed, is dangerous.
+Any part of a shell command is potentially injectible!
+In this level, we'll practice injecting into a slightly different part of a slightly different command.

web-security/level-2/server

@@ -0,0 +1,31 @@
+#!/opt/pwn.college/python
+
+import subprocess
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+@app.route("/", methods=["GET", "POST"])
+def challenge():
+    timezone = flask.request.args.get("timezone", "MST")
+    result = subprocess.run(
+        f"TZ={timezone} date",  # the command to run
+        shell=True,                 # use the shell to run this command
+        stdout=subprocess.PIPE,     # capture the standard output
+        stderr=subprocess.STDOUT,   # 2>&1
+        encoding="latin"            # capture the resulting output as text
+    )
+
+    return f"""
+        <html><body>
+        Welcome to the timezone service! Please choose a timezone to get the time there.
+        <form><input type=text name=timezone><input type=submit value=Submit></form>
+        <hr>
+        <b>Output of: TZ={timezone} date</b><br>
+        <pre>{result.stdout.replace("\n", "<br>")}</pre>
+        </body></html>
+        """
+
+app.secret_key = open("/flag").read().strip()
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))