async gunicorn

Author: YangSeungWon

core/Dockerfile

@@ -13,4 +13,4 @@ RUN pip install --no-cache-dir -r requirements.txt
 COPY ./ /app/
 RUN python manage.py collectstatic --noinput
 
-ENTRYPOINT ["gunicorn", "plt.wsgi", "-b", "0.0.0.0:8000"]
+ENTRYPOINT ["gunicorn", "plt.wsgi", "--worker-class gevent", "--workers=8", "--threads=2", "-b", "0.0.0.0:8000"]

core/base/apps.py

@@ -12,12 +12,12 @@ class BaseConfig(AppConfig):
 def get_latest_attack(team, category):
     if category == ITEM_CATEGORY_SQLI:
         try:
-            latest = SqliLog.objects.filter(from_team=team).latest()
+            latest = SqliLog.objects.filter(from_team=team).last()
         except SqliLog.DoesNotExist:
             latest = ''
     elif category == ITEM_CATEGORY_XSS:
         try:
-            latest = XssLog.objects.filter(from_team=team).latest()
+            latest = XssLog.objects.filter(from_team=team).last()
         except XssLog.DoesNotExist:
             latest = ''
     else:

core/plt/settings.py

@@ -56,6 +56,7 @@
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
+    'corsheaders',
     'base',
     'sqli',
     'xss',

core/requirements.txt

@@ -3,9 +3,13 @@ cffi==1.14.4
 cryptography==3.3.1
 Django==3.1.5
 django-cors-headers==3.6.0
+gevent==21.1.1
+greenlet==1.0.0
 gunicorn==20.0.4
 pycparser==2.20
 PyMySQL==1.0.2
 pytz==2020.5
 six==1.15.0
 sqlparse==0.4.1
+zope.event==4.5.0
+zope.interface==5.2.0

core/shop/models.py

@@ -2,7 +2,7 @@
 from django.db.models import F
 from django.contrib.auth import get_user_model
 
-from base.models import RegexRule, LenRule, CspRule
+from base.models import RegexRule, LenRule, CspRule, SqliFilter, XssFilter
 from env.environ import CATEGORY, ITEM_CATEGORY_SQLI, ITEM_CATEGORY_XSS
 Team = get_user_model()
 
@@ -24,9 +24,9 @@ def already_bought(self, request):
 
     def get_filter(self, team: Team):
         if self.category == ITEM_CATEGORY_SQLI:
-            return team.sqli_filter
+            return SqliFilter.objects.get(owner=team)
         elif self.category == ITEM_CATEGORY_XSS:
-            return team.xss_filter
+            return XssFilter.objects.get(owner=team)
 
     def check_balance(self, team: Team):
         return team.balance >= self.price

core/shop/urls.py

@@ -17,5 +17,5 @@
 
 urlpatterns = [
     path('', views.ShopView.as_view(), name='shop'),
-    path('<int:item_id>', views.ItemView.as_view(), name='item'),
+    path('<int:item_id>/', views.ItemView.as_view(), name='item'),
 ]

core/sqli/apps.py

@@ -3,6 +3,7 @@
 
 import pymysql
 import random
+import re
 
 from utils.generator import random_string, random_flag
 from utils.mysql import sqli_db

core/sqli/models.py

@@ -1,4 +1,7 @@
 from django.db import models
+from django.conf import settings  
+from pytz import timezone
+
 
 
 class SqliLog(models.Model):
@@ -9,6 +12,11 @@ class SqliLog(models.Model):
     succeed = models.BooleanField(default=False)
     return_value = models.CharField(max_length=1000)
 
+    @property
+    def created_at_korean_time(self):
+        korean_timezone = timezone(settings.TIME_ZONE)
+        return self.created_at.astimezone(korean_timezone)
+
     def __str__(self):
         return f"SQLi query from {self.from_team} to {self.to_team}"
 

core/xss/apps.py

@@ -1,7 +1,7 @@
 import os
 import binascii
 import re
-from datetime import datetime
+from django.utils import timezone
 
 from django.apps import AppConfig
 from django.contrib.auth import get_user_model
@@ -27,15 +27,20 @@ def create_flag():
 
 
 def get_time_passed_after_last_attack(attack_team, target_team):
+    now_time = int(timezone.localtime().strftime("%Y%m%d%H%M%S"))
     last_attack_time = 0
     try:
-        last_attack = XssLog.objects.filter(from_team=attack_team,
+        attacks = XssLog.objects.filter(from_team=attack_team,
                                             to_team=target_team,
-                                            succeed=True).latest()
-        last_attack_time = int(last_attack.created_at.strftime("%Y%m%d%H%M%S"))
+                                            succeed=True)
+        if len(attacks) == 0:
+            return now_time
+        last_attack = attacks.last()
+        last_attack_time = int(last_attack.created_at_korean_time.strftime("%Y%m%d%H%M%S"))
     except XssLog.DoesNotExist:
         pass
-    return int(datetime.now().strftime("%Y%m%d%H%M%S")) - last_attack_time
+    print(now_time - last_attack_time)
+    return now_time - last_attack_time
 
 
 def query_xss(attack_team_name: str, target_team_name: str, query: str):
@@ -60,7 +65,7 @@ def query_xss(attack_team_name: str, target_team_name: str, query: str):
     xss_log.query = query
     xss_log.save()
 
-    checked, succeed = check_alert(f'http://localhost:8000/xss/{xss_log.hash}')
+    checked, succeed = check_alert(f'http://plus.or.kr:17354/xss/{xss_log.hash}/')
     xss_log.checked = checked
     xss_log.succeed = succeed
     xss_log.save()

core/xss/checkbot.py

@@ -18,7 +18,6 @@ def check_alert(URI):
         try:
             driver.implicitly_wait(2)
             alert = driver.switch_to_alert()
-            print(alert)
             alert.accept()
             driver.quit()
             return True, True

core/xss/models.py

@@ -1,4 +1,6 @@
 from django.db import models
+from django.conf import settings  
+from pytz import timezone
 
 from base.models import CspRule
 
@@ -13,6 +15,11 @@ class XssLog(models.Model):
     checked = models.BooleanField(default=False)
     succeed = models.BooleanField(default=False)
 
+    @property
+    def created_at_korean_time(self):
+        korean_timezone = timezone(settings.TIME_ZONE)
+        return self.created_at.astimezone(korean_timezone)
+
     def __str__(self):
         return f"XSS query from {self.from_team} to {self.to_team} /{self.hash}"
 

core/xss/urls.py

@@ -17,5 +17,5 @@
 
 urlpatterns = [
     path('', views.XssView.as_view(), name='xss'),
-    re_path(r'^(?P<hash>[0-9a-f]+)$', views.XssTestView.as_view(), name='test_xss'),
+    re_path(r'^(?P<hash>[0-9a-f]+)\/$', views.XssTestView.as_view(), name='test_xss'),
 ]

core/xss/views.py

@@ -37,7 +37,7 @@ def post(self, request):
         if not succeed:
             return JsonResponse({
                 'success': False,
-                'message': message,
+                'message': message
             }, status=status_code)
 
         flag = create_flag()
@@ -49,10 +49,10 @@ def post(self, request):
 
 class XssTestView(View):
     def get(self, request, hash):
-        data = XssLog.objects.filter(hash = hash)
-        if data:
+        try:
+            data = XssLog.objects.get(hash = hash)
             return render(request, 'xss/xss_test.html', {
-                'data': data[0],
+                'data': data,
             })
-        else:
+        except XssLog.DoesNotExist:
             return HttpResponse(status=404)

docker-compose.yml

@@ -41,4 +41,4 @@ services:
       - static_volume:/app/static
       - "./core/data/db.sqlite3:/app/db.sqlite3"
     expose:
-      - 8000
+      - 8000