last commit

Author: YangSeungWon

core/Dockerfile

@@ -13,4 +13,4 @@ RUN pip install --no-cache-dir -r requirements.txt
 COPY ./ /app/
 RUN python manage.py collectstatic --noinput
 
-ENTRYPOINT ["gunicorn", "plt.wsgi", "--worker-class gevent", "--workers=8", "--threads=2", "-b", "0.0.0.0:8000"]
+ENTRYPOINT ["gunicorn", "plt.wsgi", "--worker-class gevent", "--workers=32", "--threads=16", "-b", "0.0.0.0:8000"]

core/base/models.py

@@ -59,7 +59,7 @@ class Meta:
 class Filter(models.Model):
     owner = models.ForeignKey(Team, on_delete=models.PROTECT)
     regex_rule_list = models.ManyToManyField(RegexRule, blank=True)
-    max_len = models.PositiveSmallIntegerField(default=120)
+    max_len = models.PositiveSmallIntegerField(default=150)
 
     class Meta:
         abstract = True
@@ -72,6 +72,11 @@ class Meta:
 
 class XssFilter(Filter):
     csp_rule_list = models.ManyToManyField(CspRule, blank=True)
+
+    def __init__(self, *args, **kwargs):
+        self._meta.get_field('max_len').default = 50    
+        super(XssFilter, self).__init__(*args, **kwargs)
+
     class Meta:
         verbose_name = "XSS 필터"
         verbose_name_plural = "XSS 필터들"

core/sqli/apps.py

@@ -208,7 +208,11 @@ def query_sql(attack_team_name: str, target_team_name: str, query: str):
     sqli_log.return_value = res
     sqli_log.save()
 
-    return succeed, res, 200
+    if not succeed:
+        return False, "SQL 실행 중 오류가 발생했습니다.", 400 
+    if not res:
+        return False, "정상적으로 실행되었으나 아무 값도 가져오지 않았습니다.", 200
+    return True, "정상적으로 실행되고 특정한 값을 가져왔습니다. 그러나 내용을 알아보기는 힘듭니다.", 200
 
 
 

core/sqli/views.py

@@ -15,10 +15,12 @@ class SqliView(LoginRequiredMixin, View):
     def post(self, request):
         form = SqlQueryForm(json.loads(request.body.decode("utf-8")))
         if not form.is_valid():
-            return JsonResponse({
-                'success': False,
-                'message': '공격을 시도할 지구를 선택해야합니다.'
-            }, status=400)
+            form = SqlQueryForm(request.POST)
+            if not form.is_valid():
+                return JsonResponse({
+                    'success': False,
+                    'message': '공격을 시도할 지구를 선택해야합니다.'
+                }, status=400)
 
         success, result, status_code = query_sql(request.user.username, form.cleaned_data['team'], form.cleaned_data['query'])
         return JsonResponse({

core/utils/generator.py

@@ -1,8 +1,15 @@
 import random
 import string
 
+
+def random_int(length=5):
+    return str(random.randint(10**length, 10**(length+1)-1))
+
+
 def random_string(length=10):
     return ''.join(random.choice(string.ascii_letters) for i in range(length))
 
+
 def random_flag(max_len=100):
-    return 'PLUS{'+random_string(max_len-6)+'}'
+    length = (max_len - 9) // 4
+    return 'PLUS{'+random_int(length)+'.'+random_int(length)+'-'+random_int(length)+'.'+random_int(length)+'}'

core/xss/views.py

@@ -20,11 +20,12 @@ class XssView(LoginRequiredMixin, View):
     def post(self, request):
         form = XssQueryForm(json.loads(request.body.decode("utf-8")))
         if not form.is_valid():
-            return JsonResponse({
-                'success': False,
-                'message': '공격을 시도할 지구를 선택해야합니다.',
-            }, status=400)
-            
+            form = XssQueryForm(request.POST)
+            if not form.is_valid():
+                return JsonResponse({
+                    'success': False,
+                    'message': '공격을 시도할 지구를 선택해야합니다.',
+                }, status=400)        
 
         time_passed_after_last_attack = get_time_passed_after_last_attack(request.user.username, form.cleaned_data['team'])
         if XSS_INTERVAL - time_passed_after_last_attack > 0: