complete sqli

Author: YangSeungWon

.gitignore

@@ -1,6 +1,9 @@
 # virtualenv
 core/.env/
 
+# volume
+core/data
+
 # django
 core/**/*.log
 core/**/*.pot

core/README.md

@@ -12,7 +12,7 @@ need token
 **Response:** 
 ```javascript
 {
-  "username" : string,
+  "name" : string,
   "score" : int,
   "money" : int
 }
@@ -34,7 +34,7 @@ POST /register
 
 ### Login
 ```http
-POST /Login
+POST /login
 ```
 | Parameter | Type | Description |
 | :--- | :--- | :--- |
@@ -130,3 +130,50 @@ needs token
 - Already Bought : 409
 - Not Enough balance : 402
 - Success : 200
+
+
+## Flag
+### Auth
+```http
+POST /flag/
+```
+| Parameter | Type | Description |
+| :--- | :--- | :--- |
+| `flag` | `string` |  |
+
+needs token
+**Response:** 
+- Invalid Form : 400
+- No Such Flag : 404
+- Success : 200
+```javascript
+{
+    "score" : int
+}
+```
+
+
+## Sqli
+### Query
+```http
+POST /sqli/
+```
+| Parameter | Type | Description |
+| :--- | :--- | :--- |
+| `flag` | `string` |  |
+
+needs token
+**Response:** 
+- Invalid Form : 400
+- "Attacked yourself", 400
+- "No Such Team", 404
+- "Too Long Query", 400
+- "Blocked by Regex", 400
+- Success : 200 -> with results!
+```javascript
+{
+    'success': success,
+    'message': result
+}
+```
+

core/base/admin.py

@@ -1,7 +1,9 @@
 from django.contrib import admin
-from .models import Team, SqliFilter, XssFilter, RegexRule, CspRule, LenRule
+from .models import Team, create_new_database, SqliFilter, XssFilter, RegexRule, CspRule, LenRule
+        
 
 admin.site.register(Team)
+admin.site.add_action(create_new_database, "Create New Victim Database for SQL injection.")
 admin.site.register(SqliFilter)
 admin.site.register(XssFilter)
 admin.site.register(RegexRule)

core/base/apps.py

@@ -23,4 +23,5 @@ def get_latest_attack(team, category):
     return {
         "to_team": latest.to_team,
         "is_success": latest.succeed
-    }
+    }
+

core/base/models.py

@@ -2,16 +2,23 @@
 from django.contrib.auth.models import AbstractUser
 
 
-
 class Team(AbstractUser):
     balance = models.BigIntegerField(default=0)
     score = models.BigIntegerField(default=0)
 
+    actions = ['create_new_database', ]
+
     class Meta:
         verbose_name = '팀'
         verbose_name_plural = '팀들'
 
 
+from sqli.apps import generate_db
+
+def create_new_database(Team, request, queryset):
+    for team in queryset:
+        generate_db(team.username)
+
 
 class Rule(models.Model):
     title = models.CharField(max_length=50)

core/flag/__init__.py

@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.

core/flag/admin.py

@@ -0,0 +1,24 @@
+from django.apps import AppConfig
+from django.contrib.auth import get_user_model
+
+from .models import Flag
+
+
+class FlagConfig(AppConfig):
+    name = 'flag'
+
+
+Team = get_user_model()
+
+
+def check_flag(team: Team, flag_str: str):
+    flag = Flag.objects.filter(flag=flag_str).exclude(teams__username=team.username)
+    if not flag:
+        return False, None
+    flag = flag[0]
+    
+    team.add_score(flag.score)
+    team.save()
+    flag.teams.add(team)
+
+    return True, flag

core/flag/apps.py

@@ -0,0 +1,30 @@
+# Generated by Django 3.1.5 on 2021-01-17 09:53
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Flag',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('flag', models.TextField(unique=True)),
+                ('score', models.IntegerField()),
+                ('category', models.CharField(choices=[('sqli', 'SQLi'), ('xss', 'XSS')], max_length=20)),
+                ('teams', models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'Flag',
+                'verbose_name_plural': 'Flag들',
+            },
+        ),
+    ]

core/flag/migrations/0001_initial.py

@@ -0,0 +1,19 @@
+from django.db import models
+from django.contrib.auth import get_user_model
+from env.environ import CATEGORY
+
+Team = get_user_model()
+
+
+class Flag(models.Model):
+    flag = models.TextField(unique=True)
+    score = models.IntegerField()
+    category = models.CharField(max_length=20, choices=CATEGORY)
+    teams = models.ManyToManyField(Team, blank=True)
+
+    class Meta:
+        verbose_name = "Flag"
+        verbose_name_plural = "Flag들"
+
+    def __str__(self):
+        return '%s' % self.flag

core/flag/migrations/__init__.py

@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.

core/flag/models.py

@@ -0,0 +1,31 @@
+#from django.shortcuts import render
+from django.http import JsonResponse, HttpResponse
+from django import forms
+from django.views import View
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth import authenticate, login
+import json
+from utils.validator import flag_format
+from .apps import check_flag
+
+
+class FlagAuthForm(forms.Form):
+    flag = forms.CharField(validators=[flag_format])
+
+
+class FlagAuthView(LoginRequiredMixin, View):
+    def post(self, request):
+        form = FlagAuthForm(json.loads(request.body.decode("utf-8")))
+        user = request.user
+
+        if not form.is_valid():
+            return HttpResponse(status=400)
+
+        is_ok, flag = check_flag(user, form.cleaned_data['flag'])
+
+        if is_ok:
+            return JsonResponse({
+                'score': flag.score
+            }, status=200)
+        else:
+            return HttpResponse(status=404)

core/flag/tests.py

@@ -20,4 +20,5 @@
     path('admin/', admin.site.urls),
     path('', include('base.urls')),
     path('shop/', include('shop.urls')),
+    path('sqli/', include('sqli.urls')),
 ]

core/flag/views.py

@@ -1,5 +1,225 @@
 from django.apps import AppConfig
+from django.contrib.auth import get_user_model
+
+import pymysql
+import random
+
+from utils.generator import random_string, random_flag
+from utils.mysql import sqli_db
+from utils.mysql import raw_query
+
+from flag.models import Flag
+from env.environ import ITEM_CATEGORY_SQLI
+from env.credential import MYSQL_PASS
+
+
+Team = get_user_model()
+
 
 
 class SqliConfig(AppConfig):
     name = 'sqli'
+
+
+SCORE = 200
+
+NUM_TEAM = 6
+NUM_TABLE_FLAG = 1
+NUM_COLUMN_FLAG = 2
+NUM_ELEMENT_FLAG = 7
+NUM_FLAG = NUM_TABLE_FLAG + NUM_ELEMENT_FLAG + NUM_COLUMN_FLAG
+
+NUM_TABLE = 10
+NUM_COLUMN = 5
+NUM_ROW = 100
+
+TABLE_SHOW_INTERVAL = 10
+
+FLAG_MAX_LEN = 50
+
+
+class Element:
+    def __init__(self):
+        self.name: str = random_string()
+        self.size: int = 1
+        self.child: list = []
+
+    def insert_flag(self, flag: str):
+        count = 0
+        candidates = [i for i,value in enumerate(self.child) if not str(value).startswith("PLUS{")]
+        if not candidates:
+            return False 
+        self.child[random.choice(candidates)].name = flag
+        return True
+
+
+class Column(Element):
+    def __init__(self):
+        super().__init__()
+        self.elements: list = [Element() for _ in range(NUM_ROW)]
+        self.child = self.elements
+        self.size: int = NUM_ROW
+
+    def __repr__(self):
+        return self.name
+
+    def __str__(self):
+        return self.name
+
+
+class Table(Element):
+    def __init__(self):
+        super().__init__()
+        self.columns: list = [Column() for _ in range(NUM_COLUMN)]
+        self.child = self.columns
+        self.size: int = NUM_COLUMN
+
+        names = []
+
+        for c in self.columns:
+            while True:
+                name = random_string()
+                if name not in names:
+                    c.name = name
+                    names.append(name)
+                    break
+
+    def __repr__(self):
+        return self.name
+
+    def __str__(self):
+        return self.name
+
+    def show(self):
+        print(self.name)
+        print("-" * (NUM_COLUMN * 13))
+        for i in self.columns:
+            print("%10s |" % (i.name[:10]), end=' ')
+        print()
+        print("-" * (NUM_COLUMN * 13))
+        for e_idx in range(NUM_ROW):
+            for col in self.columns:
+                print("{:10s} |".format(col.elements[e_idx].name[:10]), end=' ')
+            print()
+        print("-" * (NUM_COLUMN * 13))
+        print()
+
+    def to_sql(self, db_name: str):
+        result = "CREATE TABLE " + db_name + ".`" + self.name + "` (" + " VARCHAR(100), ".join("`"+c.name+"`" for c in self.columns) + " VARCHAR(100)); \n"
+        cols = "`, `".join(c.name for c in self.columns)
+
+        for e_idx in range(NUM_ROW):
+            data = "', '".join(c.elements[e_idx].name for c in self.columns)
+            result += f"INSERT INTO {db_name}.`{self.name}` (`{cols}`) VALUES ('{data}'); \n"
+        print(result)
+        return result
+
+
+class DB(Element):
+    def __init__(self, _name: str):
+        super().__init__()
+        self.name: str = _name
+        self.size: int = NUM_TABLE
+        self.tables: list = [Table() for _ in range(NUM_TABLE)]
+        self.child = self.tables
+
+    def __repr__(self):
+        return self.name
+
+    def __str__(self):
+        return self.name
+
+    def show(self):
+        print(f"[+] DB: {self.name}")
+        for t in self.tables:
+            t.show()
+
+    def to_sql(self):
+        result = ""
+        for table in self.tables:
+            result += table.to_sql(self.name)
+        return result
+        
+
+
+def add_flag(max_len):
+    flag = random_flag(max_len)
+    Flag.objects.create(flag=flag, score=SCORE, category=ITEM_CATEGORY_SQLI)
+    return flag
+
+
+def get_flag_set(max_len):
+    return [add_flag(FLAG_MAX_LEN) for _ in range(NUM_FLAG)]
+
+
+def generate_db(team_name: str):
+    idx = 0
+    db = DB(team_name)
+    team_flag_set = get_flag_set(60)
+
+    for _ in range(NUM_TABLE_FLAG):
+        db.insert_flag(team_flag_set[idx])
+        idx += 1
+
+    for _ in range(NUM_COLUMN_FLAG):
+        table = random.choice(db.tables)
+        table.insert_flag(team_flag_set[idx])
+        idx += 1
+
+    for _ in range(NUM_ELEMENT_FLAG):
+        table = random.choice(db.tables)
+        col = random.choice(table.columns)
+        col.insert_flag(team_flag_set[idx])
+        idx += 1
+
+
+    query = f"DROP DATABASE IF EXISTS {team_name};\n"
+    query += f"CREATE DATABASE {team_name};\n"
+    query += f"CREATE USER {team_name}@'%' IDENTIFIED BY '{MYSQL_PASS}';\n"
+    query += f"GRANT SELECT ON {team_name}.* TO {team_name}@'%';\n"
+    query += f"FLUSH privileges;"
+
+    raw_query(sqli_db(), query)
+    raw_query(sqli_db(), db.to_sql())
+
+
+
+def query_sql(attack_team_name: str, target_team_name: str, query: str):
+    if attack_team_name == target_team_name:
+        return False, "Attacked yourself", 400
+    
+    try:
+        target_team = Team.objects.get(username=target_team_name)
+    except model.DoesNotExist:
+        return False, "No Such Team", 404
+
+    ok, message, status_code = is_valid_query(target_team, query)
+    if not ok:
+        return False, message, status_code
+
+    succeed, res = raw_query(sqli_db(target_team_name, MYSQL_PASS), query)
+
+    sqli_log = SqliLog.objects.create()
+    sqli_log.from_team = attack_team_name
+    sqli_log.to_team = target_team_name
+    sqli_log.query = query
+    sqli_log.succeed = succeed
+    sqli_log.return_value = res
+    sqli_log.save()
+
+    return succeed, res, 200
+
+
+
+def is_valid_query(target_team: Team, query: str):
+    max_len = target_team.sqli_filter.max_len
+    if max_len < len(query):
+        return False, "Too Long Query", 400
+
+    regex_filter_list = target_team.sqli_filter.regex_rule_list.all()
+    for r in regex_filter_list:
+        p = re.compile(r.regexp, re.I)
+        if p.match(query):
+            return False, "Blocked by Regex", 400
+
+    return True, "", 200

core/plt/urls.py

@@ -0,0 +1,20 @@
+"""plt URL Configuration
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/3.0/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.urls import path
+from . import views
+
+urlpatterns = [
+    path('', views.SqliView.as_view(), name='sqli'),
+]

core/sqli/apps.py

@@ -1,3 +1,29 @@
-from django.shortcuts import render
+from django.http import JsonResponse, HttpResponse
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.views import View
+from django import forms
+from .apps import query_sql
+import json
 
-# Create your views here.
+
+class SqlQueryForm(forms.Form):
+    query = forms.CharField()
+    team = forms.CharField()
+
+
+class SqliView(LoginRequiredMixin, View):
+    def post(self, request):
+        form = SqlQueryForm(json.loads(request.body.decode("utf-8")))
+
+        if not form.is_valid():
+            return JsonResponse({
+                'success': False,
+                'message': 'Invalid Form'
+            }, status=400)
+
+        success, result, status_code = query_sql(request.user.username, form.cleaned_data['team'], form.cleaned_data['query'])
+
+        return JsonResponse({
+            'success': success,
+            'message': result
+        }, status=status_code)

core/sqli/urls.py

@@ -0,0 +1,8 @@
+import random
+import string
+
+def random_string(length=10):
+    return ''.join(random.choice(string.ascii_letters) for i in range(length))
+
+def random_flag(max_len=100):
+    return 'PLUS{'+random_string(max_len-6)+'}'

core/sqli/views.py

@@ -0,0 +1,34 @@
+import pymysql
+from pymysql.constants import CLIENT
+from env.credential import MYSQL_HOST, MYSQL_PORT, MYSQL_ROOT_USER, MYSQL_ROOT_PASS
+
+
+def sqli_db(user=MYSQL_ROOT_USER, password=MYSQL_ROOT_PASS) -> pymysql.connections.Connection:
+    """
+    Make Connection to sqli mysql server
+    :return: sqli; pymysql Connection Object
+    """
+    return pymysql.connect(host=MYSQL_HOST, 
+                            port=MYSQL_PORT, 
+                            user=user, 
+                            password=password, 
+                            charset="utf8", 
+                            client_flag=CLIENT.MULTI_STATEMENTS,)
+
+
+def raw_query(conn: pymysql.connections.Connection, query: str):
+    """
+    Query Dangerously & Close DB Connection.
+    :param conn: pymysql Connection Object
+    :param query: Query Sentence
+    :return: is_success, result
+    """
+    try:
+        c = conn.cursor()
+        c.execute(query)
+        return True, c.fetchall()
+    except Exception as e:
+        print("ERROROROROROROR!!!!!:",e)
+        return False, e
+    finally:
+        conn.close()

core/utils/generator.py

@@ -0,0 +1,16 @@
+from django.contrib.auth import get_user_model
+from env.sqli_flags import SQLI_FLAGS
+
+
+
+def flag_match_list(flag_input: str):
+    return [i for i in SQLI_FLAGS if i[0] is flag_input]
+
+
+def score(flag_input: str) -> int:
+    result = flag_match_list(flag_input)
+
+    if len(result) == 0:
+        return 0
+    else:
+        return result[0][1]